Page 220 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Explaining the Benefits of BCP
At a recent conference, one of the authors discussed business
continuity planning with the chief information security officer
(CISO) of a health system from a medium-sized United States
(U.S.) city. The CISO’s attitude was shocking. His organization had
not conducted a formal BCP process, and he was confident that a
“seat-of-the-pants” approach would work fine in the unlikely event
of a disaster.
This “seat-of-the-pants” attitude is one of the most common
arguments against committing resources to BCP. In many
organizations, corporate thinking is pervaded by the attitude that
the business has always survived and that key leaders will figure
something out if a disaster strikes. If you encounter this
objection, you might want to point out to management the costs
that the business will incur (both direct costs and the indirect
cost of lost opportunities) for each day that it is down. Then ask
them to consider how long a “seat-of-the-pants” recovery might take
compared to an orderly, planned continuity of operations.
Legal and Regulatory Requirements
Many industries may find themselves bound by federal, state, and
local laws or regulations that require them to implement various
degrees of BCP. We’ve already discussed one example in this chapter—
the officers and directors of publicly traded firms have a fiduciary
responsibility to exercise due diligence in the execution of their
business continuity duties. In other circumstances, the requirements
(and consequences of failure) might be even more severe. Emergency
services, such as police, fire, and emergency medical operations, have
a responsibility to the community to continue operations in the event
of a disaster. Indeed, their services become even more critical in an
emergency when public safety is threatened. Failure on their part to