Business continuity planning: Unterschied zwischen den Versionen

Aus Foxwiki
K Textersetzung - „Kurzbeschreibung“ durch „Beschreibung“
Der Seiteninhalt wurde durch einen anderen Text ersetzt: „'''Business continuity planning''' == Beschreibung == <noinclude> == Anhang == === Siehe auch === {{Special:PrefixIndex/{{BASEPAGENAME}}}} ==== Links ==== ===== Weblinks ===== = TMP = ==See also== {{columns-list|colwidth=22em| * Capacity planning * Catastrophe modeling * Crisis management * Cyber resilience * Digital continuity * Disaster ** Disaster recovery ** Disaster recovery and business con…“
Markierung: Ersetzt
Zeile 1: Zeile 1:
'''topic''' - Beschreibung
'''Business continuity planning'''
 
== Beschreibung ==
== Beschreibung ==


Zeile 10: Zeile 11:


= TMP =
= TMP =
[[Image:BCPLifecycle.gif|thumb|Business continuity planning life cycle]]
'''Business continuity''' may be defined as "the capability of an organization to continue the delivery of products or services at pre-defined acceptable levels following a disruptive incident",<ref>BCI Good Practice Guidelines 2013, quoted in [[Mid Sussex District Council]], [https://www.midsussex.gov.uk/media/1838/mid-sussex-business-continuity-plan.pdf Business Continuity Policy Statement], published April 2018, accessed 19 February 2021</ref> and '''business continuity planning'''<ref>{{cite magazine |magazine=[[Forbes]] |date=June 26, 2015 |url=https://www.forbes.com/sites/johnrampton/2015/06/26/how-to-build-an-effective-and-organized-business-continuity-plan |title=How to Build an Effective and Organized Business Continuity Plan}}</ref><ref>{{cite web  |website=[[American Bar]].org (American Bar Association) |url=https://www.americanbar.org/content/dam/aba/events/disaster/surviving_a_disaster_a_lawyers_guide_to_disaster_planning.authcheckdam.pdf |archive-url=https://ghostarchive.org/archive/20221009/https://www.americanbar.org/content/dam/aba/events/disaster/surviving_a_disaster_a_lawyers_guide_to_disaster_planning.authcheckdam.pdf |archive-date=2022-10-09 |url-status=live |date=2011 |title=Surviving a Disaster}}</ref> (or '''business continuity and resiliency planning''') is the process of creating systems of prevention and recovery to deal with potential threats to a company.<ref>Elliot, D.; Swartz, E.; Herbane, B. (1999) Just waiting for the next big bang: business continuity planning in the UK finance sector. Journal of Applied Management Studies, Vol. 8, No, pp. 43–60. Here: p. 48.</ref> In addition to prevention, the goal is to enable ongoing operations before and during execution of [[disaster recovery]].<ref>{{cite magazine |magazine=Business Insurance Magazine |author=Alan Berman |date=March 9, 2015 |url=http://www.businessinsurance.com/article/20150309/ISSUE0401/303159991/constructing-a-successful-business-continuity-plan |title=Constructing a Successful Business Continuity Plan}}</ref> Business continuity is the intended outcome of proper execution of both business continuity planning and disaster recovery.
Several [[business continuity standards]] have been published by various standards bodies to assist in checklisting ongoing planning tasks.<ref>{{cite web |title=Business Continuity Plan |publisher=United States Department of Homeland Security |url=https://www.ready.gov/business/implementation/continuity |access-date=4 October 2018 |archive-date=7 December 2018 |archive-url=https://web.archive.org/web/20181207233700/https://www.ready.gov/business/implementation/continuity |url-status=dead }}</ref>
Business continuity requires a top-down approach to identify an organisation's minimum requirements to ensure its viability as an entity. An organization's resistance to failure is "the ability ... to withstand changes in its environment and still function".<ref name=auto>{{Cite journal |author1=Ian McCarthy |author2=Mark Collard  |author3=Michael Johnson |title=Adaptive organizational resilience: an evolutionary perspective |journal=Current Opinion in Environmental Sustainability |volume=28 |pages=33–40 |doi=10.1016/j.cosust.2017.07.005|year=2017 |bibcode=2017COES...28...33M }}</ref> Often called resilience, it is a capability that enables organizations to either endure environmental changes without having to permanently adapt, or the organization is forced to adapt a new way of working that better suits the new environmental conditions.<ref name=auto/>
==Overview==
Any event that could negatively impact operations should be included in the plan, such as [[supply chain]] interruption, loss of or damage to critical infrastructure (major machinery or computing/network resource). As such, BCP is a [[subset]] of [[risk management]].<ref>{{cite web|url=http://flevy.com/blog/business-continuity-planning/|title=Business Continuity Planning |last=Intrieri|first=Charles|date=10 September 2013|publisher=Flevy|access-date=29 September 2013}}</ref> In the U.S., government entities refer to the process as ''[[Continuity of Operations Plan|continuity of operations planning]]'' (COOP).<ref>{{Cite web|url=https://www.fema.gov/emergency-managers/national-preparedness/continuity|title=Continuity Resources and Technical Assistance &#124; FEMA.gov|website=www.fema.gov}}</ref> A '''business continuity plan'''<ref name=D.BCP>{{Cite web|url=https://www.aig.co.uk/content/dam/aig/emea/united-kingdom/documents/property-insights/business-continuity-planning-guidelines-for-preparation-of-your-plan.pdf|title=A Guide to the preparation of a Business Continuity Plan|access-date=2019-02-08|archive-date=2019-02-09|archive-url=https://web.archive.org/web/20190209125238/https://www.aig.co.uk/content/dam/aig/emea/united-kingdom/documents/property-insights/business-continuity-planning-guidelines-for-preparation-of-your-plan.pdf|url-status=dead}}</ref> outlines a range of disaster scenarios and the steps the business will take in any particular scenario to return to regular trade. BCP's are written ahead of time and can also include precautions to be put in place. Usually created with the input of key staff as well as stakeholders, a BCP is a set of contingencies to minimize potential harm to businesses during adverse scenarios.