How many plans should I prepare? BCP, DRP or COOP
I hate the (incompetent) IS auditor, and here is the story. One day your external auditor from a Big 4 audit firm comes to check your IT systems. This guy discusses some issues with the executive level of your company. This textbook auditor then asks you to prepare some document or plan for use in case of a disaster or incident. You, in charge of the IT department, then ask the auditor a question:
“Can you explain in more detail what type of document you mean? I'm a little bit confused by your jargon of BCP, DRP, COOP. What is the difference?”
And here is the explanation. In theory, according to NIST SP 800-34, these are the plan types you are expected to have:
1. Business Continuity Plan (BCP)
Purpose: Provide procedures for sustaining essential business operations while recovering from a significant disruption
Scope: Addresses business processes; IT addressed based only on its support for business process
2. Business Recovery (or Resumption) Plan (BRP)
Purpose: Provide procedures for recovering business operations immediately following a disaster
Scope: Addresses business processes; not IT-focused; IT addressed based only on its support for business process
3. Continuity of Operations Plan (COOP)
Purpose: Provide procedures and capabilities to sustain an organization’s essential, strategic functions at an alternate site for up to 30 days
Scope: Addresses the subset of an organization’s missions that are deemed most critical; usually written at headquarters level; not IT-focused
4. Continuity of Support Plan/IT Contingency Plan
Purpose: Provide procedures and capabilities for recovering a major application or general support system
Scope: Same as IT contingency plan; addresses IT system disruptions; not business process focused
5. Crisis Communications Plan
Purpose: Provide procedures for disseminating status reports to personnel and the public
Scope: Addresses communications with personnel and the public; not IT focused
6. Cyber Incident Response Plan
Purpose: Provide strategies to detect, respond to, and limit the consequences of malicious cyber incidents
Scope: Focuses on information security responses to incidents affecting systems and/or networks
7. Disaster Recovery Plan (DRP)
Purpose: Provide detailed procedures to facilitate recovery of capabilities at an alternate site
Scope: Often IT-focused; limited to major disruptions with long-term effects
8. Occupant Emergency Plan (OEP)
Purpose: Provide coordinated procedures for minimizing loss of life or injury and protecting property from damage in response to a physical threat
Scope: Focuses on personnel and property particular to the specific facility; not business process or IT system functionality based
OK, eight documents; that may make you sick. Here is the clue: since you're an IT Manager, technically you are only responsible for the DRP (Disaster Recovery Plan), since it is the plan that is really IT-focused (the IT Contingency Plan covers IT system disruptions too, and the Cyber Incident Response Plan is the information-security one, so expect those to land near you as well). The other documents are cross-department documents, so you can get out of this task by sending them to other departments.
You can legitimately tell your executives to have someone in the finance or operations division prepare those documents. Worst case, if your management insists, have your department prepare the IT Contingency Plan as well.
In my experience, a lot of documentation does not always mean effectiveness. You're the IT Manager in charge of the IT environment, so you must have more confidence when dealing with the IS auditor. Seriously, if I were in the position of the external auditor, I would try to get the bigger picture of the auditee and the client's situation before telling him to prepare a lot of documents he could not understand.
Damn, I hate the auditor.