Glossary

  • Access Management The process responsible for allowing users to make use of IT services, data or other assets. Access Management helps to protect confidentiality, integrity and availability of assets by ensuring that only authorized users are able to access or modify the assets. It is sometimes referred to as Rights Management or Identify Management.
  • Acquire-as-needed Recovery option in which critical IT and non-IT resources are acquired from a supplier based on the need following a disruption (see also pre-established, pre-arranged (quick-ship)).
  • Alternate office work area An alternate facility containing office equipment and resources (such as desks, telephones, personal computers, fax and copier machines, etc.) needed for staff to perform their office work during the recovery period following a business disruption (see also crisis management center, and work area).
  • Alternate IT recovery facility An alternate facility where IT systems and infrastructure are recovered in the event of a disruption to the primary facility.
  • Alternate manufacturing and production facility An alternate facility where manufacturing and production equipment are recovered in the event of a disruption to the primary facility.
  • Alternate recovery facility Refers to an alternate IT recovery facility, an alternate manufacturing and production facility, or a work area.
  • Announced test Business continuity plan test that is announced to teams prior to execution. Availability Management The process responsible for defining, analyzing, planning, measuring and improving all aspects of the availability of IT services.
  • Availability Management is responsible for ensuring that all IT infrastructure, processes, tools, roles, etc. are appropriate for the agreed service level targets for availability.
  • BRCCI Business Resilience Certification Consortium International
  • BS 7799 Information Security Management Standard published by British Standard Institute. The standard contains two parts:
    • BS 7799-1: 1999 Code of Practice for Information Security Management, and
    • BS 7799-2: 2002 Specification for Information Security Management Systems.
  • Business continuity planning process (BCP process) Defines a life cycle for developing and maintaining a business continuity plan. The BCP process life cycle consists of six phases: risk management, business impact analysis, business continuity strategy development, business continuity plan development, business continuity plan testing, and business continuity plan maintenance.
  • Business continuity planning management (BCP management) Focuses on management and organizational activities related to business continuity planning, such as developing and implementing a business continuity policy, establishing a BCP steering committee, initiating a plan development project, ensuring compliance with laws and regulations, etc.
  • Business continuity planning (BCP)Business continuity planning is a discipline that prepares an organization to maintain continuity of business during a disaster through an implementation of a business continuity plan (see also BCP management, and BCP process).
  • Business continuity plan (BC plan) A document containing procedures and guidelines to help recover and restore disrupted processes and resources to normal operational status within an acceptable time frame following a disaster or a disruptive event.
  • Business continuity teams Teams responsible for development, maintenance, testing, and execution of the business continuity plan.
  • Business continuity test teams (BC test teams) Teams responsible for testing the business continuity plan.
  • Business impact analysis (BIA) A BIA is a process that determines the financial and operational impact of a disruption to a business, and the requirements for recovering from the disruption.
  • Business continuity plan execution phases Business continuity plan is executed in phases which consist of initial response and notification, problem assessment, disaster declaration, plan implementation logistics, recovery and resumption, and normalization phases.
  • Business continuity strategy Business continuity strategy is composed of a set of recovery options that are utilized as alternatives in the event that existing critical resources are unavailable.
  • Business disruption (see disaster)
  • Business function An area of business responsible for one or more related business processes needed to support company’s mission.
  • Business process Business process defines one or more related tasks or activities of a business function.
  • Cache A random access electronic storage (memory) in selected storage controls used to retain frequently used data for faster access.
  • CBRA Certified Business Resilience Auditor
  • CBRITP Certifies Business Resilience It Professional
  • CBRM Certified Business Resilience Manager
  • Checklist test A basic business continuity plan test method that reviews the BC plan to determine the currency and adequacy of the resources and components specified in the plan.
  • Cold site An alternate recovery facility that does not have any recovery resources and infrastructure such as hardware, software, or data and voice communications equipment. A cold site may include basic services such as power, heating, air-conditioning, water, sprinkler systems, and raised floors for computing equipment (see also warm site, and hot site).
  • Commercially available dedicated site An alternate recovery facility, which is dedicated to a single organization, offered as a service by a vendor.
  • Commercially available shared site An alternate recovery facility, which is shared by multiple organizations, offered as a service by a vendor.
  • Company owned remote site An alternate recovery facility at a fixed company owned location to be used for IT recovery in the event of a disaster.
  • Consortium Agreement An agreement made by a group of organizations to share processing facilities and/or office facilities, if one member of the group suffers a disaster.
  • Contingency planning Process of developing advanced arrangements and procedures that enable an organization to respond to an undesired event that negatively impacts the organization.
  • COBIT (Control Objectives for Information and related Technology) It provides guidance and Best Practice for the management of IT Processes.
