A business continuity plan (BCP) is a proactive plan created by an organization to continue business operations if there is an interruption due to an attack or a natural disaster. A business impact analysis (BIA) is a review of how much the organization will be impacted by an interruption. Creating an impact analysis and a continuity plan is critical to an organization’s success, because it prepares the organization for any event that may affect the integrity and productivity of the company.
The business impact analysis is largely about collecting data and devising the company’s plan from this data. The BIA should tell us what the company’s maximum acceptable outage, or maximum tolerable period of disruption, will be. This is how long we can afford to have downtime before it affects the company by becoming an indirect cost. One thing to consider in an impact analysis is what type of environment your IT department runs in relation to the organization. Will the downtime of your systems drastically hurt the company, with time spent down equaling money lost? The BIA will identify the stakeholders, that is, those who benefit from the accomplishments of the company. The BIA will identify the critical business functions, which are anything that the company cannot operate functionally without. The BIA will identify the recovery-critical resources, which could be hardware, software, supporting infrastructure, and any critical personnel. It will also identify recovery priorities: the order, from highest to lowest priority, in which resources are ranked according to their maximum acceptable outage.
The business continuity plan should include the company’s mission-critical systems and the business impact analysis. The scope of the BCP should be clearly defined; it should state locations, critical systems, employees, and vendors. The BCP should include any incidents specific to an organization’s location, such as instances where outages could occur due to hurricanes, tornadoes, earthquakes, recurring power outages, and security attacks. The strategy will give the specifics of the BCP: specific locations, how notifications are sent out, and the key employees responsible for certain areas. It will list the sensitivity of data that could be compromised during an attack and what should be done to protect it and recover systems. It will list an order of succession in the case of physical disaster. Once there is some sort of recovery, it will discuss the reconstitution phase: how to return the organization to normal function, or as close to normal as possible.