Chapter 11: Business Continuity Management
Objectives
- Define disaster
- Understand the process for developing a business continuity plan
- Describe the four components of a business continuity plan
- Delineate the roles and responsibilities of leadership, the business continuity team, users and business partners
- Be familiar with testing, maintenance and auditing techniques
What Is a Disaster?
A disaster is a disruption of normal business functions where the expected time for returning to normalcy would seriously impact the organization’s ability to maintain operations, including customer commitments and regulatory compliance
It may result from a malicious act, a natural event, or a human mistake
What Is a Disaster? Cont.
Risk Analysis
- A risk analysis will determine the threats that can disrupt operations, the likelihood of occurrence and the mitigating controls that can be deployed
- Once threats have been identified, their impact on the company must be determined
What Is a Disaster? Cont.
Business Impact Analysis
A BIA provides metrics such as:
- The impact disruptions would have on the business
- The tolerance of downtime on a per-system basis
- The prioritization of critical business processes in case of such interruptions
- Resource requirements needed to restore time-critical business processes
What Is a Disaster? Cont.
Result of a Business Impact Analysis (BIA): to provide direction and guidance to those who plan the response, recovery and continuity efforts
Disaster Strikes Without Warning
- Disasters are by default unexpected, but should not be unanticipated
- Knowing what to do prior to a disaster occurring is the key to successfully weathering the storm
- This is only possible if:
  - A plan is drafted prior to the disaster occurring
  - Employees are trained and understand their role
Business Continuity Plan (BCP) Components
- Must be a written document
- Must be approved by upper management
- Must be made available and communicated to all employees
- Must be tested
- Must be reviewed on a scheduled basis
Business Continuity Plan (BCP) Components Cont.
The four components:
- Disaster preparation
- Disaster response
- Business contingency
- Business recovery
Business Continuity Plan (BCP) Components Cont.
According to PricewaterhouseCoopers, a BCP should be built according to these assumptions:
- Events occur at the worst possible time
- Worst-case scenario: loss of building and systems
- Key personnel may not be available
- Training of new personnel may be required
- Critical third parties may be affected
- Other locations and/or business partners are similarly affected
Business Continuity Plan (BCP) Components Cont.
Disaster preparation
- Addresses what needs to be done in anticipation of a disaster
- The preparation plans are an outcome of the risk analysis (RA): identifying threats and their likelihood leads to identifying and deploying controls
Business Continuity Plan (BCP) Components Cont.
Disaster response
- Addresses what should be done immediately following a significant incident
- Defines who has the authority to declare a disaster
- Defines who has the authority to contact external entities
- Defines evacuation procedures
- Defines emergency communication and notification procedures
Business Continuity Plan (BCP) Components Cont.
Business continuity
- Addresses alternate business processes used throughout the company prior to full recovery
- It may include:
  - Activating a designated hot site
  - Redirecting requests to alternate locations
  - Using manual procedures
- Focuses on how the company goes on providing the same functions, products and/or services absent normal operating conditions
Business Continuity Plan (BCP) Components Cont.
Business recovery
- Addresses the process of recovering information systems to their original state (or a facsimile of it) using a prioritized and systematic methodology
- May include:
  - The use of backup tapes to restore data
  - Rebuilding a few servers
  - Rebuilding an entire Network Operations Center
Business Continuity Plan (BCP) Components Cont.
NIST's DR and BCP development methodology
- Obtaining commitment from leadership to dedicate appropriate resources to ensure the plan's success
- Conducting a risk assessment and BIA
- Identifying preventive controls
- Developing recovery strategies and procedures
- Developing operational contingency plans and procedures
- Plan testing, training and exercises
- Plan maintenance
Preparing for Disaster
Disaster preparation requires the following to be predefined:
- Establishing an organizational structure to respond to an emergency
- Designating an emergency command center
- Preparing notification procedures
- Designating alternate operations sites
- Investing in redundant infrastructure or alternate sites for data processing
- Developing and implementing procedures to support response, recovery and continuity activities
Preparing for Disaster Cont.
Organizational structure
- The chain of command may change during a disaster
- A process must exist for a seamless transition of power
- The succession of executive leadership should be codified by the board of directors
- The BC Team assumes the authority for the response, continuity and recovery efforts
- Employees may be asked to assume duties normally outside of their job description
Preparing for Disaster Cont.
Command center location
- Purpose: to have a predefined location where the BC Team members report in case of a disaster
- Used to direct operations, but also as a meeting center
- There should be primary and alternate command centers
Preparing for Disaster Cont.
Command center location (cont.)
- The primary and alternate command centers should be stocked with all the required equipment, including:
  - Copies of the BCP
  - Tables and chairs
  - Whiteboards
  - Phones
- All BC Team members should have keys and/or codes to enter the command centers
Preparing for Disaster Cont.
Notification of personnel
- Notification procedures should be documented in the DR plan for both types of disasters:
  - Those that can be predicted
  - Those that cannot be predicted
- Notification procedures must include contact information for both business hours and outside of business hours
Preparing for Disaster Cont.
Notification of personnel (cont.)
- A call tree is a common notification method where specific individuals are given the role of contacting others to alert them of the situation
- The call tree should account for primary and alternate contact methods
- Procedures to deal with an individual not being reachable should be included in the plan
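The call tree described above, as an added example that is not part of the original slides: a small Python simulation of a call-tree fan-out that tries each person's primary and alternate contact methods in order, and applies one possible rule for an unreachable person (the caller inherits that person's list so the branch below them is not silently dropped). The roster, the contact methods, the simulated outage and that inheritance rule are all assumptions made for the example. The `coverage_gaps` check at the end flags anyone on the roster whom the tree never attempts to contact, which is the kind of defect a plan review should find before a real disaster does.

```python
from collections import deque
from typing import Callable, Dict, List

# Constructed roster for the example (names and methods are hypothetical).
# "contacts" lists methods in priority order: primary first, then alternates.
# "notifies" lists the people this person is responsible for calling.
# "frank" is deliberately on the roster but on nobody's list, to show the
# coverage check catching an orphaned entry.
CALL_TREE: Dict[str, Dict[str, List[str]]] = {
    "bct_leader": {"contacts": ["office phone", "mobile"],
                   "notifies": ["alice", "bob"]},
    "alice": {"contacts": ["office phone", "mobile", "home phone"],
              "notifies": ["carol", "dave"]},
    "bob": {"contacts": ["office phone", "mobile"], "notifies": ["erin"]},
    "carol": {"contacts": ["mobile"], "notifies": []},
    "dave": {"contacts": ["office phone", "mobile"], "notifies": []},
    "erin": {"contacts": ["office phone", "home phone"], "notifies": []},
    "frank": {"contacts": ["mobile"], "notifies": []},
}


def run_call_tree(tree: Dict[str, Dict[str, List[str]]], root: str,
                  attempt: Callable[[str, str], bool]) -> dict:
    """Walk the tree from `root`, who already knows about the disaster.

    `attempt(person, method)` models one contact attempt and returns True
    if the person confirmed receipt. Methods are tried in priority order.
    Unreachable policy (an assumption for this example): when a callee
    cannot be reached on any method, the caller inherits the callee's
    own list, so the branch below an absent person is not dropped.
    """
    reached = {root: "declared"}       # person -> method that succeeded
    unreachable: List[str] = []
    calls: List[tuple] = []            # (caller, callee) pairs actually made
    queue = deque((root, callee) for callee in tree[root]["notifies"])
    while queue:
        caller, callee = queue.popleft()
        calls.append((caller, callee))
        for method in tree[callee]["contacts"]:
            if attempt(callee, method):
                reached[callee] = method
                # callee is now responsible for their own branch
                queue.extend((callee, nxt) for nxt in tree[callee]["notifies"])
                break
        else:
            unreachable.append(callee)
            # caller takes over the unreachable callee's list
            queue.extend((caller, nxt) for nxt in tree[callee]["notifies"])
    return {"reached": reached, "unreachable": unreachable, "calls": calls}


def coverage_gaps(tree: Dict[str, Dict[str, List[str]]], report: dict) -> List[str]:
    """People on the roster whom the tree never even attempted to contact.
    A non-empty result means the tree itself is incomplete."""
    attempted = set(report["reached"]) | set(report["unreachable"])
    return sorted(p for p in tree if p not in attempted)


def simulated_attempt(person: str, method: str) -> bool:
    """Constructed outage for the example: alice is unreachable on every
    method, bob answers only on mobile, everyone else answers first try."""
    if person == "alice":
        return False
    if person == "bob":
        return method == "mobile"
    return True


if __name__ == "__main__":
    report = run_call_tree(CALL_TREE, "bct_leader", simulated_attempt)
    for caller, callee in report["calls"]:
        print(f"{caller} -> {callee}: {report['reached'].get(callee, 'UNREACHABLE')}")
    print("unreachable:", report["unreachable"])
    print("never attempted (fix the tree):", coverage_gaps(CALL_TREE, report))
```

With the constructed outage, alice's two callees end up being called by the BCT leader, bob is reached on his alternate method, and frank shows up as a gap because no one in the tree is responsible for him; a real call tree should also record who was reached and when, since the auditors' questions later in this chapter ask for documented results.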
Preparing for Disaster Cont.
Relocation of operations
- Operations may need to be relocated because of:
  - Natural or environmental disaster: flood, tornado, ice storm
  - Physical disaster: loss of power, loss of communication lines
- Relocation strategies must be in place before the need to relocate arises
Preparing for Disaster Cont.
Relocation of operations (cont.)
- Relocation strategies include:
  - Delivery functions, which provide services or products to the customer
  - Operational business functions, which provide the core infrastructure of the company, like accounting and HR
- Not all staff may be required to relocate, just enough to handle critical functions and an acceptable level of operations
Preparing for Disaster Cont.
Relocation of operations (cont.)
The relocation plan must address:
- Staffing levels
- Space considerations
- Utility and environmental needs
- Transportation
- Logistics
Preparing for Disaster Cont.
Alternate data center sites
- Provide facilities for continued information processing activity
- Five different types of sites are available:
  - Hot site: fully operational location with redundant equipment. The data has been streamed to the site on a real-time basis, or close to real time
  - Warm site: configured to support operations, including communications capabilities, peripheral devices, power and HVAC. Spare computers may be located there, which would then need to be configured in the event of a disaster. Data must be restored
  - Cold site: available alternate location equipped with power, HVAC and secure access. No processing equipment is in place, so hardware must be brought in and data restored before operations resume, making it the slowest of the five to bring up
  - Mobile site: self-contained unit equipped with the required hardware, software and peripherals. Data needs to be restored
  - Mirrored site: two backup sites, geographically separated; mirrored backup data centers with redundant bandwidth and power. Any information sent to one backup site is automatically mirrored to the other one; data is replicated to the backup sites in real time
Responding to a Disaster
- Disaster response can be either chaotic or orderly
- If chaotic, this bad start will have repercussions throughout the disaster and after
- A proven, tested plan, which has been successfully communicated to all employees, is what separates order from chaos
Responding to a Disaster Cont.
Four stages of disaster response:
- Detection
- Notification
- Declaration
- Activation
Responding to a Disaster Cont.
Detection
- All employees share the responsibility of remaining aware of potential disasters. Early detection is, as always, important
Notification
- It is the responsibility of the first person who discovers a disaster to report it to a member of the BCT
- Notification can be made in person, on the phone or via email, as long as reception is confirmed
Responding to a Disaster Cont.
Declaration
- The situation is evaluated by the BC Team
- If warranted, the BC plan is activated
- The BC Team notifies management
- Managers are then responsible for alerting their own staff
- Managers are responsible for keeping an updated employee list
Responding to a Disaster Cont.
Activation
- The BCT Leader is the one with the responsibility to activate the plan
- If the BCT Leader is not available, the alternate team leader takes the responsibility to activate the plan
- If both are unavailable, responsibility falls to the first available team member
Responding to a Disaster Cont.
Activation (cont.)
- At this point, decisions need to be made about:
  - The command center
  - Relocation of personnel and operations
  - The recovery site
- The BCT is the authoritative body to:
  - Activate the plan
  - Set policy
  - Establish procedures during disaster and recovery periods
Responding to a Disaster Cont.
Non-operational business concerns:
- Public safety
- Employee relations
- Media relations
- Customer relations
- Crime
Responding to a Disaster Cont.
Public safety
- The first order of priority is the safety of all employees, visitors, vendors, business partners and consultants
- Communications must be established with the police, fire department and other emergency organizations
- If required, communications must be established with federal organizations such as the Federal Emergency Management Agency (FEMA)
Responding to a Disaster Cont.
Employee relations
- Employees must be kept abreast of the situation
- Employees should be clearly told to either report to an alternate location or go home and remain on stand-by
- Managers need to use their leadership skills and make all communications with the employees straightforward
- Safety and security of personnel and their families may need to be arranged
Responding to a Disaster Cont.
Media relations
- Important to not allow miscommunication and misinformation
- Only one employee is officially authorized to interact with the media
- Employees should be instructed to:
  - Have no comment
  - Forward all media information requests to the dedicated person in charge of media relations
Responding to a Disaster Cont.
Customer relations
- Customers must be kept informed
- They are concerned: "Is the bank still able to service my needs?"
Crime
- A disaster situation tends to spawn crime
- Property and personnel should receive enhanced security as outlined in the DR/BC plan
Planning for Contingencies
Business contingency procedures
- Should be task-based
- Should be step-by-step
- Different from SOPs: SOPs assume normal operating conditions
Planning for Contingencies Cont.
Business contingency documentation
- Should follow the same forms as SOP documentation:
  - Simple step
  - Hierarchical
  - Graphic flowchart
- BCOPs are written to be easily understood and should use short, direct sentences
Recovering from Disaster
Recovery strategies
- The path to bringing the company back to a normal business environment
- A plan should be in place that breaks down each category of the overall recovery effort to simplify the daunting recovery process:
  - Mainframe
  - Network
  - Communications
  - Infrastructure
  - Facilities
Recovering from Disaster Cont.
Recovery procedures
- All procedures should be designed, tested, documented and approved before the disaster strikes
- Procedures should be written as if the person who will be following them is not intimately familiar with the information system or component
- Procedures should explain what needs to be done, when, where and how
- The key is to respond fast using predefined steps
Recovering from Disaster Cont.
Recovery manual
- Comprehensive document that incorporates recovery procedures on a system- or device-specific basis
- Should include a table of contents and an index
Testing and Maintaining the Plan
- Proactive testing of the plan is essential
- Until tested, the plan is theoretical at best
- The tests should prove that the procedures and the plan are:
  - Relevant
  - Operable under adverse conditions
  - Accurate
- Tests are used to discover errors and inadequacies
Testing and Maintaining the Plan Cont.
Five testing methods:
- Preliminary review
- Structured walkthrough
- Tabletop simulation
- Parallel (functional) testing
- Full-scale testing
Testing and Maintaining the Plan Cont.
Preliminary review
- Plan and procedures distributed to all functional areas for review
- All critical processes should be validated
- All personnel and responsibilities have been identified
Testing and Maintaining the Plan Cont.
Structured walkthrough
- Representatives from each functional area meet to walk through the plan and procedures to verify accuracy and completeness
- Can also be used as a training exercise to clarify and highlight critical elements
Testing and Maintaining the Plan Cont.
Tabletop simulation
- Focus is on testing a specific scenario
- Participants practice the appropriate steps to deal with the fictitious disaster chosen in the scenario
- Only the materials and data that would be available in a real disaster are used
- Outcome: identify the strengths and weaknesses of the plan in a non-threatening environment
Testing and Maintaining the Plan Cont.
Parallel (functional) testing
- Operational test of a specific system or activity
- Redundant backup systems are brought online and processing capabilities compared to real operational output
- Continuity procedures: manual or alternate processes are initiated
- Goal: to validate the plan and procedures and provide experience in case a real disaster were to occur
Maintaining the Plan
- Business environments are dynamic: the plan should be reviewed and edited regularly to match the changes that occur in the company and/or the industry in which the company operates
- The plan cannot be reviewed without the risk assessment being reviewed as well
- Responsibility for maintaining the plan should be assigned to a specific role such as the ISO
Agreements with Vendors
- BC may depend on vendors providing services, equipment, facilities and personnel
- There must be corresponding service level agreements (SLAs) to identify:
  - How quickly the vendor would respond
  - The type and quantity of replacement equipment that would be guaranteed to be available
  - Personnel and facilities availability
  - Status of the organization in the event of a major disaster involving multiple vendor clients
- SLAs should be reviewed annually
Auditing the Plan
- Some industries regulated by federal mandates are required to have a BCP
- Regulators/auditors review the BCP for:
  - Relevancy
  - Management approval
  - Completeness
  - Accuracy
  - Organization
Auditing the Plan Cont.
Regulators/auditors will look for answers to the following questions:
- Is the plan written?
- Has management approved the plan?
- How often are the risk assessment and business impact analysis reviewed? By whom?
- How often is the plan reviewed? By whom?
- Are all policies and procedures documented?
- Where is the documentation stored?
- Who is on the BCP Team? What training have they received?
- What training has the user community received?
- How has the plan been tested?
- Is there a written testing plan?
- How often is the plan tested? Are the results documented?
- If third parties are involved, what is the process for testing/verifying their procedures?
- Who is responsible for maintaining the plan?
Summary
- A disaster can strike at any time. The organization must be prepared to respond in order to continue to provide services/products to its clients.
- It is the responsibility of executive management to ensure that threats are evaluated, impact to business processes recognized, and resources allocated.
- This requires the creation and maintenance of an audited business continuity plan and of a set of ancillary procedures.