Business Continuity Plan

Organization

1
INFORMATION SECURITY
Version 1.

This document has been prepared by AGESIC (Agency for the Development of Management Government)
Electronics and the Society of Information and Knowledge.

The document presented is a guide for the establishment of a Business Continuity Plan.
in the organization, which must be adapted to its reality.

You are free to copy, distribute, communicate, and disseminate this document with the personnel of the area
information security, as well as creating derivative works from it to improve the document.

2
Business Continuity Plan (BCP)
Version Category
Last State
update

Distribution list

Each of the following people must have a copy of this plan in

paper format to be used in case of disaster. Each of the teams in the
the following list will receive updates to this document for the purposes of
keep the documentation updated.

Role Name Cargo

Objective
The objective of this Business Continuity Plan (BCP) is to serve as a guide for
the recovery of the critical processes of <organization>. The current plan defines
high level, the processes required to restore services after an event of
disaster.

Scope
This plan encompasses the critical processes for the operation of <organization>.

Assumptions

This BCP is based on a series of assumptions for the proper execution of the plan.
the same are described below:

The disaster affects a site of <organization>, while the site of

Contingency is available.
There are detailed procedures for recovery, in addition to the present one.
plan.
The disaster does not have a widespread impact in the area.
The key contacts and defined recovery groups are available for
coordinate recovery efforts and implement procedures
defined.

3
Alternative site

In the event of a disaster affecting the facilities of <organization>, the use has been planned
of alternative facilities where critical operations can be resumed
organization.

If the alternative facilities were not found under the appropriate conditions, they would...
they may use other facilities that are deemed appropriate. The criteria for
select a site will be the following:

Sufficient space for the development of activities

Parking lot, loading or unloading area
Adequate communication and energy installations
Physical security measures according to the needs
Availability for equipment installation if necessary
Well-being of the officials

Contingency strategy

Summary of the contingency strategy

The strategy considers the recovery of operations with the least impact on the
users and the general public. It focuses on resolving aspects
related to technology, suppliers, and services offered to the public.

Specifically, it focuses on the following:

Personnel security in alternate facilities
Establish priorities for the allocation of technological resources and personnel
Delegate recovery responsibilities to each functional area
Central management of recovery efforts
Communication of the situation status to the relevant authorities and
general public if applicable.

Internal procedures
Technology

Include at this point the description of recovery procedures and measures of

continuity established in the technological platform of the organization, such as
backups, alternative servers, etc.

Equipment

Indicate if there is an inventory of equipment, its location and

update procedure

Personal, knowledge and skills

Indicate training of personnel in first aid, use of external defibrillators

automated external defibrillators (AED), firefighter training, etc.

4
Building aspects

Indicate at this point the test procedures for emergency equipment,

such as alarms, extinguishers, emergency lights.

Financial aspects

Consider aspects related to insurance in case of having coverage, and definition

of funds to address these situations.

Scope of the plan

After conducting a Business Impact Analysis (BIA), an identification was made

of the critical processes and the time in which the activities must be recovered.

The approximate times for recovery are indicated below

critical processes of the organization. Recovery teams may use the
Present table as a reference for coordinating recovery activities.

Critical process Period of

recovery (RTO)

5
Recovery equipment

The structure of the recovery teams is critical to the success of the process. The
teams have been formed with personnel from different areas to have a
global view of the organization's processes.

The heads of each recovery team are defined in the table.

next.

Roll by Name Data Contact Data of

recovery contact alternative contact

Classification of events
The organization can be affected in different ways by each of the
disaster situations. This plan focuses on the scenarios that involve the
less than a medium probability of occurrence and a high impact on the organization.

