business continutity plan slides v1.1

8/6/2019 Business Continutity Plan Slides V1.1

1/34

Business Contingency PlanBusiness Contingency Plan

IT Risk Management: Information Security


2/34

What is BCP?What is BCP?

A coordinated strategy involving plans,procedures, and technical measuresthat enable the recovery of information

systems, operations, and data after adisruption.

Purpose of BCP is to minimize

financial losses and to provide rapidrecovery during and after a disaster.


3/34

Coverage of BCPCoverage of BCP

Performing some or all of the affected businessprocesses using alternate processing (manual) means(typically acceptable for only short-term disruptions);

Recovering information systems operations at analternate location (typically acceptable for only longterm disruptions or those physically impacting thefacility); and

Implementing of appropriate contingency planningcontrols based on the information systems securityimpact level.


4/34

Our Discussion Limited toOur Discussion Limited to

Information Technology

Not Organizational wide

Systems BCP usually covers contigency plan for all

business function (In the event of adisaster). In IT, BCP is often refer to as

DRP (Disaster Recovery Plan/Procedure)


5/34

BCP is a form of ResilienceBCP is a form of Resilience

Resilience is the ability to quickly adaptand recover from any known orunknown changes to the environment.

The goal of a resilient organization is to

continue mission essential functions at

all times during any type of disruption.


6/34

Information Security in BCPInformation Security in BCPConfidentiality

IntegrityAvailability


7/34

Information Security in BCPInformation Security in BCP

Covers the aspect of Availability.

It ensure that business remains available

during the state of a disaster.

Examples:

Bank of Indonesia uses BCP to stay inbusiness in response to Merapi disaster

http://www.republika.co.id/berita/breaking-news/ekonomi/10/11/08/145329-bi-antisipasi-gangguan-sistem-pembayaran-akibat-merapi


8/34

Stages in BCPStages in BCP


9/34

Develop Contingency PolicyDevelop Contingency Policy

Identify Regulatory Requirements. ISO 27001

Peraturan Bank Indonesia

SCADA Local Policy to ensure service availability

Must be part of overall organizational andsecurity policy.

To minimize loss in terms of financial, service availability andreputation, BCP must be activated in case of a disaster.

Develop Organizational Structure forBCP.


10/34

Business Impact Analysis (BIA)Business Impact Analysis (BIA)

BIA purpose is to correlate the systemwith the critical mission/business

processes and services provided, and

based on that information,characterizethe consequences of a disruption.

Results from the BIA should be

appropriately incorporated into theanalysis and strategy development efforts

for the organizations BCPs, and DRP.


11/34

Business Impact AnalysisBusiness Impact Analysis

3 Steps involves in performing BIA: Determine mission/business functions and recovery criticality.

Mission/Business functions supported by the system are identified and theimpact of a system disruption to those functions is determined along withoutage impacts and estimated downtime. The downtime should reflect the

maximum time that an organization can tolerate while still maintaining themission.

Identify resource requirements. Realistic recovery effor ts require athorough evaluation of the resources required to resume mission/businessfunctions and related interdependencies as quickly as possible. Examples ofresources that should be identified include facilities, personnel, equipment,software, data files, system components, and vital records.

Identify recovery priorities for system resources.Based upon the resultsfrom the previous activities, system resources can be linked more clearly tocritical mission/business processes and functions. Priority levels can beestablished for sequencing recovery activit ies and resources.


12/34

Data collection ActivitiesData collection Activities


13/34


14/34

TheatTheat AnalysisAnalysis

Performs potential analysis of threats.

Some common threats include thefollowing:

Disease

Earthquake

Fire

Flood

Cyber attack

Sabotage (insider or external t hreat)

Hurricane or other major storm

Utility outage Terrorism

Theft (insider or external threat, vital information or material)

Document Impact Scenario to correlate

possible threats and its scenario.


15/34

Main Outcome BIAMain Outcome BIA

Maximum Tolerable Downtime (MTD). MTD defines howlong a specific business process could go unavailable.

