3 bcm methodology
TRANSCRIPT
-
8/13/2019 3 BCM Methodology
1/59
1
1
.
CHAIYAKORN APIWATHANOKULCISSP,GCFA, IRCA:ISMS
Business Continuity Management (BCM)
-
8/13/2019 3 BCM Methodology
2/59
2
Objectives
Understand objective and scope of BCM
Understand the different between BCP & DRP
Understand what need to be considered in
developing BCP & DRP
-
8/13/2019 3 BCM Methodology
3/59
Business
Continuity
Management
3
-
8/13/2019 3 BCM Methodology
4/59
Lo Chance Hi Impact Incidentis focused more after 9/11 incident
Impact
Possibility
H
L
L H
High
Low Medium
-
8/13/2019 3 BCM Methodology
5/59
Definitions5
BS 25999-1:2006Business continuity management
Business continuity management
(BCM)
holistic management process thatidentifies potential threats to an
organization and the impacts to
business operations that those threats,
if realized, might cause, and which
provides a framework for building
organizational resilience with thecapability for an effective response that
safeguards the interests of its key
stakeholders, reputation, brand and
value-creating activities
BS 25777:2008Information and communications
technology continuity management
ICT continuity
Capability of the organization to plan forand respond to incidents and
disruptions in order to continue ICT
services at an acceptable predefined
level
-
8/13/2019 3 BCM Methodology
6/59
Definitions6
BS 25999-1:2006Business continuity management
business continuity plan (BCP)
documented collection of proceduresand information that is developed,
compiled and maintained in readiness
for use in an incident to enable an
organization to continue to deliver its
critical activities at an acceptable pre-
define
BS 25777:2008Information and communications
technology continuity management
ICT disaster recovery
Activities and programs that are invokes
in response to a disruption and areintended to restore.
-
8/13/2019 3 BCM Methodology
7/59
7
DisasterRecovery
Planning
(IT)
BusinessContinuity
Planning
(Business)
Business Continuity Management
Restore IT and
critical facilities
Continue critical
business functions
Set Pol icy, Emergency Operation s Comm ittee,
Cr isis Management Plannin g, etc.
Disaster Recovery in the Context of a BCM Program
-
8/13/2019 3 BCM Methodology
8/59
haiyakorn piwathanokul
Recent Standards/GuidelinesTopic Business ICT
Governance GRC, COSO (ERM)CG CobiT4.1 (ITG)ISO 38500:2008 (ITG)
ISO 27014 (ISG)ISO 27001:2005 (ISMS)
RiskBS31100:2008 (RM)
ISO31000:2008 (RM)
BS7799-3:2006 (ISRM)
ISO13335-3,4:1998
ISO27005:2008 (ISRM)NIST SP800-30:2002 (ITRM)
Continuity
Crisis
FEMA141:1993 (EM)
PAS 56:2003 (BCI:BCMGPG)
BS 25999:2006 (BCM)ISO/PAS 22399:2007 (Societal security)
PAS 77:2006 (ITSCM)
BS 25777:2008 (ICTCM)
ISO 24762:2008 (ICT DR)NIST SP800-34:2002 (ITSC:DRP)
NIST SP800-34rev1:2009(ITSC:DRP)
OthersPAS 99:2006 (Integrated
Management)
ITILv3
ISO 20000 (ITSMS)
-
8/13/2019 3 BCM Methodology
9/59
BCM linkage to multiple standards
ISO27001A.14 Business continuity management
ITILv2
Service Continuity and Availability Management ITILv3
Service design: IT Service Continuity Mgmt
ISO20000
Service Contingency and Availability Management
9
-
8/13/2019 3 BCM Methodology
10/59
Compliances
... HIPPA
PCI-DSS
Critical Infrastructure Act (US)
10
-
8/13/2019 3 BCM Methodology
11/59
11
BCM Lifecycle from BS 25999-1:2006
-
8/13/2019 3 BCM Methodology
12/59
BS 25777:2008 ICT Continuity Management
12
-
8/13/2019 3 BCM Methodology
13/59
From BS 25999-1:2006
-
8/13/2019 3 BCM Methodology
14/59
Key ICT continuity management timescales(BS 25777:2008)
14
-
8/13/2019 3 BCM Methodology
15/59
From ISO/PAS 22399:2007
-
8/13/2019 3 BCM Methodology
16/59
16
DRP / BRP Definition
Disaster Recovery Planning
Goals of DRP
Business Resumption Planning
-
8/13/2019 3 BCM Methodology
17/59
17
BCP Definition
Event occurred
How serious?