Disaster scenarios

The events that can affect the organization's operations have been
categorized into natural events, environmental events, and other threats, and include
the following cases:

Naturals Fire
Flood
Pandemic
Other climatic aspects

Of the environment Power supply failure or

Water supply outage
Explosions
Non-compliance of external suppliers
Destruction of equipment
Problems on the technological platform
Accidental death

Others Sabotage
threats Bomb threats
Security breaches
Loss of key personnel

6
Potential impact

The mentioned disaster scenarios can result in impacts such as those that
The following are indicated:

Loss of organizational resources

2. Loss of technological platform
3. Suspension of operations
4. Loss of critical equipment

Below is a table that relates the potential event and the scenario of
disaster.

7
Impact on the Loss Loss of Suspension Loss of
tasks resources of the platform of the equipment
Scenario organization technological critical operations
Natural disasters
Fire X X X X
Flood X X X X
Pandemic X X
Others aspects X X
climatic
Environmental disasters
Supply failure X X X
of water
Supply failure X X
of energy
Explosions X
Non-compliance of X
suppliers
externals
Destruction del X
equipment
Problems in the X
platform
technological
Death X
accidental
Other threats
Sabotage X
Threats of X X
bomb
Gaps of X X
security
Loss of staff X
key

8
Fire, flood, and other climate disasters

These scenarios consider the organization's inability to operate from its

usual facilities for a period of time, and they assume that:
There is a total loss of access to the organization's facilities, or
Each area of the building can be impacted by the situation, and
The building loss is specific to the organization.

Pandemic

This scenario considers the unavailability due to illness concurrently of

an important part of its staff and assumes that:
There is a widespread impact on all areas, or
At least one area is in a critical situation regarding resources.
of personnel to carry out the tasks.

Loss of key personnel

This scenario considers the unavailability of key personnel and assumes:

Loss of key skills and knowledge
Loss of high authorities

Loss of technological platform

This scenario considers a total loss of technological infrastructure and assumes:

Loss of internal network and/or internet connectivity
Loss of servers
Loss of phone connectivity

Loss of energy or water supply

This scenario covers a total loss of services.

Loss of critical equipment or destruction of equipment

These scenarios cover the loss of all or part of the critical equipment for the
operations of the organization, such as:
Printer 1
<Scanner 1>
<Etc.>

Checklist

Initial response procedures are critical for managing a scenario of

efficient disaster, reducing the impact on operations of the
organization. The following tasks must be completed immediately and are used
as a trigger for the initial response to the relevant disaster scenario. The
Completeness of the checklist ensures that all activities were carried out in
the planned time ranges.

9
Id. Activities Responsible Range Finished
time
1 Inform the <name or position> of In form
incident, mentioning: immediate to the
Date and time of the incident detect a
The way it was incident
detected
2 Perform an impact analysis 1 – 5 minutes
initial and determine actions
3 Notify first aid for 1 – 5 minutes
ensure that a provision is made for a
proper attention to staff
affected
4 Notify the security personnel 1 - 5 minutes
physics / surveillance in case of the
event affects the building
5 Notify the severity del 15 minutes
incident a the teams of
recovery
6 Evaluate the need to declare 15 - 20
disaster and apply the measures minutes
forecasted in the Plan of
Business Continuity and Plan
Disaster Recovery
7 Working together with the Every 5 - 15
Police, Firefighters and Emergency minutes
Doctor (if applicable)
8 Notify the activation of the plan to 15 - 20
the affected references in each minutes
area
9 Gather a the teams of 30 minutes
recovery and determine:
Frequency of meetings
Need for resources
Affected processes
Procedures of
recovery
10 Determine if the incident can 45 minutes
to have an impact on the image
public of the organization
11 Analyze the need to issue 60 minutes
announcements or hold a press conference
from the press, as deemed appropriate
appropriate
12 Monitor y review the Continuously
recovery procedures
applicable ato the processes
affected and the scenario

10
Recovery timelines
Time ranges
The recovery time of activities is critical to ensure that the
usual operations can be recovered with minimal impact. The scale of
the following time is considered:

Period 1: immediate
Period 2: 24 hours
Period 3: 3 days
Period 4: 1 week
Period 5: 2 - 4 weeks

The times allow indicating the criticality of the activities identified by the
organization. Most of the recovery tasks will take place in the
first three periods to minimize the impact of the event.

