The DRI International Glossary for Resilience is carefully curated by industry experts to present best-in-class definitions for terms used in our profession. Regularly updated, the glossary aims to promote a common set of universal terms in order to reduce confusion and remove inconsistencies. More details about Cited References and Glossary Changes can be found at the bottom of this page.
A

Maximum elapsed time between a disruption and restoration of needed operational capacity or capability.

The level of potential losses that a society or community considers acceptable given existing social, economic, political, cultural, technical and environmental conditions. UNISDR Editor’s Note: In engineering terms, acceptable risk is also used to assess and define the structural and non-structural measures that are needed in order to reduce possible harm to people, property, services and systems to a chosen tolerated level, according to codes or “accepted practice” which are based on known probabilities of hazards and other factors.

A role that is very similar to business relationship manager, but includes more commercial aspects. Most commonly used when dealing with external customers.

Formal declaration by a Designated Accrediting Authority (DAA) or Principal Accrediting Authority (PAA) that an information system is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards.

The implementation of business continuity procedures, activities and plans in response to a serious incident, emergency, event or crisis.

Monitoring of a configuration item or an IT service that uses automated regular checks to discover the current status.

Notification that a potential disaster situation is imminent, exists or has occurred; usually includes a directive for personnel to stand by for possible activation.

An approach for prevention, mitigation, preparedness, response, continuity, and recovery that addresses a full range of threats and hazards, including natural, human-caused, and technology-caused.

The routing of information via an alternate cable or other medium (i.e. using different networks should the normal network be rendered unavailable).

A site held in readiness for use during a business continuity invocation to continue the urgent and important processes of an organization. The term applies equally to office or technology requirements. BCI Editor’s Note: Alternate sites may be known as ‘cold’, ‘warm’ or ‘hot’. They might also be called simply a recovery or backup site. In the UK the more traditional term is “alternative site”.

An alternate operating location to be used by business functions when the primary facilities are inaccessible.
  Similar terms:
  Alternate Locations (FCD 1): Fixed, mobile, or transportable locations, other than the headquarters facility, where D/A leadership and continuity personnel relocate in order to perform essential functions following activation of the continuity plan. These include locations to which agency leadership may devolve. These locations refer not only to physical sites but also to work arrangements such as telework and mobile work.
  Alternate Work Area (DRJ): Recovery environment complete with necessary infrastructure (desk, telephone, workstation, and associated hardware and equipment, communications, etc.).
  Fallback (BCI/DRJ): A fallback facility is another site/building that can be used when the original site/building is unusable or unavailable.
  Secondary Site (DRI): A location other than the primary site which can be used for the resumption of business operations and other functions in the event of a disaster, a major system or infrastructure malfunction or an inability to access the primary site. A secondary site can be used:
  Work Area Recovery (BCI/DRJ): The component of recovery and continuity that deals specifically with the relocation of a key function or department in the event of a disaster, including personnel, essential records, equipment supplies, work space, communication facilities, work station computer processing capability, fax, copy machines, mail services, etc. Office recovery environment complete with necessary office infrastructure (desk, telephone, workstation, hardware, communications).

Application (DRI): Software program that performs a specific function directly for a user and can be executed without access to system control, monitoring, or administrative privileges.

Application Management (ITIL): The function responsible for managing applications throughout their lifecycle.

Application Portfolio (ITIL): A database or structured document used to manage applications throughout their lifecycle. The application portfolio contains key attributes of all applications. The application portfolio is sometimes implemented as part of the service portfolio, or as part of the configuration management system.

Application Recovery (BCI/DRJ): The component of disaster recovery that deals specifically with the restoration of business system software and data after the processing platform has been restored or replaced.

Architecture (ITIL): The structure of a system or IT service, including the relationships of components to each other and to the environment they are in. Architecture also includes the standards and guidelines which guide the design and evolution of the system.

Assessment (ITIL): Inspection and analysis to check whether a standard or set of guidelines is being followed, that records are accurate, or that efficiency and effectiveness targets are being met.

Asset (BCI/DRJ): Anything that has value to the organization. BCI Editor’s Note: This can include physical assets such as premises, plant and equipment as well as HR resources, intellectual property, goodwill and reputation.
Asset Management (ITIL): Asset management is the process responsible for tracking and reporting the value and ownership of financial assets throughout their lifecycle. Asset management is part of an overall service asset and configuration management process.

Audit (ISACA): Formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met. Scope Note: May be carried out by internal or external groups.

Audit Trail (CNSSI-4009)

Auditor (ASIS): Person with competence to conduct an audit. [ISO 9001 2000]

Authentication (DRI): The process of verifying the identity or other attributes claimed by or assumed of an entity (user, process, or device), or to verify the source and integrity of data. NIST SP 800-53: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

Authority Having Jurisdiction (NFPA 1600): An organization, office, or individual responsible for enforcing the requirements of a code or standard, or for approving equipment, materials, an installation, or a procedure.

Authorization (CNSSI-4009): Access privileges granted to a user, program, or process, or the act of granting those privileges.

Automatic Call Distribution (ACD) (ITIL): Use of information technology to direct an incoming telephone call to the most appropriate person in the shortest possible time. ACD is sometimes called Automated Call Distribution.

Availability (HIPAA): The property that data or information is accessible and useable upon demand by an authorized person.

Awareness (BCI/DRJ): To create understanding of basic BCM issues and limitations. This will enable staff to recognize threats and respond accordingly. Examples of creating such awareness include distribution of posters and flyers targeted at a company-wide audience or conducting specific business continuity briefings for executive management of the organization. Awareness is less formal than training and is generally targeted at all staff.

B

Backup (BCI/DRJ): A process by which data, electronic or paper based, is copied in some form so as to be available and used if the original data from which it originated is lost, destroyed or corrupted.

Basel Accord (Basel III) (BCI/DRJ): An agreement by international financial institutions on the financial risk assessment and ratios between capital and risk.

Benchmark (ITIL): The recorded state of something at a specific point in time.
Benchmarking (BCI/DRJ): Comparing a benchmark with a baseline or with best practice. The term benchmarking is also used to mean creating a series of benchmarks over time and comparing the results to measure progress or improvement.

Best Practice (ITIL): Proven activities or processes that have been successfully used by multiple organizations.

Biological Hazard (UNISDR): Process or phenomenon of organic origin or conveyed by biological vectors, including exposure to pathogenic micro-organisms, toxins and bioactive substances, that may cause loss of life, injury, illness or other health impacts, property damage, loss of livelihoods and services, social and economic disruption, or environmental damage. UNDRR Editor’s Note: Examples of biological hazards include outbreaks of epidemic diseases, plant or animal contagion, insect or other animal plagues and infestations.

Black Swan (BCI/DRJ): A term popular in BCM, based upon a book of the same name in which the author defines a black swan as an event that could not be predicted by normal scientific or probability methods. BCM professionals need to prepare for “black swan” events.

Business Continuity (NFPA 1600): An ongoing process to ensure that the necessary steps are taken to identify the impact of potential losses and maintain viable recovery strategies, recovery plans, and continuity of services.

Business Continuity Coordinator (DRJ): A role within the BCM program that coordinates planning and implementation for overall recovery of an organization or unit(s).

Business Continuity Management (BCM) (ISO 22301): Holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business Continuity Management Lifecycle (BCI/DRJ): A series of business continuity activities which collectively cover all aspects and phases of the BCM program.

Business Continuity Management Program (BCI/DRJ): Ongoing management and governance process supported by top management and appropriately resourced to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of products and services through training, exercising, maintenance and review.

Business Continuity Management System (BCMS) (ISO 22301): Part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity. ISO Editor’s Note: The management system includes organizational structure, policies, planning activities, responsibilities, procedures, processes and resources.

Business Continuity Management Team (BCI/DRJ): A group of individuals functionally responsible for directing the development and execution of the business continuity plan, as well as responsible for declaring a disaster and providing direction during the recovery process, both pre-disaster and post-disaster.

Business Continuity Maturity Model (BCMM) (BCI/DRJ): A tool to measure the level and degree to which BCM activities have become standard and assured business practices within an organization.

Business Continuity Plan (BCP) (BCI/DRJ): A documented collection of procedures and information that is developed, compiled, and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical products and services at an acceptable predefined level.
  Similar term:
  Continuity Plan (FCD 1): A documented plan that details how an individual organization will ensure it can continue to perform its essential functions during a wide range of events that impact normal operations.
Business Continuity Plan Administrator (BCI/DRJ): The designated individual responsible for plan documentation, maintenance, and distribution.

Business Continuity Planning (BCI/DRJ): The process of developing prior arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions can continue within planned levels of disruption. The end result of the planning process is the BC Plan.

Business Continuity Policy Statement (BCI/DRJ): A BCM policy sets out an organization’s aims, principles and approach to BCM, what will be delivered and how, key roles and responsibilities, and how BCM will be governed and reported upon.

Business Continuity Program (ISO 22301): Ongoing management and governance process supported by top management and appropriately resourced to implement and maintain business continuity management.

Business Continuity Program Board (BCI/DRJ): A management group to give advice, guidance and management authorization to the BC Manager.

Business Continuity Steering Committee (BCI/DRJ): A top management group to give direction, advice, guidance and financial approval for the BCM programs undertaken by the BCM manager and various BC coordinators.

Business Continuity Strategy (BCI/DRJ): A strategic approach by an organization to ensure its recovery and continuity in the face of a disaster or other major incidents or business disruptions.

Business Continuity Team (BCI/DRJ): The strategic, tactical and operational teams that would respond to an incident, and who should contribute significantly to the writing and testing of the BC plans.

Business Function (BCI/DRJ): A description of work that is performed to accomplish the specific requirements of the organization. Examples of business functions include delivering raw materials, paying bills, receiving cash and inventory control.

Business Impact Analysis (BIA) (FCD 1): A method of identifying the effects of failing to perform a function or requirement.

Business Interruption (BCI/DRJ): Any event, whether anticipated (e.g., public service strike) or unanticipated (e.g., blackout), which disrupts the normal course of business operations at an organization’s location.

Business Interruption Costs (BCI/DRJ): The impact to the business caused by different types of outages, normally measured by revenue lost.

Business Objective (ITIL): The objective of a business process, or of the business as a whole.

Business Operations (ITIL): The day-to-day execution, monitoring and management of business processes.

Business Process (ITIL): A process that is owned and carried out by the business. A business process contributes to the delivery of a product or service to a business customer.

Business Recovery (BCI/DRJ): Steps taken to resume the business within an acceptable timeframe following a disruption.

Business Recovery Coordinator (BCI/DRJ): An individual or group designated to coordinate or control designated processes or testing.

Business Recovery Team (BCI/DRJ): A group responsible for: relocation and recovery of business unit operations at an alternate site following a business disruption; and subsequent resumption and restoration of those operations at an appropriate site.

Business Recovery Timeline (BCI/DRJ): The approved sequence of activities required to achieve stable operations following a business interruption. This timeline may range from minutes to weeks, depending upon the recovery requirements and methodology.

Business Resumption (Singapore MAS): The condition of a function, following its recovery, when it is ready to take on tasks and activities to meet new business obligations.

Business Unit (BCI/DRJ): A business unit within an organization, e.g. branch/division.

Business Unit Coordinator (BCI/DRJ): A staff member appointed by a business unit to serve as the liaison person responsible for all BCM direction and activities within the unit.
C

Call Tree (BCI/DRJ): A document that graphically depicts the calling responsibilities and the calling order used to contact management, employees, customers, vendors and other key contacts in the event of an emergency, disaster or severe outage situation.

Capacity (UNISDR): The combination of all the strengths, attributes and resources available within a community, society or organization that can be used to achieve agreed goals. UNDRR Editor’s Note: Capacity may include infrastructure and physical means, institutions, societal coping abilities, as well as human knowledge, skills and collective attributes such as social relationships, leadership and management. Capacity also may be described as capability. Capacity assessment is a term for the process by which the capacity of a group is reviewed against desired goals, and the capacity gaps are identified for further action.

Change Management (FFIEC): Change management refers to the broad processes for managing organizational change. Change management encompasses planning, oversight or governance, project management, testing, and implementation.

Checklist (BCI/DRJ)

Chief Information Officer (CIO) (CNSSI-4009): Agency official responsible for:
Civil Emergency (BCI/DRJ): Event or situation which threatens serious damage to human welfare in a place, to the environment of a place, or to the security of that place.

Cloud Computing (CNSSI-4009): A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Cold Site (BCI/DRJ): An alternate facility that already has in place the environmental infrastructure required to recover critical business functions or information systems, but does not have any pre-installed computer hardware, telecommunications equipment, communication lines, etc. These must be provisioned at time of disaster.

Command Center (BCI/DRJ): The location, local to the event but outside the immediate affected area, where tactical response, recovery and restoration activities are managed. There could be more than one command center for each event reporting to a single emergency operations center.

Confidentiality (HIPAA): The property that data or information is not made available or disclosed to unauthorized persons or processes.

Contingency Plan (BCI/DRJ): A plan used by an organization or business unit to respond to a specific systems failure or disruption of operations.

Contingency Planning (BCI/DRJ): Process of developing advanced arrangements and procedures that enable an organization to respond to an undesired event that negatively impacts the organization.

Continual Improvement (NFPA 1600): Recurring process of enhancing the management program in order to achieve improvements in overall performance consistent with the entity's policy, goals, and objectives.

Continuity (ASIS): Strategic and tactical capability, pre-approved by management, of an organization to plan for and respond to conditions, situations, and events in order to continue operations at an acceptable predefined level. ASIS Editor’s Note: Continuity, as used in this Standard, is the more general term for operational and business continuity to ensure an organization’s ability to continue operating outside of normal operating conditions. It applies not only to for-profit companies, but to organizations of all natures, such as non-governmental, public interest, and governmental organizations.

Continuity Manager (FCD 1): The Senior Continuity Planner responsible for managing day-to-day continuity programs, representing his/her D/A on the Continuity Advisory Group and working groups, as appropriate, and reporting to the Continuity Coordinator on all continuity program activities.

Continuity of Government (COG) (FCD 1): A coordinated effort within each branch of government (e.g., the Federal Government’s executive branch) to ensure that National Essential Functions (NEFs) continue to be performed during a catastrophic (COG) emergency. FCD Editor’s Note: this term may also be applied to non-Federal governments.

Continuity of Operations (COOP) Plan (NIST SP 800-34): A predetermined set of instructions or procedures that describe how an organization’s mission-essential functions will be sustained within 12 hours and for up to 30 days as a result of a disaster event before returning to normal operations.

Continuous Availability (ITIL): A continuously available IT service.

Continuous Operations (ITIL)
Control (ISACA): The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management, or legal nature. Example controls include policies, procedures, roles, RAID, door-locks etc. A control is sometimes called a countermeasure or safeguard. Control also means to manage the utilization or behavior of a configuration item, system or IT service.

Corporate Governance (BCI/DRJ): The system/process by which the directors and officers of an organization are required to carry out and discharge their legal, moral and regulatory accountabilities and responsibilities.

Corrective Action (ISO 22301): Action to eliminate the cause of nonconformity and to prevent recurrence.

Cost Benefit Analysis (BCI/DRJ): A process (after a BIA and risk assessment) that facilitates the financial comparison of different strategic BCM options and balances the cost of each option against the perceived savings.

Crisis (BCI/DRJ): A critical event, which, if not handled in an appropriate manner, may dramatically impact an organization’s profitability, reputation, or ability to operate. Or, an occurrence and/or perception that threatens the operations, staff, shareholder value, stakeholders, brand, reputation, trust and/or strategic/business goals of an organization.

Crisis Management (BCI/DRJ): The overall coordination of an organization’s response to a crisis, in an effective, timely manner, with the goal of avoiding or minimizing damage to the organization’s profitability, reputation, and ability to operate.

Crisis Management Team (CMT) (BCI/DRJ): A group of individuals responsible for developing and implementing a comprehensive plan for responding to a disruptive incident. The team consists of a core group of decision-makers trained in incident management and prepared to respond to any situation. BCI Editor’s Note: In most countries crisis and incident are used interchangeably, but in the UK the term crisis has traditionally been used for wide-area incidents involving emergency services. However, the recent UK Government sponsored PAS200 document seeks to extend the use of this term beyond the public sector.

Critical Infrastructure (BCI/DRJ): Physical assets whose incapacity or destruction would have a debilitating impact on the economic or physical security of an organization, community, nation, etc.
  Similar term:
  Critical Asset (FCD 1): An asset of such strategic importance to the performance of essential functions that its incapacitation or destruction would have a very serious or debilitating effect on an organization’s ability to perform the function(s).

Cyber Attack (FFIEC): An attempt to damage, disrupt, or gain unauthorized access to a computer, computer system, or electronic communications network; an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.

Cyber Resilience (DRI): An entity's ability to continuously deliver its products and services despite any adverse cyber events by actively protecting against known or potential threats; planning for the recoverability of applications and data; adapting to changing threat landscapes; effectively training personnel about the existing threats; and ensuring that response plans are maintained and exercised.

Cybersecurity (CNSSI 4009): The prevention of damage to, unauthorized use of, exploitation of, and, if needed, the restoration of electronic information and communications systems, and the information they contain, in order to strengthen the confidentiality, integrity and availability of these systems.
D

Damage Assessment (NFPA 1600): An appraisal or determination of the effects of the incident on humans, on physical, operational, economic characteristics, and on the environment.

Data Integrity (FFIEC): The property that data has not been destroyed or corrupted in an unauthorized manner; maintaining and assuring the accuracy and consistency of data over its entire life-cycle.

Data Mirroring (BCI/DRJ): A process whereby critical data is replicated to another device.

Data Recovery (BCI/DRJ): The restoration of computer files from backup media to restore programs and production data to the state that existed at the time of the last safe backup.

Declaration (BCI/DRJ): A formal announcement by pre-authorized personnel that a disaster or severe outage is predicted or has occurred and that triggers pre-arranged mitigating actions (e.g., a move to an alternate site).

Delegation of Authority (FCD 1): Identification, by position, of the authorities for making policy determinations and decisions at HQ, field levels, and all other organizational locations. Generally, pre-determined delegations of authority will take effect when normal channels of direction have been disrupted and will lapse when these channels have been reestablished.

Denial of Service (DoS) (CNSSI-4009): The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.)

Dependency (BCI/DRJ): The reliance or interaction of one activity or process upon another.

Devolution (FCD-1): The transfer of statutory authority and responsibility from an organization’s primary operating staff and facilities to other staff and alternate locations to sustain essential functions when necessary.

Devolution Emergency Response Group (DERG) (FCD-1): Personnel stationed at a geographically dispersed location, other than the primary location, who are identified to continue performance of essential functions.

Disaster (BCI/DRJ): A sudden, unplanned catastrophic event causing unacceptable damage or loss.

Disaster Recovery (DR) (BCI/DRJ): The technical aspect of business continuity. The collection of resources and activities to re-establish information technology services (including components such as infrastructure, telecommunications, systems, applications and data) at an alternate site following a disruption of IT services. Disaster recovery includes subsequent resumption and restoration of those operations at a more permanent site.

Disaster Recovery Plan (NIST SP 800-34): A written plan for recovering one or more information systems at an alternate facility in response to a major hardware or software failure or destruction of facilities.

Disaster Recovery Planning (BCI/DRJ): The activities associated with the continuing availability and restoration planning of the IT infrastructure.

Disaster Risk Reduction (UNISDR): The concept and practice of reducing disaster risks through systematic efforts to analyse and manage the causal factors of disasters, including through reduced exposure to hazards, lessened vulnerability of people and property, wise management of land and the environment, and improved preparedness for adverse events. Comment: A comprehensive approach to reduce disaster risks is set out in the United Nations-endorsed Hyogo Framework for Action, adopted in 2005, whose expected outcome is “The substantial reduction of disaster losses, in lives and the social, economic and environmental assets of communities and countries.” The International Strategy for Disaster Reduction (ISDR) system provides a vehicle for cooperation among Governments, organizations and civil society actors to assist in the implementation of the Framework. Note that while the term “disaster reduction” is sometimes used, the term “disaster risk reduction” provides a better recognition of the ongoing nature of disaster risks and the ongoing potential to reduce these risks.

Disaster/Emergency Management (NFPA 1600/BCI/DRJ)

Disruption (ASIS): An event that interrupts normal business, functions, operations, or processes, whether anticipated (e.g., hurricane, political unrest) or unanticipated (e.g., a blackout, terror attack, technology failure, or earthquake). ASIS Editor’s Note: A disruption can be caused by either positive or negative factors that will disrupt normal functions, operations, or processes.

Distributed Denial of Service (DDoS) (CNSSI-4009): A denial of service technique that uses numerous hosts to perform the attack.

Document (BCI/DRJ): Information and its supporting medium such as paper, magnetic, electronic or optical computer disc or image.

Downtime (BCI/DRJ): A period in time when something is not in operation. BCI Editor’s Note: This is often called outage when referring to IT services and systems.

Duty of Care (BCI/DRJ): A corporate governance requirement to take care of the assets of the organization, a duty incumbent on officers of an enterprise.

E

Emergency (ASIS)
Emergency Management (BCI/DRJ): Emergency management is the responsibility of governments and public authorities, complying with appropriate laws that relate to emergency response. BCI Editor’s Note: An Emergency Management Plan (EMP) is usually managed by one or more Emergency Management Teams (EMT). Different structures exist in different countries.

Emergency Operations Center (BCI/DRJ): The physical and/or virtual location from which strategic decisions are made and all activities of an event/incident/crisis are directed, coordinated and monitored. DRJ Editor’s Note: EOC is different from Command Center.

Emergency Preparedness (BCI/DRJ): The capability that enables an organization or community to respond to an emergency in a coordinated, timely, and effective manner to prevent the loss of life and minimize injury and property damage.

Emergency Relocation Group (ERG) (FCD-1): Staff assigned to continue performance of essential functions at an alternate location in the event that their primary operating facility or facilities are impacted or incapacitated by an incident.

Emergency Response (BCI/DRJ): The immediate reaction and response to an emergency situation, commonly focusing on ensuring life safety and reducing the severity of the incident.

Emergency Response Plan (BCI/DRJ): A documented plan usually addressing the immediate reaction and response to an emergency situation.
  Similar terms:
  Emergency Plan (FCD 1): Documented procedures that direct coordinated actions to be undertaken in response to threats that are typically of limited duration, and do not require an organization to activate its continuity plan. Also referred to as Occupant Emergency Plan or Building Closure Plan.
  Occupant Emergency Plan (OEP) (FCD 1): A short-term emergency response plan which establishes procedures for evacuating buildings or sheltering-in-place to safeguard lives and property. Organizations may refer to this plan as the Emergency Plan or Building Closure Plan. Common scenarios that would lead to the activation of these plans include inclement weather, fire, localized power outages, and localized communications outages. These types of events are generally short-term in nature.

Emergency Response Team (ERT) (BCI/DRJ): Qualified and authorized personnel who have been trained to provide immediate assistance.

Enterprise (CNSSI-4009): An organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risks and performance. An enterprise may consist of all or some of the following business aspects: acquisition, program management, financial management (e.g., budgets), human resources, security, and information systems, information and mission management.

Enterprise Risk Management (ERM) (BCI/DRJ): ERM includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.

Escalation (BCI/DRJ): The process by which event-related information is communicated upwards through an organization’s established chain of command.

Essential Functions (FCD 1): The critical activities performed by organizations, especially after a disruption of normal activities.
Essential Services (BCI/DRJ): Infrastructure services without which a building or area would be considered disabled and unable to provide normal operating services; typically includes utilities (water, gas, electricity, telecommunications), and may also include standby power systems or environmental control systems.

Evacuation (ASIS): Organized, phased, and supervised dispersal of people from dangerous or potentially dangerous areas. [ASIS International Business Continuity Guideline: 2005]

Event (ISO 31000): Occurrence or change of a particular set of circumstances.

Executive / Management Succession Plan (BCI/DRJ): A predetermined plan for ensuring the continuity of authority, decision making, and communication in the event that key members of executive management unexpectedly become incapacitated.

Exercise (NFPA 1600): Activity in which the entity’s plan(s) is rehearsed in part or in whole to ensure that the plan(s) contains the appropriate information and produces the desired result when put into effect.
  Types of Exercises:
  Desk Top Exercise (BCI/DRJ): Technique for rehearsing emergency teams in which participants review and discuss the actions they would take according to their plans, but do not perform any of these actions; can be conducted with a single team, or multiple teams, typically under the guidance of exercise facilitators.
  Call Tree Test (BCI/DRJ): A test designed to validate the currency of contact lists and the processes by which they are maintained.
  Disaster Recovery Exercise (FFIEC): A test of an institution’s disaster recovery or BCP.
  Full-Scale Exercise (DRI): A full-scale exercise is a multi-agency, multi-jurisdictional, multidiscipline exercise involving functional (e.g., joint field office, emergency operations centers) and “boots on the ground” response (e.g., continuity staff relocating to their alternate sites to conduct scenario-driven essential functions).
  Functional Exercise (DRI): A functional exercise examines and/or validates the coordination, command, and control between various multi-agency coordination centers (e.g., emergency operations centers, joint field office). A functional exercise does not involve any “boots on the ground” (i.e., first responders or emergency officials responding to an incident in real time).
  Table Top Exercise (BCI/DRJ): One method of exercising plans in which participants review and discuss the actions they would take without actually performing the actions. Representatives of a single team, or multiple teams, may participate in the exercise, typically under the guidance of exercise facilitators.

Exercise Plan (BCI/DRJ): A plan designed to periodically evaluate tasks, teams, and procedures that are documented in business continuity plans to ensure the plan’s viability. This can include all or part of the BC plan, but should include mission-critical components.

F

Facility (BCI/DRJ): Plant, machinery, equipment, property, buildings, vehicles, information systems, transportation facilities, and other items of infrastructure or plant and related systems that have a distinct and quantifiable function or service.
  BCI Editor’s Note: Also see Infrastructure.

Failover (CNSSI-4009): The capability to switch over automatically (typically without human intervention or warning) to a redundant or standby information system upon the failure or abnormal termination of the previously active system.

Failure (ITIL): Loss of ability to operate to specification, or to deliver the required output. The term failure may be used when referring to IT services, processes, activities, configuration items, etc. A failure often causes an incident.

First Responder (BCI/DRJ): A member of an emergency service who is first on the scene at a disruptive incident. This would normally be police, fire or ambulance personnel.
Function (ITIL): A team or group of people and the tools they use to carry out one or more processes or activities, for example the service desk. The term function also has two other meanings: an intended purpose of a configuration item, person, team, process, or IT service (for example, one function of an email service may be to store and forward outgoing mails, and one function of a business process may be to dispatch goods to customers); and to perform the intended purpose correctly (the computer is “functioning”).

G

Gap Analysis (FFIEC): A comparison that identifies the difference between actual and desired outcomes.

Geographic Dispersion (FCD 1): The distribution of personnel, functions, facilities, and other resources in physically different locations from one another.

Governance (ITIL): Ensuring that policies and strategy are actually implemented, and that required processes are correctly followed. Governance includes defining roles and responsibilities, measuring and reporting, and taking actions to resolve any issues identified.

Governance, Risk and Compliance (GRC) (BCI/DRJ): GRC is the umbrella term covering an organization's approach across these three areas. Being closely related concerns, governance, risk and compliance activities are increasingly being integrated and aligned to some extent in order to avoid conflicts, wasteful overlaps and gaps. While interpreted differently in various organizations, GRC typically encompasses activities such as corporate governance, enterprise risk management (ERM) and corporate compliance with applicable laws and regulations.

H

Hacker (CNSSI-4009): Unauthorized user who attempts to or gains access to an information system.

Hazard (UNISDR): A dangerous phenomenon, substance, human activity or condition that may cause loss of life, injury or other health impacts, property damage, loss of livelihoods and services, social and economic disruption, or environmental damage.
  UNISDR Editor’s Note: The hazards of concern to disaster risk reduction as stated in footnote 3 of the Hyogo Framework are “... hazards of natural origin and related environmental and technological hazards and risks.” Such hazards arise from a variety of geological, meteorological, hydrological, oceanic, biological, and technological sources, sometimes acting in combination. In technical settings, hazards are described quantitatively by the likely frequency of occurrence of different intensities for different areas, as determined from historical data or scientific analysis.

High Availability (ITIL): An approach or design that minimizes or hides the effects of configuration item failure on the users of an IT service. High availability solutions are designed to achieve an agreed level of availability and make use of techniques such as fault tolerance, resilience and fast recovery to reduce the number of incidents, and the impact of incidents.

Hot Site (BCI/DRJ): An alternate facility that already has in place the computer, telecommunications, and environmental infrastructure required to recover critical business functions or information systems.

Human Threats (BCI/DRJ): Possible disruptions in operations resulting from human actions as identified during the risk assessment (e.g., disgruntled employee, terrorism, blackmail, job actions, riots, etc.).

I

Impact (BCI/DRJ): The effect, acceptable or unacceptable, of an event on an organization. The types of business impact are usually described as financial and non-financial and are further divided into specific types of impact.

Impact Analysis (ASIS): Process of analyzing all operational functions and the effect that an operational interruption might have upon them.
  ASIS Editor’s Note: Impact analysis includes business impact analysis, the identification of critical business assets, functions, processes, and resources as well as an evaluation of the potential damage or loss that may be caused to the organization resulting from a disruption (or a change in the business or operating environment). Impact analysis identifies:
Incident (NFPA 1600): An event that has the potential to cause interruption, disruption, loss, emergency, crisis, disaster, or catastrophe.

Incident Command System (BCI/DRJ): Combination of facilities, equipment, personnel, procedures, and communications operating within a common organizational structure with responsibility for the command, control, and coordination of assigned resources to effectively direct and control the response and recovery to an incident. The flexible design of the ICS allows its span of control to expand or contract as the scope of the situation changes.

Incident Management Plan (IMP) (BCI/DRJ): A clearly defined and documented plan of action for use at the time of an incident, typically covering the key personnel, resources, services and actions needed to implement the incident management process.

Incident Management System (IMS) (NFPA 1600): The combination of facilities, equipment, personnel, procedures, and communications operating within a common organizational structure, designed to aid in the management of resources during incidents.

Incident Management Team (BCI/DRJ): A group of individuals responsible for developing and implementing a comprehensive plan for responding to a disruptive incident. The team consists of a core group of decision-makers trained in incident management and prepared to respond to any situation.

Incident Manager (BCI/DRJ): Commands the local Emergency Operations Center (EOC), reporting up to senior management on the recovery progress. Has the authority to invoke the recovery plan.

Incident Response (BCI/DRJ): The response of an organization to a disaster or other significant event that may significantly impact the organization, its people, or its ability to function productively. An incident response may include evacuation of a facility, initiating a disaster recovery plan, performing damage assessment, and any other measures necessary to bring an organization to a more stable status.

Incident Response Plan (NIST SP 800-34): The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of an incident against an organization’s IT system(s).

Information Technology (IT) (ITIL): The use of technology for the storage, communication or processing of information. The technology typically includes computers, telecommunications, applications and other software. The information may include business data, voice, images, video, etc. Information technology is often used to support business processes through IT services.

Insurance (BCI/DRJ): A contract to finance the cost of risk. Should a named risk event (loss) occur, the insurance contract will pay the holder the contractual amount.
  Types of Insurance:
  Business Interruption Insurance (BCI/DRJ): Business Interruption (BI) insurance coverage is a term used widely within the insurance industry, relating to the requirement for calculation of adequate insurance, covering financial loss due to temporary business cessation.
  Contingent Business Interruption Insurance (Adjusters International): A form of business income insurance covering an insured against loss of income and continuing expenses caused by the shutdown of a major supplier, a major customer, or a major location where the insured is a satellite and will lose business if the major shuts down, or (for sales representatives) a manufacturing supplier.
  Extra Expense Insurance (Adjusters International): Insurance covering the additional cost to maintain operations or get back in operation more quickly, following property loss; it can be written alone or in conjunction with business income insurance.

Interagency Agreement (IAA) (FCD 1): A written agreement entered into between two federal agencies, or major organizational units within an agency, which specifies the goods to be furnished or tasks to be accomplished by one agency (the servicing agency) in support of the other (the requesting agency).
Interdependencies (FFIEC): Where two or more departments, processes, functions, and/or third parties support one another in some fashion.

Internal Audit (ISO 22301): Audit conducted by, or on behalf of, the organization itself for management review and other internal purposes, and which might form the basis for an organization’s self-declaration of conformity.

IT Service Continuity Management (ITSCM) (ITIL): The process responsible for managing risks that could seriously impact IT services. ITSCM ensures that the IT service provider can always provide minimum agreed service levels, by reducing the risk to an acceptable level and planning for the recovery of IT services. ITSCM should be designed to support business continuity management.

J

Just-in-Time (JIT) (BCI/DRJ): System whereby dependencies for critical business processes are provided exactly when required, without requiring intermediate inventory.

L

Likelihood (BCI): Chance of something happening, whether defined, measured or estimated objectively or subjectively. It can use general descriptors (such as rare, unlikely, likely, almost certain), frequencies or mathematical probabilities. It can be expressed qualitatively or quantitatively.
  BCI Editor’s Note: The vagueness of this term makes its use in BCM of very limited value.

Loss (BCI/DRJ): Unrecoverable resources that are redirected or removed as a result of a business continuity event. Such losses may be loss of life, revenue, market share, competitive stature, public image, facilities, or operational capability.

M

Malicious Code (Malware) (NIST SP 800-83): A program that is covertly inserted into another program with the intent to destroy data, run destructive or intrusive programs, or otherwise compromise the confidentiality, integrity, or availability of the victim’s data, applications, or operating system.
  Types of Malware:
  Ransomware (SANS Institute): A type of malware that is a form of extortion. It works by encrypting a victim's hard drive, denying them access to key files. The victim must then pay a ransom to decrypt the files and gain access to them again.
  Spyware (CNSSI-4009): Software that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge; a type of malicious code.
  Virus (CNSSI-4009): A computer program that can copy itself and infect a computer without permission or knowledge of the user. A virus might corrupt or delete data on a computer, use e-mail programs to spread itself to other computers, or even erase everything on a hard disk.
  Worm (NIST SP 800-47): A computer program or algorithm that replicates itself over a computer network and usually performs malicious actions.

Managed Services (ITIL): A perspective on IT services which emphasizes the fact that they are managed. The term managed services is also used as a synonym for outsourced IT services.

Management System (ISO 22301): Set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives.
  ISO Editor’s Note: 1) A management system can address a single discipline or several disciplines. 2) The system elements include the organization’s structure, roles and responsibilities, planning, operation, etc. 3) The scope of a management system can include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.

Manual Procedures (BCI/DRJ): An alternative method of working following a loss of IT systems. As working practices rely more and more on computerized activities, the ability of an organization to fall back to manual alternatives lessens. However, temporary measures and methods of working can help mitigate the impact of the event for a short period.

Manual Workaround (ITIL): A workaround that requires manual intervention. Manual workaround is also used as the name of a recovery option in which the business process operates without the use of IT services. This is a temporary measure and is usually combined with another recovery option.

Maximum Tolerable Downtime (MTD) (NIST SP 800-34): The amount of time a mission/business process can be disrupted without causing significant harm to the organization’s mission.

Metric (ITIL): Something that is measured and reported to help manage a process, IT service or activity.

Mission Essential Functions (MEFs) (FCD 1): The limited set of agency-level Government functions that must be continued throughout, or resumed rapidly after, a disruption of normal activities.

Mission Statement (ITIL): A short but complete description of the overall purpose and intentions of an organization. It states what is to be achieved but not how this should be done.

Mitigation (NFPA 1600): Activities taken to reduce the impacts from hazards.

Mobilization (BCI/DRJ): The activation of the recovery organization in response to a disaster declaration.

Mutual Aid (AS/NZS 5050): Formalized and documented reciprocal arrangements between two or more organizations providing for unilateral, bilateral or multilateral assistance in specified circumstances.

Mutual Aid Agreement (ASIS): Pre-arranged agreement developed between two or more entities to render assistance to the parties of the agreement. [ISO/PAS 22399 2007]

N

Natural Hazard (UNISDR): Natural process or phenomenon that may cause loss of life, injury or other health impacts, property damage, loss of livelihoods and services, social and economic disruption, or environmental damage.
  UNISDR Editor’s Note: Natural hazards are a sub-set of all hazards. The term is used to describe actual hazard events as well as the latent hazard conditions that may give rise to future events. Natural hazard events can be characterized by their magnitude or intensity, speed of onset, duration, and area of extent.
  For example, earthquakes have short durations and usually affect a relatively small region, whereas droughts are slow to develop and fade away and often affect large regions. In some cases hazards may be coupled, as in the flood caused by a hurricane or the tsunami that is created by an earthquake.

O

Offsite Location (BCI/DRJ): A site at a safe distance from the primary site where critical data (computerized or paper) and/or equipment is stored, from where it can be recovered and used at the time of a disruptive incident if original data, material or equipment is lost or unavailable.

Off-Site Storage (BCI/DRJ): Any place physically located a significant distance away from the primary site, where duplicated and vital records (hard copy or electronic and/or equipment) may be stored for use during recovery.

Operational (ITIL): The lowest of three levels of Planning and delivery (Strategic, Tactical, Operational). Operational Activities include the day-to-day or short-term Planning or delivery of a Business Process or IT Service Management Process. The term Operational is also a synonym for Live.

Organization Head (FCD 1): The highest-ranking official of an organization, or a successor or designee who has been selected by that official in orders of succession.

Outage (DRI): Period of time after disruption that a service, system, process or business function is expected to be unusable or inaccessible.

Outsourcing (BCI/DRJ): The transfer of business functions to an independent (internal and/or external) third-party supplier.

P

Pandemic (FFIEC): An epidemic or infectious disease that can have a worldwide impact.

Plan Maintenance (BCI/DRJ): The management process of keeping an organization’s BCM competence and capability up-to-date, fit-for-purpose and effective.

Preparedness (BCI/DRJ): Activities implemented prior to an incident that may be used to support and enhance mitigation of, response to, and recovery from disruptions.

Preventative Measures (BCI/DRJ): Controls aimed at deterring or mitigating undesirable events from taking place.

Prevention (ASIS): Measures that enable an organization to avoid, preclude, or limit the impact of a disruption. [ISO/PAS 22399 2007]

Primary Operating Facility (FCD 1): The facility where an organization’s leadership and staff operate on a day-to-day basis.

Priority (ITIL): A category used to identify the relative importance of an incident, problem or change. Priority is based on impact and urgency, and is used to identify required times for actions to be taken. For example, the SLA may state that priority incidents must be resolved within 12 hours.

Program (FCD 1): A group of related initiatives managed in a coordinated way, so as to obtain a level of control and benefits that would not be possible from the individual management of the initiatives. Programs may include elements of related work outside the scope of the discrete initiatives in the program.

R

Readiness (BCI/DRJ): Activities implemented prior to an incident that may be used to support and enhance mitigation of, response to, and recovery from disruptions. It is also often called preparedness.

Reciprocal Agreement (BCI/DRJ): Agreement between two organizations (or two internal business groups) with similar equipment/environment that allows each one to recover at the other’s location.

Reconstitution (FCD 1): The process by which surviving and/or replacement organization personnel resume normal operations.

Recovery (NFPA 1600): Activities and programs designed to return conditions to a level that is acceptable to the entity.

Recovery Point Objective (RPO) (ISO 22301): Point to which information used by an activity must be restored to enable the activity to operate on resumption.
  ISO Editor’s Note: Can also be referred to as “maximum data loss”.

Recovery Procedures (CNSSI-4009): Actions necessary to restore data files of an information system and computational capability after a system failure.
Recovery Strategies (Singapore MAS): Defined, management-approved and tested course of action in response to operational disruptions.

Recovery Time Estimate (RTE) (AS/NZS 5050): Estimated period of time required to restore a particular level of functionality after taking into account any uncertainties.

Recovery Time Objective (RTO) (ASIS): Time goal for the restoration and recovery of functions or resources based on the acceptable down time and acceptable level of performance in case of a disruption of operations.

Recovery Timeline (BCI/DRJ): The sequence of recovery activities, or critical path, which must be followed to resume an acceptable level of operation following a business interruption. The timeline may range from minutes to weeks, depending upon the recovery requirements and methodology.

Redundancy (FCD 1): The state of having duplicate capabilities, such as systems, equipment, or resources.

Regulation (ISACA): Rules or laws defined and enforced by an authority to regulate conduct.

Remediation (CNSSI-4009): The act of mitigating a vulnerability or a threat.

Residual Risk (BCI/DRJ): The level of risk remaining after all cost-effective actions have been taken to lessen the impact, probability and consequences of a specific risk or group of risks, subject to an organization’s risk appetite.

Resilience (FCD 1): The ability to prepare for and adapt to changing conditions and recover rapidly from operational disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.

Resource Management (NFPA 1600): A system for identifying available resources to enable timely access needed to prevent, mitigate, prepare for, respond to, maintain continuity during, or recover from an incident.

Response (UNISDR):

Response Plan (ASIS): Documented collection of procedures and information that is developed, compiled, and maintained in readiness for use in an incident.

Response Time (ITIL): A measure of the time taken to complete an operation or transaction.

Restoration (BCI/DRJ): Process of planning for and/or implementing procedures for the repair of hardware, relocation of the primary site and its contents, and returning to normal operations at the permanent operational location.

Resumption (BCI/DRJ): The process of planning for and/or implementing the restarting of defined business processes and operations following a disaster. This process commonly addresses the most critical business functions within BIA-specified timeframes.

Return on Investment (ROI) (ITIL): A measurement of the expected benefit of an investment. In the simplest sense it is the net profit of an investment divided by the net worth of the assets invested.

Risk (ITIL): A possible event that could cause harm or loss, or affect the ability to achieve objectives. A risk is measured by the probability of a threat, the vulnerability of the asset to that threat, and the impact it would have if it occurred.
  Types of Risk:
  Business Risk (BCI/DRJ): Risk that internal and external factors, such as inability to provide a service or product, or a fall in demand for an organization’s products or services, will result in an unexpected loss.
  Disaster Risk (UNISDR): The potential disaster losses, in lives, health status, livelihoods, assets and services, which could occur to a particular community or a society over some specified future time period. Comment: The definition of disaster risk reflects the concept of disasters as the outcome of continuously present conditions of risk. Disaster risk comprises different types of potential losses which are often difficult to quantify. Nevertheless, with knowledge of the prevailing hazards and the patterns of population and socio-economic development, disaster risks can be assessed and mapped, in broad terms at least.
  Operational Risk (BCI/DRJ): The risk of loss resulting from inadequate or failed procedures and controls. This includes loss from events related to technology and infrastructure failure, business interruptions, staff-related problems, and from external events such as regulatory changes.

Risk Acceptance (BCI/DRJ): A management decision to take no action to mitigate the impact of a particular risk.

Risk Analysis (BCI/DRJ): The quantification of threats to an organization and the probability of them being realized.

Risk Appetite (BCI/DRJ): Total amount of risk that an organization is prepared to accept, tolerate, or be exposed to at any point in time.

Risk Assessment / Analysis (BCI/DRJ): Process of identifying the risks to an organization, assessing the critical functions necessary for an organization to continue business operations, defining the controls in place to reduce organization exposure and evaluating the cost for such controls. Risk analysis often involves an evaluation of the probabilities of a particular event.

Risk Avoidance (BCI/DRJ): An informed decision to not become involved in or to withdraw from a risk situation.

Risk Categories (BCI/DRJ): Risks of similar types are grouped together under key headings, otherwise known as ‘risk categories’. These categories include reputation, strategy, financial, investments, operational infrastructure, business, regulatory compliance, outsourcing, people, technology and knowledge.

Risk Criteria (ISO 31000): Terms of reference against which the significance of a risk is evaluated.

Risk Evaluation (AS/NZS 5050): Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.
Risk Management (UAE NCEMA): Structured development and application of management culture, policy, procedures and practices to the tasks of identifying, analyzing, evaluating, controlling and responding to risk.

Risk Mitigation (CNSSI-4009): Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.

Risk Reduction (BCI/DRJ): A selective application of appropriate techniques and management principles to reduce either probability of an occurrence or its impact, or both.

Risk Tolerance (ASIS): Organization’s readiness to bear the risk after risk treatments in order to achieve its objectives. [ISO/IEC Guide 73]
  ASIS Editor’s Note: Risk tolerance can be limited by legal or regulatory requirements.

Risk Transfer (BCI/DRJ): A common technique used by risk managers to address or mitigate potential exposures of the organization. A series of techniques describing the various means of addressing risk through insurance and similar products.

Root Cause (ITIL): The underlying or original cause of an incident or problem.

Root Cause Analysis (RCA) (ITIL): An activity that identifies the root cause of an incident or problem. RCA typically concentrates on IT infrastructure failures.

S

Salvage (BCI/DRJ): The recovery of personal effects, documentation, office, and computer equipment.

Scenario (BCI/DRJ): A pre-defined set of business continuity events and conditions that describe, for planning purposes, an interruption, disruption, or loss related to some aspect(s) of an organization’s business operations to support conducting a BIA, developing a continuity strategy, and developing continuity and exercise plans.
  DRJ Editor’s Note: Scenarios are neither predictions nor forecasts.

Scope (ITIL): The boundary, or extent, to which a process, procedure, certification, contract etc. applies.

Security (CNSSI-4009): A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise’s risk management approach.

Security Controls (NIST SP 800-34): The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. [FIPS 199]

Service Level Agreement (SLA) (BCI/DRJ): A formal agreement between a service provider (whether internal or external) and their client (whether internal or external), which covers the nature, quality, availability, scope and response of the service provider. The SLA should cover day-to-day situations and disaster situations, as the need for the service may vary in a disaster.

Service Provider (ITIL): An organization supplying services to one or more internal customers or external customers.

Single Point of Failure (SPOF) (ITIL): Any Configuration Item that can cause an Incident when it fails, and for which a Countermeasure has not been implemented. A SPOF may be a person, or a step in a Process or Activity, as well as a Component of the IT Infrastructure. See Failure.

Situational Awareness (CNSSI-4009): Within a volume of time and space, the perception of an enterprise’s security posture and its threat environment; the comprehension/meaning of both taken together (risk); and the projection of their status into the near future.

Stakeholder (BCI/DRJ): Individual or group having an interest in the performance or success of an organization, e.g., customers, partners, employees, shareholders, owners, the local community, first responders, government, and regulators.

Standard (NFPA 1600/ITIL):
Strategic (ITIL, Service Strategy): The highest of three levels of planning and delivery (strategic, tactical, operational). Strategic activities include objective setting and long-term planning to achieve the overall vision.

Succession (FCD 1): A formal, sequential assumption of a position's authorities and responsibilities, to the extent not otherwise limited by law, by the holder of another specified position as identified in statute, executive order, or other presidential directive, or by relevant D/A policy, order, or regulation if there is no applicable executive order, other presidential directive, or statute, in the event of a vacancy in office or when a position holder dies, resigns, or is otherwise unable to perform the functions and duties of that position.

Supplier (ITIL): A third party responsible for supplying goods or services.

Supply Chain (BCI/DRJ): The linked processes that begin with the acquisition of raw material and extend through the delivery of products or services to the end user across the modes of transport. The supply chain may include suppliers, vendors, manufacturing facilities, logistics providers, internal distribution centers, distributors, wholesalers, and other entities that lead to the end user.

T

Tactical (ITIL): The middle of three levels of planning and delivery (strategic, tactical, operational). Tactical activities include the medium-term plans required to achieve specific objectives, typically over a period of weeks to months.

Technological Hazard (UNISDR): A hazard originating from technological or industrial conditions, including accidents, dangerous procedures, infrastructure failures or specific human activities, that may cause loss of life, injury, illness or other health impacts, property damage, loss of livelihoods and services, social and economic disruption, or environmental damage. UNISDR Editor's Note: Examples of technological hazards include industrial pollution, nuclear radiation, toxic wastes, dam failures, transport accidents, factory explosions, fires, and chemical spills. Technological hazards may also arise directly as a result of the impacts of a natural hazard event.

Telework Site (FCD 1): An approved worksite where an employee performs his or her duties other than the location from which the employee would otherwise work.

Test (BCI/DRJ): A pass/fail evaluation of IT infrastructure (e.g., computers, cabling, devices, hardware) and/or physical plant infrastructure (e.g., building systems, generators, utilities) to demonstrate the anticipated operation of the components and system. Tests are often performed as part of normal operations and maintenance, and are often included within exercises.

Test Plan (FFIEC): A document that is based on the institution's test scope and objectives and includes various testing methods.

Testing (ASIS): Activities performed to evaluate the effectiveness or capabilities of a plan relative to specified objectives or measurement criteria. Testing usually involves exercises designed to keep teams and employees effective in their duties, and to reveal weaknesses in the preparedness and response/continuity/recovery plans. [ASIS International Business Continuity Guideline 2005]

Threat (ASIS): Potential cause of an unwanted incident, which may result in harm to individuals, assets, a system or organization, the environment, or the community.

Threat Assessment (CNSSI-4009): Process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat.

Threat Monitoring (CNSSI-4009): Analysis, assessment, and review of audit trails and other information collected for the purpose of searching out system events that may constitute violations of system security.

Training (BCI/DRJ): Training is more formal than awareness. It aims to build knowledge and skills to enhance competency in job performance. Whereas awareness is generally targeted at all staff, training is directed at staff with specific duties and responsibilities. For example, staff involved in the recovery should be equipped and adequately prepared with the necessary knowledge and skill to undertake recovery activities. Training forms part of the awareness, training and education learning continuum.

Trigger (BCI/DRJ): An event that causes a system to initiate a response.

U

Unified Command (NIMS): An Incident Command System (ICS) application used when more than one agency has incident jurisdiction or when incidents cross political jurisdictions.

V

Vital Records (BCI/DRJ): Records essential to the continued functioning or reconstitution of an organization during and after an emergency, and also those records essential to protecting the legal and financial rights of that organization and of the individuals directly affected by its activities.
Similar Terms:
Essential Records (FCD 1): Information systems and applications, electronic and hardcopy documents, references, and records needed to support essential functions during a continuity event. The two basic categories of essential records are emergency operating records and rights and interest records. Emergency operating records are essential to the continued functioning or reconstitution of an organization. Rights and interest records are critical to carrying out an organization's essential legal and financial functions and vital to the protection of the legal and financial rights of individuals who are directly affected by that organization's activities. The term "vital records" refers to a specific sub-set of essential records relating to birth, death, and marriage documents.
Legal and Financial Rights Records (FCD 1): Vital records essential to protect the legal and financial rights of the government and the individuals directly affected by its activities. Examples include accounts receivable records, social security records, payroll records, retirement records, and insurance records. These records were formerly defined as "rights-and-interests" records.

Vulnerability (BCI/DRJ): The degree to which a person, asset, process, information, infrastructure or other resource is exposed to the actions or effects of a risk, event or other occurrence.

Vulnerability Assessment (CNSSI-4009): Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.

W

Walk-Through (ISACA): A thorough demonstration or explanation that details each step of a process.

Wallet Card (FFIEC): Portable information cards that provide emergency communications information for customers and employees.

Warm Site (BCI/DRJ): An alternate processing site that is equipped with some hardware, communications interfaces, and electrical and environmental conditioning, and that is capable of providing backup only after additional provisioning, software installation or customization is performed.
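The Threat Monitoring entry above (CNSSI-4009) defines the activity as reviewing audit trails for events that may constitute security violations, but does not show what such a review looks like in practice. The script below is an added example written for this page; it is not part of the DRI glossary or of any cited reference. It parses a constructed, OpenSSH-style authentication log (sample data, not a real capture) and applies two assumed rules: a burst of five or more failed logins from one source within 60 seconds, and a subsequent successful login from a source that has already produced such a burst. The thresholds are illustrative policy choices, not values any of the cited standards prescribe.

```python
"""Minimal threat-monitoring pass over an authentication audit trail.

Added example, not part of the DRI glossary or any cited reference.
The log lines are constructed in OpenSSH/syslog style; the threshold
(5 failures within 60 seconds) and the "success after a failure burst"
rule are assumed policy, not values any cited standard prescribes.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail (not real data); all lines assumed same year.
AUDIT_TRAIL = """\
Mar 10 09:00:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar 10 09:00:04 host1 sshd[2002]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 10 09:00:09 host1 sshd[2003]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar 10 09:00:15 host1 sshd[2004]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar 10 09:00:21 host1 sshd[2005]: Failed password for root from 203.0.113.7 port 51008 ssh2
Mar 10 09:00:30 host1 sshd[2006]: Accepted password for root from 203.0.113.7 port 51010 ssh2
Mar 10 09:12:40 host1 sshd[2101]: Failed password for alice from 198.51.100.5 port 40222 ssh2
Mar 10 09:12:55 host1 sshd[2102]: Accepted publickey for alice from 198.51.100.5 port 40224 ssh2
Mar 10 09:13:02 host1 sshd[2103]: Accepted publickey for bob from 192.0.2.44 port 33001 ssh2
"""

# Matches the two sshd outcomes this example cares about; other lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

FAIL_THRESHOLD = 5    # assumed policy: failures per source that count as a burst
WINDOW_SECONDS = 60   # assumed policy: sliding window for the burst rule


def parse_events(text, year=2024):
    """Turn raw log text into a list of event dicts; syslog omits the year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production monitor would count unparseable lines rather than drop them
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "method": m["method"], "user": m["user"], "src": m["src"]})
    return events


def detect(events, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Apply both rules per source address, in time order, and return the findings."""
    findings = []
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    for src, evs in by_src.items():
        recent_failures = []   # timestamps of failures inside the sliding window
        burst_seen = False
        for e in evs:
            if e["result"] == "Failed":
                recent_failures.append(e["ts"])
                recent_failures = [t for t in recent_failures
                                   if (e["ts"] - t).total_seconds() <= window]
                if len(recent_failures) >= threshold and not burst_seen:
                    burst_seen = True  # report each source's burst once
                    findings.append({"rule": "auth_failure_burst", "src": src,
                                     "count": len(recent_failures), "at": e["ts"]})
            elif burst_seen:
                # A success following a burst is the event most worth a human's attention.
                findings.append({"rule": "success_after_failure_burst", "src": src,
                                 "user": e["user"], "method": e["method"], "at": e["ts"]})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(AUDIT_TRAIL)):
        print(finding)
```

Run on the sample trail, the monitor reports one failure burst from 203.0.113.7 and then the successful root login from the same address nine seconds later; the lone failure from 198.51.100.5 followed by a key-based success is left alone, which is the kind of distinction a threshold-plus-sequence rule buys over counting failures in isolation. The regex covers only the common OpenSSH phrasing for password and public-key outcomes; other distributions and sshd versions vary the wording, so the pattern is part of what a real deployment has to validate against its own logs.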
Cited References

Adjusters International (2020): Adjusters International Insurance Glossary Terms. Adjusters International (AI) has helped policyholders of all types recover from many of the worst natural and man-made disasters. In 1996, Adjusters International recognized the need to provide expertise, advocacy, and service to eligible government entities and non-profit organizations that had suffered a disaster and were seeking recovery under FEMA's public assistance grants program, guiding them through the complicated application process. In 2016 Adjusters International merged with Tidal Basin, the leading experts in preparedness and disaster recovery.

AS/NZS 5050 (2010): Australia AS/NZS 5050. AS/NZS 5050:2010 explains how to apply AS/NZS ISO 31000:2009 (Risk management: Principles and guidelines) to disruption-related risks. It includes detailed guidance particular to the features of these risks and to the risk management framework through which they are managed.

ASIS (2009): ASIS International. Founded in 1955, ASIS International is a global community of security practitioners, each of whom has a role in the protection of assets: people, property, and/or information. The glossary terms used are contained in Security and Resilience in Organizations and Their Supply Chains (ORM.1) [ASIS SPC.1-2009, Item No. 1842].

BCI/DRJ (2018): Business Continuity Institute / Disaster Recovery Journal. These two international trade publications combined their glossaries into a single glossary. While some terms in their glossary may have different definitions, all references in the DRI Glossary for Resilience indicate a joint BCI/DRJ definition.

CNSSI-4009 (2015): Committee on National Security Systems (CNSS) Glossary. This instruction applies to all U.S. Government Departments, Agencies, Bureaus and Offices, and their supporting contractors and agents, that collect, generate, process, store, display, transmit or receive classified or controlled unclassified information, or that operate, use, or connect to National Security Systems (NSS), as defined therein.

DRI (2018): Disaster Recovery Institute International. Disaster Recovery Institute (DRI) International first published its Glossary for Resiliency in 2014. In its second major release, DRI International retained several terms from the first version that were no longer supported by reference documents. The Committee determined these terms to be important and relevant to the resilience community, and now maintains them as DRI International terms.

FCD-1 (2017): U.S. Department of Homeland Security, Federal Emergency Management Agency, Federal Continuity Directive 1. Federal Continuity Directive 1 (FCD-1) implements Federal requirements for establishing the framework, requirements, and processes that support the development of Federal departments' and agencies' continuity programs, and specifies and defines the elements of a continuity plan.

FFIEC (2015): Federal Financial Institutions Examination Council. The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB), and to make recommendations to promote uniformity in the supervision of financial institutions.

HIPAA (2001): Health Insurance Portability and Accountability Act of 1996. HIPAA is the acronym for the Health Insurance Portability and Accountability Act passed by Congress in 1996. HIPAA does the following: provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs; reduces health care fraud and abuse; mandates industry-wide standards for health care information on electronic billing and other processes; and requires the protection and confidential handling of protected health information.

ISACA (2018): ISACA Glossary. ISACA provides practical guidance, benchmarks and other effective tools for all enterprises that use information systems. Through its comprehensive guidance and services, ISACA defines the roles of information systems governance, security, audit and assurance professionals worldwide. The COBIT framework and the CISA, CISM, CGEIT and CRISC certifications are ISACA brands respected and used by these professionals for the benefit of their enterprises.

ISO 22301 (2012): International Standard ISO 22301, Societal security: Business continuity management systems. Requirements. ISO 22301 is an International Standard for business continuity management that specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence of, prepare for, respond to, and recover from disruptive incidents when they arise.

ISO 31000 (2009): International Standard ISO 31000, Risk management: Principles and guidelines. This International Standard provides principles and generic guidelines on risk management. It can be used by any public, private or community enterprise, association, group or individual, and is therefore not specific to any industry or sector.

ITIL (2011): ITIL Practices. ITIL (formerly an acronym for Information Technology Infrastructure Library) is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business.

NFPA 1600 (2013): National Fire Protection Association Publication 1600, Standard on Disaster/Emergency Management and Business Continuity Programs. The NFPA Standards Council established the Disaster Management Committee in January 1991. The committee was given the responsibility for developing documents relating to preparedness for, response to, and recovery from disasters resulting from natural, human, or technological events. The first document that the committee focused on was NFPA 1600, Recommended Practice for Disaster Management.

NIMS (2008): National Incident Management System. NIMS uses the Federal Emergency Management Agency (FEMA) Incident Command System (ICS) Training Glossary.

NIST SP 800-34 (2010): National Institute of Standards and Technology (NIST) Special Publication (SP) 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems. NIST SP 800-34 Rev 1 assists organizations in understanding the purpose, process, and format of information system contingency planning development through practical, real-world guidelines. This guidance document provides background information on the interrelationships between information system contingency planning and other types of security and emergency management-related contingency plans, organizational resiliency, and the system development life cycle. It provides guidance to help personnel evaluate information systems and operations to determine contingency planning requirements and priorities.

SANS (2020): SANS Institute. The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and by far the largest source for information security training and security certification in the world. It also develops, maintains, and makes available at no cost the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system, the Internet Storm Center.

Singapore MAS (2004): Monetary Authority of Singapore. As Singapore's central bank, the Monetary Authority of Singapore (MAS) promotes sustained, non-inflationary economic growth through appropriate monetary policy formulation and close macroeconomic surveillance of emerging trends and potential vulnerabilities. It manages Singapore's exchange rate, foreign reserves and liquidity in the banking sector. MAS is also an integrated supervisor overseeing all financial institutions in Singapore: banks, insurers, capital market intermediaries, financial advisors, and the stock exchange.

UAE NCEMA (2011): United Arab Emirates National Emergency Crisis and Disasters Management Authority. The mission of NCEMA is to enhance the UAE's capabilities in managing emergencies, crises and disasters by setting the requirements of business continuity, enabling quick recovery through joint planning, and coordinating communication at both the national and local level.
UNDRR Glossary (2016): United Nations Office for Disaster Risk Reduction (UNISDR) Terminology. By its resolution 69/284 of 3 June 2015, the General Assembly established an open-ended intergovernmental expert working group comprising experts nominated by States and supported by the United Nations Office for Disaster Risk Reduction, with the involvement of relevant stakeholders, for the development of a set of possible indicators to measure global progress in the implementation of the Sendai Framework for Disaster Risk Reduction 2015-2030, coherent with the work of the Inter-Agency and Expert Group on Sustainable Development Goal Indicators.

Glossary Changes

The following are changes to terms and references made from the 2014 version of the DRI Glossary for Resiliency.

1. Overall Changes to DRI Glossary

2. Terms Added
aa. Strategic is added using the ITIL definition to correspond to Tactical
bb. Succession added with new definition from FCD-1
cc. Telework Site added with new definition from FCD-1
dd. Unified Command added with definition from NIMS
ee. Virus, with definition from CNSSI-4009, was added as a type of Malicious Code
ff. Worm, with definition from NIST SP 800-47, was added as a type of Malicious Code

3. Terms Changed

4. Terms Moved

5. Terms Removed

6. Other Changes