
Business Continuity Management (BCM)

CHAIYAKORN APIWATHANOKUL
CISSP, GCFA, IRCA:ISMS

Objectives
Understand the objective and scope of BCM
Understand the difference between BCP & DRP
Understand what needs to be considered in developing BCP & DRP

Business Continuity Management

Low-chance, high-impact incidents have received more focus since the 9/11 incident

[Figure: risk matrix of Impact (L to H) against Possibility (L to H), with regions labelled Low, Medium and High]

Definitions
BS 25999-1:2006 Business continuity management
BS 25777:2008 Information and communications technology continuity management

ICT continuity: capability of the organization to plan for and respond to incidents and disruptions in order to continue ICT services at an acceptable predefined level

Business continuity management (BCM): holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities

Definitions
BS 25999-1:2006 Business continuity management
BS 25777:2008 Information and communications technology continuity management

ICT disaster recovery: activities and programs that are invoked in response to a disruption and are intended to restore.

Business continuity plan (BCP): documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical activities at an acceptable predefine

Disaster Recovery in the Context of a BCM Program


Business Continuity Management: Set Policy, Emergency Operations Committee, Crisis Management Planning, etc.

Disaster Recovery Planning (IT): Restore IT and critical facilities

Business Continuity Planning (Business): Continue critical business functions

Recent Standards/Guidelines
Topic Business
GRC, COSO (ERM), CG

ICT
CobiT4.1 (ITG)
ISO 38500:2008 (ITG)
ISO 27014 (ISG)
ISO 27001:2005 (ISMS)
BS7799-3:2006 (ISRM)
ISO13335-3,4:1998
ISO27005:2008 (ISRM)
NIST SP800-30:2002 (ITRM)
PAS 77:2006 (ITSCM)

Governance Risk Continuity Crisis

BS31100:2008 (RM)
ISO31000:2008 (RM)
FEMA141:1993 (EM)
PAS 56:2003 (BCI:BCMGPG)

BS 25999:2006 (BCM)
ISO/PAS 22399:2007 (Societal security)

BS 25777:2008 (ICTCM) ISO 24762:2008 (ICT DR)


NIST SP800-34:2002 (ITSC:DRP)

NIST SP800-34rev1:2009 (ITSC:DRP)

Others

PAS 99:2006 (Integrated Management)

ITILv3
ISO 20000 (ITSMS)

BCM linkage to multiple standards

ISO27001
A.14 Business continuity management

ITILv2
Service Continuity and Availability Management

ITILv3
Service design: IT Service Continuity Mgmt

ISO20000
Service Contingency and Availability Management


Compliances
...
HIPAA
PCI-DSS
Critical Infrastructure Act (US)

BCM Lifecycle from BS 25999-1:2006


BS 25777:2008 ICT Continuity Management

From BS 25999-1:2006

Key ICT continuity management timescales (BS 25777:2008)


From ISO/PAS 22399:2007

DRP / BRP Definition


Disaster Recovery Planning


Goals of DRP

Business Resumption Planning

BCP Definition

Event occurred
How serious?
Plan?
Prepared?
Execute
Improve

Sources of Information
Disaster Recovery Institute International (DRII)
Business Continuity Institute (BCI)
BCMGPG
BS 25999 (BCM)
BS 25777 (ICTCM)
NIST SP800-34 (rev1): Contingency Planning Guide for Federal Information Systems

Overview of BCP
Direct Benefit
Indirect Benefits
Overlap with Risk Management
BCM vs. BCP vs. COOP

Traditional BCP Project Phases


Project Scope Development and Planning
Business Impact Analysis (BIA) and Functional Requirements
Business Continuity and Recovery Strategy
Plan Design and Development
Implementation
Restoration
Feedback and Plan Management

Business Continuity Plan Process - snapshot


Appoint an owner
Define the objectives and scope
Develop and approve a planning process and timetable
Create a planning team
Decide the structure, format, components and content
Determine the strategies and deferment to other plans
Determine the circumstances that are beyond the scope
Gather information
Write and review the plan
Schedule ongoing testing and maintenance
Test the plan

Overview of All BCP Steps


1. Policy
2. Program Management
3. Understanding the Organization
4. Determining Strategy
5. Developing and Implementing Response
6. Testing, Maintaining & Reviewing
7. Embedding BCP

1. Policy
Reflecting Organizational Context
Policy Contents
Program Scope
Outsourced Activities

2. Program Management

Assigning Responsibilities
Initiating BCP in the Organization
Project Management
Ongoing Management
Documentation
Incident Readiness & Response