The objectives for each time period are indicated in the table.
continuation:

Period Tasks
immediate Notify the staff
Notify emergency services if applicable
Notify CERTuy if applicable
24 hours Notify external parties
Ensure that there are backups of critical information
Notify the insurer if applicable
3 days Assessment of the availability of supplies for the processes of the
organization
1 week Completion of system recovery activities and
processes
The software and hardware are available.
2 - 4 weeks The officials are relocated to the alternate facilities.
The execution of critical processes resumes.
The process of refurbishing the facilities begins.
usual

Recovery procedures
The periods indicated in the table correspond to maximum periods, the tasks
they can be completed in shorter periods.
Include all procedures that are deemed necessary based on the scenarios.
that are determined as probable according to the risk analysis of the
organization. The procedures included below are presented as
example>

Loss of facilities

The following recovery procedures must be executed when the

the organization's facilities are inaccessible. If the facilities are not
are found accessible, as defined in section 3, must be executed the
next high-level actions.

11
 Period Assignment Responsibility Finalized
Immediate Notify the officials
Notify the police and services of
emergency
24 hours Contact the insurer
3 days Locate key personnel at the alternative site
1 week Finalize the recovery of site elements
principal
4 weeks Start operations from the alternative site

Loss of personnel

The following high-level actions must be executed when it is verified that

loss of at least 25% of the organization's staff, or they are affected
critical areas in their entirety, for example due to illness.

Period Task Responsibility Finalized

Immediate Determine if the loss of personnel
Is it temporary or permanent?
Determine the cause of the loss
24 hours Inform the health authorities if applicable
3 days Obtain temporary staff
1 week Complete initial induction
4 weeks Performance evaluation of the new
staff in the development of their functions

Loss of technological platform

The high-level procedures included below must be
executed in the event of loss or failure of availability of the technological platform
the organization.

Period Task Final Responsibility

Immediate Contact technology personnel
24 hours Obtain information from backups
3 days Determine equipment needs of
emergency and repair, buy or lease
teams
1 week Verify correct operation of the
technology platform
4 weeks Evaluate the deployment of the platform
technological in another definitive environment (in
if necessary

Loss of energy or water services

The following high-level procedures should be executed when there is a

failure in the provision of energy or water services.

Period Task Responsibility Finished

Immediate Determine scope - building, area,
department, etc.
Contact the service provider

12
 Period Task Final Responsibility
24 hours Verify that the case was attended by the
supplier company
3 days In case the service shortage persists,
to evaluate measures alternatives (e.g.
generators
1 week Check the operation of the systems with
alternative measures
4 weeks Check the proper resolution of the service and
backward

Loss of key suppliers

The following high-level procedures should be executed when...

noted the loss of one or more key suppliers.

Period Task Responsibility Completed

Immediate Contact the supplier
Determine if the impossibility
Is the job permanent or
temporal
Confirm stock levels of the
product if applicable
24 hours Contact suppliers
alternatives
Request quotes
3 days Receive offers from suppliers
Start review of the offers
1 week Finalize review of
suppliers and offers
4 weeks Start a business relationship with
supplier

Loss of critical equipment

The following high-level tasks must be executed when failures are detected.
in critical equipment that affects the organization's critical processes.

Period Task Responsibility Finished

Immediate Identify the processes y
affected equipment
24 hours Conduct an analysis of
impact
Evaluate the feasibility of
repair the equipment
affected
3 days In case it is not repairable,
send quotation request to
plaza suppliers

13
 Period Task Responsibility Completed
1 week Receive and evaluate offers
Determine offer more
convenient
Start procedures of
acquisition
4 weeks Validate the correct
operation del
equipment

Testing and updating the plan

The testing and updating of the BCP is critical to ensure that the document
is still valid and appropriate to the reality of the organization. The owner of
document is responsible for its update and ensuring that the information of
it is correct and complete.

