Handbook of Information Security Management: Risk Management and Business Continuity Planning



  Stay Focused on the BCP Scope — Whether the BIA process is for development of technological platforms, end-user, facilities recovery, voice network, etc., it is very important that you do not allow scope creep in the minds of the interviewees. The discussion can become very unwieldy if you do not hold the focus of the loss impact discussions on the precise scope of the BCP project.
  There Are No Wrong Answers — Because all the results will be compared with one another before the BIA report is forwarded, you can emphasize that the interviewee should not worry about wrong answers. As the BIA process evolves, each business unit’s financial and operational impacts will be compared with the others, and those impact estimates that are out of line with the rest will be challenged and adjusted accordingly.
  Do Not Insist upon Getting the Financial Information on the Spot — Sometimes the compilation of financial loss impact information requires a little time to accomplish. We often will tell the interviewee that we will return within a few days to collect the information, so that additional care can be taken in preparation. Make sure that you actually do return and pick up the information later.
  The Value of Push Back — Do not underestimate the value of push back when conducting BIA interviews. Business unit personnel will, most times, tend to view their activities as extremely time-critical, with little or no downtime acceptable. In reality, their operations will be arranged in some priority order with the other business processes of the organization for recovery priority. Realistic MTDs must be reached, and sometimes the interviewer must push back and challenge what may be considered unrealistic recovery requirements. Be realistic in challenging, and request that the interviewees be realistic in estimating their business unit’s MTDs. Common ground will eventually be found that will be more meaningful to those who will read the BIA Findings and Recommendations Report — the senior management group.

Interpreting and Documenting the Results

As the BIA interview information is gathered, a considerable amount of tabular and written information quickly begins to accumulate. This information must be correlated and analyzed. Many issues will arise here, and some will call for follow-up interviews or further information gathering. The focus at this point in the BIA process should be as follows:

  Begin Documentation of the Results Immediately — Even as the initial BIA interviews are being scheduled and completed, it is a good idea to begin preparation of the BIA Findings and Recommendations Report and actually start entering preliminary information. The reason is twofold. First, if you wait until the end of the process to start formally documenting the results, it is going to be more difficult to recall details that should be included. Second, as the report begins to evolve, issues will arise that you will want to investigate further while there is still time to perform the investigation thoroughly.
  Develop Individual Business Unit BIA Summary Sheets — Another practical technique is to document each and every BIA interview with its own BIA Summary Sheet. This information can eventually be imported directly into the BIA Findings and Recommendations Report, and the sheet can also be distributed back to each particular interviewee to authenticate the results of the interview. The BIA Summary Sheet contains a summation of all the verbal information that was documented during the interview. This information will be of great value later as the BIA process evolves.
  Send Early Results Back to Interviewees for Confirmation — By returning the BIA Summary Sheet for each of the interviews back to the interviewee, you can continue to build consensus for the BCP project and start to ensure that any future misunderstandings regarding the results can be avoided. Sometimes you may want to get a formal sign-off, and other times the process is simply informal.
  We Are Not Trying to Surprise Anyone! — The purpose for diligently pursuing the formalization of the BIA interviews and returning to confirm the understandings from the interview process is to make very sure that there are no surprises later. This is especially important in large BCP projects where the BIA process takes a substantial amount of time and there is always a possibility that someone might forget what was said.
  Definition of Time-Critical Business Functions/Processes — As has been emphasized in this chapter, all issues should focus back to the true time-critical business processes of the organization. Allowing attention to be shifted to specific recovery scenarios too early in the BIA phase will result in confusion and lack of attention toward what is really important.
  Tabulation of Financial Impact Information — There can be a tremendous amount of tabular information generated through the BIA process. It should be boiled down to its essence and presented in such a way as to support the eventual conclusions of the BIA project team. It is easy to overdo it with numbers. Just ensure that the numbers do not overwhelm the reader and fairly represent the impacts.
  Understanding the Implications of the Operational Impact Information — Oftentimes, the weight of evidence and the basis for the recovery alternative decision rest on the operational rather than the financial information. Why? Usually the financial impacts are more difficult to accurately quantify because the precise disaster situation and the recovery circumstances are hard to visualize. We know that there will be a customer service impact because of a fire, for instance. But we would have a hard time telling you with any degree of confidence what the revenue loss impact would be for a fire that affects one particular location of the organization. Since the BIA process should provide a qualitative estimate (orders of magnitude), the hard decisions regarding acquisition of recovery resources are, in many cases, based on the operational impact estimates rather than hard financial impact information.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course this version is getting a bit old and may not contain all of the info that the latest versions are covering; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.