
Your single source for Education

in IT Governance, Risk and Controls

www.technodyneuniversity.com

CBCP Axioms
General – 10 Domains of Business Continuity

1. Project initiation and management
2. Risk evaluation and control
3. Business impact analysis (BIA)
4. Developing business continuity management strategies
5. Emergency response and operations
6. Developing and implementing business continuity plans
7. Awareness and training program
8. Exercising and maintaining business continuity plans
9. Crisis communications
10. Coordination with external agencies

Domain 1 – Project Initiation and Management

1. The pre-planning process includes domains 1, 2, and 3, which are project initiation and management, risk
evaluation and control, and business impact analysis
2. The planning process includes domains 4, 5, and 6, which are developing business continuity strategies,
emergency response and operations, and developing and implementing business continuity plans
3. The post-planning process includes domains 7, 8, 9, and 10, which are awareness and training programs,
maintaining and exercising business continuity plans, public relations and crisis communications, and
coordinating with public authorities
4. Everything in an organization starts from its policies. The most important thing to support a BC project is for
the executives to issue a policy statement supporting business continuity
5. Policy statement sets the tone for the BC program
6. BC program costs are evaluated based on its perceived value to the organization’s management
7. Disaster recovery is related to IT activities; Business continuity is related to recovery of business processes.
Disaster recovery is a subset of business continuity.
8. Business continuity is one project and is for the entire organization
9. BC planning usually results in a change to the normal operations of an organization.
10. A disaster is an unplanned and sudden calamitous incident. It renders the organization unable to provide
critical business functions for a period of time. It results in loss to the organization at an unacceptable
level.
11. Minor inconvenience is NOT a disaster. Whether it is minor inconvenience or a disaster depends upon
RTO(s) of critical business processes.
12. You always plan for a disaster happening at the worst possible time
13. Business continuity plan is a set of preparations and procedures for responding to a disaster which have
been agreed upon and approved by the management
14. Recovery procedures should not have dependency upon key individuals or SMEs (subject matter experts).
Such experts could be on vacation or be injured or be away to take care of their family affairs
15. Business continuity plan is written by the process owners, not BC/DR coordinators. Nobody understands
business better than business unit owners (aka functional managers).
16. IT people are responsible for the disaster recovery. Business unit owners are responsible for the business
continuity.
17. Board of directors and executives have the ultimate responsibility for business continuity. Business
continuity coordinator does not have that fiduciary responsibility so long as negligence is not a factor
18. People/entities affected by the disaster include stakeholders (equity holders), employees, and customers
19. Business Unit Owners are responsible for protecting an organization’s assets and resources involving
business processes

©Copyright Jay Ranade and TechnoDyne University


Proprietary and Confidential – Not for resale or distribution
Jayranade@technodyneuniversity.com; Jayranade@aol.com
Page 1

20. Business continuity coordinator’s job has four parts: collect information related to the project, assimilate
that information and present it to the management, provide recommendations to the management, and
implement decisions of the management
21. BC planning is done only for those things which are recoverable. There is no need for BC planning for
things which cannot be recovered
22. BC project builds the process that builds the BC plan and it continues indefinitely
23. There is usually resistance to change in every organization, and the BC project is a change, hence it faces
resistance. Resistance must be amicably countered by teamwork, communications, and an awareness program
24. One of the ways to counter employee resistance to BC plan is to stress upon the benefits such as
sustainability and survivability of the organization which in a positive way affects the employment of
personnel. Also, emphasize safety of employees in case of an adverse incident
25. Resistance to the BC project can be mitigated through formal means such as meetings and presentations or
through informal means such as elevator talk, personal meetings and discussing over lunch and planting the
seeds of BC project’s significance
26. It is good practice to deliver a short-term BC plan before you deliver the long-term plan (e.g. for the next 3 years).
27. BC project is a planned endeavor which has specific goals and results to be achieved at a specific time
28. Deliverable of the BC Project is the BC Program. BC project has a discrete beginning and end, however,
the BC program lives on, and has no end.
29. BC project plan should include resources needed for project- personnel, equipment, funding, and time
schedules
30. BC project is discrete in the sense that it has a specific beginning and end point.
31. BC project has complex interdependencies between various elements
32. BC project has a defined and precise objective. It is a one-of-a-kind project for each organization; you
cannot use a cookie-cutter approach for a BC project
33. A Business Continuity Project has 7 distinct phases: 1. project initiation phase (including problem
definition), 2. functional requirements phase, 3. design and development phase, 4. implementation phase, 5.
testing and exercising phase, 6. maintenance and updating of plans phase, and 7. execution phase.
Execution phase occurs only when an incident happens that requires invocation of the BC plan.
34. Phase 1 and 2 of the BC project cover pre-plan phase plus part of planning phase i.e. domains 1,2, 3,
and 4
35. Phase 3 and 4 of the BC project cover the Planning phase i.e. domains 5 and 6
36. Phase 5 and 6 of the BC project cover the post-plan phase i.e. domains 7 and 8
37. Phase 7 of the BC project is the plan activation/execution phase and covers domains 9 and 10
38. BC project initiation phase (phase 1) begins with a mission that has defined goals and objectives. It builds a
process consisting of procedures to reach that goal. It has both responsibility and proper accountability.
39. It is very important to develop a glossary of terms during project initiation phase (phase 1) so that
communications between different personnel is accurate and precise
40. In the Project initiation phase (phase 1), objectives are defined. Eventually you build the program so that all
business units have a BC plan
41. In project initiation phase (phase 1), assumptions are defined and CSF (critical success factors) are laid out.
One major assumption is that the resources for the project will be available.
42. Functional requirements phase (phase 2) includes risk analysis (domain 2) and business impact analysis
(domain 3).
43. In functional requirements phase (phase 2), you gather facts which help the organization arrive at decisions.
These facts are gathered from individuals as well as from documentation. Always validate the facts
gathered during this phase from an alternate source.
44. BC project change requests while the BC planning project is in progress are not unusual. Such requests must
come from a user, be accepted by the BC project manager, and be signed by all the parties. The project plan
might need to be modified due to such a change request. Resources may need to be reallocated or
reassigned, or the resource requirement may increase.
45. Three responsibilities of the BC project manager in critical order are: define project objectives, establish
project framework, and develop the plan.


46. Every project has an associated risk called “Project Risk”. Project manager must assess such project risk.
Causes of “project risk” could be but are not limited to project complexity, loss of funding, risk from
personnel etc.
47. There are certain things which must be taken care of upfront in a BC project. An emergency response team
must be created to respond to incidents. Their responsibility is to coordinate, control, and communicate
during an incident. Executive management must issue a BC policy statement. Functional managers must be
made aware of their responsibilities, which include protection of people and assets and support of the BC
policy. An asset protection committee must be formed, which also performs the damage assessment during
an incident and provides for insurance from a risk management perspective.
48. Voice communications become very important during an incident. In general, voice communications
requirements increase tremendously during an incident. The BC project must consider this essential element.
49. What are the six Rs of business continuity/disaster recovery? Reduce/Ready, respond, recover, resume,
restore, return
50. From Business Continuity Coordinator’s perspective, ALL areas of the organization are involved for BC
project. BC Coordinator leads the effort and maintains the overall plan. BC plan is revised at least once a
year or as changes occur that warrant plan updates
51. BC planning and implementation increases the business cost before an incident but saves the cost or
reduces the losses after an incident.

Domain 2 – Risk Evaluation and Control

1. A threat exploits a vulnerability to cause damage to an asset which creates risks of availability,
confidentiality, or integrity. You put controls in place to mitigate such risks. When risk mitigation has
reached a level where management is comfortable, they accept such residual risk. BC primarily deals with
the risk of availability, but to some extent also integrity and confidentiality.
2. In BC planning, risk analysis activities include identification of threats (e.g. earthquake, hurricane,
terrorism, flooding etc), vulnerabilities, and controls. Recommendations must be made to reduce risk to a
level where it is acceptable to the management.
3. Remember, what is called risk in common parlance is in fact a threat. Examples of threats are earthquake,
hurricane, tornado, flooding, lack of system documentation, over-dependence on a subject matter expert
with no backup, terrorism, tsunamis etc. A threat's goal is to damage or destroy an asset by exploiting its
vulnerabilities.
4. Risk Analysis (RA) is done at a very high level; for example, it would be done to reduce risk for a building
or a plant. Business Impact Analysis (BIA) is done at the business process level. A building could support
many business processes, or a business process may span many buildings.
5. Risk is also exposure to loss of asset, or potential loss of an asset, causation of injury, danger to business
etc.
6. Threat is a cause; Risk is the effect.
7. Threat is an event that can cause loss.
8. Threats can be natural or man-made.
9. Deteriorating work ethic is a threat which increases the chance that someone may do something against the
organization.
10. Document those situations where threats are outside your control and report them to the BC team and
management
11. Vulnerability is also the probability, i.e. the chance, of being hurt
12. Quantitative risk assessment assigns a monetary value to the damage, loss, or asset value.
13. Preventive control in risk analysis assumes that it is better and more cost effective to prevent a disaster than
to recover from one.
14. Implementation of controls mitigates the effect of a threat by plugging the vulnerability (or vulnerabilities).
15. Risk cannot (repeat: cannot) be eliminated. It can only be mitigated.
16. Quantitative risk depends upon likelihood (frequency) of occurrence of an incident and impact of each such
occurrence of that incident


17. Risk’s impact can be on personnel, organization’s processes/operations, assets, and the business mission of
the company.
18. Purpose of risk evaluation and control implementation is to prevent a risk from occurring in the first place
or to mitigate its impact if it occurs anyway.
19. DRII definition: Threat is an event that causes a vulnerability to become an actual loss to the company asset
20. DRII definition: Vulnerability is an exposure to an event that can cause actual loss to company assets
21. DRII: Threat is a cause. Vulnerability is a probability. Risk is the effect (on the assets)
22. Example 1: Power outage is the threat. Control is UPS and/or diesel generator. Example 2: Tsunami is a
threat. Vulnerability of Zagreb to tsunami is zero. So, risk is zero from that threat. Example 3: Leakage of
gases from a chemical factory is a threat (e.g. the Bhopal incident in India). Vulnerability of human beings is
high. A control cannot be implemented. So, risk is unavoidable. Such a risk is called inherent risk.
23. Some of the important assets of an organization are: facility/building, computer hardware, computer
applications, personnel, inventory of raw and finished goods, telecommunications network, voice/data
communications equipment, power supply, environmental protection, security, system software, data,
manufacturing plant/equipment, customers and users etc
24. Personnel are the most important asset under any circumstances. Data and information are a key asset which,
if lost or destroyed, cannot be recreated in the absence of backups. Building or infrastructure is next in
importance.
25. During risk analysis phase - identify existing controls, analyze value of new controls, and recommend
controls
26. ALE (annualized loss expectancy) = frequency of occurrence of an event on an annualized basis × impact
of each occurrence in monetary units
27. The ALE model has two shortcomings: it does not address the time dimension of the problem (e.g. a hurricane
happens in fall, not in spring), and it does not address benefit distribution amongst multiple controls
28. Risk controls must be identified and their effect on risk mitigation evaluated and their value to the
organization determined. Risks must be mitigated to an extent where the residual risk is acceptable to the
management.
29. Remember that the cost of implementing controls can be CAPEX as well as OPEX. Annual cost is OPEX plus the
amortized cost of CAPEX.
30. Most threats occur during off hours (think why)
31. An organization may be exposed to risk for threats which occur outside its physical boundary or for threats
which are outside its areas of control (give examples of 9/11 and other cases)
32. After an incident, when personnel have to implement recovery procedures, excessive work and related
stress could be a threat to recovery operations.
33. Lack of documentation is a threat to disaster recovery
34. Avoid single points of failure (SPFs) for power supply. Don't let power lines come from a single power
grid or go through a single conduit.
35. Avoid SPFs for communications lines. Implement techniques like diverse routing, alternate routing, and
avoiding communications lines entering the building through a single conduit.
36. Quantitative risk analysis is objective, its result is a monetary value; Qualitative risk analysis is subjective,
its result is a relative value (low, medium, high) or intangible risk (reputational risk, credibility risk, loss of
customers, loss of brand name)
37. What is a control? It can be a process, a procedure, or a device.
38. Types of controls can be physical or procedural.
39. Policy is a procedural control.
40. Control can deter a threat from occurring, or mitigate its impact if it DOES occur.
41. Controls can be preventive, detective, corrective, or deterrent.
42. In BC, you apply preventive controls when you plan and prepare, apply detective controls to detect when
incident occurs, mitigate its impact shortly thereafter (emergency response), and apply corrective controls
to recover when it is safe to do so.
43. BC Planning is a preventive control. When implemented after an incident, it is a corrective control.
44. Example of physical controls: fire detection system, fire suppression system, card entry control system,
security guards


45. Examples of Procedural controls: employee hiring and termination policies, document receipting, clean
desk policy
46. Since budgetary considerations are always important, implementation of controls must be prioritized using a
risk-based approach. It means that areas of high risk must be handled first.
47. Risk analysis must be conducted at least annually or if a significant change has occurred. Significant
change could be a major reorganization, mergers and acquisitions, change of business, or change of key
people.
48. Purpose of doing periodic (annual) risk analysis is to determine when the previously deployed controls are
no longer viable and need to be reconsidered.
49. What is an internal threat? Lack of security and lack of documentation.
50. What is the purpose of risk analysis? To apply controls to mitigate/reduce risk
51. Quantitative risk analysis is objective in nature; Qualitative risk analysis is subjective in nature.
52. What are the benefits of Risk Analysis? Disaster avoidance and cost effective controls.
53. Who receives the BC reports? Senior management, line and function management, and audit department
54. How long do you keep vital records? Seven years or as dictated by the company policy.
55. Perform critical component failure analysis (aka Monte Carlo Analysis) to determine single points of
failures.
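Axioms 26 to 29 and 46 above (ALE, annual control cost as OPEX plus amortized CAPEX, residual risk acceptable to management, and risk-based prioritization of controls) worked through in code. This is an added example, not part of the original cram sheet; the threats, figures and controls are constructed, and the `frequency_factor`/`impact_factor` fields are an assumed way of modelling how much of an event's frequency or per-occurrence impact a control removes.

```python
"""Quantitative risk analysis helpers for BC planning (constructed example):
ALE per threat, annual cost of a control as OPEX plus amortized CAPEX,
and a risk-based ranking of which controls to fund first.
All threats, figures and controls below are made up for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    annual_frequency: float  # expected occurrences per year
    impact: float            # monetary loss per occurrence

    def ale(self) -> float:
        # ALE = annualized frequency of occurrence x impact per occurrence (axiom 26)
        return self.annual_frequency * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    threat: str                    # name of the threat this control addresses
    capex: float                   # one-time implementation cost
    opex: float                    # recurring annual cost
    life_years: int                # amortization period for the CAPEX
    frequency_factor: float = 1.0  # assumed: fraction of occurrences left after the control
    impact_factor: float = 1.0     # assumed: fraction of per-occurrence loss left after the control

    def annual_cost(self) -> float:
        # Annual cost is OPEX plus amortized CAPEX (axiom 29).
        return self.opex + self.capex / self.life_years

    def residual_ale(self, threat: Threat) -> float:
        return threat.ale() * self.frequency_factor * self.impact_factor


def evaluate_controls(threats, controls):
    """One row per control: ALE before, residual ALE after, annual cost and
    net annual benefit. Rows are ordered risk-first (highest-ALE threat
    first, axiom 46) and then by net benefit within a threat."""
    by_name = {t.name: t for t in threats}
    rows = []
    for c in controls:
        t = by_name[c.threat]
        residual = c.residual_ale(t)
        cost = c.annual_cost()
        rows.append({
            "control": c.name,
            "threat": t.name,
            "ale_before": t.ale(),
            "ale_after": residual,
            "annual_cost": cost,
            "net_benefit": (t.ale() - residual) - cost,
        })
    rows.sort(key=lambda r: (-r["ale_before"], -r["net_benefit"]))
    return rows


def recommend(threats, controls, residual_appetite: float):
    """For each threat pick the cheapest control that brings residual ALE
    within management's appetite (axiom 28). A threat with no such control
    maps to None: that is inherent risk to report for management's
    acceptance (axiom 22), not something the analyst can engineer away."""
    rows = evaluate_controls(threats, controls)
    chosen = {}
    for t in sorted(threats, key=lambda t: -t.ale()):
        candidates = [r for r in rows
                      if r["threat"] == t.name and r["ale_after"] <= residual_appetite]
        chosen[t.name] = (min(candidates, key=lambda r: r["annual_cost"])["control"]
                          if candidates else None)
    return chosen


# Constructed sample data, not from any real organization.
THREATS = [
    Threat("power outage", annual_frequency=2.0, impact=50_000),
    Threat("flooding", annual_frequency=0.1, impact=400_000),
    Threat("loss of sole SME", annual_frequency=0.5, impact=30_000),
    Threat("regional chemical release", annual_frequency=0.01, impact=2_000_000),
]
CONTROLS = [
    Control("UPS + diesel generator", "power outage", capex=120_000, opex=8_000,
            life_years=10, frequency_factor=0.1),
    Control("surge protectors only", "power outage", capex=5_000, opex=0,
            life_years=5, frequency_factor=0.8),
    Control("flood barriers + pumps", "flooding", capex=60_000, opex=1_000,
            life_years=20, impact_factor=0.25),
    Control("cross-training + documentation", "loss of sole SME", capex=0,
            opex=6_000, life_years=1, impact_factor=0.2),
]

if __name__ == "__main__":
    for row in evaluate_controls(THREATS, CONTROLS):
        print(f"{row['control']:32} ALE {row['ale_before']:>9,.0f} -> {row['ale_after']:>8,.0f}"
              f"  cost {row['annual_cost']:>8,.0f}  net {row['net_benefit']:>+9,.0f}")
    print(recommend(THREATS, CONTROLS, residual_appetite=12_000))
```

The chemical-release threat has no control in the list, so `recommend` returns None for it: the inherent-risk case of axiom 22, which must go to management rather than be silently dropped.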

Domain 3 – Business Impact Analysis (BIA)

1. The lower the RTO, the more expensive it is for an organization
2. Recovery time objective (RTO) is the time period within which a critical business process must be recovered;
failing to recover it within that period results in irreversible loss, possibly leading the business to fail
3. RTO is also called MTD (maximum tolerable downtime).
4. RTO (or MTD) starts at the time of disruption.
5. BCP starts as a project and then continues as a process
6. In BCP project, BIA is step # 2 (risk analysis is step # 1)
7. In BCP process, BIA is step # 1
8. In BIA, first establish value and criticality of each organizational business unit as they bring value to the
whole organization and relate to total organization. This process determines the criticality of each unit.
9. After criticality of each business unit has been determined, identify critical resources (personnel, data,
servers, communications equipment etc) that will be needed for recovery strategy
10. After criticality has been determined, prioritize the restoration of the function of that business unit in case
of disaster.
11. What is the difference between an interview and a questionnaire during BIA determination process?
Interview is conversational and interviewer maintains the control. Questionnaire is simple and logical and
good for consistency of answering structure
12. What are the key success factors of an interview? Consistency, conversational, and maintenance of control
by the interviewer
13. What’s the difference between RA and BIA? Risk Analysis (RA) is done at a very high level; for example,
it would be done to reduce risk for a building or a plant. Business Impact Analysis (BIA) is done at the
business process level. A building could support many business processes, or a business process may span
many buildings.
14. During BIA, all business processes are considered before it is determined if they are critical or not (or
important vs. non-important)
15. In BIA, a business process is separated into its constituent elements. Those elements could be manual,
automated (means IT-dependent), or may have interface with external elements (something not within the
control of an organization). Detailed examination of those elements is required for BIA.
16. During BIA, assess impact of an outage on a business process being considered. Consider time criticality of
the business process and impact of its non-availability on the total organization function. For example
month-end is a critical time for processing.
17. During BIA, determine non-IT recovery resources as well as IT recovery resources (data,
telecommunications, servers etc) required to recover the business process


18. Always determine interdependence between business processes, because it will determine the recovery
strategy and priority
19. Remember that business process(es) is the driver in BIA.
20. During disaster recovery, business functions or application systems are restored only to an acceptable level
of operational capability.
21. After a disruption, this is what you have to do during/within RTO: recover data to RPO, recover IT
operations and business operations, start acceptable level of business operations with current and accurate
data in order to continue business
22. Objective of BIA planning is to determine criticality of business functions, find critical dependencies,
determine impact of disruptions on business, and figure out critical resources needed to recover.
23. Characteristics of a good questionnaire during BIA are simplicity, ease of understanding, logical flow,
oriented towards target audience, precision, and closed-end questions (force an answer, either yes or no, or
a choice from a list)
24. Sometimes even business process owners may not understand significance of their area, because they take
everything for granted. An experienced interviewer will pull required information out of business folks.
25. Facts collected during interview must be validated from other sources.
26. During BIA planning some of the considerations are to find out any SLA associated with that business
process, any upstream or downstream dependencies, and time-dependent impacts such as financial
objectives, service objectives, legal/regulatory repercussions, competitor’s position etc
27. Some of the important documents needed for reference by the BIA analyst are: organization’s mission
statement, service objective, annual report, policies, and organizational chart. Also do not ignore new hire
documentation package, since it is prepared by HR and usually is complete.
28. Do not overlook considerations such as manual workarounds and possible manual procedures as temporary
substitute for IT processes, because they can make the RTO longer which makes BC plans more cost
effective (management likes it)
29. Do not ignore consideration for a business process getting affected at the critical time periods like a critical
time of the day or month-end or year-end.
30. Take into account legal, regulatory, and SLA requirements to determine RTO
31. There are not only tangible impacts (financial) of an interruption, but also intangible impacts like customer
service, reputation, customer loyalty, brand etc
32. The quantitative impact of a possible interruption can be measured in monetary terms. A qualitative impact
cannot be measured in monetary units. An impact can be operational yet not quantifiable; operational impact
is a qualitative loss.
33. Quantitative analysis is also known as objective and qualitative analysis as subjective.
34. Incidents that have a direct effect on personnel (e.g. any pandemic) must be taken into account during BIA.
Recovery strategies will be different in that scenario.
35. Don’t forget that Risk analysis takes into consideration overall impact of an incident on the organization,
BIA is for a specific process loss.
36. Qualitative impacts are measured in subjective terms e.g. low, medium, high or something similar.
37. BIA is the final step in pre-planning stage
38. In BIA, always take into account dependencies between business processes and functional units
39. One of the major purposes of BIA is to determine value of each organizational unit as they relate to the
whole organization AND which processes in that unit are critical for business continuity
40. Always determine time criticality of a business process e.g. month end could be a critical time for many
processes.
41. Criticality of recovery resource requirements (IT, data, telecommunications) depend upon criticality of the
prioritized processes as a result of BIA
42. When doing BIA, also determine when the peak activity period is.
43. Value of BCP is to keep the losses down.
44. In qualitative risk analysis (scaled as insignificant, minimal, moderate, significant, Critical), each kind of
impact needs a definition so that response can be qualified.
45. For prioritizing processes which have the same RTO, consider loss impact curve over time.
46. Loss’s impact curve depends upon when the loss occurs.


47. Key deliverables resulting from BIA are: reporting findings to management, process interdependencies,
recovery resources, recovery time, and prioritized recovery list
48. Finally, suggested steps for recovery based on BIA would be:
• List business processes/functions by ascending order of RTO
• Consolidate priority levels or groups
• Move functions up in a priority level if required (never down)
• Have senior management confirm it
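The four recovery steps above carried out as an algorithm, as an added example that is not part of the original sheet: processes are sorted by RTO into priority tiers, a dependency whose dependant sits in an earlier tier is moved up (never down, per step 3 and axiom 18 on interdependence), and the output is the list senior management confirms. The tier boundaries, process names, RTOs and dependencies are constructed assumptions.

```python
"""Prioritized recovery list from BIA results (constructed example).
Sort processes by RTO into tiers, promote a dependency when a dependant
sits in an earlier tier (never demote), and produce the list for sign-off.
Tier bounds, process names, RTOs and dependencies are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    rto_hours: float        # recovery time objective from the BIA
    depends_on: tuple = ()  # upstream processes this one cannot run without


# Assumed tier boundaries: tier 1 <= 4h, tier 2 <= 24h, tier 3 <= 72h, tier 4 beyond.
TIER_BOUNDS_HOURS = (4, 24, 72)


def tier_for_rto(rto_hours: float) -> int:
    """Consolidate RTOs into priority groups (step 2)."""
    for tier, bound in enumerate(TIER_BOUNDS_HOURS, start=1):
        if rto_hours <= bound:
            return tier
    return len(TIER_BOUNDS_HOURS) + 1


def prioritize(processes):
    """Return {name: tier}. Start from the RTO tier, then move a process up
    whenever something that depends on it is in an earlier tier (step 3).
    Moves only ever go up, so a short-RTO process is never pushed down."""
    by_name = {p.name: p for p in processes}
    for p in processes:
        missing = set(p.depends_on) - set(by_name)
        if missing:
            raise ValueError(f"{p.name} depends on unknown process(es): {sorted(missing)}")
    tier = {p.name: tier_for_rto(p.rto_hours) for p in processes}
    changed = True
    while changed:  # repeat until no promotion is needed, so chains propagate
        changed = False
        for p in processes:
            for dep in p.depends_on:
                if tier[dep] > tier[p.name]:
                    tier[dep] = tier[p.name]  # promote the dependency, never demote
                    changed = True
    return tier


def recovery_list(processes):
    """Rows (tier, name, rto_hours, promoted) ordered by tier then RTO:
    the prioritized recovery list senior management confirms (step 4)."""
    tiers = prioritize(processes)
    rows = []
    for p in processes:
        promoted = tiers[p.name] < tier_for_rto(p.rto_hours)
        rows.append((tiers[p.name], p.rto_hours, p.name, promoted))
    rows.sort()
    return [(t, name, rto, promoted) for t, rto, name, promoted in rows]


# Constructed BIA output, not from any real organization.
PROCESSES = [
    Process("order entry", 4, depends_on=("ERP database", "network")),
    Process("ERP database", 24),                      # promoted: order entry needs it
    Process("network", 2),
    Process("email", 8, depends_on=("network",)),
    Process("month-end close", 48, depends_on=("ERP database",)),
    Process("payroll", 72, depends_on=("HR system",)),
    Process("HR system", 120),                        # promoted: payroll needs it
    Process("marketing web analytics", 240),
]

if __name__ == "__main__":
    for tier, name, rto, promoted in recovery_list(PROCESSES):
        flag = "  (moved up for a dependant)" if promoted else ""
        print(f"tier {tier}  RTO {rto:>5}h  {name}{flag}")
```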

Domain 4 – Developing Business Continuity Management Strategies

1. In the planning stage, “Developing BC Management Strategies” is the first step.
2. In this phase, first you identify recovery strategies for business units (functional areas), perform assessment
of those strategies using BIA (means determine RTO), do cost-benefit analysis, and finally consolidate
those strategies across organization or enterprise
3. In order to create recovery strategies, consider technology as well as non-technology issues. IT recovery
does not mean business recovery.
4. Recovery strategy must include off-site storage of documents and alternate recovery sites. The two do not
have to be the same site.
5. Important documents include Business continuity plan as well.
6. Important information documents must be rotated depending upon requirements.
7. Offsite storage facility must be secure and accessible during business as well as off hours.
8. Ensure that offsite storage facility is not so far that it takes long time to access it or so near the primary
facility that it gets affected by the same incident.
9. It is important that you plan for the worst possible disaster scenario.
10. Selection criteria for the alternate site must take into consideration needs for communications and precisely
what you are getting.
11. Consider location of alternate site such as proximity to gas station, hazmat considerations, proximity to an
embassy, neighborhood safety, storm water flooding statistics etc
12. Always evaluate vendors (hot site or others) to determine if they have contingency plan themselves or not.
13. Have advance arrangements with vendors regarding expeditious delivery of critical equipment and
supplies. It can be done through SLA which includes penalty clauses for non-compliance. Always have
alternate arrangements just in case.
14. Take into consideration availability of BC resources including human resources.
15. Do not forget test time and its projected cost for alternate site which could be significant.
16. Remember: Each recovery strategy has a cost element and a risk element. Assess both. Management’s
acceptance of a particular strategy will depend upon their risk appetite.
17. Remember that a company’s duplicate site (where data is replicated in real time) has a shorter RTO, but costs
are relatively higher.
18. Some of the IT recovery strategies are hot site, warm site, cold site, mobile site, replication site, split
processing facility, and reciprocal arrangement site.
19. Some of the business recovery strategies are business recovery centers, work outsourcing etc
20. Hot site is usually service provider managed (e.g. Sungard). It has vendor provided hardware, storage,
communications, UPS, generator etc. Many organizations subscribe to a hot site and vendor makes it
profitable due to economy of scale. They provide facility to perform scheduled DR tests.
21. Hot site may have consideration of many organizations being affected by the same regional disaster and
vendor’s hot site may not be able to provide service to all.
22. A warm site usually has storage facility for data servers (they are relatively inexpensive) but not processing
servers (they are expensive). Processing servers are shipped expeditiously after the incident (remember that
you need SLA).
23. Cold site has only raised floor, communications links, HVAC, and that’s all. It is the cheapest but RTO is
longer. You order everything after an incident (remember that you need SLA).
24. What is the disadvantage of cold site? It is empty space sitting dormant.


25. You can have combination strategies for different business processes. They do not all have to follow the
same recovery strategy. It all depends on the RTO of that process.
26. Reciprocal agreements are hard to enforce. Some of the risks associated with reciprocal agreements are
confidentiality of data, hardware becoming incompatible over time, both organizations being affected by
the same incident, partner’s facilities not having sufficient computing resources etc.
27. Do provide for recovery of voice network as well.
28. For data network recovery, consider alternate routing, alternate vendors, foreign exchanges, dial backup etc
29. Plan for phased recovery of communications/data network. Give highest priority to critical processes (as
determined by RTO).
30. Risk of each recovery strategy can be determined by gap analysis (where we are and where we want to be).
31. Capabilities of off site storage material should also be tested to ensure that requirements will be met after
an incident.
32. Saturation of a hot site vendor can be attested by an independent auditing firm.
33. Understand that some functional units need to recover to a higher level of BAU e.g. corporate
communications and facilities
34. Cost benefit analysis should be kept simple. Figures are better than words. Remember that cost includes
cost to implement plus the cost to maintain
35. Business impacts are used to justify a BC strategy
36. Remember the six Rs of BCP: Reduction, Response, Recovery, Resumption, Restoration, Return
37. The Recovery phase (the 3rd R) is only for critical processes, and even for those it is not BAU
38. In the Resumption phase, you stay at the alternate site till facilities for primary site are restored
39. Disaster is undeclared ONLY when you have Returned (#6 R)
40. In the restoration phase, you restore non-critical systems first, not the critical ones. Only when the non-
critical systems are functioning should you restore other systems in the order of increasing criticality.
41. Costs go up when RTO goes down.

Domain 5 – Emergency Response and Operations

1. Who assumes the role of commander in ICS? The first authority at the scene.
2. What is the purpose of the various teams? To identify tasks and to coordinate them.
3. The emergency response team is activated right away upon knowledge of the incident.
4. The CMT (crisis management team) makes the decision whether or not to declare a disaster. The emergency response team does NOT make that decision.
5. The CMT is located at the EOC.
6. The top priority of the emergency response team (ERT) is to prevent or limit injury to people.
7. The emergency response team's next responsibilities are to prevent/limit damage to structure/equipment and to prevent/limit loss to the vital business functions.
8. Traditionally, the ERT was run by the IT, facilities, or security area. But it should be managed by BC since it is a business function.
9. Emergency response procedures are part of the BCP.
10. Emergency response procedures do not require RA or BIA.
11. Formal procedures must be developed to respond to expected disaster events. Prepare for the worst.
12. Command and control requirements for managing an emergency must be identified.
13. ICS is a methodology, not a product.
14. The command site is where the CMT is.
15. Some cities have generic command centers which can be used by anybody during an emergency.
16. During an emergency, open a 24x7 child care and elder care center for employees.
17. A disaster is undeclared when business is back in BAU mode (aka the 6th R, Return).
18. When a public authority takes control of the situation, only they can authorize who can and cannot enter the building premises. Have people designated in the BC plan who need to assess the situation. The Damage Assessment Team (DAT) needs access in order to recommend declaration of disaster or otherwise.
19. Have predetermined escalation procedures to help management make a decision on disaster declaration.
20. Disaster declaration depends upon the RTO of the damaged business processes.

21. Do not declare a disaster if you can help it. Disaster declaration costs money in activating alternate strategies.
22. Building management is responsible for the evacuation plan. In a multi-tenant building, they conduct fire drill exercises every once in a while.
23. There must be a plan for emergency evacuation. It must have procedures to ensure that everybody is accounted for, evacuated people are sent to a safe place, and handicapped people are taken care of.
24. Security of the damaged facility is a must to prevent looting and pilferage. It can be provided by internal security or by the public authority if it is still on site.
25. When the police arrive, they take control. When the fire department arrives, it takes command from the police. Explain this to your security people (who usually are ex-army).
26. One must practice for two weeks away from the regular facility to learn what is needed to work effectively.
27. Emergency response could be needed even if your organization has not been hit. You could be in the neighborhood when the police cordon off the whole area or a 5-10 block area.
28. The BCP has two sections, and you transition from the Emergency Response Procedures section to the Business Continuity Procedures section.
29. Escalation is done to higher management. Notification is done to other people. Escalation is procedural.
30. Once in a while, practice evacuation and inform employees that they cannot go back. They should be able to figure out what is needed for BC.
31. Employees with special medical conditions (diabetes or hypertension) will need special care and will need medicine.
32. The more exercises and tests you conduct, the more prepared people will be.
33. Devices are tested. People exercise procedures.
34. Containment of the incident is very important during emergency operations.
35. Here is what you need to do in the case of a disaster: 1. Recognize/detect the disaster. 2. Protect people. 3. Contain the incident. 4. Assess the effects. 5. Decide the optimum actions.
36. Ensure that keyed entry/exit doors are fail-safe and not fail-secure.
37. Plan ahead for equipment and facilities in the EOC (emergency operations center). The EOC is not for executives.
38. Have a pre-designated person log events and take pictures for later use for insurance purposes and for legal reasons.
39. Mobile phones may not work due to system overload (unless the service provider moves COWs and BULLs into that vicinity). Law enforcement may jam frequencies if they deem fit.
40. Plan for use of DIRECT lines if the company's PBX is damaged or down. Plan this with the telecommunications company in advance.
41. Develop procedures and a contact list regarding how you communicate during off hours in an emergency.
42. Keep in mind the 4 "C" words: Coordinate, Command, Control, and Communicate.
43. Emergency procedures must define who authorizes going back into the facility.

Domain 6 – Developing and Implementing Business Continuity Plans

1. Planning is done for the worst case scenario happening at the worst possible time.
2. BC plans are advance planning and arrangements which ensure continuity of critical business processes, and which are agreed to by management.
3. BC plans also include sufficient agreed-to preparations and agreed-to procedures to respond to disaster events.
4. BC planning also involves implementing procedures to deter a threat or mitigate a risk arising from known threats.
5. The BC plan includes considerations for destruction of a physical facility.
6. The BC plan includes procedures, equipment, and personnel for manual and IT operations.
7. The BC plan must be customized for each organization, since each organization is unique.
8. The BC plan must be flexible enough to enact changes, additions, and deletions for maintenance.
9. The BC plan must not depend on certain individuals. It should be based on procedures.
10. Each individual implementing part of the BC plan must have an alternate in case the primary is unavailable.
11. The BC plan must not have complete dependency on vendors since they may be overloaded and may have other priorities. However, an SLA with penalty clauses does help.
12. The BC plan must not have complete dependence on public authorities since they may be overwhelmed with work.
13. BC plan implementation should revolve around teams, not individuals. Nobody knows it all. BC plans must be tested at least once a year or when there is a significant change.
14. The BC plan must have call tree activation procedures.
15. Hot site vendors provide for conducting tests without charge. Use that facility.
16. The BC plan must document critical decision points.
17. The BC plan should be a corporate effort inclusive of all components.
18. The BC plan closes the gap between where we are and where we want to be in case of a disaster. The BIA provides the requirements.
19. The BC plan should be both general as well as comprehensive and all-encompassing.
20. The BC plan covers all corporate areas.
21. The BC plan should cover the worst case scenario (aka the key scenario).
22. The BC plan covers three possible areas of risk: financial, legal, and business service interruption.
23. The end goal of recovery is to reduce the consequences of a disaster to an acceptable level by the end of the RTO, which ensures the minimum needed to stay in business.
24. Usually, internal users have the most complaints about reduced service. External stakeholders are more understanding.
25. Plan for major catastrophes, not minor inconveniences (determined by RTO).
26. Remember that recovery does not result in BAU.
27. The organization will still lose money and time but will stay in business.
28. Senior management is responsible for the business continuity project. Senior management shows its commitment through a policy statement, establishing a BC steering committee, and establishing sponsors for the project.
29. Management has to make it clear that personnel concerns are priority #1 and business is priority #2.
30. Senior management accepts the business risk of any shortcomings in the plan.
31. Controls and risk have an inverse relationship: the smaller the controls, the bigger the risk.
32. A key disaster is severe in magnitude, occurs at the worst possible time, and results in loss of access to all files, information, and equipment (including IT). The BC plan is for the worst case scenario.
33. Always start with a short term plan for the BC project before a big plan. A short term plan can be implemented quickly and should have visibility.
34. Remember the 6 Rs of business continuity: Reduction (through risk analysis and controls), Response (meaning emergency response), Recovery and Resumption (meaning recovering critical processes at a minimum acceptable level), Restoration and Return (to a BAU level).
35. Make sure the BC plan is aligned with change control. A change may require altering the contents of the BC plan as well.
36. Contact information needs to be in the plan.
37. Essential elements of the BC plan are people, facility (sites), data, hardware, communications, transportation, supplies, documentation, equipment, and above all the PLAN itself.
38. Consider that public transportation gets diverted after an incident and the whole strategy for moving people may have to be revisited.
39. Escalation and notification procedures should include key management and BC people.
40. Call tree testing should be done at odd hours, e.g. on holidays, weekends, and early hours of the morning.
41. Escalation and activation procedures must be documented in the BC plan.
42. The primary call list is management and BC recovery people. Vendors are secondary.
43. If possible, use automation software for the BC plan.
44. Write the plan by position, not by name.
45. Remember that a downstream unit cannot have a shorter RTO than an upstream unit.
46. Voice communications requirements increase following a disaster.
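The RTO rules scattered through these notes can be checked mechanically against a process inventory: item 45 above (a downstream unit cannot have a shorter RTO than an upstream unit) and items 29 and 37 of Domain 4 (phased recovery with critical processes first by RTO, and a recovery phase that covers only critical processes). The Python below is an added worked example and is not part of the course notes; the process names, RTO values, dependency edges and the 8-hour criticality threshold are constructed for illustration.

```python
# Constructed sample process inventory (illustrative names and values only):
# process -> its RTO in hours and the upstream processes it depends on.
# A downstream process can only be back once its upstream processes are back.
PROCESSES = {
    "network":        {"rto_hours": 2,   "depends_on": []},
    "core_ledger":    {"rto_hours": 2,   "depends_on": ["network"]},
    "payments":       {"rto_hours": 4,   "depends_on": ["core_ledger", "network"]},
    "payroll":        {"rto_hours": 72,  "depends_on": ["core_ledger"]},
    "reporting":      {"rto_hours": 24,  "depends_on": ["payroll"]},   # planted defect: 24 h < 72 h upstream
    "marketing_site": {"rto_hours": 168, "depends_on": ["network"]},
}

# Criticality threshold, an assumption for this example: a process whose RTO
# is at or below this many hours is treated as critical by the BIA.
CRITICAL_MAX_RTO_HOURS = 8


def rto_violations(processes):
    """Item 45: a downstream process must not have a shorter RTO than a process
    it depends on, because it cannot be back before its inputs are.
    Returns (downstream, upstream, downstream_rto, upstream_rto) tuples."""
    found = []
    for name in sorted(processes):
        rto = processes[name]["rto_hours"]
        for up in processes[name]["depends_on"]:
            if up not in processes:
                raise KeyError(f"{name} depends on unknown process {up!r}")
            up_rto = processes[up]["rto_hours"]
            if rto < up_rto:
                found.append((name, up, rto, up_rto))
    return found


def critical_processes(processes, max_rto=CRITICAL_MAX_RTO_HOURS):
    """Processes the BIA marks critical by RTO (item 25: plan for the
    processes whose RTO makes an outage a major loss, not a minor one)."""
    return {n for n, p in processes.items() if p["rto_hours"] <= max_rto}


def recovery_order(processes, max_rto=CRITICAL_MAX_RTO_HOURS):
    """Items 29 and 37 (Domain 4): the recovery phase covers critical processes
    only, shortest RTO first, but never before the processes it depends on.
    A topological sort whose tie-break is (RTO, name)."""
    crit = critical_processes(processes, max_rto)
    for name in crit:
        for up in processes[name]["depends_on"]:
            if up not in crit:
                # Cannot happen when rto_violations() is empty (an upstream RTO is
                # then <= the critical RTO <= threshold); surface it as a plan defect.
                raise ValueError(f"critical process {name} depends on non-critical {up}")
    remaining, order = set(crit), []
    while remaining:
        ready = [n for n in remaining
                 if all(up in order for up in processes[n]["depends_on"])]
        if not ready:
            raise ValueError("dependency cycle among critical processes")
        nxt = min(ready, key=lambda n: (processes[n]["rto_hours"], n))
        order.append(nxt)
        remaining.remove(nxt)
    return order


if __name__ == "__main__":
    for down, up, d_rto, u_rto in rto_violations(PROCESSES):
        print(f"RTO defect: {down} ({d_rto}h) depends on {up} ({u_rto}h)")
    print("critical:      ", sorted(critical_processes(PROCESSES)))
    print("recovery order:", recovery_order(PROCESSES))
```

Running the block reports the one planted defect (reporting, RTO 24 hours, depends on payroll, RTO 72 hours) and produces the recovery order network, core_ledger, payments, which honours both the RTO priority and the dependency constraint. The defect is fixed in the BIA, by lengthening reporting's RTO or shortening payroll's, not by reordering the recovery schedule.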

47. Business operations insurance is a control (is it P or C?).
48. Emergency expenditures should follow an open-pocketbook policy but should be controlled and recorded.
49. Wet paper documents should be freeze dried for recovery (this includes original contract documents).
50. A copy of a contract is not admissible evidence; it is secondary evidence.
51. Have a team of PR people to handle the media and others after an incident.
52. Never answer any questions with "no comment". It usually suggests admission of the fact.
53. The PR media center should be away from employees performing recovery.
54. A briefing should be a prepared statement. A good briefing is 9 seconds, 3 maximum points, and 27 words.
55. Do not lie to the media. You can say we are looking into it, or say it is still under investigation, or say I will get this clarified in the next briefing.
56. Always tell the media at the end when (what time and where) the next briefing is.
57. Media control type procedures should be in the BC plan and are usually part of crisis communications.
58. There should be a separate message line for employees, and it should be kept updated.
59. There should be a separate message line for employees' families. It should be operational right after an incident because the incident becomes known via the media right away. Such a message line will reduce personal calls to the employees who are needed for recovery.
60. The BC plan should be based on checklists. Details should be moved to appendices.
61. The BC plan must describe all the teams. It should include the number of teams, the function of each team, and the members of each team.
62. Team leaders should be functional or operational unit managers. A leader must have authority.
63. Team members must have the qualifications and the skills and should be willing to work long hours under pressure.
64. The team leader should be adept at resolving conflicts. The stress should be on recovery and not on conflict resolution.
65. Team procedures define how to perform the responsibility. Each situation will be different, so it cannot be procedure-driven.
66. The primary responsibility of the emergency response team is to protect the people and the property.
67. People on the emergency operations team (remember they are in the command and control role at the EOC) typically are NOT part of the business recovery team.
68. Usually team members on the emergency response team include fire wardens, floor fire wardens, etc.
69. The crisis management team is also known as the emergency operations team.
70. Emergency operations do not do emergency response functions. Emergency response is done by the Incident Response Team.
71. Employees should have knowledge of emergency evacuation procedures.
72. Functional recovery is for the functional manager.
73. Vendor control is vital for off-site operations.
74. Restoration of the BC package is the highest priority after an incident.
75. Line managers are also known as functional area managers.
76. People involved in developing and implementing the BCP are senior management, the BC coordinator, various teams, and functional managers.
77. The functional manager is responsible for the BC plan for their unit.

Domain 7 – Awareness and Training Programs

1. Awareness is knowing or reality.
2. Training is to provide schooling using a process or method.
3. The purpose of training is to make someone proficient.
4. If you do not need to follow a procedure, you just need awareness.
5. Awareness starts with new employee orientation.
6. Awareness and training are not a one-time thing; they never stop.
7. The qualities of a BC person who leads are emotional stability, leadership skills, and understanding of the business.
8. People who are not assigned to a team are either standbys or they can go home.

9. Make sure that people outside the team understand their role as well.
10. When writing a BC manual, referencing another manual is fine.
11. Possible awareness topics: control officer's liability, coordination with local and governmental authorities.
12. Continuing education of the BC coordinator is very important to learn new techniques and methodologies.
13. One way to expedite the training process is to train people who can train other people.
14. One way to get people interested voluntarily in the emergency awareness and training program is to give them training in emergency management at home and then lead into the office environment.
15. Your organization can have one day a year as BC awareness day, when different audio-visual aids and other marketing techniques can be used to spread the word.
16. Managers should introduce employees to the fire wardens and the BC coordinator.
17. In order to identify the correct training requirements and methodologies, understand your audience.
18. Business recovery responsibilities should be documented in the responsible party's evaluation.

Domain 8 – Exercising and Maintaining Business Continuity Plans

1. Desktop checking (aka tabletop exercise) is the first step for exercising a BC plan.
2. The purpose of the exercise is to find weaknesses in the plan, not faults with the people.
3. Do not look for 100 percent success in a BC exercise.
4. Always practice procedures before a disaster.
5. Familiarity with your own responsibilities and those of others is required during an exercise.
6. One of the purposes of an exercise is to demonstrate that you are prepared.
7. Validate team assignments before an exercise.
8. Be prepared to analyze complex issues during an exercise. Some of these complex issues can be due to process interdependencies.
9. A prudent test strategy includes creating a test scenario (e.g. loss of a physical structure).
10. The manager's role during an exercise is to support the plan.
11. A good exercise strategy is a factor of the experience level and the number of resources.
12. Characteristics of successful exercise planning are: practice a particular scenario, know the objectives, document the results, know the participants, and ensure the presence of evaluators/observers.
13. Various types of tests are: 1. Walk-through or desk check test. 2. Procedures verification test (each team reads through its procedures). 3. Simulation test (a functional test, and more real). 4. Actual operational test (a full scale test).
14. A walk-through or desk test does not affect productivity.
15. An exercise should not interfere with BAU beyond the extent that management has accepted as acceptable risk.
16. A full operational test should be scheduled at off hours.
17. Every DR/BC test should have a back-out plan in case something goes wrong.
18. If a serious flaw is found during the test, do not stop the test there. Complete the test for the other objectives.
19. The initial test should start small.
20. Detailed procedures must be followed during the tests.
21. It is very important to test two things: call tree invocation and restoration from backup data. These are crucial elements during a real incident.
22. Conduct small surprise tests to increase the awareness level. A surprise test is not for management but for other people.
23. BC/DR testing should involve actual data and NOT test data.
24. Change the test scenario from one test to the next.
25. Senior management must be aware of the scheduled and surprise tests.
26. Senior management should participate in the tests as well; their role is to stay informed and ensure that BAU continues.
27. The business value of the exercise is that it will highlight positive changes in people, processes, and vendors.

28. BC plans should be tested at least once a year or when a change occurs.
29. Tests must be observed by someone who can give a subjective opinion. An internal auditor is such a person.
30. The objective (quantitative) way of evaluating a test is to see if the time-line has been met.
31. A post-test report must be prepared to document expected and actual results.
32. The post-test report must be sent to senior management, the functional manager, and internal audit.
33. Save and keep the test results as per company policy or, if there is no such policy, at least until the next test.
34. Test reporting after the exercise may include success criteria. But be careful not to measure the success criteria of individuals, only of the execution of the plan.
35. Always clearly explain the value which the exercise brings to the organization. One such value is "preparedness".
36. Test reports should include test objectives, test criteria, and actual results. They should be sent to senior management, functional managers, and internal audit.
37. As you conduct more and more tests, the BC team learns less and less since they are more prepared.
38. Tests almost always result in recommendations, which should be reflected in updating the BC plan.
39. Ensure that the BC plan is aligned with the change management function. If the BC plan is not aligned, it will quickly become obsolete, hence ineffective.
40. Reduce confusion about maintenance activities, e.g. who, when, why, how, and where the maintenance is done.
41. Clarify to ensure that one understands the effects of a change on DEPENDENT functions, not just the function being changed or maintained.
42. Ensure that standards exist for incorporating changes into the BC plan on schedule.
43. Maintenance frequency for the BC plan can be quarterly, monthly, before an exercise, as the change occurs (if you have dedicated maintenance staff), or annually (minimally). A risk assessment must be done for the change maintenance frequency.
44. If management has "upped" the event scenario, the strategy needs to be rethought.
45. Partial disasters are more difficult to recover from than complete disasters due to the complexity involved in maintaining data integrity. An EMP bomb can cause a partial disaster.
46. Budget must be provided for scheduled maintenance.
47. Software maintenance tools can be home-grown or can be third party software.
48. Third party software tools must be held in source code "escrow" to mitigate the risk arising from the vendor going out of business.
49. The justification for budget spent on an acquired tool is "maintenance cost reduction".
50. The following are the sources of BC plan maintenance due to changes: 1. Exercise results require the plan to be tweaked. 2. Management directives. 3. Strategic business meetings. 4. Change management meetings related to IT processes. 5. Scheduled meetings with recovery team leaders. 6. Change in company business (e.g. M&A).
51. BC plans should be revised when the following happens: 1. Strategic business changes. 2. Personnel or key team members move or their contact information is changed. 3. Technology changes which necessitate a change in recovery strategy.
52. BC plan maintenance must address recovery tasks of personnel (by position, not name), recovery procedure-related changes, contact numbers (personnel and vendors), periodic reviews, backup processes, and the process for reviewing/suggesting changes to the plan.
53. Document control must be enacted to avoid multiple floating versions of a BC plan. Each document must be assigned a number, each document must have ownership, documents must be paginated, and updates must replace old pages.
54. The web version of the BC plan document must be checked for broken hyperlinks to documents on a regular basis.
55. Remember that each business unit has its own recovery plan, not the entire plan for the organization.
56. The best places to store BC plans are the office, home, car trunk, and alternate site. The important thing is that the plan must be in a secure place and have ease of access.
57. Key success factors for a BC plan are to establish plan update policies and procedures and to communicate changed information between dependent organizational units.
58. Emergency response requires communications, coordination, control, and conflict resolution.

Domain 9 – Crisis Communications

Domain 10 – Coordination with External Agencies

1. Important escalation procedures for proper communications are problem identification, established disaster declaration criteria, call tree invocation, and fast initial response to an incident.
2. Disaster declaration criteria should be based on the RTO of critical processes as determined by the BIA.
3. Who (individual or team) is authorized to declare a disaster is documented in the BC plan.
4. The DAT is one of the primary sources for finding out the extent of damage, and their observations relate to the recoverability of critical business processes and their RTOs.
5. Call tree activation documents who will be called first, and who will be called by whom. It documents when team members will be contacted and has their contact information. Call tree activation is automated these days.
6. Initial response actions include dispatching the initial response team, dispatching the DAT, activating support teams (IT, security, property, etc.), retrieving and recovering recovery procedures/plans, and issuing alerts.
7. The IT team should have predetermined knowledge of which systems should be recovered first and in what time frame. They are governed by the RTOs of the critical business processes. The goal is to recover critical business processes within RTO.
8. A DAT investigates a single site. For multiple sites affected by an incident, more DATs are needed.
9. Major action items after an incident are: 1. PR should prepare the declaration statement. 2. Activate the EOC (emergency operations center) for the CMT (crisis management team). 3. Alert and activate recovery teams. 4. Alert and activate vendors needed in the recovery. 5. Activate the public relations department. 6. Plan the recovery.
10. Communication is of paramount importance during a crisis for management and prioritization of tasks.
11. Primary notification parties in an incident are senior management, the BC coordinator, BC teams, functional managers, vendors, and the DAT.
12. Secondary notifications are done to other employees (whose efforts would be less time-sensitive), customers, the public, and suppliers (ask them to halt supplies).
13. One way to win media support is to invite them when you conduct a BC exercise. But this is done prior to an incident.
14. The PR person or spokesperson should be pre-designated and should be well trained to handle the media.
15. Employees should be made aware beforehand that they should not talk to the media on a voluntary basis and, if approached, should direct them to the organization's spokesperson.
16. HR should be responsible for dealing with employee families' concerns. HR should set up the toll free number so that employee families can find out the status.
17. If an employee is injured, HR is the one who should be making the call to the family. HR is trained for these eventualities.
18. Develop a schedule for press conferences. Do not keep the media in suspense.
19. Do not forget that the media is a cheap means of communicating with your employees.
20. Tailor your answers to the audience.
21. The PR person is considered part of the CMT (crisis management team) or EOC (emergency operations center).
22. Policies and procedures must exist for dealing with the media.
23. The PR team must exercise the communications plan.
24. If needed, get help from a media relations consultant.
25. Sources of information during a crisis are the DAT, security, HR, facilities personnel, business units, and the risk management department.
26. The DAT is a very good source of preliminary information.
27. ICS (incident command system) is a methodology, not a product.
28. ICS can be adapted to any incident or emergency.
29. The primary purpose of using ICS is to stabilize the incident and provide for the safety of human life.
30. You can coordinate with single or multi-jurisdictional government agencies using ICS.
31. The first to arrive on the scene is the initial incident commander. Usually it is facilities management or personnel or the Initial Response Team. Command is transferred to a higher authority or agency upon their arrival. If the incident is stabilized, the initial response team can be put back in charge.

32. In the USA, the fire department has higher authority than the police department for incident management.
33. ICS has Command at the top, and 4 units reporting to it: Operations, Planning, Logistics, and Finance/Administration.
34. The function of Command in ICS is to set objectives and priorities and to have overall responsibility for the incident.
35. The function of Operations is to direct all resources, make tactical plans, and conduct tactical operations.
36. The function of Planning is to collect and evaluate information, keep resource status, and develop the action plan to meet objectives.
37. The function of Logistics is to provide resources and other services to meet the needs.
38. The function of Finance and Administration is to monitor incident-related costs and do accounting, procurement, time recording, and cost analysis.
39. When a public authority leaves, a pre-approved person from the organization takes over.
40. In order to deal effectively with public authorities, identify and be familiar with applicable laws and regulations. For example, fire code regulations require you to have effective evacuation plans.
41. Develop a good relationship with public authorities and find out how and where they respond in an emergency, and what their jurisdiction is.
42. Flow charts are helpful in planning. Some organizations use flow charts while others use written procedures.
43. BCP professionals are responsible for crisis communications and coordinating with public authorities.

Exam Hints
1. Read the question completely.
2. Do not assume anything. Do not apply “if” statements.
3. Do not apply it to your job because your company may not be doing it properly.
4. Eliminate obvious wrong answers.
5. Plug your answer back into the question and see if it makes sense.