<ref>{{cite web|title=Business Continuity Planning (BCP) for Businesses of all Sizes|url=http://www.williamadvisorygroup.com/business-continuity-planning-bcp-for-businesses-of-all-sizes/|date=19 April 2017|access-date=28 April 2017|archive-url=https://web.archive.org/web/20170424090047/http://www.williamadvisorygroup.com/business-continuity-planning-bcp-for-businesses-of-all-sizes/|archive-date=24 April 2017|url-status=dead}}</ref>
===Resilience===
A 2005 analysis of how disruptions can adversely affect the operations of corporations and how investments in resilience can give a [[competitive advantage]] over entities not prepared for various contingencies<ref>{{cite book |author=Yossi Sheffi |url=http://resilient-enterprise.mit.edu |title=The Resilient Enterprise: Overcoming Vulnerability for Competitive Enterprise |publisher=MIT Press |date=October 2005|author-link=Yossi Sheffi}}</ref> extended then-common business continuity planning practices. Business organizations such as the [[Council on Competitiveness]] embraced this resilience goal.<ref>{{cite web |url=http://www.compete.org/publications/detail/31/the-resilient-economy-integrating-competitiveness-and-security |title=Transform. The Resilient Economy |access-date=2019-02-04 |archive-date=2013-10-22 |archive-url=https://web.archive.org/web/20131022142939/http://www.compete.org/publications/detail/31/the-resilient-economy-integrating-competitiveness-and-security/ |url-status=dead }}</ref>
Adapting to change in an apparently slower, more evolutionary manner - sometimes over many years or decades - has been described as being more resilient,<ref>{{Cite web | url=https://www.newsday.com/2.811/jamie-herzlich/small-business-a-good-plan-shields-from-storm-clouds-1.1322137?firstfree=yes |title = Newsday &#124; Long Island's & NYC's News Source &#124; Newsday}}</ref> and the term "strategic resilience" is now used to go beyond resisting a one-time crisis, but rather continuously anticipating and adjusting, "before the case for change becomes desperately obvious".
This approach is sometimes summarized as: [[preparedness]],<ref>{{cite conference |title=Business Continuity Preparedness and the Mindfulness State of Mind |book-title=AMCIS 2007 Proceedings |quote= "An estimated 80 percent of companies without a well-conceived and tested business continuity plan, go out of business within two years of a major disaster" (Santangelo 2004) |author1=Tiffany Braun |author2=Benjamin Martz |s2cid=7698286 |date=2007}}</ref> protection, response and recovery.<ref>{{cite web |url=https://www.isms.online/iso-27001/annex-a-17-information-security-aspects-of-business-continuity-management/ |title=Annex A.17: Information Security Aspects of Business Continuity Management |publisher=ISMS.online |date=November 2021}}</ref>
Resilience Theory can be related to the field of Public Relations. Resilience is a communicative process that is constructed by citizens, families, media system, organizations and governments through everyday talk and mediated conversation.<ref>{{Cite web|url=https://www.researchgate.net/publication/322693327|title=Communication and resilience: concluding thoughts and key issues for future research|website=www.researchgate.net}}</ref>
The theory is based on the work of [[Patrice Buzzanell|Patrice M. Buzzanell]], a professor at the Brian Lamb School of Communication at [[Purdue University]]. In her 2010 article, "Resilience: Talking, Resisting, and Imagining New Normalcies Into Being"<ref>{{Cite journal|last=Buzzanell|first=Patrice M.|date=2010|title=Resilience: Talking, Resisting, and Imagining New Normalcies Into Being|journal=Journal of Communication|volume=60|issue=1|pages=1–14|doi=10.1111/j.1460-2466.2009.01469.x|issn=1460-2466}}</ref> Buzzanell discussed the ability for organizations to thrive after having a crisis through building resistance. Buzzanell notes that there are five different processes that individuals use when trying to maintain resilience- crafting normalcy, affirming identity anchors, maintaining and using communication networks, putting alternative logics to work and downplaying negative feelings while foregrounding positive emotions.
When looking at the resilience theory, the crisis communication theory is similar, but not the same. The crisis communication theory is based on the reputation of the company, but the resilience theory is based on the process of recovery of the company. There are five main components of resilience: crafting normalcy, affirming identity anchors, maintaining and using communication networks, putting alternative logics to work, and downplaying negative feelings while foregrounding negative emotions.<ref>{{Cite journal|last=Buzzanell|first=Patrice M.|date=March 2010|title=Resilience: Talking, Resisting, and Imagining New Normalcies Into Being|journal=Journal of Communication|volume=60|issue=1|pages=1–14|doi=10.1111/j.1460-2466.2009.01469.x|issn=0021-9916}}</ref> Each of these processes can be applicable to businesses in crisis times, making resilience an important factor for companies to focus on while training.
