VIII Maintenance and Improvement
Because risks and technology often change, management should regularly review and update the business continuity program to reflect the current environment. Periodic reviews allow management to align the business continuity processes with business objectives. Management should use this information to prioritize and focus on system and process corrections and enhancements. Triggers that prompt maintenance and improvement of the business continuity program may include the following:
- Changes in enterprise strategies.
- New or reconfigured products, services, or infrastructure.
- Changes in products and services offered by third-party service providers.
- Deficiencies identified in third-party service provider business continuity processes.
- New legislation, regulatory requirements, or resilience practices.
- Results of operational metric analysis (e.g., key risk indicators, key performance indicators).
- Early warning indicators that may identify potential continuity events, crises, or incidents (e.g., frequency and severity of storms, increased cyber attacks, or increases in customer service calls).
- Variances between budgeted and actual business continuity expenses.
- Results from exercises and tests, and lessons learned.
- Changes in the threat landscape (e.g., new capabilities, intent of threat actors).
- Recommendations (e.g., from audits, vulnerability assessments, and penetration tests).
To determine the extent of changes to the business continuity program, BCM program personnel should contact business unit managers regularly to assess the nature of any changes to the business, structure, systems, software, hardware, personnel, or facilities. Management at smaller, less complex entities may perform this function informally; however, the maintenance and improvement concepts remain valid for those entities.
The business continuity program should be reviewed for accuracy and completeness at periodic intervals. (The concept of business continuity program review elements aligns with NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems. While that document pertains to federal information systems, the principles are relevant for non-federal information systems.) Likely areas that should be adjusted within the BCP may include:
- Operational requirements.
- Security requirements.
- Technical procedures.
- Hardware, software, and other equipment.
- Team member contact information.
- Vendor contact information.
- Alternate and off-site facility requirements.
- Vital records.
When updating the business continuity program, management should document, track, and resolve any changes. Management should document, analyze, and review lessons learned from adverse events. Understanding these lessons allows management to prepare for future adverse events. Documented procedures for incorporating lessons learned should include:
- Identifying the failure(s).
- Determining the cause(s).
- Evaluating potential solutions.
- Implementing timely corrective actions as appropriate.
- Recording and reviewing corrective actions taken.
As part of the maintenance and improvement process, management should maintain version control of key business continuity documents and ensure that the latest versions are readily available to appropriate personnel. The level of detail in documentation should be commensurate with the nature of the entity’s operations. This information should be accessible during an event and can be maintained by BCM program management and personnel. The BCM documentation should include evidence substantiating periodic updates of the BIA, risk assessment, and BCP(s).
Business continuity document management processes may include the following:
- Roles and responsibilities.
- Document control.
- Version control.
- Storage and disposal.
Management should follow the entity’s information security standards for confidential or sensitive information contained within business continuity documentation. Additionally, management should maintain backup copies of relevant business continuity documentation in the event that the primary repository becomes inaccessible.