  • Corporate Governance The system/process by which the directors and officers of an organization are required to carry out and discharge their legal, moral and regulatory accountabilities and responsibilities.
  • Crisis A critical event, which, if not handled in an appropriate manner, may dramatically impact an organization’s profitability, reputation or ability to operate.
  • Crisis Simulation The process of testing an organization’s ability to respond to a crisis in a coordinated timely.
  • Critical business process A business process that is critical for maintaining business continuity.
  • Critical IT resources IT systems and applications that support critical business processes.
  • Critical non-IT resources Non-IT resources used to support critical business processes.
  • Crisis A critical event, which, if not handled in an appropriate manner, may dramatically impact an organization’s profitability, reputation or ability to operate.
  • Crisis communication plan A crisis communication plan guides the crisis management team in providing timely, consistent, and accurate crisis information to the personnel within the organization, business partners, customers, and the public.
  • Crisis Simulation The process of testing an organization’s ability to respond to a crisis in a coordinated timely.
  • Crisis management center (CMC) A facility where the crisis management team can conduct recovery efforts (see also work area, and office work area).
  • Critical data Critical data can include critical IT applications and components needed to support those applications, such as operating systems, databases, and data (see also critical record, and vital record).
  • Critical record Critical records are used by critical processes for legal, regulatory, and operational purposes. Critical records include information contained in documents, drawings, and photographs, etc. (see also critical data, and vital record).
  • Disaster An event that disrupts critical business processes and degrades their service levels to a point where the resulting financial and operational impact to an organization becomes unacceptable.
  • Disaster declaration statement A statement that officially declares a disaster event according to the disaster declaration definitions and procedures specified in the business continuity plan.
  • Disruption (see disaster)
  • Disruptive event (see disaster)
  • Document Registry A list of all key documents within Business Continuity Planning including information such as location, authorship, date of last update, etc.
  • Emergency response plan An emergency response plan contains guidelines and procedures to follow immediately after a disaster in order to prevent loss of life and injuries and minimize damages to the organization’s assets.
  • Emergency Response Team (ERT) Responsible for conducting emergency operations immediately after disruption in order to protect life, property, and the environment. They also facilitate personnel evacuations, internal rescue operations, medical assistance and incident containment.
  • Encryption A data security technique used to protect information from unauthorized inspection or alteration. Information is encoded so that data appears as a meaningless string of letters and symbols during delivery or transmission. Upon receipt, the information is decoded using an encryption key.
  • Escalation The process by which event related information is communicated upwards through an organization's established Chain of Command.
  • Extended outage A lengthy unplanned interruption in system availability due to computer hardware or software problems.
  • Failover The automatic switching of users from a failed primary system to an operational backup system, without manual intervention. Depending on the nature of the problem and the failover processes involved, users may or may not be aware that a failure occurred.
  • Fault tolerance The ability of an IT service or configuration to operate correctly after failure of a component part.
  • FEMA (Federal Emergency Management Agency) The agency's primary purpose is to coordinate the response to a disaster that has occurred in the United States and that overwhelms the resources of local and state authorities. It also provides funds for training of response personnel throughout the United States and its territories as part of the agency's preparedness effort.
  • Financial impact Financial impact measure the extent and severity of financial loss to the business in the event of a disruption.
  • Full-interruption test A full-interruption test activates all components of the business continuity plan and assumes all critical business processes are disrupted. In addition, it can interrupt normal business operations.
  • Gap Analysis A detailed examination to identify risks associated with the differences between Business/Operations requirements and the current available recovery capabilities.
  • GLBA (The Gramm-Leach-Bliley Act) Known as the Financial Services Modernization Act of 1999, includes directives for financial institutions to ensure security and confidentiality of customers’ financial and personal information, and to protect such confidential information against potential threats and hazards.
  • Hot site An alternate facility that contains pre-configured hardware, software, data and voice communications infrastructure needed for recovering critical business processes (see also cold site, and warm site).
  • Human Continuity The ability of an organization to provide support for its associates and their families before, during, and after a business continuity event to ensure a viable workforce. This involves pre planning for potential psychological responses, occupational health and employee assistance programs, and employee communications.
  • Human Threats Possible disruptions in operations resulting from human actions. (i.e., disgruntled employee, terrorism, blackmail, job actions, riots, etc.)
  • Incident An event that is not part of the standard business operations which may impact or interrupt services and in some cases, may lead to disaster.
  • Industry Testing A test designed to validate that business processes, integrated across firms and within the financial industry, which supports the business continuity objectives of the firms, both individually and collectively.
  • Infrastructure The underlying foundation, basic framework, or interconnecting structural elements that support an organization.