There are three main groups that are affected by a crisis. They are [[wikt:micro|micro]] (individual), [[wikt:meso|meso]] (group or organization) and [[wikt:macro|macro]] (national or interorganizational). There are also two main types of resilience, which are proactive and post resilience. Proactive resilience is preparing for a crisis and creating a solid foundation for the company. Post resilience includes continuing to maintain communication and check in with employees.<ref>{{Cite journal|last=Buzzanell|first=Patrice M.|date=2018-01-02|title=Organizing resilience as adaptive-transformational tensions|journal=Journal of Applied Communication Research|volume=46|issue=1|pages=14–18|doi=10.1080/00909882.2018.1426711|s2cid=149004681|issn=0090-9882}}</ref> Proactive resilience is dealing with issues at hand before they cause a possible shift in the work environment and post resilience maintaining communication and accepting changes after an incident has happened. Resilience can be applied to any organization.
In New Zealand, the Canterbury University Resilient Organisations programme developed an assessment tool for benchmarking the Resilience of Organisations.<ref>{{cite web |url=http://www.resorgs.org.nz |date=March 22, 2011 |title=Resilient Organisations}}</ref> It covers 11 categories, each having 5 to 7 questions. A ''Resilience Ratio'' summarizes this evaluation.<ref>{{cite web |url=https://resiliencei.com/resilience-diagnostic |title=Resilience Diagnostic |date=November 28, 2017}}</ref>
===Continuity===
Plans and procedures are used in business continuity planning to ensure that the critical organizational operations required to keep an organization running continue to operate during events when key dependencies of operations are disrupted. Continuity does not need to apply to every activity which the organization undertakes. For example, under [[ISO 22301|ISO 22301:2019]], organizations are required to define their business continuity objectives, the minimum levels of product and service operations which will be considered acceptable and the [[#Maximum RTO|maximum tolerable period of disruption]] (MTPD) which can be allowed.<ref>ISO, [https://www.bsigroup.com/globalassets/Documents/iso-22301/resources/iso-22301-implementation-guide-2016.pdf ISO 22301 Business Continuity Management: Your implementation guide], published, accessed 20 February 2021</ref>
A major cost in planning for this is the preparation of audit compliance management documents; automation tools are available to reduce the time and cost associated with manually producing this information.
==Inventory==
Planners must have information about:
* Equipment
* Supplies and suppliers
* Locations, including other offices and [[Backup site|backup]]/work area recovery (WAR) sites
* Documents and documentation, including which have off-site backup copies:<ref name=D.BCP/>
** Business documents
** Procedure documentation
==Analysis==
The analysis phase consists of:
* Impact analysis
* Threat and risks analysis
* Impact scenarios
Quantifying of loss ratios must also include "dollars to defend a lawsuit."<ref>{{Cite web|url=http://www.jcrcny.org/wp-content/uploads/2013/10/EmergencyManual.2.0.pdf |archive-url=https://ghostarchive.org/archive/20221009/http://www.jcrcny.org/wp-content/uploads/2013/10/EmergencyManual.2.0.pdf |archive-date=2022-10-09 |url-status=live|title=Emergency Planning}}</ref> It has been estimated that a dollar spent in loss prevention can prevent "seven dollars of disaster-related economic loss."<ref>{{cite web |website=RI.gov |title=Can your Organization survive a natural disaster? |url=http://www.riema.ri.gov/berhodyready/files/Session_1_Business%20Continuity.pdf |archive-url=https://ghostarchive.org/archive/20221009/http://www.riema.ri.gov/berhodyready/files/Session_1_Business%20Continuity.pdf |archive-date=2022-10-09 |url-status=live
| author=Helen Clark |date=August 15, 2012}}</ref>
===Business impact analysis (BIA)===
A business impact analysis (BIA) differentiates [[Critical system|critical]] (urgent) and non-critical (non-urgent) organization functions/activities. A [[Mission-essential function|function]] may be considered critical if dictated by law.
Each function/activity typically relies on a combination of constituent components in order to operate:
* Human resources (full-time staff, part-time staff, or contractors)
* IT systems
* Physical assets (mobile phones, laptops/workstations etc.)
* Documents (electronic or physical)
For each function, two values are assigned:
* Recovery point objective (RPO) – the acceptable latency of data that will not be recovered. For example, is it acceptable for the company to lose 2 days of data?<ref>{{cite web |last1=May|first1=Richard|title=Finding RPO and RTO |url=http://www.virtualdcs.co.uk/blog/business-continuity-planning-rpo-and-rto.html|url-status=dead |archive-url=https://web.archive.org/web/20160303224604/http://www.virtualdcs.co.uk/blog/business-continuity-planning-rpo-and-rto.html|archive-date=2016-03-03}}</ref> The recovery point objective must ensure that the maximum tolerable data loss for each activity is not exceeded.
* Recovery time objective (RTO)&nbsp; – the acceptable amount of time to restore the function
==== Maximum RTO ====
Maximum time constraints for how long an enterprise's key products or services can be unavailable or undeliverable before stakeholders perceive unacceptable consequences have been named as:
* {{visible anchor|Maximum tolerable period of disruption}} (MTPoD)
* Maximum tolerable downtime (MTD)
