Business Continuity and Disaster Recovery Planning, Term Paper Example
In today’s technology-driven world, a business should be prepared for unexpected events that may interrupt it for long periods. It is therefore necessary for a company to have a contingency plan against any external events that delay normal operations or shut them down for short or long periods of time. An organization must invest in business contingency planning and disaster initiatives because they require the inclusion of the entire business, security and IT teams. It is too late to mount an effective response once the disaster has breached your business. The lack of planning could result in business operations being shut down for good. In reality, these disaster consequences could impact the organization for years to come (Long, 2014, pg. 2). Healthcare Technology Management (HTM) experienced some operational delays because of power shortages or unexpected winter weather conditions. The damage was minimal and the stored medical data was protected. However, there was a need for a business contingency plan that would keep the business operational.
The company must have a plan in place to deal with adverse effects on daily operations. Organizational contingency planning is about an organization being ready and prepared for unexpected events. Whatever the size of your organization, all companies need a contingency plan. The healthcare organization called Healthcare Technology Management (HTM) is located in Bethesda, Maryland. Bethesda is a thriving urban business district with the foundation to support hundreds of businesses, restaurants and theaters, and it has access to the Metro train line. This location has easy access to the DC Metro Area, Bethesda Naval Hospital, Bethesda Naval Medical Center, and the National Institute of Health.
The primary function of Healthcare Technology Management (HTM) is to provide healthcare solutions to hospitals that allow the storage of medical data for the Naval Medical Center. The longevity of the business depends on whether HTM can develop a contingency plan that prepares it for urban emergency incidents. HTM had several incidents that impacted operations, such as damage to power lines, the Navy location shooting, the Maryland public stalking shooter and 911.
These included some security breaches, because the events caused business operations to concentrate on the event instead of preparing for the adverse operational impacts. In the news, for the first time, business disasters and catastrophic events are at the top of the list of concerns for most businesses. Data, physical and cyber breaches are the number one reason companies worry about disaster, according to the Allianz Global Corporate & Specialty 2014 Risk Barometer Report (Zolkos, 2014, pg. 1).
The HTM organization had some experiences with security and system issues that caused long periods of business interruption. During this period, the organization not only lost revenue but also discovered that the company’s internal operations were not prepared for any type of disaster or security breach. The purpose of this business contingency plan is to provide the organization with guidance during the development of the Business Continuity Plan (BCP). The primary objective of the BCP is to prepare the organization for potential business disruption or any disaster that would interrupt or stop business operations. The BCP will minimize the overall damage to the company’s infrastructure. The organization will conduct a detailed gap and risk assessment prior to completing the BCP in order to identify which security resources need to be added or improved.
Why Contingency Planning
Contingency preparation could have helped HTM avoid some operational delays that could have breached medical documents. Risk management planning is crucial to the operational success of the business during a disaster. Large and small companies alike should be aware of the pitfalls when preparing the contingency plan. If the plan is not taken seriously enough, the business could be closed permanently. HTM needs to evaluate the strong points and weak points of a business contingency plan proposal. Wise organizations will engage in contingency planning to ensure the company is protected for the future. A company plan that only takes into account the best-case circumstance for your business is not likely to last very long. The contingency plan helps prepare the company for disasters, seasonal decreases in earnings or new competitor products coming into the industry. It is essential to make sure the organization possesses the wide vision required to maintain business operations while preventing confidential or physical breaches.
The more risks your business can anticipate, the better the company will be at meeting the many challenges that can arise from Acts of God. Contingency planning and risk management are only as good as the strategies developed to help mitigate the potential financial damage to your company. The mitigation strategies may include a variety of methods for limiting the effects of future problems on an organization, including storing capital for revenue shortfalls as well as making improvements to facilities to reduce the chances of employee injury. These strategies provide the business with a plan of action in the event of a problem.
