Create a Business Continuity Plan: Key Rules

Business in the 21st century is unthinkable without information technology. IT is a powerful engine of the economy, but at the same time a source of risk. Business continuity is tied to the continuity of IT services: their failure means, at best, downtime and financial losses and, at worst, catastrophic consequences. This material looks at the means by which information security and business continuity are ensured.

Components of crisis management: BCM, BCP, DRP

The more a business depends on information technology, the more seriously it must take the continuity of its processes. This applies to credit and financial organizations, telecommunications companies, and high-tech enterprises with a continuous production cycle, such as nuclear power plants. A well-thought-out crisis management system is equally in demand in retail, e-commerce and the public sector; in short, almost everywhere that business continuity is critical.

A number of industries have specific business continuity regulations that must be followed in order to license activities.

The degree of risk is determined by the consequences of an IT service failure. For a bank, even a short interruption of operations means colossal material losses. What if the incident happens at an airline or in the fuel and energy sector? There, not only money is at stake: people's lives are in danger.

The causes of business risk are varied: natural disasters (recall the freezing rain in Moscow in 2021, which cost JSC "MOESK" about 1.3 billion rubles in economic damage [1]), accidents in power systems, and of course cybercrime (the number of cybercrimes in Russia alone grows three- to fourfold annually) [2]. Given this variety of risks, the relevance of information security (IS) is beyond doubt.

A survey conducted by DEAC in 2021 described the business continuity risks facing Russian businesses. According to its results, solutions for ensuring process continuity are most in demand in two areas: finance and information. If IT systems become unavailable, 40% of respondents can continue working for no more than an hour, and 24% for no more than a minute. The greatest threats to business continuity are risks associated with information security and with changes in national legislation, and almost half of respondents expect these risks to grow in the near future.

The general information security of an enterprise is implemented through crisis management tools: the disciplines of BCM, with BCP and DRP as its components. They derive from the information security management system, inheriting its methodology and the following basic principles:

  • risk analysis of emergencies and of their impact on business processes and functions;
  • incident control and management;
  • strategic and tactical continuity planning for information and communication technology (ICT).

BCM (BCP and DRP) protects the security of the business as a whole, as reflected in many international, national and industry standards, in particular ISO/IEC 27001 and ISO 22301 (current edition 2019). The first is devoted to information security management in general; the second deals specifically with business continuity management. Compliance with their requirements should be a criterion when choosing a data center to store your information. If you intend to rely on the enterprise's own resources, consider implementing these standards yourself: that is the key to data security and business continuity.

However, these disciplines are not identical to information security management, which is only their foundation. Historically, starting from plain backup of information, the BCM system gradually came to cover almost every aspect of business activity beyond information security, turning into a holistic body of views on how to ensure business continuity, that is, an organization's resilience to all kinds of failures, destruction and losses, financial losses first of all.

For reference

  • BCM (Business Continuity Management) - business continuity management.
  • BCP (Business Continuity Planning) - business continuity planning.
  • DRP (Disaster Recovery Planning) - disaster recovery planning.

Business Continuity Plan Example

Planning a disaster?

Good afternoon, dear colleagues.

In one of our previous articles on crisis situations, we touched on writing a company's anti-crisis plan (in international terminology, a BCP) and in particular its IT part, the IT BCP. That article also covered why every company should have such a plan.

This article goes deeper into the document itself. We will consider the structure of an IT BCP in detail, touch on organizational and technical questions, and walk through a working IT BCP using a typical, probable risk as an example. The article will be useful to business owners, risk managers, CIOs and other leaders responsible for business continuity.

Why does business need disaster plans and how do they work?

Different companies solve many different strategic and tactical tasks in the course of their work, but all of them, one way or another, strive for the same thing: to improve their market position, minimize costs and increase profits. At various stages of their life, businesses face emergencies that can drastically change the normal course of operations or even push the company out of the market, for a short time, a long time or forever. The mandatory tasks of any company, regardless of size or line of business, include preventive work on emergencies: preparing for them, handling them when they occur, emerging with minimal losses, and improving further in this area.

In general, the company should have a single document BCP (business continuity plan), which regulates and describes the company's actions in typical crisis situations and, most importantly, actions in preparation for them.

Typically, a BCP is written, implemented, and refined by a senior security officer or CIO, with direct input from the head of the organization. These persons are also entrusted with the task of forming an anti-crisis team from among employees or by attracting external specialists.

Let's analyze in detail how IT BCP works in general, and also touch on some features.

Section 1 - Risk Scenarios Catalog

In 2021, the Bank of Russia approved methodological recommendations on ensuring the continuity of operations of non-bank financial institutions (No. 28-MR of August 18, 2021). They pay special attention to information security in a non-bank financial organization (NFO) and to the work of NFO employees in emergency situations.

Our experts prepare the documents needed to ensure information security and continuity of operations of a non-bank financial institution:

A. Documents prepared in accordance with the general provisions of the recommendations:

  • Information security policy
  • Job description of the information security administrator
  • Order on approval of the information security regulation and appointment of persons responsible for information protection
  • Order on approval of the list of information resources
  • Order on protected rooms and rooms with limited access
  • List of rooms with limited access
  • List of employees with access to premises with limited access
  • Technical passport of the protected premises
  • Action plan for information security
  • Work plan for information protection
  • Procedure for access to information, software and hardware resources
  • Order on the procedure for access to information resources and approval of their list
  • Statement on the use of software
  • Order on the use of software
  • Regulations on the use of the Internet and e-mail
  • List of email addresses of employees
  • Order on the use of the Internet and e-mail
  • Regulation on password protection
  • Order on organization of password protection
  • Regulation on backup
  • Order on backup
  • Regulation on anti-virus control
  • Order on anti-virus control
  • Regulations on the use of mobile devices and storage media
  • A plan for ensuring the continuity of operation and restoration of an automated system
  • Order to put the plan into effect
  • Regulations for responding to information security incidents
  • Information security memo
  • Mandatory civil defense and emergency documentation.

B. Documents prepared in accordance with the additional recommendations:

  • Business Continuity Policy
  • Incident Management Plan
  • Business Continuity and Recovery Plan
  • Planned (target) time to resume and restore critical processes (RTO).
  • The procedure, methods, resources and timing of measures to prevent, reduce the impact and eliminate the consequences of a possible disruption of the daily functioning of the organization caused by emergency situations.
  • A list of emergency factors that can lead to the suspension of critical processes, and the procedure for activating the Business Continuity Plan under the influence of each of the factors.
  • Inclusion of procedures in the Business Continuity Plan, the implementation of which in the daily operation of the organization is necessary for the successful implementation of the Business Continuity Plan (including procedures aimed at ensuring the security of information systems).
  • A list of critical processes and their recovery priorities.
  • The procedure for carrying out critical processes in emergency situations, where it differs from normal operation.
  • The procedure for interaction between the management bodies and employees of the organization in emergency situations, including the powers of the management bodies, departments and employees of the organization for the implementation of activities under the Business Continuity Plan.
  • The procedure for emergency notification and the method of communication between management bodies, departments and employees of the organization, information on contacts of emergency operational services (telephone numbers) and internal contacts (telephone numbers, e-mail addresses) of persons responsible for the implementation of activities within Business continuity plan.
  • The procedure for informing clients and counterparties of the organization, as well as the Bank of Russia about the occurrence and possible consequences of emergencies.
  • Procedure for revising (updating) the Business Continuity Plan.
  • The procedure for backing up information and databases serving critical processes to backup machine storage media to resume these processes in the event of loss or damage to information or databases due to emergencies.
  • A training program for responsible employees of the organization on ensuring the safety and continuity of critical processes.
  • The procedure for managing access to information systems serving critical processes, including managing the rights and privileges of users of information systems, delimiting access to these systems based on the set of access control rules established in them, as well as monitoring compliance with these rules ...
  • The procedure for drawing up and submitting to the authorized body a report on the continuity of the organization's activities.
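Several of the elements listed under B (recovery priorities, the RTO, the backup arrangements that serve critical processes, and the emergency factors that activate the plan) can be kept as structured data and checked mechanically instead of living only in prose. The following is an illustration added for this page, not code from the Bank of Russia recommendations or from any vendor; the process names, times, emergency factors and the one-year rehearsal limit are constructed assumptions.

```python
"""Minimal model of the BCP elements above: critical processes with recovery
priorities and target recovery times (RTO), the backup arrangement serving each
process, and the emergency factors that activate the plan.

All data here is constructed for illustration; the process names, times and
factors are assumptions, not figures from any real organization.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupArrangement:
    interval_hours: float   # how often the data serving the process is backed up
    restore_hours: float    # measured time to restore from that backup and resume
    last_test_days: int     # days since the restore was last rehearsed end to end


@dataclass(frozen=True)
class CriticalProcess:
    name: str
    priority: int           # 1 = restore first
    rto_hours: float        # planned (target) time to resume the process
    backup: BackupArrangement


# Constructed sample catalog (assumption: an NFO with three critical processes).
CATALOG = [
    CriticalProcess("client payments", 1, 2.0, BackupArrangement(1.0, 1.5, 30)),
    CriticalProcess("regulatory reporting", 2, 24.0, BackupArrangement(24.0, 4.0, 400)),
    CriticalProcess("client portal", 3, 8.0, BackupArrangement(4.0, 12.0, 60)),
]

# Constructed emergency factors and the processes each one suspends (assumption).
EMERGENCY_FACTORS = {
    "data center power loss": {"client payments", "regulatory reporting", "client portal"},
    "ransomware on office network": {"regulatory reporting", "client portal"},
    "office building inaccessible": set(),  # covered by remote work; no IT restoration
}

MAX_TEST_AGE_DAYS = 365  # assumption: restore rehearsals at least annually


def plan_defects(catalog):
    """Return human-readable defects: an RTO the backup arrangement cannot meet
    (restore takes longer than the target), and restore procedures not rehearsed
    within MAX_TEST_AGE_DAYS. An empty list means the catalog passes both checks."""
    defects = []
    for p in catalog:
        if p.backup.restore_hours > p.rto_hours:
            defects.append(
                f"{p.name}: restore takes {p.backup.restore_hours}h, RTO is {p.rto_hours}h")
        if p.backup.last_test_days > MAX_TEST_AGE_DAYS:
            defects.append(
                f"{p.name}: restore last tested {p.backup.last_test_days} days ago")
    return defects


def worst_case_data_loss_hours(process):
    """Data written after the most recent backup is lost: at worst one full interval."""
    return process.backup.interval_hours


def recovery_sequence(catalog, factor):
    """Names of the processes suspended by `factor`, in restoration order:
    by recovery priority, then by the tighter RTO. An empty list means the
    plan's IT-recovery section is not activated for this factor."""
    affected = EMERGENCY_FACTORS[factor]
    hit = [p for p in catalog if p.name in affected]
    return [p.name for p in sorted(hit, key=lambda p: (p.priority, p.rto_hours))]


if __name__ == "__main__":
    for defect in plan_defects(CATALOG):
        print("DEFECT:", defect)
    for factor in EMERGENCY_FACTORS:
        print(factor, "->", recovery_sequence(CATALOG, factor))
```

Run stand-alone, the script reports that the client portal's measured restore time exceeds its RTO and that the regulatory reporting restore has not been rehearsed within a year, then prints the recovery order for each factor. The two checks are the ones a reviewer of the plan most often finds missing: an RTO that was declared but never measured against an actual restore, and a backup that exists but has never been proven restorable.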

Sample Financial Institution Continuity Plan

1. A practical guide based on the general guidelines (chapters 1-2), for:
  • credit bureaus (CRB) holding fewer than 20 million title parts of credit histories;
  • credit rating agencies (CRA).

The business continuity plan is today one of the mandatory documents of corporate governance. A well-thought-out crisis checklist helped many companies avoid operational collapse during the first wave of the COVID-19 pandemic. If your organization does not yet have such a document, now is the time to draw one up, or to revise the one you have. Our regular expert Natalya Vinogradova explains which elements a business continuity plan must include and what to pay attention to when preparing it.

One of the main problems in any crisis is the confusion and sense of helplessness that arise at every level of the organization and prevent people from taking the necessary actions in time. Solving that problem is the main task of the business continuity plan, or BCP. Such a plan lets you agree on and rehearse the main anti-crisis steps in advance, keep the company working, and resume operations quickly after any failure. In effect, it is a set of rules the whole company must follow to keep business processes and customer support running and to preserve its assets.

A BCP is also an opportunity for a leader to focus on the business and decide what deserves priority attention during a crisis ("must have") and what is important but not first in line ("nice to have").

Your strategy will differ depending on what caused the business crisis. There are three main types of risks (losses).

  • Loss of an office or production facility - for example, when a natural disaster or fire makes it impossible to operate an office, production site or warehouse.
  • Loss of infrastructure - when a power failure, a computer virus or any other emergency has disrupted critical systems: accounting, IT systems and so on.
  • Loss of people - when some disaster (again, a global pandemic) deprives your staff of the ability to perform certain functions or take part in certain processes.

In case of loss of an office, the plan should include options for moving employees to remote work, at home or at another site (for example, a coworking space). For infrastructure problems it is usually possible to find alternative technical solutions that restore normal operation, or to support the most critical processes manually. Being left without people is the hardest situation, since you will have to bring in new personnel and train them.

Three areas deserve close attention.

Information and security. The primary task is to ensure the safety of the organization in general and employees in particular, as well as inform everyone about the measures taken. Ensure the purchase of personal protective equipment, take care of the safety of workplaces, write down the safety rules that personnel must follow. Keep everyone in the loop to minimize rumors, panic, and general anxiety. If necessary, open a hotline.

Organization. In times of crisis, many businesses send people on unpaid leave, cut staff and / or wages, or start working outside the office. Make a plan to keep your organization running across its constraints and focusing on the most critical processes. Monitoring compliance with labor legislation in this situation is extremely important and will require additional work from personnel officers.

Financial issues. To survive the crisis, you need a steady cash flow. In the face of a rapidly declining income, it is imperative to tighten control over spending and the movement of funds. Even those businesses that are doing well themselves may have partners whose work will be negatively affected by the crisis, and this can cause a domino effect.

Agility and flexibility are the new norm. Most likely you will be able to predict neither the duration nor the scale of the crisis. The measures envisaged in your original anti-crisis plans may prove insufficient or may need urgent adjustment.