* Maximum tolerable outage (MTO)
* Maximum acceptable outage (MAO)<ref>{{cite web |title=Maximum Acceptable Outage (Definition) |url=http://www.riskythinking.com/glossary/maximum_acceptable_outage.php |access-date=4 October 2018 |website=riskythinking.com |publisher=Albion Research Ltd.}}</ref><ref>{{cite web |title=BIA Instructions, BUSINESS CONTINUITY MANAGEMENT - WORKSHOP | url=http://www.driecentral.org/biainstructions.pdf |archive-url=https://ghostarchive.org/archive/20221009/http://www.driecentral.org/biainstructions.pdf |archive-date=2022-10-09 |url-status=live |website=driecentral.org |access-date=4 October 2018 |publisher=Disaster Recovery Information Exchange (DRIE) Central}}</ref>
According to ISO 22301 the terms ''maximum acceptable outage'' and ''maximum tolerable period of disruption'' mean the same thing and are defined using exactly the same words.<ref>{{cite web |title=Plain English ISO 22301 2012 Business Continuity Definitions |url=http://www.praxiom.com/iso-22301-definitions.htm |website=praxiom.com |publisher=Praxiom Research Group LTD. |access-date=4 October 2018}}</ref> Some standards use the term ''maximum downtime limit''.<ref>{{cite web |url=https://www.ncsc.gov.bh/assets/static_images/policies/baseline-cybersecurity-controls-v1.pdf |page=12 |title=Baseline Cyber Security Controls |publisher=[[Ministry of Interior (Bahrain)|Ministry of Interior]] - National Cyber Security Center |year=2022}}</ref>
====Consistency====
When more than one system crashes, recovery plans must balance the need for data consistency with other objectives, such as RTO and RPO.
<ref name=OpsBLog.Consistency>{{cite web |url=https://www.opscentre.com/blog/2016/03/22/recovery-consistency-objective |title=The Rise and Rise of the Recovery Consistency Objective |access-date=September 9, 2019 |date=2016-03-22 |archive-date=2020-09-26 |archive-url=https://web.archive.org/web/20200926060225/https://www.opscentre.com/blog/2016/03/22/recovery-consistency-objective/ |url-status=dead }}</ref> '''Recovery Consistency Objective''' (RCO) is the name of this goal. It applies [[data consistency]] objectives, to define a measurement for the consistency of distributed business data within interlinked systems after a disaster incident. Similar terms used in this context are "Recovery Consistency Characteristics" (RCC) and "Recovery Object Granularity" (ROG).<ref>"How to evaluate a recovery management solution." West World Productions, 2006 [http://www.thefreelibrary.com/How+to+evaluate+a+recovery+management+solution-a0147748661]</ref>
While RTO and RPO are absolute per-system values, RCO is expressed as a percentage that measures the deviation between actual and targeted state of business data across systems for process groups or individual business processes.
The following formula calculates RCO with "n" representing the number of business processes and "entities" representing an abstract value for business data:
<math>\text{RCO} = 1 - \frac{(\text{number of inconsistent entities})_n}{(\text{number of entities})_n}</math>
100% RCO means that post recovery, no business data deviation occurs.<ref>{{cite web |author1=Josh Krischer  |author2=Donna Scott |author3=Roberta J. Witty |title=Six Myths About Business Continuity Management and Disaster Recovery |publisher=Gartner Research | url=http://www.gartner.com/it/content/868800/868812/six_myths_about_bcm.pdf |archive-url=https://ghostarchive.org/archive/20221009/http://www.gartner.com/it/content/868800/868812/six_myths_about_bcm.pdf |archive-date=2022-10-09 |url-status=live}}</ref>
===Threat and risk analysis (TRA)===
After defining recovery requirements, each potential threat may require unique recovery steps (contingency plans or playbooks). Common threats include:
{{columns-list|colwidth=18em|
* [[Epidemic]]/pandemic
* [[Earthquake]]
* Fire
* [[Flood]]
* [[Hacker (computer security)|Cyber attack]]
* [[Sabotage]] (insider or external threat)
* [[Hurricane]] or other major storm
* [[Power outage]]
* Water outage (supply interruption, contamination)
* Telecomms outage
* IT outage
* [[Terrorism]]/[[Piracy]]
* [[War]]/civil disorder
* Theft (insider or external threat, vital information or material)
* Random failure of mission-critical systems
* Single point dependency
* Supplier failure
* Data corruption
* Misconfiguration
* Network outage
}}
The above areas can cascade: Responders can stumble. Supplies may become depleted. During the 2002–2003 [[SARS]] outbreak, some organizations compartmentalized and rotated teams to match the [[incubation period]] of the disease. They also banned in-person contact during both business and non-business hours. This increased [[Resilience (organizational)|resiliency]] against the threat.
===Impact scenarios===
Impact scenarios are identified and documented:
* need for medical supplies<ref>{{cite journal|doi=10.1016/j.ijpe.2009.10.004 |title=Medical supply location and distribution in disasters}}{{clarify|reason={{pipe}}doi= does not match {{pipe}}title=|date=December 2021}}</ref>
* need for transportation options<ref>{{cite web
  |url=https://scholar.google.com/scholar_url?url=https://orbi.uliege.be/bitstream/2268/8333/1/JORS_Barbarosoglu_Arda_2004.pdf%26hl=en%26sa=X%26scisig=AAGBfm0xx_ynzP503rz-gtdgZVSN_h-m7w%26nossl=1%26oi=scholarr |archive-url=https://ghostarchive.org/archive/20221009/https://orbi.uliege.be/bitstream/2268/8333/1/JORS_Barbarosoglu_Arda_2004.pdf%26hl=en%26sa=X%26scisig=AAGBfm0xx_ynzP503rz-gtdgZVSN_h-m7w%26nossl=1%26oi=scholarr |archive-date=2022-10-09 |url-status=live