Business Impact Analysis (BIA)
The Business Impact Analysis must be performed by the HTM contingency team to ensure the organization has a gap analysis that helps it prepare for disasters. The BIA Report should be reported to and reviewed by the organization’s Disaster Team. The team should identify the critical functions that must be completed in times of an operational disaster. In addition, the team must provide specific directives to follow after the threat has been contained (University of Toronto, 2011). The HTM organization depends on large servers to store medical information that is retrievable by customers 24/7. These critical applications must have secondary and third options to ensure the power does not get shut down. The IT department must complete a critical operational analysis so that it is prepared for and can tolerate power interruptions, security breaches and disaster events.
The intangible effects must be considered in the initial analysis because the organization needs to understand where cash flow needs to be bolstered, considering the additional financial expenses and the possibility of working from another location or even remotely. The most important factor that must be analyzed is how long customers will go without service and what number of customers can impact the company’s financial situation. The entire business and consumer market understands the importance of protecting medical information at all cost. HTM has learned that not being prepared for a possible break in operations can cause blown deadlines, loss of customers, missed sales quotas and disgruntled customers. HTM did not have a solid security plan during the last incident that impacted it. In order for HTM to avoid this type of meltdown again, it must create a BIA that includes information on how to respond to systems, atmosphere and physical threats, detailing everyone’s responsibility during a potential attack. Preparing for incidents through the BIA does not make the BIA a form of risk management, which focuses on vulnerabilities and breaches. Risk management is about what happens when something goes wrong; the BIA, however, takes control once the business environment has been breached and the attack was successful. At that moment, the BIA is prepared to make the necessary adjustments to lead the organization in countermeasures.
Incident Response Planning (IRP)
The Incident Response Planning (IRP) stage defines exactly what constitutes a security occurrence and recommends the emergency reaction steps. This incident response plan document describes precisely how details are handed to the appropriate employees, evaluation of the occurrence, damage reduction and reaction approach, documentation, and upkeep of evidence. The incident response plan will explain areas of accountability and create processes for handling different security occurrences.
This incident response plan defines what constitutes a security incident and outlines the Incident Response phases. This incident response plan document discusses how information is passed to the appropriate personnel, assessment of the incident, minimizing damage and response strategy, documentation, and preservation of evidence. The incident response plan will define areas of responsibility and establish procedures for handling various security incidents.
“An incident response plan (IRP) is a set of written instructions for detecting, responding to, and limiting the effects of an information security event. Incident response plans provide instructions for responding to a number of potential scenarios, including data breaches, denial of service/distributed denial of service attacks, firewall breaches, virus or malware outbreaks or insider threats” (Search Security, 2014, pg. 1). The IRP is important to HTM because it prepares the general staff and IT staff to adapt and react to the adverse incidents that impact operations. The IRP can prevent unnecessary reaction to events that may not be a breach. The IRP can identify which threats are real. The IRP should include a team of eradication experts that finds the root of the problem while removing the affected areas from the operation and production environments. The loss of medical information, or the loss of the ability to store medical information, is enough to close HTM’s doors.
The IRP can limit the amount of damage caused by the incident. Additional offsite servers would be warranted because HTM must protect the medical information at all cost. The addition of a containment provision would isolate the affected areas and contain them. The recovery portion of the IRP would ensure that the affected areas were removed and not allowed back into operations until the threat has been removed. There are lessons to be learned from past breaches, such as completing an incident report that can quickly be put into action to minimize damage. The IRP can benefit the HTM organization by defining how to minimize the duration of the damage from the breach while reducing the response time. In addition, the IRP should identify who will be responsible on the incident response team in the event of a breach or disaster. The response team must be able to quickly identify the integrity of the breach.
