Continued BCP/DRP Maintenance

Once the initial BCP/DRP plan is completed, tested, trained, and implemented, it must be kept up to date. Business and IT systems change quickly, and IT professionals are accustomed to adapting to that change. BCP/DRP plans must keep pace with all critical business and IT changes.

Change Management

The change management process was discussed in depth previously in this chapter. This process is designed to ensure that security is not adversely affected as systems are introduced, changed, and updated. Change management includes tracking and documenting all planned changes, formal approval for substantial changes, and documentation of the results of the completed change. All changes must be auditable.

The change control board manages this process. The BCP team should be a member of the change control board and attend all meetings. The goal of the BCP team’s involvement on the change control board is to identify any changes that must be addressed by the BCP/DRP plan.

BCP/DRP Version Control

Once the Business Continuity Plan and associated plans (such as the Disaster Recovery Plan) are completed, they will be updated routinely. Any business or operational change to systems documented by the BCP and related plans must be reflected in updated plans. Version control becomes critical. For example, the team handling a disaster should not be working on an outdated copy of the DRP.

Any updates to core BCP/DRP plans should be sent to all BCP/DRP team members. The updates should include a clear cancellation section to remove any ambiguity over which version of the plan is in effect. Many DRP members will keep hardcopies of the plans in binders, so there must be a process to manage updates to printed materials as well.

BCP/DRP Mistakes

Business continuity and disaster recovery planning are a business’s last line of defense against failure. If other controls have failed, BCP/DRP is the final control. If it fails, the business may fail.

The success of BCP/DRP is critical, but many plans fail. The BCP team should consider the failure of other organizations’ plans, and view their own under intense scrutiny. They should ask themselves this question: “Have we made mistakes that threaten the success of our plan?”

Common BCP/DRP mistakes include:

  • Lack of management support
  • Lack of business unit involvement
  • Lack of prioritization among critical staff
  • Improper (often overly narrow) scope
  • Inadequate telecommunications management
  • Inadequate supply chain management
  • Incomplete or inadequate crisis management plan
  • Lack of testing
  • Lack of training and awareness
  • Failure to keep the BCP/DRP plan up to date