3. Understanding the Organization

BIA
  Benefits
  Objectives
Estimating Recovery Requirements
Evaluating Threats (Risk Assessment)
Indicators

Understanding the Organization Overview

Business Impact Analysis (BIA)
Recovery Requirements Analysis
Risk Assessment (RA)

Business Impact Analysis (BIA)

Identifies, quantifies and qualifies loss
Scope & Support required
Documents impact & dependencies
Identify: Activities, Staff, Impact, Time
Workshops, Questionnaires, Interviews
Business justifications for budget
Frequency yearly

Business Impact Analysis (BIA)


Technique used for gathering and analyzing information needed for DRP
Goal: identify critical business processes
Recovery Plans
  Recovery Time Objectives (RTOs)
  Recovery Point Objectives (RPOs)
  Maximum Allowable Outage (MAO)
  Maximum Allowable Downtime (MAD)
  Maximum Tolerable Downtime (MTD)

Estimating Continuity Requirements

Total Budget for Disaster
Accuracy of BIA
Change in resource allocations
How Much, How Long, Communication
Identification of necessary resources
What will be needed when
Yearly or with BIA

Cost Balance

*Courtesy of the National Disaster Coalition

INDUSTRY STANDARDS
Tier 4: Multiple active power and cooling distribution paths, redundant components, fault tolerant, 99.995% availability
Tier 3: Multiple power and cooling distribution paths, but only one path active, redundant components, concurrently maintainable, 99.982% availability
Tier 2: Single or multi path for power, single cooling distribution path, redundant components, 99.741% availability
Tier 1: Single path for power and cooling distribution, no redundant components, 99.671% availability
Industry Standard Tier Classifications, The Uptime Institute

Terminology: Definition
10 State-of-the-Art: Redundant power, redundant cooling, redundant UPS, redundant dedicated A/C, redundant generator, redundant fuel, weather & geographic facility hardening, disaster avoidance
9 Ultra-Reliable: Redundant power, redundant cooling, redundant UPS, redundant dedicated A/C, redundant generator, redundant fuel
8 Reliable-Redundant: Dedicated power & cooling, redundant UPS, redundant dedicated A/C, redundant generators
7 Reliable: Dedicated power & cooling, UPS, redundant dedicated A/C, generator
6 Isolated Mostly Reliable: Dedicated power & cooling, UPS, redundant dedicated A/C
5 Isolated Improved: Dedicated power & cooling, UPS, dedicated A/C
4 Isolated Conditioned: Dedicated power & cooling, conditioned power, dedicated A/C
3 Isolated Unreliable: Dedicated power & cooling, unconditioned power, dedicated A/C
2 Partially Isolated Unreliable: Dedicated power, shared cooling, unconditioned power, A/C
1 Unreliable: Shared building power & cooling

SELECTION PROCESS

SITE LOCATION CRITERIA (CRITERIA: DESCRIPTION)
Site Location Specification: Downtown/city center, office/high tech park, suburban, industrial park, parking, shipping access, etc.
Access to Facility: Remoteness/location of the facility. Requires more than one access road
Environmental Disaster Avoidance: Requirements for the facility that it not be near earthquake/fault lines, tornado, not in 100 year flood plain, mudslide or rockslide area
Distance from 880 (Data Center): Not less than 50 Miles and up to 800 miles away. Tradeoff between communication latency issues, accessibility, and survivability.
Market Location: Location of Recovery Center in a Tier I/II/III city. May impact cost and infrastructure considerations
Geography Rank: Location for the facility within the United States.
RATING (as listed on the slide): A, A, B, B, B, C

SECURITY CRITERIA (CRITERIA: DESCRIPTION)
Rights of Access: Provisions for DOE complete control of access to facility.
Classified Processing: Provisions to meet DOE requirements for processing classified information.
Physical control of facility: Physical control of facility for security reasons and immediate access.
RATING (as listed on the slide): A, A, B

FACILITY CRITERIA (CRITERIA: DESCRIPTION)
Tier 3 Facility: Tier 3 - Multiple power and cooling distribution paths, with only one path active, redundant components, concurrently maintainable, 99.98% availability. (DR Study Phase 1 requirement)
Infrastructure: Electrical and telecommunications feeds, floor loading, raised floor height, available raised floor.
General Building Specifications: Building Height, Class, Age, etc.
Fire Suppression: FM-200 Fire Suppression System. DR Study Phase 1 Requirement
Additional Conditioned Raised Floor: Additional raised floor to stage equipment on conditioned raised floor and area to support immediate growth.
Primary Building Use: Primary use of building, i.e. laboratory, manufacturing, data center, recovery center, office, mixed use, other
RATING (as listed on the slide): A, A, B

