WHITE PAPER
Business Continuity Planning Concept of Operations
Curtis Keliiaa
Copyright SANS Institute 2021. Author Retains Full Rights.
This paper was published by SANS Institute. Reposting is not permitted without express written permission.
                       BUSINESS CONTINUITY PLANNING CONCEPT OF OPERATIONS
                    BCP Command Structure
                    Business Continuity Planning (BCP) is a program that assesses the existing
                    operations, risks, and customer relationships of an organization for the development
                    of organizational preparedness. BCP develops an integrated approach to ensuring that
                    critical processes continue to function during and after a disaster or incident that
                    interrupts the operation of the organization. The Homeland Security national incident
                    management system (NIMS) incident command system (ICS) provides the basis for
                    this BCP command structure.

                    The BCP command structure is designed to benefit the operational environment with
                    coordinated emergency management (EM), IT disaster recovery (ITDR), and
                    continuity of operations planning (COOP) BCP elements. Roles have been assigned
                    as they pertain to executive management and decision makers. Note that the
                    infrastructure support function has been identified as a specific section because of the
                    core services provided to keep the organization in operation. Similarly, finance and
                    administration and line operations functional areas have been added because of
                    their critical importance at a program level. BCP / COOP, IT support and EM program
                    offices are also included to illustrate the ongoing effort needed to sustain BCP
                    program viability. The BCP command structure is illustrated in Figure 1.

                    [Organization chart: Business Continuity Planning Command Structure, Based on the Homeland Security NIMS/ICS]
                    Figure 1: BCP Command Structure

© SANS Institute 2006, As part of the Information Security Reading Room. Author retains full rights.
© 2021 SANS Institute. Author Retains Full Rights.
                    BCP Roles
                    • Emergency Incident Commander (EIC) – The EIC is responsible for on-site field
                      emergency operations until threats and hazards to people, facilities and the
                      environment are terminated.
                    • Public Information Officer (PIO) – The PIO is responsible for public relations
                      communication.
                    • Administrative Finance Chief (AFC) – The AFC is responsible for overall
                      coordination of emergency funding and cost collection.
                    • Emergency Director (ED) – The ED is responsible for all emergency operations
                      coordination and communications and doubles as the emergency management
                      section chief. The ED calls for BCP activation and declares that normal
                      operations may resume upon BCP termination.
                    • BCP Incident Commander (BCP IC) – The BCP IC is responsible for overall BCP
                      coordination and communications. The BCP IC declares BCP termination.
                    • Section Chief (SC) – An SC is responsible for coordination of area activities and
                      reporting to the ED and BCP IC any issues that require higher level attention.
                    • Recovery Manager (RM) – The RM is responsible for all mission recovery
                      coordination, which includes the restoration of support services needed to perform
                      mission during BCP operations and full recovery to normal operations.
                    • Recovery Coordinator (RC) – An RC is responsible for supporting the RM by
                      facilitating the resumption and recovery of EM, ITDR and COOP BCP elements.
                    • Contingency Planning Coordinator (CPC) – The CPC is responsible for overall
                      coordination of COOP planning to ensure consistency in development and
                      provide resources to support implementation across the organization.

                    This functional model for BCP is considered to be a distributed solution that provides
                    responsiveness in any situation and allows individuals to solve the problems at hand.
                    The majority of recovery work will be done by operations teams under the direction
                    of the section chiefs. The BCP command structure is intended to facilitate consistency
                    in approach and communications. Each incident is unique and requires evaluation of
                    vulnerabilities and threats to determine appropriate action. Such a distributed solution
                    will maximize value and provide dynamic response in the worst of times.

                    Figure 2 illustrates the coordination and overlap of EM and BCP facilitated through
                    consistent command, public and internal communications where vulnerabilities for
                    each incident are examined and BCP activation is called for by the emergency
                    director when organizational operation is threatened. Note that appropriate levels of
                    physical and cyber security must be maintained throughout the BCP life cycle.

                    [Diagram: Emergency Management and Business Continuity Planning, Command, Public and Internal Communications]
                    Figure 2: EM and BCP Command, Public and Internal Communications

                   BCP Conditions of Activation, Operation and Termination
                    Emergency operations have established methodologies for emergency response
                    rooted in the NIMS / ICS. These include roles and activities that define initial
                    emergency response (activation phase), resolution of the emergency situation
                    (termination phase) and return to normal operations (recovery phase). BCP activation
                    will work in-kind with EM, meaning that the emergency director will have authority
                    of control for the BCP activation and operation phases for all operations of the
                    organization. The emergency incident commander will work with the emergency
                    director and section chiefs to manage initial response through to the termination of
                    the emergency situation. The emergency situation is terminated when threats and
                    hazards to people, facilities and the environment are controlled and a safe
                    environment is restored. Upon emergency director declaration of BCP activation, the
                    BCP incident commander coordinates BCP operation with the section chiefs and the
                    EM recovery team (recovery manager and recovery coordinators).

                    BCP Conditions of Activation
                    BCP activation is triggered when an incident is determined to threaten mission
                    operations. Threats to mission operations include: threats to people, facilities and the
                    environment requiring emergency response; threats to critical infrastructure that are
                    essential to the operation of the organization (facilities, energy and water utilities,
                    information and communication networks); threats to the operability of critical
                    processes, supply and critical partnerships.
                    The emergency director declares BCP activation to initiate resumption and recovery
                    services and communication. BCP activation puts into action mission operation
                    contingency plans in order to sustain critical processes and services.
                    BCP Conditions of Operation
                    BCP operations initiate upon BCP activation as contingency plans and recovery
                    operations begin. Contingency operations run in conjunction with EM recovery
                    operations through to completion of the BCP operations phase. Mission recovery
                    includes the recovery of facilities, infrastructure and services required for the return
                    to normal operations. The BCP incident commander declares that BCP operations are
                    completed upon consensus from the emergency director, section chiefs, recovery
                    manager and recovery coordinators.

                    BCP Conditions of Termination
                    BCP operations can be terminated when facilities, infrastructure and services are
                    sustainable and reliable. The emergency director declares that normal operations may
                    resume upon consensus from the BCP incident commander, section chiefs, recovery
                    manager and recovery coordinators.

                   Critical Issues
                    BCP operations are dependent on planning, communication, coordination and
                    security. Critical issues include:

                    1. Personnel Safety
                    2. Environmental Safety
                    3. Physical Security
                    4. Cyber Security
                    5. Identification of Critical Personnel
                    6. Identification of Critical Assets
                    7. Identification of Critical Processes
                    8. Identification of Vital Records
                    9. Established Command Structure
                    10. Managed Command Communications
                    11. Managed Public Information and Safety Communications
                    12. Managed EM and BCP Internal Communications
                    13. Prioritization of Activities
                    14. Training, Testing and Continual Improvement
                    15. Timely Implementation