Dan Swanson’s Security Resources: #8

This week’s resources are focused on the challenging and closely related subjects of business continuity planning (BCP) and disaster recovery programs (DRP). Being able to recover from a disaster is critical to an organization’s long term success, as something is going to happen eventually.



Making sure management and IT staff both understand the business requirements for BCP and DR is the first step. Resourcing the program effort is the next step! Read on … (for help).




Good luck and have another great week.


Dan Swanson



1. What Should Your Business Continuity Efforts Focus On?
A Reader Asks: Should your business continuity program (BCP) consider the impacts of emerging threats and changing business practices, and what are the key issues involved today? 

The Auditor Responds: Short answer – Your BCP and disaster recovery programs should be designed to respond to a wide variety of potential incidents, covering both man-made disasters, such as power-grid or environmental control failures, and natural disasters, such as hurricanes and mass staff outages due to epidemics.

The long answer: http://www.itcinstitute.com/display.aspx?ID=20902.

2. Business Continuity Planning Standards and Guidelines


Regulatory compliance requirements influence many of the information security practitioner’s roles and responsibilities, including the development of a business continuity plan. In this excerpt from Chapter 1: Contingency and Continuity Planning of “Business Continuity and Disaster Recovery for InfoSec Managers,” John W. Rittinghouse and James F. Ransome outline the regulatory requirements that should be addressed when establishing and maintaining a business continuity plan. 


3. Business Continuity Impact Analysis

The Business Impact Analysis (BIA) is the backbone of the entire business continuity exercise or, at least, it should be if handled correctly. Even so, it cannot stand alone and without full support, approval and backing from the highest level of management, the exercise will not achieve its full potential. A well-executed BIA can make the difference between a fully developed, robust business continuity plan, and a mediocre one.


Business Impact Analysis – http://www.vccs.edu/its/models/bia.htm

BIA Templates at CCEP – http://www.ccep.ca/ccepbcp3.html

4. Generally Accepted Business Continuity Practices

  1. Project Initiation and Management
  2. Risk Evaluation and Control
  3. Business Impact Analysis
  4. Developing Business Continuity Strategies
  5. Emergency Response and Operations
  6. Developing Business Continuity
  7. Training and Awareness
  8. Maintaining and Exercising Business Continuity Plans
  9. Public Relations and Crisis Communications
  10. Coordination with Public

5. Resources regarding the “Insider Threat” issue

Leading resources consolidated by Gideon – truly an excellent repository on an important issue.

6. FIRST is the global Forum for Incident Response and Security Teams.

FIRST is the premier organization and recognized global leader in incident response. Membership in FIRST enables incident response teams to more effectively respond to security incidents – reactive as well as proactive. FIRST brings together a variety of computer security incident response teams from government, commercial, and educational organizations. FIRST aims to foster cooperation and coordination in incident prevention, to stimulate rapid reaction to incidents, and to promote information sharing among members and the community at large.



