Producing an Abstracted Business Continuity Plan


Developing an Abstracted Business Continuity Plan for Green Accountancy Services

In this blog post, we'll explore how to develop an abstracted business continuity plan, incorporating a business impact analysis (BIA), using the fictitious case of Green Accountancy Services. This exercise is beneficial for professionals, students, and small to medium-sized businesses looking to enhance their understanding of business continuity planning. 


Case Study Context: Green Accountancy Services

  • Services Provided: Green Accountancy Services offers accountancy services for various organizations, handling sensitive information and generating reports for the local tax authority.

  • Office Locations: The firm has five offices across the country, with some offices in earthquake-prone areas and others in flood-prone areas. The head office is located in a large urban area experiencing significant heatwaves.

  • Network and IT: All offices share a centralized network and storage system at the head office. The IT team, based at the headquarters, consists of four individuals with shared security responsibilities.



This task consists of three steps, each of which you should document:

    1. Business Impact Analysis (BIA):

  • Scenario Development: Create a brief scenario (at least 100 words) describing an adverse event that could impact Green Accountancy Services.
  • Identify Critical ICT Functions: Identify at least two critical ICT functions that could be at risk in your scenario.

    2. Information Security Controls:

  • Selection of Controls: Based on your BIA, choose three information security controls from ISO/IEC 27002:2022 that would be affected by your scenario. Select no more than one control from each of the main categories: organizational, people, physical, and technical.

    3. Business Continuity Plan:

  • Plan Development: Using the three identified controls, develop a business continuity plan. For each control, include at least one point following the Plan-Do-Check-Act framework from ISO/IEC 27031. Detail the resources, facilities, and processes needed.


Step 1: Business Impact Analysis (BIA)

Scenario Development:

Imagine a scenario where a major flood impacts one of the offices of Green Accountancy Services located in a flood-prone area. The flood damages the local office's IT infrastructure, including servers and networking equipment, and disrupts connectivity to the central network housed at the headquarters. As a result, employees cannot access critical client data or communicate with other offices.


Identify Critical ICT Functions:

    1. Data Access and Storage: Employees need continuous access to the central data storage at the head office to retrieve client information and financial records.
    2. Network Connectivity: Seamless network connectivity between offices is crucial for communication, data transfer, and coordinated operations.


Step 2: Information Security Controls

Selection of Controls from ISO/IEC 27002:2022:
    1. Organizational Control - Business Continuity Management:

    • Control 17.1.1: Planning Information Security Continuity. Develop and implement processes to ensure the continuous availability of critical information during adverse events.

    2. People Control - Training and Awareness:

    • Control 7.2.2: Information Security Awareness, Education, and Training. Provide ongoing training to employees on emergency procedures and the use of backup systems.

    3. Technical Control - Backup:

    • Control 12.3.1: Information Backup. Regularly back up information, software, and system images and test their availability and reliability.



Step 3: Business Continuity Plan

Plan-Do-Check-Act Framework:

    1. Organizational Control - Business Continuity Management:
    • Plan: Develop a detailed business continuity plan that includes disaster recovery strategies for flood scenarios. Identify alternate office locations and remote working arrangements.
    • Do: Implement the business continuity plan, ensuring that all employees are aware of their roles during a disaster. Conduct regular drills to test the plan.
    • Check: Monitor the effectiveness of the plan through periodic reviews and updates based on feedback from drills and actual incidents.
    • Act: Make necessary adjustments to the plan to address any gaps or weaknesses identified during reviews and drills.

    2. People Control - Training and Awareness:
    • Plan: Develop a training program that includes modules on emergency response, use of backup systems, and remote work procedures.
    • Do: Conduct regular training sessions and simulations to ensure employees are prepared for flood scenarios.
    • Check: Evaluate the effectiveness of the training program through quizzes, feedback, and performance during drills.
    • Act: Update the training content based on feedback and new developments in business continuity practices.

    3. Technical Control - Backup:
    • Plan: Establish a robust backup schedule that includes daily backups of critical data and weekly system images. Store backups in a secure, offsite location.
    • Do: Implement automated backup processes and ensure backups are completed as scheduled. Perform regular tests to verify the integrity and restorability of backups.
    • Check: Review backup logs and test restore procedures periodically to ensure backups are functioning correctly.
    • Act: Address any issues identified during backup tests and reviews, and update backup procedures as needed to ensure data integrity and availability.
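The "Check" step for the backup control can be partly automated: review the backup log against the schedule the plan sets (daily data backups, weekly system images) and confirm that each offsite copy still matches the checksum the backup job recorded. The script below is an added illustration, not part of the original post or of any Green Accountancy Services system; the log records, blob contents and the BackupRecord structure are constructed for the example.

```python
"""Check a week of backup-log records against the plan's schedule and
verify offsite copies by checksum (constructed example, not real tooling)."""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib


@dataclass
class BackupRecord:
    day: date
    kind: str            # "data" (daily) or "image" (weekly system image)
    status: str          # "ok" or "failed", as written by the backup job
    sha256: str          # digest the job recorded when the backup completed
    offsite_copy: bytes  # stand-in for the offsite file contents (constructed)


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def check_backups(records, start: date, end: date):
    """Return findings for the window [start, end]: days without a successful
    data backup, ISO weeks without a successful image, and offsite copies
    whose checksum no longer matches what the job recorded."""
    findings = []
    ok = [r for r in records if r.status == "ok"]
    data_days = {r.day for r in ok if r.kind == "data"}
    image_weeks = {r.day.isocalendar()[:2] for r in ok if r.kind == "image"}
    weeks_in_window = set()
    day = start
    while day <= end:
        weeks_in_window.add(day.isocalendar()[:2])
        if day not in data_days:
            findings.append(f"missing daily data backup on {day}")
        day += timedelta(days=1)
    for year, week in sorted(weeks_in_window):
        if (year, week) not in image_weeks:
            findings.append(f"no successful system image in ISO week {year}-W{week:02d}")
    for r in ok:  # a "completed" job is not proof the offsite copy is intact
        if sha256_hex(r.offsite_copy) != r.sha256:
            findings.append(f"checksum mismatch for {r.kind} backup on {r.day}")
    return findings


def sample_records():
    """Constructed log for ISO week 2024-W02 (Mon 8 Jan to Sun 14 Jan)."""
    recs = []
    for i in range(7):
        d = date(2024, 1, 8) + timedelta(days=i)
        blob = f"client-ledgers-{d}".encode()
        status = "failed" if d == date(2024, 1, 10) else "ok"  # job failed on the flood day
        recs.append(BackupRecord(d, "data", status, sha256_hex(blob), blob))
    image = b"weekly-system-image"  # offsite copy below is truncated in transfer
    recs.append(BackupRecord(date(2024, 1, 14), "image", "ok", sha256_hex(image), image[:-1]))
    return recs
```

Running check_backups(sample_records(), date(2024, 1, 8), date(2024, 1, 14)) reports the failed daily job and the corrupted image copy, which are exactly the two gaps the "Act" step then has to resolve.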


Resources, Facilities, and Processes:
    • Resources: Backup servers, cloud storage solutions, training materials, emergency kits.
    • Facilities: Alternate office locations, remote work capabilities, secure offsite backup storage.
    • Processes: Regular training sessions, automated backup routines, periodic review and update of the business continuity plan.

By following these steps, Green Accountancy Services can develop a robust business continuity plan that ensures resilience against adverse events such as floods, safeguarding critical ICT functions and maintaining operational continuity.



Example Business Continuity Plan Template from ENISA
https://www.enisa.europa.eu/publications/example-bcp-template