  • ISO (International Organization for Standardization) ISO, a network of national standards institutes of 148 countries, is the world’s largest developer of technical standards. It has issued standards such as ISO 9000, ISO 14000, and ISO/IEC 17799.
  • ISO/IEC 17799 Code of practice for information security management. It contains comprehensive guidelines and directions for initiating, implementing, and maintaining information security within an organization (see also BS 7799).
  • Journaling The process of logging changes or updates to a database since the last full backup. Journals can be used to recover previous versions of a file before updates were made, or to facilitate disaster recovery, if performed remotely, by applying changes to the last safe backup.
  • Key Tasks Priority procedures and actions in a Business Continuity Plan that must be executed within the first few minutes/hours of the plan invocation.
  • Lead Time The time it takes for a supplier to make equipment, services, or supplies available after receiving an order. Business continuity plans should try to minimize lead time by creating service level agreements (SLA) with suppliers or alternate suppliers in advance of a Business Continuity event rather than relying on the suppliers' best efforts.
  • Line rerouting A service offered by many regional telephone companies allowing the computer center to quickly reroute the network of dedicated lines to a backup site.
  • Loss Adjuster Designated position activated at the time of a Business Continuity event to assist in managing the financial implications of the event and should be involved as part of the management team where possible.
  • Loss Reduction The technique of instituting mechanisms to lessen the exposure to a particular risk. Loss reduction involves planning for, and reacting to, an event to limit its impact. Examples of loss reduction include sprinkler systems, insurance policies, and evacuation procedures.
  • Lost data The data which is lost between the time of the last backup of data and the business disruption event (see also work backlog).
  • Maximum tolerable downtime (MTD) Length of time a process can be unavailable before the company experiences significant losses. MTD corresponds to time period between the disruptive event and start of normal processing.
  • Mission-Critical Application Applications that support business activities or processes that could not be interrupted or unavailable for 24 hours or less without significantly jeopardizing the organization.
  • Mobile site It is an alternate recovery facility in a mobilized vehicle that is delivered to a desired location. It is typically pre-configured with desks, chairs, hardware, software, data and voice communications equipment.
  • NFPA (National Fire Protection Association) A non-profit organization with a focus on reducing the worldwide burden of fire and other hazards on the quality of life. It is responsible for developing the NFPA 1600 standard for disaster/emergency management and business continuity programs.
  • NFPA 1600 A standard for disaster/emergency management and business continuity programs issued by NFPA and endorsed by FEMA.
  • Network Outage An interruption of voice, data, or IP network communications.
  • NT (Notification team) Responsible for notifying business continuity teams and personnel needed to execute the plan
  • Off-site data storage facility An alternate facility where copies of the critical data are stored. In the event of a disruption, the stored critical data is retrieved from the alternate facility and used during recovery (see also off-site storage facility, and off-site record storage facility).
  • Off-site record storage facility An alternate facility where copies of the critical and vital records are stored. In the event of a disruption, the stored records are retrieved from the alternate facility and used to recover from the disruption (see also off-site storage facility and off-site data storage facility)
  • Off-site storage facility A facility where the copies of the critical data, critical records, and vital records can be stored (see also off-site data storage facility, and off-site record storage facility).
  • On-line Catalog Application This is a web-based catalog application that customers can use to obtain product information through the internet.
  • Operational impact Operational impact is a negative effect of a disruption on various qualitative aspects of business operations, such as efficiency, satisfaction, image, confidence, and control.
  • Original facility A facility which a business uses to conduct its normal business operations. In order to differentiate it from an alternate recovery facility, this facility is described in various terms such as original facility or site, primary facility or site, and damaged facility or site.
  • Parallel test In this test, systems are recovered at the alternate recovery facility using the last backup of data while the production environment continues to function as normal. Any transactions at the production environment are recorded manually and re-entered into recovered systems at the alternate recovery facility. At the end of the test the state of both environments at the alternate recovery facility and original facility are compared.
  • Peer Review A review of a specific component of a plan by personnel (other than the owner or author) with appropriate technical or business knowledge for accuracy and completeness.
  • Recovery areas Areas of business with critical resources that need to be recovered in the event of a business disruption. Typical recovery areas include IT systems and infrastructure, manufacturing and production, work areas, and critical data and critical/vital records.
  • Recovery option An alternative option for recovering disrupted critical resources. For example, a cold site, warm site, and hot site are three options for recovering IT systems and infrastructure.
  • Recovery point objective (RPO) Refers to the tolerance for the loss of data measured in terms of the time between the last backup of data and the disaster event. RPO is an indicator of how much lost data can be recovered once systems are recovered and updated with the last backup of data.
  • Recovery priority Sequence for recovering critical business processes.
