Question 1
Describe a Business Continuity Management System including its BIA Strategies, plans, and Tests and Exercises that would be appropriate for the Organization. Justify your chosen strategies and type of exercises.
Question 2.
A) Outline key/distinguishing characteristics and objectives of Emergency Management, Crisis Management, Disaster Recovery Planning and Business Continuity Management. Provide brief examples of relevant past real-world incidents requiring initiation of each of these activities.
B) What is Business Continuity Management? List and explain in detail the three elements of BCM.
C) What are the most common approaches to executing a BIA? Mention the four main elements of a BIA.
Question 3.
A) Distinguish between Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
B) What is an important consideration when identifying RTOs? Illustrate your answer with practical real world examples.
C) Describe in detail what an Emergency Operations Center is and give the differences between Cold, Warm and Hot Sites.
Provide references for the answers.
Answer 1
A Business Impact Analysis (BIA) anticipates the consequences of disruptions that can occur in a business and collects the information needed to develop recovery strategies. It should identify the operational and financial impacts of a disruption to the business. Potential loss scenarios should be predicted during a risk assessment, since it is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident or emergency.
A successful BIA consists of five elements, which are used to support the disaster recovery and contingency plans for business continuity planning:
Contingency planning is creating reactions ahead of time for different circumstances that may affect business. A good contingency plan should also address negative and positive events that may disrupt operations.
The possibility of a situation that adversely impacts operations in a business can be predetermined to avoid those situations. If the response to the situation is poor, it might have a dramatic impact on the future of the business, such as loss of data, loss of customers, or even the loss of the business.
A good contingency plan should include any event that might interrupt operations. Some of the areas to be included in the plan are:
Implementing information security recovery strategies at the hospital is crucial for the proper working of hospitals. Disaster recovery planning (DRP) is getting more priority than anything else, since healthcare organizations have transformed into digital environments. Due to this, there will be large amounts of data, creating complications in storage, recovery and security. To protect against these complicated situations, healthcare IT executives must analyze current risks in their disaster recovery planning.
Different strategies that can be implemented are:
RTO refers to how much time an application can be down without causing significant damage to the business. Some applications can be down for days without significant consequences. Some high priority applications can only be down for a few seconds without incurring employee irritation, customer anger and lost business.
RTO is not simply the duration of time between loss and recovery. The objective also accounts for the steps IT must take to restore the application and its data. If IT has invested in failover services for high priority applications, then they can safely express RTO in seconds. (IT must still restore the on-premises environment. But since the application is processing in the cloud, IT can take the time it needs.)
Your RTO mission is to categorize applications by priority and potential business loss and match your resources accordingly. For example, typical plans for near-zero RTOs will require failover services. 4-hour RTOs allow for on-premises recovery starting with bare metal restore and ending with full application and data availability. For 8+ hour RTOs, IT may sign maintenance contracts with local system integrators.
RPO: Recovery Point Objective
Recovery point objectives refer to your company’s loss tolerance: the amount of data that can be lost before significant harm to the business occurs. The objective is expressed as a time measurement from the loss event to the most recent preceding backup.
If you back up all or most of your data in regularly scheduled 24-hour increments, then in the worst-case scenario you will lose 24 hours’ worth of data. For some applications this is acceptable. For others it is absolutely not.
For example, if you have a 4-hour RPO for an application then you will have a maximum 4-hour gap between backup and data loss. Having a 4-hour RPO does not necessarily mean you will lose 4 hours’ worth of data. Should a word processing application go down at midnight and come up by 1:15 am, you might not have much (or any) data to lose. But if a busy application goes down at 10 am and isn’t restored until 2:00 pm, you will potentially lose 4 hours’ worth of highly valuable, perhaps irreplaceable data. In this case, arrange for more frequent backup that will let you hit your application-specific RPO.
Depending on application priority, individual RPOs typically range from 24 hours, to 12, to 8, to 4; down to near-zero measured in seconds. 8-hour-plus RPOs might be able to take advantage of your existing backup solution as long as it has a minimum impact on your production systems. 4-hour RPOs will need scheduled snapshot replication, and near-zero RPOs will require continuous replication. In cases where both the RPO and RTO are near-zero, combine continuous replication with failover services for near-100% application and data availability.
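The RPO and RTO tiers described above can be checked against an actual backup history. The following is an added example, not part of the original answer: it measures data loss as the time from a loss event back to the most recent preceding backup, finds the worst-case gap in a schedule, and maps each objective to the method the text pairs with it. The application names, the sample schedules, the one-minute meaning of "near-zero" and the 8-hour cut-off between tiers are assumptions.

```python
from bisect import bisect_right
from datetime import datetime, timedelta

NEAR_ZERO = timedelta(minutes=1)   # assumption: "near-zero" means under a minute
TIERS = {  # methods the text pairs with near-zero, ~4-hour and 8-hour-plus objectives
    "rpo": ("continuous replication", "scheduled snapshot replication", "existing backup solution"),
    "rto": ("failover services", "on-premises bare metal restore", "maintenance contract with local system integrator"),
}

def method(kind, objective):
    """Pick the method for an RPO or RTO; the 8-hour cut-off is an assumption."""
    near_zero, mid, high = TIERS[kind]
    if objective <= NEAR_ZERO:
        return near_zero
    return mid if objective < timedelta(hours=8) else high

def data_loss(backups, loss_event):
    """Time from the loss event back to the most recent preceding backup (sorted input)."""
    i = bisect_right(backups, loss_event)
    if i == 0:
        raise ValueError("no backup precedes the loss event")
    return loss_event - backups[i - 1]

def worst_case_loss(backups, window_end):
    """Largest gap between consecutive backups, including the gap still open at window_end."""
    points = sorted(backups) + [window_end]
    return max(b - a for a, b in zip(points, points[1:]))

def audit(apps, window_end):
    """Return (name, worst_case_loss, meets_rpo, rpo_method, rto_method) per application."""
    report = []
    for name, rpo, rto, backups in apps:
        worst = worst_case_loss(backups, window_end)
        report.append((name, worst, worst <= rpo, method("rpo", rpo), method("rto", rto)))
    return report

# Constructed sample data: three hypothetical applications observed over two days.
DAY = datetime(2024, 1, 1)
DAILY = [DAY + timedelta(hours=24 * d) for d in range(3)]        # midnight backups
FOUR_HOURLY = [DAY + timedelta(hours=4 * n) for n in range(13)]  # snapshot every 4 hours
WINDOW_END = DAY + timedelta(hours=48)
APPS = [
    ("patient-records", timedelta(hours=4), timedelta(seconds=30), DAILY),
    ("word-processing", timedelta(hours=24), timedelta(hours=8), DAILY),
    ("billing", timedelta(hours=4), timedelta(hours=4), FOUR_HOURLY),
]
```

Calling `audit(APPS, WINDOW_END)` flags `patient-records`: its daily backups leave a 24-hour worst case against a 4-hour RPO, so the schedule has to move to snapshot replication.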