[I would recommend reading the Business Continuity Planning
interview with David Spinks, as David is very knowledgeable
in this area. http://trust.ncms.org/interviewCO0702.htm WEN]

To: MfgTrust; MfgTrustIG
Subject: Special NCMS Report - Business Continuity Planning

Dear NCMS Alliance Partners:
We thought this month's Corner.Office article, interview, and resources
pages on Business Continuity Planning were especially relevant to the theme
of the NCMS InfraGard Manufacturing Industry Association. So, we decided to
share them with you this month, and not restrict distribution to members
only, as is the usual case with Corner.Office features. 

You are invited to view the article below. To access the accompanying expert
interview and Resources pages on Business Continuity Planning, please go to
http://trust.ncms.org, Publications Index tab.

John Sheridan

<><><><><><><><><><>
July 2002 Corner.Office

Corner.Office is a monthly exclusive members-only feature of the 
        NCMS InfraGard Manufacturing Industry Association
                Infrastructure assurance for manufacturers
                        Powered by NCMS

<><><><><><><><><><>
This month - BUSINESS CONTINUITY PLANNING (BCP)
A safety net for businesses 
<><><><><><><><><><>

Editor's Preface
Every business faces minor downtimes, and major unknowns; hence it is
important to have plans in place which guarantee business contingency.
Before the September 2001 attack on America quite a few business people said
that they saw BCP as an inefficient use of resources, i.e. an expenditure
which does not bring any return on investments. But statistics tell a
different story, and events like 9-11 serve as drastic reminders that it is
vital for every company to have plans in place to ensure business
continuity, and the continuity of our suppliers and logistics - especially
as globalization and our interdependence continue to grow. BCP costs
relatively little in comparison to what the company could potentially lose in a
major incident. Therefore it seems highly prudent that organizations of all
sizes seriously research and develop a plausible and efficient BCP.

This month's Corner.Office features a special in-depth interview with David
Spinks, Director - Information Assurance for Europe, Middle East and Africa
at EDS (http://www.eds.com). He is responsible for EDS' portfolio of
Information Assurance services across all those markets. Mr. Spinks is also
chairman of the E-commerce Security Special Interest Group, an active member
of the Guild of Security Controllers, a member of the British Computer
Society Committee and co-author of the guide "E-commerce - a World of
Opportunity". He has spoken to audiences all over the world on subjects such
as the impact of e-commerce on the supplier chain, business continuity
planning after year 2000 and information security: the real threats.

Because we thought this article, interview, and resources pages were
especially timely and relevant, we will be sharing them broadly this month.
Thus, you will find these materials posted on our public web site
(http://trust.ncms.org, Publications Index tab), and not just on the NCMS
members-only site.  

 John Sheridan ([EMAIL PROTECTED])

<><><><><><><><><><>
BUSINESS CONTINUITY PLANNING 
<><><><><><><><><><>

According to the Info Security News Magazine (2000), an effective BCP and
disaster recovery plan can reduce losses by 90% in the event of an incident.
According to another study 81% of CEOs indicated their company plans would
not be able to cope with a catastrophic event like the September 2001
attacks. 

There are numerous examples of companies suffering due to poor Business
Contingency Planning.  In the 1993 World Trade Center bombing, 150 companies
went out of business (out of 350 affected) - scarcely an encouraging
statistic. But an incident does not need to be a dramatic terrorist attack
to have a massive impact on an organisation.  For instance, in the case of
fires, 44% of businesses fail to reopen and 33% of these failed to survive
beyond 3 years. The examples could be continued endlessly. The bottom line
is businesses need to have plans in place to cope with incidents (whether
they be major terrorist attacks or a minor hardware problem) and thereby
avoid major business interruptions.
 
<><><><><><><><><><>
The Business Continuity Management Process

Before even starting to create a Business Continuity Plan it is of vital
importance to get the full support of the management and governance of your
organization. Without it, it will be very difficult to push BCP plans through the
entire company.  Furthermore directors should be involved in the strategic
design of the BCP as it will help to create a realistic plan which will be
focused on the business interests of the company. 

After that one should start to man the team which will be responsible for
designing the BCP and to initiate the business continuity management
process. This is important as the team will serve as central focus point
during the entire Business Continuity Management Process. It is also
important to set a time scale for the BCP delivery and create a budget for
the process.

Next the BCP team has to identify threats and conduct a risk assessment,
which will help to define the areas on which the plan should focus, as it
is impossible to avoid or mitigate all risk. Hence, the team will have to
prioritise depending on the likelihood of the risk and its business impact. It is
very important to analyse all risks and threats, whether they be technical,
economic, internal, external, human or natural.

Once the risk assessment has been done, one has to manage the risks.
Preventive, detective and reactive means have to be put in place in order to
protect the company. For example, it might be possible to mitigate risks by
using insurance, contracting out some services, implementing safeguards and
controls and so on. High impact, but low probability risks which cannot be
mitigated are prime candidates for Business Continuity Planning. 