Plan?
Prepared?
Execute
Improve
-
8/13/2019 3 BCM Methodology
18/59
18
Sources of Information
Disaster Recovery Institute International(DRII)
Business Continuity Institute (BCI)BCMGPG
BS 25999 (BCM)
BS 25777 (ICTCM)
NIST SP800-34 (rev1)Contingency Planning Guide for Federal Information Systems
-
8/13/2019 3 BCM Methodology
19/59
19
Overview of BCP
Direct Benefit Indirect Benefits
Overlap with Risk Management
BCM vs. BCP vs. COOP
-
8/13/2019 3 BCM Methodology
20/59
20
Traditional BCP Project Phases
Project Scope Development and Planning
Business Impact Analysis (BIA) andFunctional Requirements
Business Continuity and Recovery Strategy Plan Design and Development
Implementation
Restoration Feedback and Plan Management
-
8/13/2019 3 BCM Methodology
21/59
21Business Continuity Plan Process - snapshot
Appoint an owner Define the objectives and
scope
Develop and approve aplanning process and
timetable Create a planning team
Decide the structure, format,components and content
Determine the strategiesand deferment to otherplans
Determine thecircumstances that arebeyond the scope
Gather information
Write and review the plan
Schedule ongoing testingand maintenance
Test the plan
-
8/13/2019 3 BCM Methodology
22/59
22
Overview of All BCP Steps
1. Policy2. Program Management
3. Understanding the Organization
4. Determining Strategy5. Developing and Implementing Response
6. Testing, Maintaining & Reviewing
7. Embedding BCP
-
8/13/2019 3 BCM Methodology
23/59
-
8/13/2019 3 BCM Methodology
24/59
24
2. Program Management
Assigning Responsibilities
Initiating BCP in the Organization
Project Management
Ongoing Management Documentation
Incident Readiness & Response
-
8/13/2019 3 BCM Methodology
25/59
25
3. Understanding the Organization
BIA Benefits
Objectives
Estimating Recovery Requirements
Evaluating Threats (Risk Assessment)
Indicators
-
8/13/2019 3 BCM Methodology
26/59
26Understanding the Organization Overview
Business Impact Analysis (BIA) Recovery Requirements Analysis
Risk Assessment (RA)
-
8/13/2019 3 BCM Methodology
27/59
27
Business Impact Analysis (BIA)
Identifies, quantifies and qualifies loss Scope & Support required
Documents impact & dependencies
Identify: Activities, Staff, Impact, Time Workshops, Questionnaires, Interviews
Business justifications for budget
Frequency yearly
-
8/13/2019 3 BCM Methodology
28/59
28
Business Impact Analysis (BIA)
Technique used for gathering andanalyzing information needed for DRP
Goal: identify critical business processes
Recovery Plans Recovery Time Objectives (RTOs)
Recovery Point Objectives (RPOs)
Maximum Allowable Outage (MAO)
Maximum Allowable Downtime (MAD)
Maximum Tolerable Downtime (MTD)
29
-
8/13/2019 3 BCM Methodology
29/59
29
-
8/13/2019 3 BCM Methodology
30/59
30
Estimating Continuity Requirements
Total Budget for DisasterAccuracy of BIA
Change in resource allocations
How Much, How Long, Communication Identification of necessary resources
What will be needed when
Yearly or with BIA
31
-
8/13/2019 3 BCM Methodology
31/59
Cost Balance31
32
-
8/13/2019 3 BCM Methodology
32/59
32
*Courtesy of the National Disaster Coalition
-
8/13/2019 3 BCM Methodology
33/59
INDUSTRY STANDARDS
Tier 4: Multiple active power and cooling distribution paths, redundant components, fault tolerant, 99.995% availabilityTier 3: Multiple power and cooling distribution paths, but only one path active, redundant components, concurrently maintainable,
99.982% availability
Tier 2: Single or multi path for power, single cooling distribution path, redundant components, 99.741% availabilityTier 1: Single path for power and cooling distribution, no redundant components, 99.671% availability
Industry Standard Tier Classifications The Uptime Institute
Terminology Definition
10 State-of-the-ArtRedundant power, redundant cooling, redundant UPS, redundant dedicated A/C, redundant generator,
redundant fuel, weather & geographic facility hardening, disaster avoidance
9 Ultra-ReliableRedundant power, redundant cooling, redundant UPS, redundant dedicated A/C, redundant generator,
redundant fuel
8 Reliable-Redundant Dedicated power & cooling, redundant UPS, redundant dedicated A/C, redundant generators
7 Reliable Dedicated power & cooling, UPS, redundant dedicated A/C, generator
6Isolated Mostly
ReliableDedicated power & cooling, UPS, redundant dedicated A/C
5 Isolated Improved Dedicated power & cooling, UPS, dedicated A/C
4Isolated
ConditionedDedicated power & cooling, conditioned power, dedicated A/C
3 Isolated Unreliable Dedicated power & cooling, unconditioned power, dedicated A/C
2Partially Isolated
UnreliableDedicated power, shared cooling, unconditioned power, A/C
1 Unreliable Shared building power & cooling
33
1
2
3
4
34
-
8/13/2019 3 BCM Methodology
34/59
SELECTION PROCESS
-
8/13/2019 3 BCM Methodology
35/59
CRITERIA DESCRIPTION RATING
SITE LOCATION CRITERIA
Site LocationSpecification
Downtown/city center, office/high tech park, suburban,industrial park, parking, shipping access, etc.
