Business Continuity Plan Slides v1.1
Posted on 07-Apr-2018
8/6/2019 Business Continutity Plan Slides V1.1
1/34
Business Contingency Plan
IT Risk Management: Information Security
What is BCP?
A coordinated strategy involving plans, procedures, and technical measures that enable the recovery of information systems, operations, and data after a disruption.
The purpose of BCP is to minimize financial losses and to provide rapid recovery during and after a disaster.
Coverage of BCP
Performing some or all of the affected business processes using alternate processing (manual) means (typically acceptable for only short-term disruptions);
Recovering information systems operations at an alternate location (typically acceptable for only long-term disruptions or those physically impacting the facility); and
Implementing appropriate contingency planning controls based on the information system's security impact level.
Our Discussion Limited to
Information Technology
Not organization-wide
Systems BCP usually covers the contingency plan for all business functions (in the event of a disaster). In IT, BCP is often referred to as DRP (Disaster Recovery Plan/Procedure).
BCP is a form of Resilience
Resilience is the ability to quickly adapt and recover from any known or unknown changes to the environment.
The goal of a resilient organization is to continue mission essential functions at all times during any type of disruption.
Information Security in BCP
Confidentiality
Integrity
Availability
Information Security in BCP
Covers the aspect of Availability.
It ensures that the business remains available during the state of a disaster.
Examples:
Bank of Indonesia used BCP to stay in business in response to the Merapi disaster
http://www.republika.co.id/berita/breaking-news/ekonomi/10/11/08/145329-bi-antisipasi-gangguan-sistem-pembayaran-akibat-merapi
Stages in BCP
Develop Contingency Policy
Identify regulatory requirements:
ISO 27001
Peraturan Bank Indonesia
SCADA local policy to ensure service availability
Must be part of the overall organizational and security policy.
To minimize loss in terms of finances, service availability and reputation, the BCP must be activated in case of a disaster.
Develop an organizational structure for BCP.
Business Impact Analysis (BIA)
The purpose of the BIA is to correlate the system with the critical mission/business processes and services provided, and, based on that information, characterize the consequences of a disruption.
Results from the BIA should be appropriately incorporated into the analysis and strategy development efforts for the organization's BCPs and DRP.
Business Impact Analysis
3 steps are involved in performing a BIA:
Determine mission/business functions and recovery criticality. Mission/business functions supported by the system are identified and the impact of a system disruption to those functions is determined along with outage impacts and estimated downtime. The downtime should reflect the maximum time that an organization can tolerate while still maintaining the mission.
Identify resource requirements. Realistic recovery efforts require a thorough evaluation of the resources required to resume mission/business functions and related interdependencies as quickly as possible. Examples of resources that should be identified include facilities, personnel, equipment, software, data files, system components, and vital records.
Identify recovery priorities for system resources. Based upon the results from the previous activities, system resources can be linked more clearly to critical mission/business processes and functions. Priority levels can be established for sequencing recovery activities and resources.
Data Collection Activities
Threat Analysis
Performs analysis of potential threats.
Some common threats include the following:
Disease
Earthquake
Fire
Flood
Cyber attack
Sabotage (insider or external threat)
Hurricane or other major storm
Utility outage
Terrorism
Theft (insider or external threat, of vital information or material)
Document an impact scenario to correlate each possible threat with its scenario.
Main Outcome of BIA
Maximum Tolerable Downtime (MTD). MTD defines how long a specific business process could be unavailable.
Recovery Time Objective (RTO). RTO defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business functions, and the MTD.
Recovery Point Objective (RPO). The RPO represents the point in time, prior to a disruption or system outage, to which mission/business process data can be recovered (given the most recent backup copy of the data) after an outage. Because the RTO must ensure that the MTD is not exceeded, the RTO must normally be shorter than the MTD.
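As an added example (not part of the original slides), the following Python script checks a constructed BIA worksheet against the two relationships stated above (RTO shorter than MTD; backups frequent enough to meet the RPO) and then sequences system resources for recovery, which is the third BIA step from the earlier slide. The system names, durations, dependencies, and the sequencing rule (tightest MTD first, never before its dependencies) are assumptions made for this example.

```python
"""Added example: a small BIA worksheet checker.

Encodes the relationships the slides state (RTO must be shorter than MTD; the
RPO is only achievable if backups are taken at least that often) and orders
system resources for recovery by priority. All sample data is constructed.
"""
from dataclasses import dataclass, field
from datetime import timedelta


@dataclass
class SystemResource:
    name: str
    business_function: str
    mtd: timedelta              # Maximum Tolerable Downtime of the supported function
    rto: timedelta              # Recovery Time Objective for this resource
    rpo: timedelta              # Recovery Point Objective (acceptable data-loss window)
    backup_interval: timedelta  # how often backups of this resource are actually taken
    depends_on: list = field(default_factory=list)  # resources that must be up first


def check_resource(res: SystemResource) -> list:
    """Return BIA consistency findings for one resource (empty list means OK)."""
    findings = []
    # Slides: because the RTO must ensure the MTD is not exceeded,
    # the RTO must normally be shorter than the MTD.
    if res.rto >= res.mtd:
        findings.append(f"{res.name}: RTO {res.rto} is not shorter than MTD {res.mtd}")
    # A backup taken every N hours can lose up to N hours of data, so the
    # backup interval must not exceed the RPO (assumes point-in-time backups).
    if res.backup_interval > res.rpo:
        findings.append(f"{res.name}: backup interval {res.backup_interval} exceeds RPO {res.rpo}")
    return findings


def recovery_order(resources: list) -> list:
    """Sequence recovery: tightest MTD first, but never before its dependencies.

    Assumed sequencing rule (not stated on the slides): a dependency-respecting
    order in which MTD, then name, breaks ties.
    """
    known = {r.name for r in resources}
    for r in resources:
        unknown = [d for d in r.depends_on if d not in known]
        if unknown:
            raise ValueError(f"{r.name} depends on unlisted resource(s): {unknown}")
    done, order = set(), []
    remaining = sorted(resources, key=lambda r: (r.mtd, r.name))
    while remaining:
        for r in remaining:
            if all(d in done for d in r.depends_on):
                order.append(r.name)
                done.add(r.name)
                remaining.remove(r)
                break  # restart the scan: highest-priority ready resource goes next
        else:
            raise ValueError("dependency cycle among: " + ", ".join(r.name for r in remaining))
    return order


# Constructed sample worksheet (hypothetical systems and figures).
SAMPLE = [
    SystemResource("payment-db", "Payment processing", mtd=timedelta(hours=4),
                   rto=timedelta(hours=2), rpo=timedelta(minutes=15),
                   backup_interval=timedelta(minutes=15)),
    SystemResource("payment-app", "Payment processing", mtd=timedelta(hours=4),
                   rto=timedelta(hours=3), rpo=timedelta(hours=1),
                   backup_interval=timedelta(hours=1),
                   depends_on=["payment-db", "core-network"]),
    SystemResource("core-network", "All functions", mtd=timedelta(hours=2),
                   rto=timedelta(hours=1), rpo=timedelta(days=1),
                   backup_interval=timedelta(days=1)),
    # Deliberately inconsistent entry: RTO equals MTD and backups are too infrequent.
    SystemResource("hr-portal", "HR self-service", mtd=timedelta(days=3),
                   rto=timedelta(days=3), rpo=timedelta(hours=4),
                   backup_interval=timedelta(days=1), depends_on=["core-network"]),
]


def review(resources: list) -> tuple:
    """Return (findings, recovery order) for a whole worksheet."""
    findings = [f for r in resources for f in check_resource(r)]
    return findings, recovery_order(resources)


if __name__ == "__main__":
    found, order = review(SAMPLE)
    print("Findings:", *found, sep="\n  ")
    print("Recovery order:", " -> ".join(order))
```

Running the script reports two findings, both against the deliberately inconsistent hr-portal entry, and a recovery order that brings up core-network first because it has the tightest MTD, then payment-db before the payment-app that depends on it.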
Risk Assessment
Risk assessment is an important part of classifying the BIA and controls.
By performing a risk assessment, each asset will have its risk identified and categorized, and appropriate controls identified.
Risk Assessment
Identify Controls Needed
Controls can be deterrent, preventive, detective and corrective.
Depending on the BIA results, controls can be selected.
Risk Assessment and BIA
The outcome of performing a risk assessment is to select appropriate controls to reduce risk.
The outcome of conducting a BIA is to determine MTD, RTO and RPO.
Creating Contingency Strategies and Plan
Contingency strategies are created to mitigate the risks for the contingency planning family of controls and cover the full range of backup, recovery, contingency planning, testing, and ongoing maintenance.
Creating Contingency Strategies and Plan
Testing, Training and Exercise (TT&E)
The organization should be in a state of readiness whenever disaster strikes.
In order for organization staff to be fully aware of the contingency plan, there should be periodic TT&E of the BCP to test its capability and effectiveness (the time frame could be based on regulatory requirements).
Testing
Testing enables plan deficiencies to be identified and addressed by validating one or more of the system components and the operability of the plan.
Testing can take on several forms and accomplish several objectives but should be conducted in as close to an operating environment as possible.
Each information system component should be tested to confirm the accuracy of individual recovery procedures.
What can be tested?
These are the components in IT that can be tested:
Notification procedures;
System recovery on an alternate platform from backup media;
Internal and external connectivity;
System performance using alternate equipment;
Restoration of normal operations.
Training
Training for personnel with contingency plan responsibilities should focus on familiarizing them with their roles in accordance with the contingency strategy and teaching the skills necessary to accomplish those roles.
This approach helps ensure that staff are prepared to participate in tests and exercises as well as actual outage events. Training should be provided at least annually.
What can be trained?
Cross-team coordination and communication;
Reporting procedures;
Security requirements;
Team-specific processes (Activation and Notification, Recovery, and Reconstitution Phases); and
Individual responsibilities (Activation and Notification, Recovery, and Reconstitution Phases).
Exercise
2 types:
Tabletop Exercise
Classroom type
Scenario questions
Functional Exercise
Simulation exercise
Real time
Most effective
Exercise
For low-impact systems, a tabletop exercise at an organization-defined frequency is sufficient.
The tabletop should simulate a disruption.
For moderate-impact systems, a functional exercise at an organization-defined frequency should be conducted.
An element of system recovery from backup media should be included.
For high-impact systems, a full-scale functional exercise at an organization-defined frequency should be conducted.
This should include a system failover to the alternate location.
Plan Maintenance
It is essential that the BCP be reviewed and updated regularly, as part of the organization's change management process, to ensure that new information is documented and contingency measures are revised if required.
Certain elements, such as contact lists, will require more frequent reviews.
Plan Maintenance
BS 25999
BS: British Standard 25999
International Standard on BCM
Certification is available
BS 25999
Steps to BS 25999
Finish