USAGE CRITERIA (CRITERIA: DESCRIPTION)
Costs: Site cost, labor pool availability, proximity to 880, infrastructure, connectivity, etc.
Length of Usage: Potential for restrictive time limits for use if using a commercial provider.
Infrastructure Disaster Avoidance: Away from Airport, Highways, railroad tracks, electrical substations.
Political Considerations: Considerations based on external political factors
Ownership: Sandia leased or owned, DOE leased or owned, military leased or owned and service provider leased or owned, lease expiration dates.
Accommodations for Support Staff: Availability of hotels and long-term accommodations to house support staff potentially for extended periods of time.
Food Catering Services: Balanced meals should be available for an extended outage.
RATING (as listed on the slide): A, A, B, B

4. Determining Strategy

Determining BC Strategies
Strategy Options
Activity Continuity Options
Resource Level Consolidation
Indicators

Recovery Alternatives
Multiple processing / mirrored site
  Description: Fully redundant identical equipment & data
  Readiness: Highest level of availability & readiness
  Cost: Highest

Mobile site/Trailer
  Description: Designed, self-contained IT & communications
  Readiness: Variable drive time; load data & test systems
  Cost: High

Hot site
  Description: Fully provisioned IT & office, HVAC, infrastructure, & communications
  Readiness: Short time to load data, test systems. May be yours or vendor staff
  Cost: High

Warm site
  Description: Partially IT equipped, some office, data & voice, infrastructure
  Readiness: Days or weeks. Need equipment, data, communications
  Cost: Moderate

Cold site
  Description: Minimal infrastructure, HVAC
  Readiness: Weeks or more. Need all IT, office equipment, & communications
  Cost: Lowest

Processing Agreements
Reciprocal or Mutual Aid
  Description: Two or more organizations agree to recover critical operations for each other.
  Considerations: Technology upgrades/obsolescence or business growth. Security and access by partner users.

Contingency
  Description: Alternate arrangements if primary provider is interrupted, i.e., voice or data communications.
  Considerations: Providers may share paths or lease from each other. Question them.

Service Bureau
  Description: Agreement with application service provider to process critical business function.
  Considerations: Evaluate their loading, geography and ask about backup mode.

5. Developing and Implementing Response

Incident Response Structure
Incident Management Plan
Business Continuity Plan
Activity Response Plans
Indicators

Sample Call Tree

6. Testing, Maintaining & Reviewing

Test Program
Testing BCP Arrangements
Maintaining BCP Arrangements
Reviewing BCP Arrangements
Indicators

Testing Types
Desk Check
  Process: Check the contents of the plan, aids in maintenance
  Participants: Author

Walk through
  Process: Check interaction and roles of participants
  Participants: Author & Main people

Simulation
  Process: Includes: Business plans, Buildings, Communication
  Participants: Main people & Auditors

Activity testing
  Process: Moves work to another site. Recreates the existing work from the displaced site
  Participants: Everyone at location

Full
  Process: Shuts down and relocates all work
  Participants: Everyone at both locations

Frequency: Often (Desk Check) to Rare (Full)
Complexity: LOW (Desk Check) to HIGH (Full)

WHAT COULD POSSIBLY HAPPEN HERE?


7. Embedding BCP
Assessing Level of Awareness & Training
Developing BCP within the Culture
Monitoring Cultural Change
Indicators

Embedding BCP Overview


Part of the culture
Steps
  Assess
  Design
  Check

Factors for Success


Supported by senior management
Everyone is aware
Everyone is invested
Everyone agrees

Assessing the Level of Awareness & Training
Where are we now?
Training framework in place
Measurement criteria
Repeated frequently

Developing BCP Within The Organization's Culture

Training, Education, Awareness
Define the Message
Cost effective delivery
Design, Delivery, Delivery

BCP Summary
Overview All Steps
1. Policy
2. Program Management
3. Understanding the Organization
4. Determining Strategy
5. Developing and Implementing Response
6. Testing, Maintaining & Reviewing
7. Embedding BCP


BCM
ISO 27002 Control 14.1 Information Continuity management
ISO 27005 Risk Assessment
ISO 24762 ICT DR Services: Vendor Mgmt, Power Supply, Fire Protection, Risk Mitigation, Logical Access Control, DR site, Asset Mgmt, Telecom, DR plan, Physical Access Control

ISO 24762 ICT DR Services


Vendor Mgmt
DR site
Power Supply
Telecom
Asset Mgmt
DR plan
Risk Mitigation
Logical Access Control
Physical Access Control
Fire Protection

Question ?