Disaster Recovery Planning (DRP)
The primary objective of a Disaster Recovery Plan (DRP) is to allow an organization to outlast an external or internal disaster and to help HTM re-establish normal business operations after the threat. The Disaster Recovery Plan (DRP) is a position statement by the organization that commits it to taking operational actions after the disaster. This plan is a post-event plan to ensure the organization can still operate business as normal after the threat is eliminated (Disaster Recovery Journal, 2014, pg. 1). HTM must develop an intensive DRP to ensure all critical business operations are recommenced in an acceptable time frame. The DRP should be able to identify the best strategies for getting operations back to normal in the shortest period. The successful implementation of the DRP will minimize the time the company will be incapacitated. The primary objective of a Disaster Recovery Plan (DRP) is the development of policies and procedures on how an organization will handle potential human disasters after the threat is removed.
The disaster recovery strategy that every organization maintains as an element of business management contains the procedures and processes to be performed to respond successfully to, and recover from, disaster circumstances that negatively affect information systems and business operations. Measures that are well constructed and executed will enable organizations to reduce the consequences of the disaster and recommence business-critical operations rapidly. The goal of the Disaster Recovery Plan (DRP) is to analyze the organization’s weaknesses in order to develop a plan that will counteract any disruption of business operations, including reacting to computer operations being unusable and preparing for the worst situations (Disaster Recovery Journal, 2014, pg. 1). One of the key elements of disaster recovery planning is the pre-planning that allows the company to identify the range, assignments, daily activities, and specific roles that will respond to any impending disaster. The pre-planning process for the DRP lets the business understand precisely how the organization would react to a disaster, along with its contingency strategies after the danger has been eradicated.
HTM’s top management must be supportive of the DRP because the organization must be led from the top down for the plan to work in real time. The upper management team should be held accountable for being involved with implementing, planning and coordinating the disaster recovery plan. DRP initiatives must be acted out in order to find the weaknesses and gaps within the HTM organization. The company needs to commit a number of hours and HTM organizational resources to the program to develop a solid action plan. In addition, the DRP must establish a planning committee to ensure the development and implementation of the DRP is taken very seriously. The planning committee must be held accountable for overseeing the entire DRP project, including defining roles and performing risk assessments and business impact analysis. The entire organization must buy in to the DRP to help analyze the potential gaps the company could encounter during a catastrophic disaster. The goal is to make the DRP exercise as real as possible to discover how individuals will react when under pressure to save lives and critical business documents. In addition, there should be a stand-by team that evaluates how much of the critical documentation has been lost. The most extreme case would be a fire, which poses one of the greatest threats to an organization. The DRP team needs to practice determining whether the fire was due to human intervention or was a more serious fire caused by faulty equipment. This team is critical in determining the next steps because a serious fire may warrant evacuating the entire building.
It is essential that the Steering Committee evaluates the effects and repercussions of a loss of data and services. The planning committee must also examine the costs associated with decreasing the possible exposures and develop focal points for processing and operations. The Steering Committee must have the overall accountability for delivering instruction and assistance to the DRP development team. The committee should also help make all decisions associated with the restoration planning effort. The Project Administrator should work with the Steering Committee in deciding the comprehensive work strategy and creating interview agendas for executing the Security Analysis and the Business Impact Analysis (BIA). The security committee must be ready to examine the financial, physical, and monetary ramifications. HTM should be focused on building an enhanced security plan to guarantee the company does not experience significant classified breaches of the medical records in storage. A breach of the Naval Hospital medical records is the closest to a national security breach because of the many government officials that use the Naval Hospital facilities. This type of security breach must be included in the Steering Committee’s gap analysis.
Disaster Recovery Planning (DRP) is a necessary process for all organizations that may need procedures for recovering lost software data or hardware. The DRP focuses on bridging the gaps in technology, lost data, communication and software/hardware issues. In the event of a building fire, the DRP must include strategic measures to save critical medical data. In addition, the DRP must compensate for possible loss of life, or of key personnel who may be responsible for the DRP action plan. A contingency back-up plan is necessary for the personnel in case others have been overtaken by fire. The DRP initiatives are a part of the more extensive analysis done by Business Continuity Planning (BCP). However, the DRP must be practiced until the entire organization is familiar with the plan of attack after the threat has been removed. The DRP must be accessible, updated, and adaptable to the many changes an organization will face through growth.