  |title=transportation planning in disaster recovery  |website=SCHOLAR.google.com}}</ref>
* civilian impact of nuclear disasters<ref>{{Cite web|url=https://www.globalsecurity.org/security/library/report/2004/hsc-planning-scenarios-jul04_exec-sum.pdf |archive-url=https://ghostarchive.org/archive/20221009/https://www.globalsecurity.org/security/library/report/2004/hsc-planning-scenarios-jul04_exec-sum.pdf |archive-date=2022-10-09 |url-status=live|title=PLANNING SCENARIOS Executive Summaries}}</ref>
* need for business and data processing supplies<ref>{{cite magazine
  |author=Chloe Demrovsky
  |title=Holding It All Together
  |magazine=Manufacturing Business Technology |date=December 22, 2017}}</ref>
These should reflect the widest possible damage.
==Tiers of preparedness==
[[SHARE (computing)|SHARE]]'s seven tiers of [[disaster recovery]]<ref>developed by SHARE's Technical Steering Committee, working with IBM</ref> released in 1992, were updated in 2012 by IBM as an eight tier model:<ref name=IBM.2012>{{cite web
|url=https://share.confex.com/share/118/webprogram/Handout/Session10387/Session%2010387%20Business%20Continuity%20Soloution%20Selection%20Methodology%2003-7-2012.pdf |archive-url=https://ghostarchive.org/archive/20221009/https://share.confex.com/share/118/webprogram/Handout/Session10387/Session%2010387%20Business%20Continuity%20Soloution%20Selection%20Methodology%2003-7-2012.pdf |archive-date=2022-10-09 |url-status=live
|title=A Business Continuity Solution Selection Methodology |publisher=IBM Corp.
|author=Ellis Holman  |date=March 13, 2012}}</ref>
* '''Tier 0''' – '''No off-site data''' • Businesses with a Tier 0 Disaster Recovery solution have no Disaster Recovery Plan. There is no saved information, no documentation, no backup hardware, and no contingency plan. Typical recovery time: ''The length of recovery time in this instance is unpredictable''. In fact, it may not be possible to recover at all.
*'''Tier 1''' – '''Data backup with no Hot Site''' • Businesses that use Tier 1 Disaster Recovery solutions back up their data at an off-site facility. Depending on how often backups are made, they are prepared to accept ''several days to weeks of data loss'', but their backups are secure off-site. However, this Tier lacks the systems on which to restore data. Pickup Truck Access Method (PTAM).
*'''Tier 2''' – '''Data backup with Hot Site''' • Tier 2 Disaster Recovery solutions make regular backups on tape. This is combined with an off-site facility and infrastructure (known as a hot site) in which to restore systems from those tapes in the event of a disaster. This tier solution will still result in the need to recreate several hours to days worth of data, but ''it is less unpredictable in recovery time''. Examples include: PTAM with Hot Site available, IBM Tivoli Storage Manager.
*'''Tier 3''' – '''Electronic vaulting''' • Tier 3 solutions utilize components of Tier 2. Additionally, some mission-critical data is electronically vaulted. This electronically vaulted data is typically more current than that which is shipped via PTAM. As a result there is ''less data recreation or loss after a disaster occurs''.
*'''Tier 4''' – '''Point-in-time copies''' • Tier 4 solutions are used by businesses that require both greater data currency and faster recovery than users of lower tiers. Rather than relying largely on shipping tape, as is common in the lower tiers, Tier 4 solutions begin to incorporate more disk-based solutions. ''Several hours of data loss is still possible'', but it is easier to make such point-in-time (PIT) copies with greater frequency than data that can be replicated through tape-based solutions.
*'''Tier 5''' – '''Transaction integrity''' • Tier 5 solutions are used by businesses with a requirement for consistency of data between production and recovery data centers. There is ''little to no data loss'' in such solutions; however, the presence of this functionality is entirely dependent on the application in use.
*'''Tier 6''' – '''Zero or little data loss''' • Tier 6 Disaster Recovery solutions ''maintain the highest levels of data currency''. They are used by businesses with little or no tolerance for data loss and who need to restore data to applications rapidly. These solutions have no dependence on the applications to provide data consistency.
*'''Tier 7''' – '''Highly automated, business-integrated solution''' • Tier 7 solutions include all the major components being used for a Tier 6 solution with the additional integration of automation. This allows a Tier 7 solution to ensure consistency of data above that of which is granted by Tier 6 solutions. Additionally, recovery of the applications is automated, allowing for restoration of systems and applications much faster and more reliably than would be possible through manual Disaster Recovery procedures.
==Solution design==
Two main requirements from the impact analysis stage are:
* For IT: the minimum application and data requirements and the time in which they must be available.
* Outside IT: preservation of hard copy (such as contracts). A process plan must consider skilled staff and embedded technology.
This phase overlaps with [[ disaster recovery |disaster recovery planning]].
The solution phase determines:
* [[Crisis management]] command structure
* Telecommunication architecture between primary and secondary work sites
* [[Data replication]] methodology between primary and secondary work sites
* [[Backup site]] with applications, data and work space
=={{anchor|published standards}} Standards==
===ISO Standards ===