<><><><><><><><><><>
Business Impact Analysis

A business impact analysis will help to define critical business processes.
This is useful since once a major incident happens all efforts must be
invested to return the primary business functions to a predetermined level
during the critical business resumption phase and to establish the time span
to achieve these objectives.  Both of these objectives must be determined by
management beforehand for the process to proceed as smoothly as possible.
One has to collect data in order to decide which are the primary business
processes and which are the secondary. As a company has limited resources it
is critical to understand where it needs to focus on in order to recover in
case of an incident.

<><><><><><><><><><>
Planning

Once that has been done the team can design the Business Continuity Plan(s).
It is important to make the plan simple enough so that it can be executed
without any problems during a crisis and it needs to be based on steps
previously described. Also one has to define the threshold for every
incident so that appropriate measures can be taken depending on the
incident. Once the BCP has been designed and approved, it needs to be
tested under realistic conditions as untested BCPs historically fail. David
Spinks, Director of Information Assurance EDS, stresses that, "we see far
too many Business Continuity Plans and or Disaster Recovery Plans that
whilst they have been tested were done so in unrealistic ideal conditions
and thus we do not truly recognise what really happens in a crisis."

It is important to always tie aims during the Business Continuity Management
Process to the business needs. For example, it is not the function of
Information Security to protect all information. It just needs to protect
the information which the business needs protected. The same needs to be
done with Business Continuity Planning.

Once the plan has been designed and tested, it is important to re-evaluate the
plan and retest it, as business processes change periodically and the
requirements of companies change from time to time. For example, a
company may buy new equipment on which it is heavily dependent.  Thus a BCP
should be revised after purchases, upgrades of equipment and so on. It is
therefore important to realize that the Business Continuity Plan is a living
document, which needs to be changed and adjusted if business requirements
change.  

Finally, it is equally important to educate everyone in the company about the
BCP.  Since it will be the employees who are there to react to (or in some
cases prevent) an incident, a BCP's success or failure depends largely on
the way it is implemented by the employees.  If employees are not properly
trained regarding the BCP, its likelihood of success is seriously diminished.

<><><><><><><><><><>
Media Management

One aspect of BCP which deserves special attention is media management.
Business Continuity not only deals with putting all the company's effort in
recovering the critical business processes. It is of as much importance to
have good media management during this process, whether you do it yourself
in a small company, or have professional help in a larger company. This is
because a company which recovered after an incident, but did not communicate
with its customers, suppliers, stakeholders, shareholders, employees, or
affected public will have lost the trust of these groups. This will have an
adverse impact on the company's public perception, lead to a deterioration
of faith in the company, and in the end it will translate itself into
revenue losses. So BCP should also focus on what the military like to call
"hearts and minds" operations where the company tries to maintain its public
standing. Businesses should prepare public statements beforehand, as it would
be very bad to have no comment during a crisis: it will not prevent
journalists from writing about the event and can turn the event into a PR
nightmare.

Manufacturers are highly dependent on their suppliers; hence it is important
to work together with the important ones (at least the ones that support the
primary business functions) and make sure that they have good BCP plans in
place as it is of little use to have effective BCP plans in place whilst the
main suppliers have none.

<><><><><><><><><><>
Conclusion

In conclusion, businesses should have a BCP and procedures in place in order
to resume functionality in case of an incident which affects the company.
This will enable them to recover far quicker and with fewer
losses than a company which disregards such plans, thinking 'it would never
happen to us.' Business Continuity needs to be seen as a safety net for
businesses. Even though there are costs involved, it is well worth having
such plans as they will save the business during an incident and help it react
in an ordered and timely manner. Good BCP plans, which are implemented
successfully during a crisis, will give the company a good return on
investment and hence BCP can be seen as a business enabler.

<><><><><><><><><><>
The author of this month's Corner.Office feature is Wanja Eric Naef. UK
resident Wanja is a scholar and chief researcher for the Information Warfare
Site (IWS), a partner with NCMS. The Information Warfare Site is an online
resource that aims to stimulate debate about a range of subjects from
information security to information operations and e-commerce. 

<><><><><><><><><><>
Put Corner.Office to Work for You

Corner.Office is a monthly, NCMS-members-only product of the NCMS InfraGard
Manufacturing Industry Association. This email awareness feature tends to
emphasize management issues, and is designed to work with the operationally
oriented, and more broadly distributed, Mfg.Trust email awareness feature.
These email awareness features are pointedly short, but backed up by
excellent resources at http://members.ncms.org and http://trust.ncms.org
that provide more in-depth coverage of the monthly themes. Additionally, the
web resources serve as a searchable database that you can revisit at any
time. 

Members are entitled to have Corner.Office and Mfg.Trust distributed to all
the employees of their companies, and we encourage broad dissemination to
raise awareness. Please consider how we can best serve you: Corporate
newspapers? Intranets? Private Internal Distribution Lists? Just contact the
editor! NCMS will be flexible and imaginative in responding to requests that
support InfraGard and help achieve our mission. 


Copyright 2002 - National Center for Manufacturing Sciences