Business Continuity Planning (BCP)
Business continuity planning (BCP) entails defining possible dangers, assessing precisely how those hazards are going to impact operations, developing protections and processes intended to minimize those threats, evaluating those processes to ensure they function, and routinely examining the system to ensure that it is up to date. “This is where a business continuity plan comes into play. To give your organization the best shot at success during a disaster, you need to put a current, tested plan in the hands of all personnel responsible for carrying out any part of that plan” (Tittel & Lindros, 2014). The disaster recovery planning phase helps an organization realize the true potential for losing all communication, power, and data due to a hurricane, a tornado or a simple wire being cut in the building by accident. Regardless of the disaster, Business Continuity Planning (BCP) is mandatory (Slater, 2013, pg. 1).
Consequently, the primary goals of a business continuity strategy are to recognize essential operations and challenges, offer a master plan to preserve or regain important operations throughout a crisis, and produce a strategy to communicate with vital individuals in the course of the turmoil. Organizations may deal with a number of unfortunate occurrences that range from less serious to disastrous. BCP generally can help a business to keep operating through many kinds of disaster, including fires, but is probably not as effective in the event that a sizable part of the workforce is impacted, for example in a disease outbreak. A smart organization that understands the ramifications of not being prepared will revise the Business Continuity Planning (BCP) documents because new and different threats are found each year. The preparation for power failures, weather conditions, or fire can be the difference between business operations as normal and the complete shut-down of operations (Slater, 2013). The best organizations take their lead from organizations that have faced catastrophic events and were not prepared for the outcomes. The BCP analysis will identify those critical areas that could expose medical records to exposure, damage, or breach of confidentiality. The bottom line is that the BCP will save the company’s reputation, customers’ data, and the organization’s internal data.
The BCP has several areas that must be incorporated in the pre-planning and delivery of these initiatives:
- The critical business operations must be re-established quickly after the threat has been removed
- There must be a plan for alternative ways of functioning, whether remotely or in a backup location/building
- The development of BCP programs that are very simple to implement while integrating data storage space for back-up data for the business and for customers
- Develop the written policies and procedures needed for the contingency plan, including the roles, policies, procedures and the time frames in which this must be completed.
- A detailed contingency plan that is available to the first team, second team and alternates to ensure the organization has enough critical teams involved in delivering the plan
- The BCP should create hypothetical incidents to find gaps in the organization that need to be filled before the actual disaster happens. This would be similar to a fire drill.
The security of business equipment is essential in the planning of the BCP initiatives. Security breaches of personal computers, business computers, iPhones, and laptops must be included in the gap analysis.
References
Disaster Recovery Plan. (2014). Disaster recovery planning process. Retrieved from
Long, M. (2014). Business interruption risk assessment: A multi-disciplinary approach. Retrieved from http://www.drj.com/new2dr/w3_029.htm
Search Security. (2014). Incident response plan. Retrieved from http://searchsecurity.techtarget.com/definition/incident-response-plan-IRP
Slater, D. (2012). Business continuity and disaster recovery planning. The basics. Retrieved from http://www.csoonline.com/article/2118605/pandemic-preparedness/business-continuity-and-disaster-recovery-planning–the-basics.html
Tittel, E. & Lindros, K. (2014). How to create an effective business continuity plan. Retrieved from http://www.cio.com/article/742974/How_to_Create_an_Effective_Business_Continuity_Plan
University of Toronto. (2011). Disaster recovery planning. Retrieved from http://www.utoronto.ca/security/documentation/business_continuity/dis_rec_plan.htm
Zolkos, R. (2014). Business interruption, catastrophic top the list of risk concerns: Survey. Retrieved from http://www.businessinsurance.com/article/20140114/NEWS06/140119936