26 November 2013
BCM Courses
IT DRP Course
ABCP
Accumulate BC Experience
CFCP
CBCP
MBCP
1. REDUCE: Steps taken before an incident to identify and mitigate risk
2. RESPOND: Planned reaction to manage during an event
3. RECOVER: To recover the CRITICAL data
4. RESUME: To start CRITICAL activity + start recovering non-critical data
5. RESTORE: Resumption of non-critical activity
6. RETURN: Final movement back to original location
1. PROJECT INITIATION AND MANAGEMENT
2. RISK EVALUATION AND CONTROL
3. BUSINESS IMPACT ANALYSIS
BC Program Purpose
Protect your:
People
Information
Operations
Organization
For any BC Program, protecting people is the primary and most important aspect.
BC Program Objectives
Ensure continuity and survival of organization
Planned reaction and management of interruption
Planned resumption and recovery of operations and systems after an interruption
The restoration or replacement of asset to a permanent site after an interruption
THEN
NOW
Objective:
1. Establish the Need for Business Continuity
Reference relevant legal/regulatory/statutory/contractual requirements and restrictions, like:
Banking regulations (BC-177)
NFPA 1600 (National Fire Protection Association)
HIPAA
BASEL II
Sarbanes-Oxley
Objective:
1. Identify risk and threats that organisation is exposed to
2. Probability of their occurrence
Threat
Vulnerability
Risk
Cause
Probability
Effect
ASSETS
a) Information sources
b) Credibility
Create methods of information gathering
Develop a suitable method to evaluate probability versus severity
Establish cost benefit analysis to be associated with the identified loss potential
d) Location of assets
e) Procedural controls
3. Evaluate impact of risks and exposures on those factors essential for conducting business operations: availability of personnel, availability of information technology, availability of communications technology, status of infrastructure (including transportation), etc.
4. Evaluate controls and recommend changes, if necessary, to reduce impact due to risks and exposures
Controls to inhibit impact exposures: preventive controls (such as passwords, smoke detectors, and firewalls)
Controls to compensate for impact of exposures: reactive controls (such as hot sites)
Determine qualitative and quantitative impacts of the disruptions
Prioritize activities
Establish RTO and RPO
Establish interdependencies of functions
Document the list of vital records
PURPOSE:
To provide business rationale for a business continuity plan
To provide a factual, understandable and informative set of findings that management can use to provide direction for development of the BCP
To communicate the inherent vulnerabilities of the business units
Quantitative
1. Property loss
2. Revenue loss
3. Fines
4. Cash flow
5. Accounts receivable
6. Accounts payable
7. Legal liability
8. Human resources
9. Additional expenses/increased cost of working
Qualitative
1. Human resources
2. Morale
3. Confidence
4. Legal
5. Social and corporate image
6. Financial community credibility
The BIA provides management with key information for making strategic decisions regarding business continuity and recovery.
OBJECTIVE:
1. Understand Available Alternatives and Their Advantages, Disadvantages, and Cost Ranges, including mitigation as a recovery strategy
2. Identify Viable Recovery Strategies within Business Functional Areas
3. Consolidate Strategies
4. Identify Off-Site Requirements and Alternative Facilities
5. Develop Business Unit Strategies
6. Obtain Commitment from Management for Developed Strategies
OBJECTIVE:
1. Identify Potential Types of Emergencies and the Responses Needed (e.g., fire, hazardous materials leak, medical)
2. Identify the Existence of Appropriate Emergency Response Procedures
3. Recommend the Development of Emergency Procedures Where None Exist
4. Integrate Disaster Recovery/Business Continuity Procedures with Emergency Response Procedures and Escalation Procedures
5. Identify the Command and Control Requirements of Managing an Emergency
6. Recommend the Development of Command and Control Procedures to Define Roles, Authority, and Communications Processes for Managing an Emergency
7. Ensure Emergency Response Procedures are Integrated with Requirements of Public Authorities (Refer also to Subject Area 10, Coordination With Public Authorities)
3. Identify Command and Control Requirements
A. Designing and equipping the Emergency Operations Center
B. Command and decision authority roles during the incident
C. Communication vehicles (e.g., e-mail, radio, messengers, cellular telephones, etc.)
D. Logging and documentation methods
5. Emergency Response
A. Develop, implement, and exercise emergency response procedures, including determination of priorities for actions in an emergency
B. Develop, implement, and exercise procedures such as first aid and medical treatment; identify location and develop procedures for transportation to nearby hospitals
Identify Command and Control Requirements
6. Recognize potential need to establish liaison with external agencies (e.g., statutory agencies, emergency services such as fire departments and police, insurers, loss adjusters, etc.), and specify type of information these agencies may require
7. Establish procedures with public authorities for facility access
8. Establish procedures with third-party service providers, including appropriate contractual agreements
2. Emergency notification procedure for internal and external parties
3. Life safety procedures
Planning must take place before you have an emergency so that there is a coordinated, effective response that protects your organization and minimizes the damage.
10. Flexible and adaptable
11. Information security inbuilt with the plan
REVIEW COMPONENTS:
1. Is the plan consistent with the findings of the BIA
2. Are roles and responsibility defined
3. Are resources in place
4. Can plan be implemented
B. Plan activation:
Notification
Disaster declaration procedure
Mobilization procedures
Damage assessment concepts
Awareness and training activities should be designed to meet the needs of the target audience
7. Facilitate Exercises
a. Execute the exercise(s) as planned above
b. Audit exercise actions
12. Audits
A. Audit the BCP's Structure, Contents, and Action Sections
1. Determine if a section in the BCP addresses recovery considerations
2. Evaluate the adequacy of emergency provisions and procedures
3. Recommend improved positions if weaknesses exist
B. Audit the BCP's Documentation Control Procedures
1. Determine whether the BCP is available to key personnel
2. Review update procedures
3. Demonstrate that update procedures are effective by auditing test results
4. Examine the provision of secure backup copies of the BCP for emergency use
5. List those individuals with copies of the BCP
6. Ensure that BCP copies are current
The goal of testing and exercising your plan is not to find out if it works, but to determine how it doesn't.
Units
Perception is Reality
OBJECTIVE:
1. Identify and Establish Liaison Procedures for Emergency Management
2. Coordinate Emergency Management with External Agencies
3. Maintain Current Knowledge of Laws and Regulations Concerning Emergency Management as it pertains to a particular organization
Thank You
Source: http://www.drii.org/DRII/ProfessionalPractices/about_professional.aspx