  • Recovery time objective (RTO) Length of time available for recovering disrupted systems and resources.
  • Recovery time requirements Time frames that collectively represent the requirements to recover from a disruption, such as Maximum Tolerable Downtime (MTD), Recovery Time Objective (RTO), Recovery Point Objective (RPO), and Work Recovery Time (WRT).
  • Remote Capture Process that is used to scan and transmit check images and data electronically.
  • Remote mirroring One of the backup methods wherein the data is mirrored at a alternate recovery facility to provide continuous availability using technology such as transaction routers, and proprietary fault tolerant redundant systems.
  • Resource Dependencies Are characterized as a list of IT and non-IT resources required by a critical process to perform its normal operation.
  • Risk A chance or likelihood of a threat source causing an event with adverse business impacts.
  • Risk acceptance Risk control option which accepts the risk of a threat as tolerable and does not require additional steps to reduce or eliminate the risk.
  • Risk assessment Risk assessment is a process that begins with the identification of potential threats to an organization and ends with a set of risk values for those threats.
  • Risk avoidance Risk control option which avoids the risk altogether.
  • Risk control option Options for controlling the risks of threats. Risk control options can be divided into four areas: risk acceptance, risk avoidance, risk reduction, and risk transfer.
  • Risk mitigation Risk control option which reduces the risk to an acceptable level.
  • Risk transfer Risk control option which transfers the risk to another entity or organization (e.g. an insurance company).
  • Roll Call The process of identifying that all employees, visitors and contractors have been safely evacuated and accounted for following an evacuation of a building or site.
  • Self Insurance The pre-planned assumption of risk in which a decision is made to bear loses that could result from a Business Continuity event rather than purchasing insurance to cover those potential losses.
  • Simulation test In this test, business disruption is simulated and business continuity test teams execute tasks and procedures specified in one or more parts of the business continuity plan. Some tasks and procedures may be simulated to minimize the cost and interruptions to normal business operations.
  • Stand Down Formal notification that the response to a Business Continuity event is no longer required or has been concluded.
  • SAN (Storage Area Network) Another backup method where high speed high performance network enables computers with different operating systems to communicate with one storage device.
  • Storage Virtualization A backup method where it combines multiple storage devices into a logical, virtual storage device that can be centrally managed. It is presented as a single storage pool.
  • Tape backups Traditional backups using tape media.
  • Task List Defined mandatory and discretionary tasks allocated to teams and/or individual roles within a Business Continuity Plan.
  • Threat event A disruptive event caused by a threat source (e.g. a power outage event caused by an ice storm - a threat source).
  • Threat source The source of a threat event. (e.g. an ice storm can be a source of a power outage - a threat source).
  • Unannounced test Business continuity plan test which is initiated without a prior announcement of the test to the BC test team.
  • Unexpected loss The worst-case financial loss or impact that a business could incur due to a particular loss event or risk. The unexpected loss is calculated as the expected loss plus the potential adverse volatility in this value. It can be thought of as the worst financial loss that could occur in a year over the next 20 years.
  • Uninterruptible Power Supply (UPS) A backup power supply with enough power to allow a safe and orderly shutdown of the central processing unit should there be a disruption or shutdown of electricity.
  • Validation Script A set of procedures within the Business Continuity Plan to validate the proper function of a system or process before returning it to production operation.
  • Vital records Critical records that are either irreplaceable, or difficult or expensive to reproduce (see also critical data, and critical record).
  • Voice Recovery The restoration of an organization's voice communications system.
  • Walkthrough test Business continuity test teams meet to verbally walkthrough the activities, procedures, and tasks they are expected to follow during the execution of the business continuity plan. This test allows the members of business continuity test teams to review and critique each others’ test activities and performance. It is also known as a tabletop test.
  • Warm site An alternate recovery facility containing some of the required hardware, software, machinery, equipment, and data and voice communications infrastructure that must be prepared and configured for recovery activities following a business disruption. A full recovery requires additional systems and equipment at a warm site (see also cold site, and hot site).
  • Wide Area High Availability Clustering This backup method uses software and hardware based equipment organized as in a wide area network that can be automatically reconfigured to replace a failed machine.
  • Work-around procedure Alternate procedures for handling work and processing transactions in the event of a disruption to normal procedures.
  • Work backlog Work collected manually between the time of the disruption event and systems/resource recovery (see also lost data).
  • Work area Alternate office work area or crisis management center or both (see also office work area, crisis management center, and recovery areas).
  • Work recovery time (WRT) Length of time needed to recover lost data, work backlog, and manually captured work once systems/resources are recovered and repaired. WRT corresponds to the time between systems/resource recovery and the start of normal processing.
TOP