1.1 SCOPE
Defining the management procedures for business continuity and disaster recovery.
2 DESCRIPTION OF ACTIVITIES
2.1 OPERATIONAL IMPACT ANALYSIS AND RISK ASSESSMENT
The information collected within the organization from an operational impact analysis and risk assessment provides the foundation for an effective business continuity management program.
In preparing the Business Impact Analysis (BIA) and the risk assessment, the company defines risk scenarios: tools for predicting the possible damage and the resulting consequences for the organization.
These scenarios are defined based on an understanding of the context and vulnerabilities, and based on reference events whose occurrence is considered more likely.
The evaluation of these risk scenarios, aimed at an immediate assessment of losses, is particularly important for defining the Business Continuity plan.
The company achieves its objectives by delivering its services to stakeholders. Therefore, it is important to create an understanding of the negative impact over time that the failure to deliver these products or services and associated activities could have on the organization's objectives and operations.
The BIA, which represents the analysis of operational impact, maps the critical business processes (where critical does not mean the least performing processes, but the most important or core business processes which, if not restored within the defined objectives, could compromise the organization's very survival). For each of these processes it identifies the level of criticality, the impact on the business, the recovery time (recovery time objectives), and the resources required for the service to be restored and to continue at acceptable levels.
From the BIA, the company defines specific indicators such as:
- Maximum Acceptable Outage (MAO)
- Maximum Tolerable Period of Disruption (MTPD)
- Minimum Business Continuity Objective (MBCO)
- Recovery Point Objective (RPO)
- Recovery Time Objective (RTO)
These indicators are necessary to define the Business Continuity Strategy and the Business Continuity Plan.
In addition to the BIA, the organization establishes, implements, and maintains a formal and documented risk assessment process that systematically identifies, analyzes, and evaluates the risks of disaster incidents for the organization.
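As an added illustration, not part of the procedure document, the following Python script shows how the BIA indicators listed above (MTPD, RTO, RPO, MBCO) can be checked against what the recovery arrangements actually deliver, and how they yield a recovery priority order for the plan. The process names, figures and the `RecoveryCapability` fields are constructed sample data; the script assumes MAO and MTPD express the same threshold and that MBCO is expressed as a fraction of normal capacity.

```python
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class ProcessBIA:
    """Indicators the BIA assigns to one critical business process."""
    name: str
    mtpd: timedelta   # Maximum Tolerable Period of Disruption (treated here as equal to MAO)
    rto: timedelta    # Recovery Time Objective: target time to restore the process
    rpo: timedelta    # Recovery Point Objective: tolerable window of lost data
    mbco: float       # Minimum Business Continuity Objective as a fraction of normal capacity


@dataclass(frozen=True)
class RecoveryCapability:
    """What the recovery arrangements actually deliver (measured, not assumed). Hypothetical fields."""
    backup_interval: timedelta    # time between restorable copies of the process data
    measured_recovery: timedelta  # restore time observed in the most recent exercise
    fallback_capacity: float      # fraction of normal throughput the fallback arrangement sustains


def check_process(bia: ProcessBIA, cap: RecoveryCapability) -> list[str]:
    """Return one finding per gap between the BIA targets and the real capability."""
    findings: list[str] = []
    # The plan must bring the process back before the disruption becomes intolerable.
    if bia.rto > bia.mtpd:
        findings.append(f"RTO {bia.rto} exceeds MTPD {bia.mtpd}: target unachievable by definition")
    # The last exercise is the only evidence that the RTO can actually be met.
    if cap.measured_recovery > bia.rto:
        findings.append(f"measured recovery {cap.measured_recovery} exceeds RTO {bia.rto}")
    # Data lost after a restore is bounded by the backup interval, so it must not exceed the RPO.
    if cap.backup_interval > bia.rpo:
        findings.append(f"backup interval {cap.backup_interval} exceeds RPO {bia.rpo}")
    # The fallback must sustain at least the minimum acceptable service level.
    if cap.fallback_capacity < bia.mbco:
        findings.append(f"fallback capacity {cap.fallback_capacity:.0%} below MBCO {bia.mbco:.0%}")
    return findings


def assess(plan: list[tuple[ProcessBIA, RecoveryCapability]]) -> dict[str, list[str]]:
    """Map every process name to its list of findings (empty list means the targets are met)."""
    return {bia.name: check_process(bia, cap) for bia, cap in plan}


def recovery_order(bias: list[ProcessBIA]) -> list[str]:
    """Processes ordered by how soon they must be back: shortest MTPD first, RTO as tie-break."""
    return [b.name for b in sorted(bias, key=lambda b: (b.mtpd, b.rto))]


H, D = timedelta(hours=1), timedelta(days=1)

# Constructed sample plan: three processes with their BIA targets and measured capability.
SAMPLE_PLAN = [
    (ProcessBIA("order-processing", mtpd=24 * H, rto=8 * H, rpo=1 * H, mbco=0.5),
     RecoveryCapability(backup_interval=4 * H, measured_recovery=6 * H, fallback_capacity=0.6)),
    (ProcessBIA("payroll", mtpd=72 * H, rto=96 * H, rpo=24 * H, mbco=0.3),
     RecoveryCapability(backup_interval=24 * H, measured_recovery=48 * H, fallback_capacity=0.2)),
    (ProcessBIA("internal-wiki", mtpd=7 * D, rto=48 * H, rpo=24 * H, mbco=0.1),
     RecoveryCapability(backup_interval=24 * H, measured_recovery=12 * H, fallback_capacity=1.0)),
]

if __name__ == "__main__":
    print("Recovery priority:", recovery_order([b for b, _ in SAMPLE_PLAN]))
    for name, findings in assess(SAMPLE_PLAN).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run stand-alone, the script reports the gaps in the sample data: a backup interval that cannot satisfy the RPO of order processing, and for payroll an RTO that is longer than the period the business can tolerate plus a fallback below the minimum continuity objective. The internal wiki meets all four targets.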
2.2 OPERATIONAL CONTINUITY STRATEGY
Determining the operational continuity strategy involves identifying the actions necessary to address the findings of the operational impact analysis and risk assessment, in order to meet the organization's operational continuity objectives.
The determination and selection of an operational continuity strategy are based on the outcome of the operational impact analysis and risk assessment.
The consolidation, continuation, recovery, and resumption of priority activities consider other related activities and their supporting resources.
The Business Continuity strategy determines:
- Protection of priority activities
- Stabilization, continuation, recovery, and resumption of priority activities and their dependencies
- Mitigation, by responding to the impact through management
The determination of the strategy includes the approval of the timeline for activity resumption.
The company also evaluates the Business Continuity capabilities of suppliers that impact its business processes.
2.3 BUSINESS CONTINUITY PLAN
The main contents of the Business Continuity Plan include:
- Purpose and scope
- Criteria for evaluating response effectiveness
- Criteria for activating the response
- Response procedures
- Crisis management responsibilities
- Communications
- Interfaces
- Resources
- Information flows
The Business Continuity Plan also includes the Disaster Recovery plan.
In particular, the Business Continuity Plan assesses:
- Roles, responsibilities, and authorities for each procedure/activity
- Incident management and crisis declaration
- Contact information for each documented procedure
- Communication methods
- Implementation procedure, identifying the actions and tasks to be performed
The company reviews the procedures for the recovery of operational activities. The goal of recovery is to resume the operational activities that support normal business operations following a disruptive event.
Return to normalcy can be achieved through:
- Repairing damages resulting from the incident
- Migrating activities from temporary locations to the main recovered location
- Relocating to a new location
2.4 DISASTER RECOVERY PLAN
The Disaster Recovery (DR) Plan details the necessary phases for restoring the resources (hardware, software, infrastructure, etc.) used for service delivery by the company.
The DR plan outlines the operational procedures needed to accurately assess the emergency/disaster situation that prevents the normal delivery of services by the company.
The document "Business Continuity and Disaster Recovery Plan" also describes the various phases for restoring the telecommunication system, recovering data, and configuring procedures to contain the emergency and initiate the subsequent return to normal operational conditions.
2.5 EXERCISES AND TESTING
The company's business continuity procedures and related preparations cannot be considered reliable until they have been verified through exercises and their upkeep is assured.
Exercising is essential to ensure that strategies, policies, plans, and procedures that have been implemented are adequate and can meet the business continuity objectives. Exercises promote teamwork, competence, confidence, and knowledge, involving those who may need to use the procedures.
Elements of exercises and testing include:
- Exercise program
- Exercises related to business continuity plans
The company has designed scenarios that meet the objectives of the exercises, using threats identified in the risk analysis or other appropriate events.
The company has determined:
- Annual exercise program
- Minutes of exercises conducted, including evaluation of outcomes and analysis of any deviations from expectations