
Business Continuity Management (BCM)

Instructor Chaiyakorn Apiwathanokul
CISSP, GCFA, IRCA:ISMS

Objectives
- Understand the objective and scope of BCM
- Understand the difference between BCP and DRP
- Understand what needs to be considered in developing a BCP and a DRP

Business Continuity Management

Low-probability, high-impact incidents have received much more attention since the 9/11 attacks.

[Figure: risk matrix with Impact (Low/High) on one axis and Possibility (Low/High) on the other, with cells labelled Low, Medium and High]

Definitions (from BS 25999-1:2006 Business continuity management and BS 25777:2008 Information and communications technology continuity management)

ICT continuity: capability of the organization to plan for and respond to incidents and disruptions in order to continue ICT services at an acceptable predefined level.

Business continuity management (BCM): holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

ICT disaster recovery: activities and programs that are invoked in response to a disruption and are intended to restore.

Business continuity plan (BCP): documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical activities at an acceptable predefined level.

Disaster Recovery in the Context of a BCM Program

Business Continuity Management: set policy, crisis management planning, emergency operations committee, etc.
- Disaster Recovery Planning (IT): restore IT and critical facilities
- Business Continuity Planning (Business): continue critical business functions

Recent Standards/Guidelines (by topic: Governance, Risk, Continuity, Crisis)

Business (GRC and BCM):
- Governance: COSO (ERM), corporate governance (CG)
- Risk: BS 31100:2008 (RM), ISO 31000:2008 (RM)
- Continuity: PAS 56:2003 (BCI BCMGPG), BS 25999:2006 (BCM), ISO/PAS 22399:2007 (Societal security)
- Crisis: FEMA 141:1993 (EM)

ICT:
- Governance: CobiT 4.1 (ITG), ISO 38500:2008 (ITG), ISO 27014 (ISG), ISO 27001:2005 (ISMS), ITILv3, ISO 20000 (ITSMS)
- Risk: ISO 27005:2008 (ISRM), BS 7799-3:2006 (ISRM), ISO 13335-3/4:1998, NIST SP800-30:2002 (ITRM)
- Continuity: PAS 77:2006 (ITSCM), BS 25777:2008 (ICTCM), ISO 24762:2008 (ICT DR), NIST SP800-34:2002 (ITSC:DRP), NIST SP800-34 rev1:2009 (ITSC:DRP)

Others: PAS 99:2006 (Integrated Management)

BCM linkage to multiple standards
- ISO 27001: A.14 Business continuity management
- ITILv2: Service Continuity and Availability Management
- ITILv3: Service Design, IT Service Continuity Management
- ISO 20000: Service Continuity and Availability Management

Compliance drivers
- Thai Acts (พ.ร.บ.)
- HIPAA
- PCI-DSS
- Critical Infrastructure Act (US)

BCM Lifecycle (figure from BS 25999-1:2006)

BS 25777:2008 ICT Continuity Management (figure)

Figure from BS 25999-1:2006

Key ICT continuity management timescales (figure from BS 25777:2008)

Figure from ISO/PAS 22399:2007

DRP / BRP Definition
- Disaster Recovery Planning
- Goals of DRP
- Business Resumption Planning

BCP Definition
Event occurred -> How serious? -> Plan? -> Prepared? -> Execute -> Improve

Sources of Information
- Disaster Recovery Institute International (DRII)
- Business Continuity Institute (BCI): BCMGPG
- BS 25999 (BCM)
- BS 25777 (ICTCM)
- NIST SP800-34 (rev1): Contingency Planning Guide for Federal Information Systems

Overview of BCP
- Direct benefit
- Indirect benefits
- Overlap with risk management
- BCM vs. BCP vs. COOP

Traditional BCP Project Phases
1. Project scope development and planning
2. Business Impact Analysis (BIA) and functional requirements
3. Business continuity and recovery strategy
4. Plan design and development
5. Implementation
6. Restoration
7. Feedback and plan management

Business Continuity Plan Process (snapshot)
1. Appoint an owner
2. Define the objectives and scope
3. Develop and approve a planning process and timetable
4. Create a planning team
5. Decide the structure, format, components and content
6. Determine the strategies and deferment to other plans
7. Determine the circumstances that are beyond the scope
8. Gather information
9. Write and review the plan
10. Schedule ongoing testing and maintenance
11. Test the plan

Overview of All BCP Steps
1. Policy
2. Program Management
3. Understanding the Organization
4. Determining Strategy
5. Developing and Implementing Response
6. Testing, Maintaining & Reviewing
7. Embedding BCP

1. Policy
- Reflecting organizational context
- Policy contents
- Program scope
- Outsourced activities

2. Program Management
- Assigning responsibilities
- Initiating BCP in the organization
- Project management
- Ongoing management
- Documentation
- Incident readiness & response

3. Understanding the Organization
- BIA: benefits, objectives
- Estimating recovery requirements
- Evaluating threats (risk assessment)
- Indicators

Understanding the Organization: Overview
- Business Impact Analysis (BIA)
- Recovery requirements analysis
- Risk Assessment (RA)

Business Impact Analysis (BIA)
- Identifies, quantifies and qualifies loss
- Scope and support required
- Documents impact and dependencies
- Identify: activities, staff, impact, time
- Methods: workshops, questionnaires, interviews
- Business justification for budget
- Frequency: yearly

Business Impact Analysis (BIA)
- Technique used for gathering and analyzing the information needed for DRP
- Goal: identify critical business processes
- Recovery plans are driven by the resulting metrics:
  - Recovery Time Objective (RTO): target time to restore an activity or system after a disruption
  - Recovery Point Objective (RPO): maximum acceptable data loss, measured as time since the last usable copy
  - Maximum Allowable Outage (MAO)
  - Maximum Allowable Downtime (MAD)
  - Maximum Tolerable Downtime (MTD): the longest a process can be unavailable before the business is unacceptably harmed; the RTO must not exceed it
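The metrics above only become actionable once they are checked against each other and propagated from business processes to the IT systems those processes depend on. The following Python example is added here and is not from the original slides: it flags processes whose RTO exceeds their MTD, derives the required RTO/RPO for each shared IT system as the minimum over the processes that depend on it, and checks a proposed recovery strategy (recovery time and backup interval) against those derived targets. The process names, tolerances, dependency map and strategies are constructed illustrative data, not figures from the slides.

```python
"""Business impact analysis (BIA) worked example: derive IT recovery targets
from business-process tolerances and check a proposed recovery strategy.

Added example, not from the original slides. Process names, tolerances,
the dependency map and the strategies below are constructed illustrative data.
"""
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    mtd_hours: float          # Maximum Tolerable Downtime set by the business
    rto_hours: float          # Recovery Time Objective (target), must be <= MTD
    rpo_hours: float          # Recovery Point Objective (max acceptable data loss)
    depends_on: list = field(default_factory=list)  # IT systems this process needs


@dataclass
class Strategy:
    name: str
    recovery_hours: float          # time to bring the system back (hot/warm/cold site)
    backup_interval_hours: float   # worst-case data loss is one backup interval


def validate_processes(processes):
    """Return a finding for every process whose RTO exceeds its MTD."""
    return [f"{p.name}: RTO {p.rto_hours}h exceeds MTD {p.mtd_hours}h"
            for p in processes if p.rto_hours > p.mtd_hours]


def derive_system_targets(processes):
    """Propagate process RTO/RPO to each shared IT system.

    A system must come back fast enough for the most demanding process that
    depends on it, so its required RTO and RPO are the minimum over those
    processes. Returns {system: (required_rto_hours, required_rpo_hours)}.
    """
    targets = {}
    for p in processes:
        for system in p.depends_on:
            rto, rpo = targets.get(system, (float("inf"), float("inf")))
            targets[system] = (min(rto, p.rto_hours), min(rpo, p.rpo_hours))
    return targets


def check_strategy(targets, strategies):
    """Compare each system's chosen strategy against its derived targets.

    Returns {system: [problem, ...]}; an empty list means the strategy fits.
    """
    gaps = {}
    for system, (rto, rpo) in targets.items():
        s = strategies[system]
        problems = []
        if s.recovery_hours > rto:
            problems.append(f"recovery {s.recovery_hours}h > RTO {rto}h")
        if s.backup_interval_hours > rpo:
            problems.append(f"backup interval {s.backup_interval_hours}h > RPO {rpo}h")
        gaps[system] = problems
    return gaps


# Constructed sample data (not from the original slides).
PROCESSES = [
    Process("Payments", mtd_hours=4, rto_hours=2, rpo_hours=0.25,
            depends_on=["core-db", "auth"]),
    Process("Payroll", mtd_hours=72, rto_hours=48, rpo_hours=24,
            depends_on=["hr-app", "core-db"]),
    Process("Marketing site", mtd_hours=24, rto_hours=36, rpo_hours=24,
            depends_on=["web"]),   # deliberately inconsistent: RTO > MTD
]

STRATEGIES = {
    "core-db": Strategy("hot site, synchronous replication", recovery_hours=1,
                        backup_interval_hours=0),
    "auth": Strategy("warm site", recovery_hours=24, backup_interval_hours=1),
    "hr-app": Strategy("cold site", recovery_hours=72, backup_interval_hours=24),
    "web": Strategy("hot site", recovery_hours=1, backup_interval_hours=24),
}


if __name__ == "__main__":
    for finding in validate_processes(PROCESSES):
        print("BIA inconsistency:", finding)
    targets = derive_system_targets(PROCESSES)
    for system, problems in check_strategy(targets, STRATEGIES).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{system}: required (RTO, RPO) = {targets[system]} -> {status}")
```

Running it shows the two failure modes a BIA review is meant to catch: a process whose own targets are inconsistent (Marketing site), and a shared system whose strategy was sized for the least demanding dependent process (auth was given a warm site although Payments needs it back within two hours with at most fifteen minutes of data loss).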


Estimating Continuity Requirements
- Total budget for disaster
- Accuracy of BIA
- Change in resource allocations
- How much, how long, communication
- Identification of necessary resources
- What will be needed when
- Frequency: yearly or with BIA

Cost Balance (figure)

*Courtesy of the National Disaster Coalition

Industry Standards: Tier Classifications (The Uptime Institute)

- Tier 4: multiple active power and cooling distribution paths, redundant components, fault tolerant; 99.995% availability
- Tier 3: multiple power and cooling distribution paths, but only one path active, redundant components, concurrently maintainable; 99.982% availability
- Tier 2: single or multi path for power, single cooling distribution path, redundant components; 99.741% availability
- Tier 1: single path for power and cooling distribution, no redundant components; 99.671% availability

Terminology (level, name, Uptime tier, definition):
- 10 State-of-the-Art (Tier 4): redundant power, redundant cooling, redundant UPS, redundant generator, redundant fuel, redundant dedicated A/C, weather and geographic facility hardening, disaster avoidance
- 9 Ultra-Reliable (Tier 4): redundant power, redundant cooling, redundant UPS, redundant generator, redundant fuel, redundant dedicated A/C, disaster avoidance
- 8 Reliable-Redundant (Tier 3): dedicated power and cooling, redundant UPS, redundant generators, redundant fuel, redundant dedicated A/C
- 7 Reliable (Tier 3): dedicated power and cooling, redundant UPS, redundant generator, redundant dedicated A/C
- 6 Isolated Mostly Reliable (Tier 3): dedicated power and cooling, UPS, redundant generator, redundant dedicated A/C
- 5 Isolated Improved (Tier 3): dedicated power and cooling, UPS, generator, dedicated A/C
- 4 Isolated Conditioned (Tier 2): dedicated power and cooling, conditioned power, UPS, dedicated A/C
- 3 Isolated Unreliable (Tier 1): dedicated power and cooling, unconditioned power, dedicated A/C
- 2 Partially Isolated Unreliable (Tier 1): dedicated power, shared cooling, unconditioned power, A/C
- 1 Unreliable (Tier 1): shared building power and cooling

Selection Process

Site Location Criteria (criterion, rating: description)
- Site Location Specification (A): downtown/city center, suburban, industrial park, office/high-tech park, etc.
- Access to Facility (A): remoteness/location of the facility; requires more than one access road
- Environmental Disaster Avoidance (B): the facility must not be near earthquake/fault lines, in a 100-year flood plain, or in a tornado, mudslide or rockslide area
- Distance from 880 (Data Center) (B): not less than 50 miles and up to 800 miles away; tradeoff between communication latency, accessibility and survivability
- Market Location (B): location of the recovery center in a Tier I/II/III city; may impact cost and infrastructure considerations
- Geography (C): location of the facility within the United States

Security Criteria (criterion, rating: description)
- Rights of Access (A): provisions for DOE complete control of access to the facility
- Classified Processing (A): provisions to meet DOE requirements for processing classified information
- Physical Control of Facility (B): physical control of the facility for security reasons and immediate access

Facility Criteria (criterion, rating: description)
- Tier 3 Facility (A): multiple power and cooling distribution paths with only one path active, redundant components, concurrently maintainable, 99.98% availability (DR Study Phase 1 requirement)
- Infrastructure (A): electrical and telecommunications feeds, etc.
- General Building Specifications (A): building height, age, class, floor loading, raised floor height, etc.
- Fire Suppression (B): FM-200 fire suppression system (DR Study Phase 1 requirement)
- Additional Conditioned Raised Floor (B): additional raised floor to stage equipment on conditioned raised floor, and area to support immediate growth
- Primary Building Use (B): primary use of the building, i.e. data center, recovery center, office, mixed use, laboratory, manufacturing, other

Usage Criteria (criterion, rating: description)
- Costs (A): site cost, infrastructure, connectivity, labor pool availability, lease expiration dates, etc.
- Length of Usage (A): potential for restrictive time limits on use if using a commercial provider
- Infrastructure Disaster Avoidance (A): away from airports, highways, railroad tracks, electrical substations; proximity to 880
- Political Considerations (B): considerations based on external political factors
- Ownership (B): Sandia leased or owned, DOE leased or owned, military leased or owned, or service provider leased or owned
- Accommodations for Support Staff (B): availability of hotels and long-term accommodations to house support staff, potentially for extended periods
- Food Catering Services (B): availability of balanced meals for an extended outage

4. Determining Strategy
- Determining BC strategies
- Strategy options
- Activity continuity options
- Resource level consolidation
- Indicators

Recovery Alternatives (alternative: description; readiness; cost)
- Multiple processing / mirrored site: fully redundant identical equipment and data; highest level of availability and readiness; cost highest
- Mobile site / trailer: designed, self-contained IT and communications; variable drive time, then load data and test systems; cost high
- Hot site: fully provisioned IT and office, HVAC, data and voice; short time to load data and test systems; cost high
- Warm site: partially IT-equipped, some office, HVAC, infrastructure and communications; days or weeks, need equipment and data, may be your own or vendor staff; cost moderate
- Cold site: minimal infrastructure and communications; weeks or more, need all IT, office equipment and communications; cost lowest

Processing Agreements (agreement: description; considerations)
- Reciprocal or mutual aid: two or more organizations agree to recover critical operations for each other; technology upgrades/obsolescence or business growth, security and access by partner users
- Contingency service bureau: agreement with an application service provider to process a critical business function; question them, evaluate their loading and geography, and ask about backup mode
- Communications (i.e. voice or data communications): alternate arrangements if the primary provider is interrupted; providers may share paths or lease from each other

5. Developing and Implementing Response
- Incident response structure
- Incident management plan
- Business continuity plan
- Activity response plans
- Indicators

Sample Call Tree (figure)
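A call tree is only as good as its weakest link: if one person in the middle of the tree cannot be reached and nobody takes over their calls, the whole branch below them is never notified. The following Python example is added here and is not from the original slides; it walks a constructed call tree breadth-first, lets a caller inherit the call list of anyone they cannot reach (escalation), and reports who was notified, how long the cascade took and who was missed. The role names, tree shape, per-call time and the set of unreachable contacts are constructed illustrative data.

```python
"""Call-tree notification walk with escalation around unreachable contacts.

Added example, not from the original slides. The roles, the tree shape and
the set of unreachable contacts below are constructed illustrative data.
"""
from collections import deque

# Constructed call tree: each role calls the roles listed under it, in order.
CALL_TREE = {
    "crisis-lead": ["it-lead", "facilities-lead", "comms-lead"],
    "it-lead": ["dba-oncall", "network-oncall"],
    "facilities-lead": ["security-desk"],
    "comms-lead": ["hr-lead"],
    "dba-oncall": [],
    "network-oncall": [],
    "security-desk": [],
    "hr-lead": [],
}


def run_call_tree(tree, root, unreachable=frozenset(), call_minutes=2):
    """Walk the call tree breadth-first starting at `root`.

    Returns (reached, escalations, elapsed_minutes).

    Each caller works through their list sequentially, one attempt per
    `call_minutes`. When a callee cannot be reached, the caller takes over
    that callee's own call list (recorded in `escalations`) so the branch
    below the missing person is still notified instead of being silently
    dropped. Callees start their own calls as soon as they are reached.
    """
    reached = [root]
    escalations = []
    # queue entries: (caller, people this caller still has to call, time caller became available)
    queue = deque([(root, list(tree.get(root, [])), 0)])
    elapsed = 0
    while queue:
        caller, to_call, clock = queue.popleft()
        i = 0
        while i < len(to_call):          # the list may grow through escalation
            callee = to_call[i]
            i += 1
            clock += call_minutes        # one attempt per callee
            if callee in unreachable:
                escalations.append((caller, callee))
                to_call.extend(tree.get(callee, []))   # inherit their calls
                continue
            reached.append(callee)
            queue.append((callee, list(tree.get(callee, [])), clock))
        elapsed = max(elapsed, clock)
    return reached, escalations, elapsed


def not_notified(tree, reached):
    """Roles present in the tree that the walk never reached."""
    return sorted(set(tree) - set(reached))


if __name__ == "__main__":
    reached, esc, minutes = run_call_tree(CALL_TREE, "crisis-lead")
    print(f"all available: {len(reached)} reached in {minutes} min, escalations={esc}")
    reached, esc, minutes = run_call_tree(CALL_TREE, "crisis-lead",
                                          unreachable={"it-lead"})
    print(f"it-lead unreachable: {len(reached)} reached in {minutes} min, "
          f"escalations={esc}, not notified={not_notified(CALL_TREE, reached)}")
```

With everyone available the cascade finishes in 8 minutes; with it-lead unreachable the crisis lead picks up it-lead's two calls, so nobody is lost but the critical path grows to 10 minutes, which is exactly the kind of figure a call-tree test should record and compare against the incident management plan's notification target.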

6. Testing, Maintaining & Reviewing
- Test program
- Testing BCP arrangements
- Maintaining BCP arrangements
- Reviewing BCP arrangements
- Indicators

Testing Types (type: process; participants)
- Desk check: check the contents of the plan, aids in maintenance; author
- Walk-through: check interaction and roles of participants; author and main people
- Simulation: includes business plans, buildings, communication; main people and auditors
- Activity testing: moves work to another site, recreates the existing work from the displaced site; everyone at the location
- Full: shuts down and relocates all work; everyone at both locations
Frequency runs from often (desk check) to rare (full); complexity runs from low to high in the same order.

What could possibly happen here?

7. Embedding BCP
- Assessing level of awareness and training
- Developing BCP within the culture
- Monitoring cultural change
- Indicators

Embedding BCP: Overview
- Part of the culture
- Steps: assess, design, check

Factors for Success
- Supported by senior management
- Everyone is aware
- Everyone is invested
- Everyone agrees

Assessing the Level of Awareness and Training
- Where are we now?
- Training framework in place
- Measurement criteria
- Repeated frequently

Developing BCP Within the Organization's Culture
- Training, education, awareness
- Define the message
- Cost-effective delivery
- Design, delivery

BCP Summary: Overview of All Steps
1. Policy
2. Program Management
3. Understanding the Organization
4. Determining Strategy
5. Developing and Implementing Response
6. Testing, Maintaining & Reviewing
7. Embedding BCP

Auditing and Assessing BCM (based on slides by Chutima Nimsuwan, ชุติมา นิ่มสุวรรณ)

Six key factors of effective BCM
- Business continuity planning is done holistically across the whole organization
- The business impact analysis and risk assessment are comprehensive
- The scope covers more than recovery of IT systems
- The BCP is tested at least once a year
- The BCP and the test results are independently audited
- The BCP is updated periodically
Overseen by the board of directors and senior management.

BCM audit guidelines (1): matters to assess
- Appropriateness of the enterprise-wide business continuity plan
- Quality of BCP governance and the support of the board and senior management
- Adequacy of the business impact analysis and risk assessment
- Appropriateness of risk management within the business continuity process

BCM audit guidelines (2)
- Appropriateness of BCP testing
- Coverage of the IT continuity plan, its consistency with the BCPs of other departments, and its integration as part of the organization's BCP
- Readiness of backups and the ability to use IT systems as in normal operations

BCM audit guidelines (3)
- Completeness of preparations for recovering the data center to normal operations
- Rigor of security operating procedures
- Completeness of the identification of critical activities performed by external service providers

BCM and related standards (figure)
- ISO 27002 Control 14.1: Information security aspects of business continuity management
- ISO 27005: Risk assessment
- ISO 24762: ICT DR services (vendor management, DR site, power supply, telecom, asset management, DR plan, risk mitigation, logical access control, physical access control, fire protection)

ISO 24762 ICT DR Services
- Vendor management
- DR site
- Power supply
- Telecom
- Asset management
- DR plan
- Risk mitigation
- Logical access control
- Physical access control
- Fire protection

Questions?