Types of tests

The organization's recovery operations test will be conducted in a manner

planned.

The tests will be conducted using a combination of the following methodologies:

Type Description
Paper review Review the content of the plan
Essay Validate the content of the plan based on interviews
Use artificial situations to validate that the plan
Partial or total simulation contains the necessary information for a
successful recovery.
Test of the activities Invoke the plans in a situation that does not make
criticism endanger the business
Test complete
Real test of transition to contingency, abandonment of
including the management of
buildings, etc.
incidents

Test intervals

Each recovery scenario must be tested with a frequency of at least

annual, or greater in case a change in conditions that warrants it is determined.

The plan must be kept updated in such a way as to capture the dynamism of the
organization for which it was developed and whose purpose is to protect. This ensures that
any change or modification that arises as a consequence of a test, it
include promptly in the plan.

14
Template for test results report to the BCP

Business Continuity Plan

Test results report

Test date:

Participating areas:

Type of test Paper review Partial simulation

Essay Total simulation

Test act. critiques Complete test

Scope of the test

Test results and proposed modifications to the BCP:

Company:........................

Date:

15
Glossary

Term Meaning
BCP Business Continuity Plan

A BCP or Business Continuity Plan is a

document what describe the methods y
required procedures to recover the
operations at the established levels, after a
disaster situation.
DRP Disaster Recovery Plan

A DRP or Disaster Recovery Plan is

focus on the recovery of the platform
technological. The DRP is referenced by the BCP for
achieve the recovery of their computer systems;
these procedures are defined by staff from
technology and are used for technical recovery of
the systems.
SLA Service Level Agreement

A SLA or service level agreement specifies the

service provision conditions to which one
It imposes on a provider, such as response times.

16
Annexes
Annex 1 – Risk Assessment Results
This section must be adjusted according to the results of the risk assessment.
organization
The following risks have been identified as the most likely situations that
could affect the organization.
Risk Probability Impact Impact Mitigation actions
Fire Medium High Losses Fire alarms,
edilicias procedures from
Disruption the evacuation,
operation training the
normal personal, inspection of
Firefighters
Flood Medium Average Disruption Building Maintenance
functioning
normal
Activities Low Medium Disruption Alarm, CCTV, personnel
criminals functioning surveillance
normal
Loss of Low High Continuity of the First assistances,
personal key Defibrillator Business External
Automatic (DEA)
Failure from below Under Communications Use of mobile phones
telephony externals
Loss of Low Middle Technology, Lighting of
energy lighting emergency UPS,
among others generators
Loss of Medium Medium Services Redundancy
platform externals e
technological interns
Loss of Middle High Compliance Backrests of
information Disruption to the information
functioning
normal
Medium Non-compliance High Disruption to the multiples suppliers
o of functioning SLAs
provider normal
external

Risk matrix

High Medium High High

Medium Under Medium High
Under Low Under Medium
Under Medium High

Probability

17
Annex 2 - Contact information of external suppliers

Company 1
Service
Contact:
Address:

Telephone:
Fax:
E-mail:
Web:
Phone of
guard

Company 2
Service
Contact:
Address:

Phone:
Fax:
E-mail
Web:
Telephone of
guard

Annex 3 – Contact details

Personal key - References
Name Address Cell phone Telephone

Contact details of other officials

Name Address Cellular Telephone

18
 Name Address Cellular Phone

Annex 4 - Classification matrix of the organization's equipment

Reference a spreadsheet that contains the classification of the equipment regarding

criticidad: alta, media y baja>

Annex 5 – Plans of the organization's offices

Include or reference the organization's plans with evacuation routes

References
Include references to other relevant documents, such as procedures

Revision history

Review Date Responsible Summary of changes

19