There are many standards that are available to support business continuity planning and management.<ref name="Tierney">{{cite journal |last1=Tierney |first1=Kathleen |title=Disaster Governance: Social, Political, and Economic Dimensions |journal=Annual Review of Environment and Resources |date=21 November 2012 |volume=37 |issue=1 |pages=341–363 |doi=10.1146/annurev-environ-020911-095618 |s2cid=154422711 |language=en |issn=1543-5938|doi-access=free }}</ref><ref name="Partridge">{{cite book |last1=Partridge |first1=Kevin G.  |date= 2011 |last2=Young |first2=Lisa R. |title=CERT® Resilience Management Model (RMM) v1.1: Code of Practice Crosswalk Commercial Version 1.1 |url=https://apps.dtic.mil/sti/pdfs/ADA585451.pdf |publisher=Carnegie Mellon University |location=Pittsburgh, PA |access-date=5 January 2023}}</ref>
The [[International Organization for Standardization]] (ISO) has for example developed a whole series of standards on Business continuity management systems <ref>{{Cite web|url=https://www.iso.org/committee/5259148/x/catalogue/p/1/u/0/w/0/d/0|title=ISO - ISO/TC 292 - Security and resilience |website=International Organization for Standardization}}</ref> under responsibility of technical committee [[ISO/TC 292]]:
* [[ISO 22300]]:2021 Security and resilience – Vocabulary  (Replaces [[ISO 22300]]:2018 Security and resilience - Vocabulary and  [[ISO 22300]]:2012 Security and resilience - Vocabulary.)<ref>{{Cite web|url=https://www.iso.org/cms/render/live/en/sites/isoorg/contents/data/standard/06/84/68436.html|title=ISO 22300:2018|website=ISO|date=12 July 2019 }}</ref>
* [[ISO 22301]]:2019 Security and resilience – Business continuity management systems – Requirements  (Replaces [[ISO 22301]]:2012.)<ref>{{Cite web|url=https://www.iso.org/cms/render/live/en/sites/isoorg/contents/data/standard/07/51/75106.html|title=ISO 22301:2019|website=ISO|date=5 June 2023 }}</ref>
* [[ISO 22313]]:2020 Security and resilience – Business continuity management systems – Guidance on the use of ISO 22301 (Replaces  [[ISO 22313]]:2012 Security and resilience - Business continuity management systems - Guidance on the use of ISO 22301.)<ref>{{Cite web|url=https://www.iso.org/cms/render/live/en/sites/isoorg/contents/data/standard/07/51/75107.html|title=ISO 22313:2020|website=ISO}}</ref>
* [[ISO/TS 22317]]:2021 Security and resilience – Business continuity management systems – Guidelines for business impact analysis - (Replaces ISO/TS 22315:2015 Societal security – Business continuity management systems – Guidelines for business impact analysis.)<ref>{{Cite web|url=https://www.iso.org/standard/79000.html|title=Iso/Ts 22317:2021}}</ref>
* [[ISO/TS 22318]]:2021 Security and resilience – Business continuity management systems – Guidelines for supply chain continuity (Replaces ISO/TS 22318:2015 Societal security — Business continuity management systems — Guidelines for supply chain continuity.)<ref>{{Cite web|url=https://www.iso.org/standard/79001.html|title=Iso/Ts 22318:2021}}</ref>
* [[ISO/TS 22330]]:2018 Security and resilience – Business continuity management systems – Guidelines for people aspects on business continuity (Current as of 2022.)<ref>{{Cite web|url=https://www.iso.org/cms/render/live/en/sites/isoorg/contents/data/standard/05/00/50067.html|title=ISO/TS 22330:2018|website=ISO|date=12 July 2019 }}</ref>
* [[ISO/TS 22331]]:2018 Security and resilience – Business continuity management systems – Guidelines for business continuity strategy - (Current as of 2022.)<ref>{{Cite web|url=https://www.iso.org/cms/render/live/en/sites/isoorg/contents/data/standard/05/00/50068.html|title=ISO/TS 22331:2018|website=ISO}}</ref>
* [[ISO/TS 22332]]:2021 Security and resilience – Business continuity management systems – Guidelines for developing business continuity plans and procedures (Current as of 2022.)<ref>{{Cite web|url=https://www.iso.org/standard/50069.html|title=Iso/Ts 22332:2021}}</ref>
* [[ISO/IEC/TS 17021-6]]:2014 Conformity assessment – Requirements for bodies providing audit and certification of management systems – Part 6: Competence requirements for auditing and certification of business continuity management systems.<ref>{{Cite web|url=https://www.iso.org/cms/render/live/en/sites/isoorg/contents/data/standard/06/49/64956.html|title=ISO/IEC TS 17021-6:2014|website=ISO}}</ref>
* ISO/IEC 24762:2008 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services (withdrawn)<ref>{{cite web |title=ISO/IEC 24762:2008 |url=https://www.iso.org/standard/41532.html |website=ISO |date=6 March 2008 |access-date=5 January 2023 |language=en}}</ref>
* ISO/IEC 27001:2022 [[Information security]], cybersecurity and privacy protection — Information security management systems — Requirements. (Replaces ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements.)<ref>{{cite web |title=ISO/IEC 27001:2022 |url=https://www.iso.org/standard/82875.html |website=ISO |access-date=5 January 2023 |language=en}}</ref>
* ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls. (Replaces ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls.)<ref>{{cite web |title=ISO/IEC 27002:2022 |url=https://www.iso.org/standard/75652.html |website=ISO |access-date=5 January 2023 |language=en}}</ref>
* [[ISO/IEC 27031]]:2011 Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity.<ref>{{cite web |title=ISO/IEC 27031:2011 |url=https://www.iso.org/standard/44374.html |website=ISO |date=5 September 2016 |access-date=5 January 2023 |language=en}}</ref>
