Home > Articles > Security > Network Security

  • Print
  • + Share This
From the author of

Plan Development

This section provides a detailed methodology for producing and testing a continuity-of-operations plan. An effective COOP must anticipate any potential scenario and respond immediately to identify and verify the safety of all personnel and to maintain the continuity of business operations.


The following project outline is provided solely as a guide. It is only intended to be an example of a methodology for the creation of a business continuity/disaster recovery plan. It doesn't claim to be the authoritative process, but is a good place to start.

Because recovery planning is a complex and labor-intensive process, it requires the involvement of staff from across the organization. The disaster-recovery team must be aware of all the organization's key business processes, technical infrastructure, and data and personnel requirements.

The assembled team should have overall responsibility for the planning effort and should periodically report its status to senior management. The team will also have to work with senior management to gain an understanding of the existing and future technological infrastructure of the organization, as well as to ascertain the organization's most critical operations.

The team must identify all the client personnel who may be involved in the development, testing, or execution of the continuity-of-operations efforts. This requirement helps to ensure that all participants in the plan recognize and are prepared to execute their roles.

The proposed methodology consists of eight separate phases (described in the following sections):

  • Phase 1: Pre-Planning Activities (Project Kickoff)

  • Phase 2: Vulnerability Assessment

  • Phase 3: Business Impact Assessment (BIA)

  • Phase 4: Detailed Definition of Requirements

  • Phase 5: Plan Development

  • Phase 6: COOP Testing Program

  • Phase 7: Maintenance Program

  • Phase 8: Initial Plan Testing and Implementation

Phase 1: Pre-Planning Activities (Project Kickoff)

Several bits of information must be gathered before the true planning can begin. First, the organization must determine the individual business processes that are critical for the overall survival of the firm, as well as the processes that support those functions. Give the greatest consideration to maintaining these functions during and after any disaster. This decision must be reached by or in full cooperation with the senior management of the firm.

Next, establish a list of all the potential risks that may occur leading to the compromise of the firm's ability to conduct business or protect its employees. Risk is defined as anything that may lead to these problems:

  • Harm to personnel

  • Failure of business processes

  • Loss of or damage to assets:

    • Technical infrastructure

    • Physical infrastructure (buildings, planes, etc.)

  • Regulatory liability

  • Inability to perform customer service duties

  • Reputation or brand damage

In addition, review any existing contingency and business-continuity plans in this phase.

Phase 2: Vulnerability Assessment

Now that you know the risks, perform a vulnerability assessment (VA) to measure the firm's overall exposure to those risks. The VA considers the security control currently established within an organization. This formal evaluation includes the following areas, among others:

  • Network security procedures in place and enforced

  • Physical security

  • Operating procedures

  • Data backup mechanisms

  • Systems development and maintenance

  • Database security

  • Data and voice communications security

  • Systems and access-control processes

  • Insurance

  • Security planning and administration

  • Application controls

  • Technology deployment

  • Password policy

The goal of this phase is to ascertain the security posture of the firm in relation to the risks identified in Phase 1. Report observations and recommendations to senior management so that action can begin toward implementing any cost-effective recommendations for heightening the firm's security posture.

Phase 3: Business Impact Assessment (BIA)

A business impact assessment (BIA) of all business units enables the team to do the following:

  • Ascertain the impact of events (disaster, compromise) to the system or any critical function

  • Assess the maximum time that a business unit can survive loss of operation

In addition, the BIA helps to identify the critical systems and processes for each business unit. However, the true intent of the BIA is to determine the timeframes in which critical functions must be restored to operation in the wake of a disaster. This information can be used to drive the resources required to ensure that those metrics are met for all critical functions and business units.

Phase 4: Detailed Definition of Requirements

This phase focuses on developing a profile for the continuity-of-operations plan. This profile is to be used as a basis for analyzing alternative strategies for business continuity and disaster recovery. It's important to identify the resources needed to support the critical functions identified in Phase 3, such as the following:

  • Hardware: Mainframe, data and voice communications equipment, personal computers, NICs, routers, switches, firewalls, intrusion-detection systems, and so on

  • Software: Anti-virus software, application code, and so on

  • Documentation: Technology-use policy, security policy and procedures, application user manuals

  • Outside support: Utilities, transportation services, Internet/telecom service providers, and so on

  • Facilities: Office space, office equipment, and so on

  • Personnel for each business unit

COOP strategies must be based on short-term, intermediate-term, and long-term outages.

Phase 5: Plan Development

This phase defines COOP components and documents plans. It's important to document the planned changes to existing firm procedures, whether during normal operations, during a disaster, at a backup site, or afterward, when normal processing has resumed.

At this stage, identify emergency response teams and recovery teams, along with detailed descriptions of their roles and responsibilities. It's also a good idea to develop some sort or awareness or training program for members of these teams, so that they're equipped and prepared to perform these vital functions.

The same individuals may make up the two teams; however, due to the potential workload and the criticality of these job tasks, it may be wise to have different people on these teams.

Phase 6: COOP Testing Program

The goal of testing the COOP is to ensure that the plan will meet the criteria of restoring the firm's operations within the specific critical timeframes determined in Phase 3. Numerous testing strategies should be evaluated until a strategy that's tailored to the firm's specific environment stands out.

There are many kinds of tests to consider:

  • Checklist test. Essentially a proofreading of the plan by all parties involved to ensure that nothing has been missed.

  • Structured walk-through. A step-by-step analysis of how the plan works (what steps are performed, and by whom), from the objectives through to the details of recovery options. Again, representatives of all parties take part in the test.

  • Simulation test. This is similar to a wedding rehearsal. The staffs involved in the emergency response and recovery efforts go through the steps of the plan to ensure that such steps are feasible and effective.

  • Parallel test. Backup systems are tested while production systems are operational. This verifies that backup processing is functional and produces the same results as the production systems.

  • Full-interruption test. As the name suggests, this is a full-blown live test in which production systems are interrupted and the firm implements the COOP to test its ability to continue business operations.

These tests can be used individually or in combination as a part of the overall test strategy. The approach you take to test the COOP depends in large part on the continuity-of-operations strategies you selected to meet the requirements of the organization. The goal of the testing is to ensure that the strategies are comprehensive in scope and meet the organization's needs effectively.

Phase 7: Maintenance Program

Maintenance of the plan is critical to the success of an actual recovery. The plan must evolve to reflect any changes to the environment. Existing change management processes must be revised to take COOP program maintenance into account. In areas where no change management exists, developing such procedures is strongly recommended.

The plan itself should be evaluated periodically; the frequency of the evaluation should be consistent with the rate of new technology deployment, among other things.

Phase 8: Initial Plan Testing and Implementation

Once a COOP is formally developed, conduct initial tests of the plan to ensure that it will result in the continuity and eventual recovery of communications and data-processing capabilities, as well as the full resumption of normal business processes. Any necessary modifications to the plans must be made based on an analysis of the test results.

  • + Share This
  • 🔖 Save To Your Account