A
Access to FacilityRemoteness/location of the facility. Requires more than oneaccess road
A
EnvironmentalDisaster Avoidance
Requirements for the facility that it not be nearearthquake/fault lines, tornado, not in 100 year flood plain,mudslide or rockslide area
B
Distance from 880
(Data Center)
Not less than 50 Miles and up to 800 miles away. Tradeoffbetween communication latency issues, accessibility, andsurvivability.
B
Market LocationLocation of Recovery Center in a Tier I/II/III city. May impactcost and infrastructure considerations
B
Geography Rank Location for the facility within the United States. C
SECURITY CRITERIA
Rights of Access Provisions for DOE complete control of access to facility. A
ClassifiedProcessing
Provisions to meet DOE requirements for processingclassified information.
A
Physical control offacility
Physical control of facility for security reasons andimmediate access.
B
35
-
8/13/2019 3 BCM Methodology
36/59
36
CRITERIA DESCRIPTION RATING
FACILITY CRITERIA
Tier 3 Facility
Tier 3 - Multiple power and cooling distribution paths, withonly one path active, redundant components, concurrentlymaintainable, 99.98% availability. (DR Study Phase 1requirement)
A
Infrastructure Electrical and telecommunications feeds, floor loading,raised floor height, available raised floor.
A
General BuildingSpecifications
Building Height, Class, Age, etc. A
Fire SuppressionFM-200 Fire Suppression System. DR Study Phase 1Requirement
B
AdditionalConditioned Raised
Floor
Additional raised floor to stage equipment on conditionedraised floor and area to support immediate growth.
B
Primary BuildingUse
Primary use of building, i.e. laboratory, manufacturing, datacenter, recovery center, office, mixed use, other
B
-
8/13/2019 3 BCM Methodology
37/59
37
CRITERIA DESCRIPTION RATING
USAGE CRITERIA
CostsSite cost, labor pool availability, proximity to 880,infrastructure, connectivity, etc.
A
Length of UsagePotential for restrictive time limits for use if using acommercial provider.
A
InfrastructureDisaster Avoidance
Away from Airport, Highways, railroad tracks, electrical sub-stations.
A
PoliticalConsiderations Considerations based on external political factors
B
OwnershipSandia leased or owned, DOE leased or owned, militaryleased or owned and service provider leased or owned,lease expiration dates.
B
Accommodationsfor Support Staff
Availability of hotels and long-term accommodations tohouse support staff potentially for extended periods of time.
B
Food CateringServices
Availability of balanced meals should be available for anextended outage.
B
38
-
8/13/2019 3 BCM Methodology
38/59
38
4. Determining Strategy
Determining BC Strategies Strategy Options
Activity Continuity Options
Resource Level Consolidation Indicators
39
-
8/13/2019 3 BCM Methodology
39/59
39
Recovery Alternatives
Alternative Description Readiness Cost
Multipleprocessing /mirrored site
Fully redundant identicalequipment & data
Highest level of availability& readiness
Highest
Mobilesite/Trailer
Designed, self-containedIT & communications
Variable drive time; loaddata & test systems
High
Hot site
Fully provisioned IT &office, HVAC,
infrastructure, &communications
Short time to load data, testsystems. May be yours or
vendor staffHigh
Warm site
Partially IT equipped,
some office, data & voice,infrastructure
Days or weeks.