* ISO/PAS 22399:2007 Societal security - Guideline for incident preparedness and operational continuity management (withdrawn)<ref>{{cite web |title=ISO/PAS 22399:2007 |url=https://www.iso.org/standard/50295.html |website=ISO |date=18 June 2012 |access-date=5 January 2023 |language=en}}</ref>
* IWA 5:2006 Emergency Preparedness (withdrawn)<ref>{{cite web |title=IWA 5:2006 |url=https://www.iso.org/standard/44985.html |website=ISO |access-date=5 January 2023 |language=en}}</ref>
===British standards===
The [[British Standards Institution]] (BSI Group) released a series of standards which have since been withdrawn and replaced by the ISO standards above.
* [[BS 7799]]-1:1995 -  peripherally addressed information security procedures. (withdrawn)<ref>{{cite web |title=BS 7799-1:1995 Information security management - Code of practice for information security management systems |url=https://knowledge.bsigroup.com/products/information-security-management-code-of-practice-for-information-security-management-systems/standard |website=BSI Group |access-date=5 January 2023}}</ref>
* [[BS 25999]]-1:2006 - Business continuity management Part 1: Code of practice (superseded, withdrawn)<ref>{{cite web |title=BS 25999-1:2006 Business continuity management - Code of practice |url=https://knowledge.bsigroup.com/products/bs-25999-1-2006-business-continuity-management-code-of-practice/standard |website=BSI Group |access-date=5 January 2023}}</ref>
* BS 25999-2:2007 Business Continuity Management Part 2: Specification (superseded, withdrawn)<ref>{{cite web |title=BS 25999-2:2007 (USA Edition) Business continuity management - Specification |url=https://knowledge.bsigroup.com/products/business-continuity-management-specification-1/standard |website=BSI Group |access-date=5 January 2023}}</ref>
* 2008: BS 25777, Information and communications technology continuity management. Code of practice. (withdrawn)<ref>{{cite web |title=BS 25777:2008 (Paperback) Information and communications technology continuity management. Code of practice |url=https://knowledge.bsigroup.com/products/information-and-communications-technology-continuity-management-code-of-practice-1/standard |website=BSI Group |access-date=5 January 2023}}</ref>
Within the UK, BS 25999-2:2007 and BS 25999-1:2006 were being used for business continuity management across all organizations, industries and sectors. These documents give a practical plan to deal with most eventualities—from extreme weather conditions to terrorism, IT system failure, and staff sickness.<ref>British Standards Institution (2006). Business continuity management-Part 1: Code of practice :London</ref>
In 2004, following crises in the preceding years, the UK government passed the [[Civil Contingencies Act 2004|Civil Contingencies Act of 2004]]: Businesses must have continuity planning measures to survive and continue to thrive whilst working towards keeping the incident as minimal as possible.
The Act was separated into two parts:
Part 1: civil protection, covering roles & responsibilities for local responders
Part 2: emergency powers.<ref>Cabinet Office. (2004). overview of the Act. In: Civil Contingencies Secretariat Civil Contingencies Act 2004: a short. London: Civil Contingencies Secretariat</ref>
In the United Kingdom, resilience is implemented locally by the [[Local Resilience Forum]].<ref>{{cite web |title=July 2013 (V2) The role of Local Resilience Forums: A reference document |url=https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/62277/The_role_of_Local_Resilience_Forums-_A_reference_document_v2_July_2013.pdf |website=Cabinet Office |access-date=5 January 2023}}</ref>
===Australian standards===
* HB 292-2006, "A practitioners guide to business continuity management"<ref>{{cite web |title=HB HB 292—2006 Executive Guide to Business Continuity Management |url=https://www.saiglobal.com/PDFTemp/Previews/OSH/as/misc/handbook/HB292-2006.pdf |website=Standards Australia |access-date=5 January 2023}}</ref>
* HB 293-2006, "Executive guide to business continuity management"<ref>{{cite web |title=HB 293—2006 Executive Guide to Business Continuity Management |url=https://www.saiglobal.com/PDFTemp/Previews/OSH/as/misc/handbook/HB293-2006.pdf |website=Standards Australia |access-date=5 January 2023}}</ref>
===United States===
* [[NFPA 1600|NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs]] (2010). ''[[National Fire Protection Association]]''. (superseded).<ref>{{cite book |title=NFPA 1600, Standard on Disaster/Emergency Management and Business Continuity Programs |date=2010 |publisher=National Fire Protection Association |location=Quincy, MA |isbn=978-161665005-6 |edition=2010 |url=https://www.nfpa.org/assets/files/AboutTheCodes/1600/1600-10-PDF.pdf}}</ref>
* [[NFPA 1600, Standard on Continuity, Emergency, and Crisis Management]] (2019, current standard), ''[[National Fire Protection Association]]''.<ref>{{cite web |title=A Comprehensive Overview of the NFPA 1600 Standard |url=https://www.alertmedia.com/blog/nfpa-1600/ |website=AlertMedia |access-date=4 January 2023 |language=en |date=29 January 2019}}</ref>
* [[United States federal government continuity of operations|Continuity of Operations]] (COOP) and National Continuity Policy Implementation Plan (NCPIP), United States Federal Government<ref name="overview"/><ref>{{cite web |title=NATIONAL CONTINUITY POLICY IMPLEMENTATION PLAN Homeland Security Council August 2007 |url=https://emilms.fema.gov/IS0545/documents/NCPIP_August_2007_508_Compliant.pdf |website=FEMA |access-date=5 January 2023}}</ref><ref>{{cite web |title=Continuity Resources and Technical Assistance {{!}} FEMA.gov |url=https://www.fema.gov/emergency-managers/national-preparedness/continuity |website=FEMA |access-date=5 January 2023 |language=en}}</ref>