Recovery Time Objective (RTO ). RTO defines the maximumamount of time that a system resource can remain unavailablebefore there is an unacceptable impact on other system resources,suppor ted mission/business functions, and the MTD.

Recovery Point Objective (RPO). The RPO represents thepoint in time, prior to a disruption or system outage, to whichmission/business process data can be recovered (given the mostrecent backup copy of the data) after an outage. Because the RTO

must ensure that the MTD is not exceeded, the RTO mustnormally be shorter than the MTD.


16/34

Risk AssessmentRisk Assessment

Risk Assessment is an important partin classifying BIA dan Controls.

By performing risk assessment, each assetwill be identify its risk, categorize itand identify controls appropriate.


17/34

Risk AssessmentRisk Assessment


18/34

Identify Controls NeededIdentify Controls Needed

Controls can be Deterrent, Preventive,

Detect and Correct.

Depending of the BIA results, Controls

can be selected.


19/34

Risk Assessment and BIARisk Assessment and BIA

Outcomes in performing Risk Assessment

is to select appropriate controls toreduce Risk.

Outcomes in conducting BIA is todetermine MTD, RTO and RPO.


20/34

Creating Contingency Strategies andCreating Contingency Strategies and

PlanPlan Contingency strategies are created to

mitigate the risks for the contingencyplanning family of controls and cover the

full range of backup, recovery,contingency planning, testing, andongoing maintenance.


21/34

Creating Contingency Strategies andCreating Contingency Strategies and

PlanPlan


22/34

Testing, Training and ExerciseTesting, Training and Exercise

(TT&E)(TT&E) Organization should be in a state of

readinesswhenever disaster strikes.

In order for organization staff to fullyaware of a contingency plan, thereshould be a periodical TT&E of BCP totest its capability and effectiveness

(Time frame could be based onregulatory requirements).


23/34

TestingTesting

Testing enablesplan deficiencies to beidentified and addressed by validating oneor more of the system components and the

operability of the plan. Testing can take on several forms and

accomplish several objectives but should beconducted in as close to an operating

environment as possible. Each information system component should be

tested to confirm the accuracy of individualrecovery procedures.


24/34

What can be tested?What can be tested?

These are the components in IT that can

be tested: Notification procedures;

System recovery on an alternate platform frombackup media;

Internal and external connectivity;

System performance using alternate equipment;

Restoration of normal operations


25/34

TrainingTraining

Training for personnel with contingency planresponsibilities should focus on familiarizingthem with their roles in accordance to the

contingency strategy and teaching skillsnecessary to accomplish those roles.

This approach helps ensure that staff isprepared to participate in tests and

exercises as well as actual outage events. Training should be provided at least annually.


26/34

What can be trained?What can be trained?

Cross-team coordination and communication;

Repor ting procedures;

Security requirements;

Team-specific processes (Activation and Notification,Recovery, and Reconstitution Phases); and

Individual responsibilities (Activation and Notification,Recovery, and Reconstitution Phases).


27/34

ExcerciseExcercise

2 Types:

Tabletop Exercise

Classroom types

Scenario questions

Functional Exercise

Simulation exercise

Real time

Most effective


28/34

ExcerciseExcercise

For low-impact systems, a tabletop exercise at anorganization-defined frequency is sufficient.

The tabletop should simulate a disruption.

For moderate-impact systems, a functional exercise

at an organization-defined frequency should beconducted.

An element of system recovery from backup media should beincluded.

For high-impact systems, a full-scale functionalexercise at an organization-defined frequency should beconducted.

A system failover to the alternate location.


29/34

Plan MaintenancePlan Maintenance

It is essential that the BCP be reviewedand updated regularly, as part of theorganizations change management

process, to ensure that new informationis documented and contingency measures

are revised if required.

Certain elements, such as contact lists,will require more frequent reviews.


30/34

Plan MaintenancePlan Maintenance


31/34

BS 25999BS 25999

BS British Standard 25999

International Standard on BCM

Certification is available


32/34

BS 25999BS 25999


33/34

Steps to BS 25999Steps to BS 25999


34/34

FinishFinish

business continutity plan slides v1.1

Documents