Business continuity

Business Continuity is the activity performed by an organization to ensure that critical business functions will be available to customers, suppliers, regulators, and other entities that must have access to those functions. These activities include many daily chores such as project management, system backups, change control, and help desk. Business Continuity is not something implemented at the time of a disaster; Business Continuity refers to those activities performed daily to maintain service, consistency, and recoverability.

The foundation of Business Continuity is the policies, guidelines, standards, and procedures implemented by an organization. All system design, implementation, support, and maintenance must be based on this foundation in order to have any hope of achieving Business Continuity, Disaster Recovery, or in some cases, system support. "Business continuity is sometimes confused with disaster recovery", but they are separate entities. Disaster recovery is a small subset of business continuity.

The term Business Continuity describes a mentality or methodology of conducting day-to-day business, whereas Business Continuity Planning is an activity of determining what that methodology should be. The Business Continuity Plan may be thought of as the incarnation of a methodology that is followed by everyone in an organization on a daily basis to ensure normal operations.

The components of the Business Continuity methodology required for manifestation into a documented plan include:

Policies

Policies are those things mandated by the management of an organization that will always be performed according to a preset design plan, and supporting all business functions within an organization.

Guidelines

Guidelines are those things which are recommended to be performed according to a preset design plan. However depending upon the needs and requirements of the target business function, these items may or may not be performed, or may be altered during implementation.

tandards

Standards consist of the technical specifications for the implementation of all business functions, and are derived from the Policies and Guidelines.

Procedures

Procedures are the step-by-step instructions for the implementation of organizational Standards as applied to any business function.

Resource Planning and Deployment

The concept of business continuity implies the underlying resources are implemented and deployed in such a way, that lends itself to being re-implemented and or re-deployed on an as needed basis. This level of flexibility requires that business functions are planned and deployed beginning from an overall mentality of business continuity, and working downward to systems design. Conversly, working in the opposite direction, from the systems up, always results in inflexible business functions that are difficult to manage, maintain, and modify.

Organizational Structure

Part of business continuity is ensuring that all personnel in an organization understand which business functions are the most important to the business. This understanding must be manifested in personnel training to take over those business functions when personnel enter or leave the company during normal business operations. Redundancy of skills is also very important in the event of a disaster, when the availability of knowledgable personnel with critical skillsets may be unpredictable.

Business Impact Analysis

The entire concept of business continuity is based on the identification of all business functions within an organization, and then assigning a level of importance to each business function. A business impact analysis is the primary tool for gathering this information and assigning criticality, recovery point objectives, and recovery time objectives, and is therefore part of the basic foundation of business continuity.

It can be used to identify extend and timescale of the impact on different levels of an organization. For instance it can examine the effect of disruption on operational, functional and strategic activities of an organization.Not only the current activities but the effect of disruption on major business changes, introducing new product or services for example, can be determined by BIA.

Good practice indicates that a Business Impact Analysis should be reviewd as a minimum annualy but more frequently in the event of:
1. A particularly aggressive pace of business change
2. Significant changes in the internal business process, location or technology
3. Significant changes in the external business environment – such as market or regulatory change [BCI Good Practice Guidelines 2007]

ecurity Management

In today's global business environment, security must be the top priority in managing Information Technology. For most organizations, security is mandated by law, and conformance to those mandates is investigated regularly in the form of audits. Failure to pass security audits can have financial and management changing impacts upon an organization.

Document Management

In large Information Technology environments, personnel turnover is inevitable and must be planned as part of business continuity. The solution to the problems associated with turnover, is complete and up-to-date documentation. This insures that new personnel will have the information they need to quickly become knowledgable and productive with respect to the business functions they are tasked to support. This also implies that business function related documentation is largely generated (rather than written) from existing systems and managed in an automated manner.

Change Management

Regulations require that changes to business functions be documented and tracked for auditing purposes and is designated as "Change Control". This brings a level of stability to the business functions by requiring the support personnel to document and coordinate proposed changes to the underlying systems. As this process becomes more and more automated, the emphasis will be less upon personnel control, and more upon regulatory compliance.

Audit Management

One of the most costly and time consuming aspects of Information Technology management is dealing with auditors. One of the goals of business continuity is data center automation, which includes audit management. All modern Business functions should be designed with the concept of automatically generating the requisite audit compliance information and documentation as part of conducting day-to-day business. This dramatically reduces the time and cost associated with manually producing this information.

ervice Level Agreements

The interface between management and Information Technology is the Service Level Agreement. This provides a written contract stipulating the expectations of management with regard to the availability of a necessary business function, and the deliverables that Information Technology provides in support of that business function.

Other Components

Disaster Recovery Planning occurs as a subset of defining the Business Continuity procedures.

---

The following is a list of physical and logical entities within anInformation Technology environment which require the application of aBusiness Continuity Methodology. Applying the methodology shouldinclude the definition of things such as policies, guidelines,standards, procedures, etc., for each item in the list:

* Frames and Managed Systems
* Firmware and Microcode
* Internal and external disk storage
* Frame or Managed System Names
* Partition Names
* Node Names
* Host Names
* DNS Aliases
* Hardware Management Consoles and Console Access
* Virtualization
* Networking Design
* VLAN's
* TCP/IP Subnets
* Resource or Service Groups
* Workload Management
* Volume Groups
* Logical Volumes / Disk Partitions
* Journaling Filesystems Log
* Filesystem mount points
* User names and UID numbers
* Group names and GID numbers
* Security
* High Availability
* System Installation
* Application Installation
* Database Installation
* System Monitoring
* Application Monitoring
* Database Monitoring
* Patch Management

Planning

Links

External Links

* [http://www.triparadigm.com/bcmethodology/index.shtml Business Continuity Methodology]
* [http://www.TalkingBusinessContinuity.com Business Continuity Portal by BSI]
* [http://www.thebci.org Business Continuity Institue ]

References

[http://www.thebcicertificate.org/bci_gpg.htm BCI Good Practice Guidelines]