Business Continuity Management for Information Technology
What is BCM?
BCM is a subject that covers disaster recovery, crisis management, risk management controls and technology recovery. It explores the approach to Business Continuity in case of a disaster, with minimum resources and maximum output.
The common misperception is that BCM is a subject that applies only to the private sector, or that it is only an Information Technology concern. In practice BCM applies to every business, whether private or public, and to every department, whether IT or production. According to the Business Continuity Institute Good Practice Guidelines, BCM applies equally to management and operational staff as well as to technology and geographical location.
To begin with, I set out here the business continuity aspects for Information Technology, and will continue to write about BCM for other business segments in the near future.
Why BCM for Information Technology?
Increased dependence on IT:
Businesses that depend on information technology are the most vulnerable victims of any disaster. From data entry to month-end posting, each operation depends on various processes, including technology and human involvement. Hardware running an OS, carrying databases, running applications, entering data and collecting documents are operations that depend on each other. A disturbance in one layer can halt operations in no time.
More interactivity with outside world:
The customer database in an Excel file, which cost you several years of business, can easily be emailed to any of your competitors.
The Internet has made every computer shareable with every other computer connected to the Internet. In recent research, 10 major threats were identified for Internet users, as follows:
1 Vulnerable CGI and extensions on web servers
2 Remote Procedure (NFS and remote execution)
3 IIS Remote Data Services (for example .htr files)
4 Sendmail buffer overflow
5 Solaris sadmind and mountd
6 IMAP/POP buffer overflow or incorrect configuration
7 Default SNMP community strings set to ‘public’ and ‘private’
8 Global file sharing (NetBIOS, Macintosh web sharing, UNIX NFS)
9 Use of weak password or no password on user id
10 BIND weaknesses
Broader Availability:
Technological advancements such as Local Area Networks, Wide Area Networks and wireless networks have made data widely available to users. With a small mismanagement, the same data becomes accessible to unwanted users and can create immediate problems for your business continuity. The tender document that you planned to submit next morning can, with little effort, ruin your business targets for the year.
Making the desired data available at the desired time is the most important part of business operations. Securing network traffic and files and stopping external intrusion are part of BCM. Cold sites, warm sites and hot sites are the major modalities applied to keep data broadly available for business continuity in case of any disaster.
Explosion of Data:
In fact, data is easier to create than to manage, secure and administer. Even a small network of users carries several formats and types of data travelling spontaneously. Application data (entered by an application into a database such as Oracle or SQL DB), documented data (quotations, proposals, inquiries, contacts), emails (PST files) and various independent applications are the sources on which any IT operation depends. For any business that depends on computers in its operations, all of these are equally important. Managing this data is a thorough activity, and making it available in case of any disaster is a serious responsibility.
Risks Abound
When applying BCM to IT segments, the following risks are to be addressed comprehensively:
• Viruses and worms
• Human error
• Employee sabotage
• Hackers
• Power outages and infrastructure issues
• Natural disasters
• Terrorist and other attacks
• Hardware and software failure
Figures don’t lie:
43 percent of companies that experience a disaster but have no BCP in place ever reopen. 90 percent of them are out of business in two years.
(University of Texas study)
80 percent of companies indicated they had been the subjects of a hostile attack in the form of hacking, viruses or Denial of Service attacks. (IDC survey)
From Where to Start?
1) Know your Business
Having identified the mission-critical processes and functions, it is important to determine what the impact would be upon the organization’s goals if these were disrupted or lost. Once those critical processes and functions have been identified, a risk assessment can be conducted to identify the many threats to these processes. Whatever risks the organization faces, there are relatively few effects, for example: loss of critical system(s), site or personnel, or denial of access to systems and premises, all of which produce similar disruption. To this end, the Business Impact Analysis enables the organization to focus risk assessments on essential business elements rather than conduct a global risk-specific analysis. The process will also take into account the time sensitivity of each business function / process to disruption, and this information will determine the recovery objectives.
2) Define the threats
As an old saying goes, “knowing your enemy is more important than knowing your friends”. In the same context, it is important to define each threat to your business continuity. At the end of this activity, you will notice that many possibilities exist, such as:
• Do nothing – in some instances the board may consider the risk commercially acceptable
• Changing or ending the process – deciding to alter existing procedures must be done bearing in mind the organization’s key focus
• Insurance – provides financial recompense / support in the event of loss, but does not provide protection for brand and reputation
• Loss Mitigation – tangible procedures to eliminate / reduce risk
• Business Continuity Planning – an approach that seeks to improve organizational resilience to interruption, allowing for the recovery of key Business and systems processes within the recovery time frame objective, whilst maintaining the organization’s critical functions.
3) Documentation of Plan
The core document, carrying all this information and planning, will be the Business Continuity Plan (BCP-Manual). This document brings together the actions to be taken at the time of an incident, who is involved and how they are to be contacted. The plan or plans must reflect the current position of the organization and all its stakeholders. A BCP should be designed to provide recovery of the organization within the recovery time objectives established during the BIA process.
In developing the plan, consideration must be given to:
• The use of planning aids, plan development and maintenance tools
• Inclusion of job descriptions for those involved in delivering the plan
• What action plans and checklists should be provided
• What information databases and other supporting documentation are required
• The recovery team description, responsibilities and organization
• Support staff required including recovery and group co-ordinators
• The location and equipping of the Emergency (Crisis) Operations Center
Conclusion
Sufficient research on Business Continuity Management and Planning is available from several portals, associations and groups on the Internet. BCP is more a continuous process than a generic plan, so regular research and amendment of the plan is the most appropriate way to keep your plan practically applicable in case of any disaster. Specialized consulting is also available for this segment from various companies within the region.
Experts say that the “best thing for any BCP is that disaster should not occur”, but this statement is no reason to relax.
Links for more resources
http://www.dri.org
http://www.acp-international.com/partners.html
http://www.continuitycentral.com/contact.htm
http://www.plan-it-control-it.com/
http://www.globalcontinuity.com/
Views, comments and critics are always appreciated at
gawasti@yahoo.com
Me-bcp@yahoogroups.com
Writer’s Profile
I am a graduate in IT and have served in various organizations in Saudi Arabia, with intense observation of the regional growth in the IT sector, especially IS security, over the last six years. I was recently engaged with E-Security Gulf Group WLL to execute the business operation in Saudi Arabia. I can be contacted for any details or clarifications on this subject at gawasti@yahoo.com or cell +966-059660016. More details can also be downloaded from