Now that the hard work of Phase 1 and 2 have been completed, its time to determine what the mitigating activities will be for each of the scenarios that have been defined. Phase 3 is what the whole BCP is made of, essentially. In this phase, all of the planning, relationship information and real analysis take place. For each disaster scenario defined in Phase 1 and the related risk area in Phase 2, now is the time to determine the appropriate solutions and activities required to resume business to a desired function based on maximum allowable downtime.
Items you want to cover and include are:
- Include in the mitigating activities the specific activities required by all constituents (departments, 3rd parties, etc.)
- Emphasize functional area implementation strategy, including emphasis on IT controls for resumption of IT systems. Do the same for other functional areas of the business.
- Have a full IT Systems Assessment and Security Review performed and completed during this phase. Leave no stone unturned. This is the time to better your IT practices, not necessarily grade your IT department or service providers on their performance.
Parts of this process will include:
- An in-depth review and compare of current IT systems documentation of the computer network configurations, hardware and software in use, network topology, and user and data access security to actual implementation noted in the assessment and review.
- Have in-depth systems scanning of the computer network for vulnerabilities from possible internal and external security concerns such as; employee access to data, viruses, malware, hardware and software patch management, and other rogue malicious services or threats to general network reliability.
- Included in these scans should be email systems and related external services for management, public services such as DNS, and spam/anti-virus filtering.
- Network firewall(s) and routers should also be documented and examined for best practice implementations in regards to Internet communications and remote access to corporate systems from outside of the network.
- Assess the management of IT as it relates to hardware and software purchases and installations by users and the IT Department, general user support and maintenance, support and help-desk interfaces and procedures.
Completing this phase involves:
- Getting estimated costs and estimated time to implement key mitigating activities, as applicable.
- Expanded Phase 2 matrices illustrating the above findings and estimates.
- Include in these updates the detailed findings and remediation options, costs, and time to implement the solutions considered from the full IT Systems Assessment and Security Review.
- Obtain sponsor approval for above expansion(s) from each department.
- Full review of next steps, process and budget from all involved.
After this is complete – we move to Phase 4 – drafting the end result! Stay tuned….