Need equipment, data,communications
Moderate
Cold siteMinimal infrastructure,
HVAC
Weeks or more. Need all IT,office equipment, &
communicationsLowest
40
-
8/13/2019 3 BCM Methodology
40/59
40
Processing Agreements
Agreement Description Considerations
Reciprocal orMutual Aid
Two or more organizationsagree to recover critical
operations for each other.
Technology upgrades/obsolescence or business
growth. Security and accessby partner users.
Contingency
Alternate arrangements ifprimary provider is
interrupted, i.e., voice ordata communications.
Providers may share paths orlease from each other.
Question them.
Service BureauAgreement with applicationservice provider to processcritical business function.
Evaluate their loading,geography and ask about
backup mode.
41
-
8/13/2019 3 BCM Methodology
41/59
41
5. Developing and Implementing Response
Incident Response Structure Incident Management Plan
Business Continuity Plan
Activity Response Plans Indicators
42
-
8/13/2019 3 BCM Methodology
42/59
Sample Call Tree
43
6 T ti M i t i i & R i i
-
8/13/2019 3 BCM Methodology
43/59
43
6. Testing, Maintaining & Reviewing
Test Program Testing BCP Arrangements
Maintaining BCP Arrangements
Reviewing BCP Arrangements Indicators
44
-
8/13/2019 3 BCM Methodology
44/59
44
Types Process Participants Frequency Complexity
Desk CheckCheck the contents of theplan, aids in maintenance
Author Often LOW
Walk
through
Check interaction and
roles of participants
Author & Main
people
SimulationIncludes: Business plans,Buildings, Communication
Main people &Auditors
Activitytesting
Moves work to another
site.Recreates the existing
work from the displacedsite
Everyone atlocation
FullShuts down and Relocate
all workEveryone at
both locationsRare HIGH
Testing Types
-
8/13/2019 3 BCM Methodology
45/59
45
WHAT COULD POSSIBLY HAPPEN HERE?
46
-
8/13/2019 3 BCM Methodology
46/59
46
7. Embedding BCP
Assessing Level of Awareness & Training Developing BCP within the Culture
Monitoring Cultural Change
Indicators
47
-
8/13/2019 3 BCM Methodology
47/59
47
Embedding BCP Overview
Part of the culture Steps
Assess
Design
Check
48
-
8/13/2019 3 BCM Methodology
48/59
48
Factors for Success
Supported by senior management Everyone is aware
Everyone is invested
Everyone agrees
49
-
8/13/2019 3 BCM Methodology
49/59
49
Assessing the Level of Awareness & Training
Where are we now? Training framework in place
Measurement criteria
Repeated frequently
50
-
8/13/2019 3 BCM Methodology
50/59
50
Developing BCP Within The Organizations Culture
Training, Education, Awareness Define the Message
Cost effective delivery
Design, Delivery, Delivery
51
BCP S
-
8/13/2019 3 BCM Methodology
51/59
5
BCP Summary
Overview All Steps1. Policy
2. Program Management
3. Understanding the Organization4. Determining Strategy
5. Developing and Implementing Response
6. Testing, Maintaining & Reviewing
7. Embedding BCP
52
-
8/13/2019 3 BCM Methodology
52/59
BCM SLIDES .
6 C
-
8/13/2019 3 BCM Methodology
53/59
53
6 BCM
BCP 1 BCP BCP
-
8/13/2019 3 BCM Methodology
54/59
BCM (2)
-
8/13/2019 3 BCM Methodology
55/59
55
BCM (2)
BCP
BCP
BCP
-
8/13/2019 3 BCM Methodology
56/59
-
8/13/2019 3 BCM Methodology
57/59
BCMISO 27002
Control 14.1
Information Continuity
management
ISO 24762
ICT DR Services
Telecom
Power
Supply
DR site
Asset
Mgmt
Fire
Protection
Vendor
MgmtLogicalAccess
Control
DR plan
Physical
Access
Control
Risk
Mitigation
ISO 27005
Risk Assessment
58
-
8/13/2019 3 BCM Methodology
58/59
ISO 24762ICT DR Services
Telecom
Power
Supply
DR site
Asset
Mgmt
Fire
Protection
VendorMgmt Logical
Access
Control
DR plan
Physical
Access
Control
RiskMitigation
59
-
8/13/2019 3 BCM Methodology
59/59
Question ?