Information Security

 Business Continuity Planning

Business continuity deals with keeping a department and an institution in business after a disaster has been experienced and takes a lot more into account than just technology. Disaster recovery focuses on how to survive a disaster and what to do right after a disaster. These plans are usually technology-oriented and focus on getting the network and systems up and running as quickly as possible. Business continuity planning (BCP) is receiving more attention because of the heightened awareness of recent years, and new regulatory requirements that reinforced the need for insightful planning. The following topics are critical subject areas of business continuity:


  • Business continuity and disaster recovery planning: Management leadership, goals and requirements, business impact analysis, team construction and operations, plan testing and implementation.
  • Backup alternatives: Hardware, software and network approaches, physical security and access, multiple sites, and recovery from offsite facilities.
  • Recovery and testing: Strategies for executing recovery, phase and complete plan testing.
  • Emergency response: Preserving assets and life, reducing fraud, theft and vandalism.

For more information read the following document: EPCC Business Continuity Planning Procedure draft (PDF)

Disaster recovery (DR) is a subordinate component of business continuity planning. It is critical that EPCC departments understand the degree of potential damage to the student learning process and departmental and institutional missions that interruptions cause. Disasters can be man-made or natural, technology failures and more. Virtually every type of business interruption causes some effect on the success of our daily activities. It is requisite that we identify the every issue that can affect our operations and develop backup alternatives before we encounter a real occurrence. Contingency Planning Guide for Federal Information System-NIST Special Publication 800-34 Rev. 1 (PDF)

Business impact analysis (BIA) is the nucleus of business continuity planning. The fundamental task is to identify those mission-critical operations and information resources that deserve as much protective measures as is economically feasible. So, the overall goals of the business impact analysis are as follows:


  • Identify the most critical business functions necessary for the survival of the company
  • Identify the necessary resources for those critical functions
  • Calculate the maximum tolerable downtime (MTD) that the company can endure for each resource
  • Identify vulnerabilities and threats
  • Calculate the risk of each threat
  • Provide backup and alternate solutions
  • The business continuity plan provides a response

The business continuity plan provides a response checklist with easily followed steps. A BCP improves responsiveness by minimizing panic and uncertainty by employees that might not be those who perform these tasks on a regular basis. If necessary, augmenters might be asked to step in to roles of great responsibility. The plan will give them some confidence that they will be able to perform these new tasks. Risk Management Guide for Information Technology Systems - NIST Special Publication 800-30

This guide is a very good document for learning the fundamentals of continuity planning. It displays responsibilities of key managers and the structure of teams which form to operate the plan. The Business Impact Analysis, key to plan development, is fully described. Recovery plan goals and the supporting tasks, then how to test the plan wind up this effective treatment.


Business Continuity Planning Guidelines (PDF)

As a department or program complies with EPCC Procedure and test all or part of their Business Continuity Plan, the department head should complete and forward this memorandum to the CIO.

"Compliance with BCP Testing" memorandum (PDF)