* Business Continuity Planning Suite, DHS National Protection and Programs Directorate and FEMA.<ref>{{cite web |title=Continuity of operations: An overview |url=https://www.fema.gov/pdf/about/org/ncp/coop_brochure.pdf |website=FEMA |access-date=5 January 2023}}</ref><ref>{{cite web |title=Business {{!}} Ready.gov |url=https://www.ready.gov/business |website=www.ready.gov |access-date=5 January 2023}}</ref><ref>{{cite web |title=Business Continuity Planning Suite {{!}} Ready.gov |url=https://www.ready.gov/business-continuity-planning-suite |website=www.ready.gov |access-date=5 January 2023}}</ref><ref name="overview">{{cite web |title=Business Continuity Plan {{!}} Ready.gov |url=https://www.ready.gov/business-continuity-plan |website=www.ready.gov |access-date=5 January 2023}}</ref>
*  ASIS SPC.1-2009, Organizational Resilience: Security, Preparedness, and Continuity Management Systems - Requirements with Guidance for Use, [[American National Standards Institute]]<ref>{{cite book |title=ASIS SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems - Requirements with Guidance for Use |date=2009 |publisher=American National Standards Institute |isbn=978-1-887056-92-2 |url=https://www.ndsu.edu/fileadmin/emgt/ASIS_SPC.1-2009_Item_No._1842.pdf}}</ref>
==Implementation and testing==
The implementation phase involves policy changes, material acquisitions, staffing and testing.
===Testing and organizational acceptance===
The 2008 book ''Exercising for Excellence'', published by The [[British Standards Institution]] identified three types of exercises that can be employed when testing business continuity plans.
* '''Tabletop exercises''' - a small number of people concentrate on a specific aspect of a BCP. Another form involves a single representative from each of several teams.
* '''Medium exercises''' - Several departments, teams or disciplines concentrate on multiple BCP aspects; the scope can range from a few teams from one building to multiple teams operating across dispersed locations. Pre-scripted "surprises" are added.
* '''Complex exercises''' - All aspects of a medium exercise remain, but for maximum realism no-notice activation, actual evacuation and actual invocation of a disaster recovery site is added.
While start and stop times are pre-agreed, the actual duration might be unknown if events are allowed to run their course.
==Maintenance==
Biannual or annual maintenance cycle maintenance of a BCP manual<ref name=AUdoc>{{Cite web|url=https://publications.qld.gov.au/dataset/05765d5a-91b3-45fd-af43-699ede65dd8a/resource/63f7d2dc-0f40-4abb-b75f-7e6acfeae8f3/download/businesscontinuityplantemplate.doc|title=Business Continuity Plan Template}}</ref> is broken down into three periodic activities.
* Confirmation of information in the manual, roll out to staff for awareness and specific training for critical individuals.
* Testing and verification of technical solutions established for recovery operations.
* Testing and verification of organization recovery procedures.
Issues found during the testing phase often must be reintroduced to the analysis phase.
===Information and targets===
The BCP manual must evolve with the organization, and maintain information about '''who has to know what''':
* A series of checklists
** Job descriptions, skillsets needed, training requirements
** Documentation and document management
* Definitions of terminology to facilitate timely communication during [[disaster recovery]],<ref>{{Cite web|url=https://drii.org/resources/viewglossary|title=Glossary &#124; DRI International|website=drii.org}}</ref>
* Distribution lists (staff, important clients, vendors/suppliers)
* Information about communication and transportation infrastructure (roads, bridges)<ref>{{cite web  |website=CMS.gov
|url=https://www.cms.gov/Medicare/Medicare-Contracting/FFSProvCustSvcGen/Downloads/Disaster-Recovery-Plan-Checklist.pdf |archive-url=https://ghostarchive.org/archive/20221009/https://www.cms.gov/Medicare/Medicare-Contracting/FFSProvCustSvcGen/Downloads/Disaster-Recovery-Plan-Checklist.pdf |archive-date=2022-10-09 |url-status=live  |title=Disaster Recovery Plan Checklist}}</ref>
===Technical===
Specialized technical resources must be maintained. Checks include:
* [[Computer virus|Virus]] definition distribution
* Application security and service patch distribution
* Hardware operability
* Application operability
* Data verification
* Data application
===Testing and verification of recovery procedures===
Software and work process changes must be documented and validated, including verification that documented work process recovery tasks and supporting disaster recovery infrastructure allow staff to recover within the predetermined recovery time objective.<ref>{{cite web
|title=Validation of a Disaster Management Metamodel (DMM) |author=Othman
|url=https://scholar.google.com/scholar_url?url=http://ro.uow.edu.au/cgi/viewcontent.cgi%253Farticle%253D2748%2526context%253Deispapers%26hl=en%26sa=X%26scisig=AAGBfm0CkEknKpMQtJeZBAWSgF_CqnzjNg%26nossl=1%26oi=scholarr |website=SCHOLAR.google.com}}</ref>
==See also==
==See also==
{{columns-list|colwidth=22em|
{{columns-list|colwidth=22em|

Version vom 16. November 2024, 12:43 Uhr

Business continuity planning

Beschreibung

Anhang

Siehe auch

Links

Weblinks

TMP

See also

Vorlage:Columns-list

References

Vorlage:Reflist

Further reading

External links

Vorlage:Sister project links

Vorlage:Authority control Vorlage:Aspects of organizations

  1. https://en.wikipedia.org/wiki/Business_continuity_planning