Asst. Prof. Kemathat Vibhatavanij, Ph.D.
TRANSCRIPT
Objective of BC and DRP
Ensure the preservation of the business in the face of major disruptions to normal business operation.
Identification, selection, implementation, testing and updating of the processes and specific actions necessary to prudently protect critical business processes from the effect of major system and network disruptions, and to ensure the timely restoration of business operations if a significant disruption occurs.
Terrorist attack
Subsequent to the 9/11 attacks on the WTC and the Pentagon, the US Attorney General advised and encouraged American companies to immediately evaluate and strengthen their security programs.
Executive Order 13636 (Improving Critical Infrastructure Cybersecurity, 2013) directed the work that became the NIST Cybersecurity Framework.
Natural disaster
Hurricane Katrina
Tsunami hitting the southwestern part of Thailand
Tsunami hitting Japan
Earthquakes in Japan and Chile
Industry and professional standards
NFPA 1600 (National Fire Protection Association)
ISO 22301 (Business Continuity)
BS 25999 (Business Continuity Management; the British Standard that ISO 22301 superseded)
NIST (National Institute of Standards and Technology)
BCI (Business Continuity Institute)
Standard of due care
Business impacts
Revenue loss (temporary interruption of revenue)
Extra expense (overtime, rents and leases for temporary space)
Compromised customer service (customer inconvenience)
Embarrassment or loss of confidence among external parties
How to start
BC needs senior leadership support: convince the C-team or the Board by pointing out the risks of not having BC.
Risks in three areas:
○ Financial
○ Reputational
○ Regulatory
The cost if a disaster were to occur
BCP/DRP phases
1. Project initiation phase
2. Current state assessment phase
3. Design and development phase
4. Implementation phase
5. Management phase
Project initiation phase: preplanning activities
Establish the organization's continuity planning scope and objective criteria
Gain and demonstrate management support
Form the BCP project implementation team, referred to hereafter as the CPPT (continuity planning project team†), and define their roles and responsibilities
Define and obtain continuity project resource requirements
Understand and leverage current and anticipated disaster avoidance preparations
† Others may call this an Information Systems Contingency Plan (ISCP)
Current state assessment phase
Provide enterprise management with practical information. Having done all of the following items you will understand the strategies, goals and objectives of the enterprise:
Threat analysis
Business Impact Analysis/Assessment (BIA)
Continuity planning process current state assessment
Benchmark and peer review
Design and development phase
The organization, with the help of the CPPT, formulates the most efficient and effective recovery strategies to address the threats and recovery priorities identified:
Develop and design the most appropriate continuity strategies
Develop the crisis management plan (CMP) and the continuity planning (BCP and DRP) structures
Develop continuity and crisis management plan infrastructure, testing and maintenance activities
Design initial acceptance testing of the plans
Plan for recovery resource acquisition
Implementation phase
CPPT professionals work with the business process owners or their representatives to deploy the continuity plans (BCP, DRP) as well as the enterprise crisis management plan:
Program short-term and long-term testing
Program short-term and long-term maintenance strategies
Program education, training and awareness processes
Program management process
Management phase
Day-to-day management of continuity planning is organized, executed and sustained.
The CPPT works with the business owners or their representatives to address overall continuity planning issues, including program oversight and the continuity planning manager's roles and responsibilities.
BCP/DRP phases: 1. Project initiation phase
Project scope development and planning
Executive management support
BCP project scope and authorization
Executive management leadership and awareness
Continuity planning project team organization and management
Disaster or disruption avoidance and mitigation
Project initiation phase activities and tasks work plan
Project scope development and planning
Disaster Recovery Planning (DRP)
Business Continuity Planning (BCP)
Crisis Management Planning
Continuous Availability
Incident Command System
Executive management support
Continuity planning touches every single corner of the enterprise, e.g. business processes, IT, infrastructure, facilities, personnel, services.
Articulate top-down management support
Suitable resource commitment and budget
Coverage of BCP, DRP and CMP
BCP project scope and authorization
Do not attempt to "boil the ocean": break the project down into chunks.
The business changes, and so does the plan; the organization changes, and so does the plan.
The continuity planner should be prepared to adjust the scope of the project to address current needs.
Executive management leadership and awareness
Formalizing continuity planning policy
Establishing and managing a continuity budget
Defining continuity planning metrics
Articulating continuity planning communications
Resolving informal red tape or unwillingness
Continuity Planning Project Team organization and management
Made up of continuity planning leadership, selected technical and business experts (business knowledge and continuity planning process), and senior, knowledgeable staff.
Remember: team members should be seasoned managers who understand the need for continuity planning, the goals of the enterprise, and the intricacies of the business processes.
Continuity planning Project Management Office (PMO) techniques
○ The PMO approach provides strategic support to business units and management
○ The CPPT must be able to interact with many levels of management and organization structures
Project management tools
○ Use of a project management methodology
Continuity planning project timeline
○ Establish schedules, deadlines and milestones
○ Use days or weeks as the unit rather than months
Conduct a continuity planning project kickoff meeting
○ Formal kickoff meeting
Kickoff meeting objectives
Allow the executive sponsor to introduce the continuity planning project and describe its value to the enterprise
Introduce the CPPT
Provide an overview of the continuity planning process
Present an overview of the continuity planning methodology
Detail the project approach and scope
Present the project objectives
Review the project schedule
Discuss project staffing
Describe project deliverables
Review the preliminary work plan
Identify key business process owners or representative contacts outside the project team
Obtain time commitments from business process owner or representative team members
Answer questions and address concerns
Disaster or disruption avoidance and mitigation
The CPPT should consider the extent and status of existing physical, environmental, and information-security-related controls that might mitigate the effects of an event.
Project initiation phase activities and tasks work plan
Activity/task | Deliverable
Prepare project charter and obtain management approval | Project charter
Prepare and finalize project plan, including work steps, deliverables and milestones | Project work plan
Prepare and finalize project budget | Budget
Management presentation and approval to move to the next phase | Management approval
BCP/DRP phases: 2. Current state assessment phase
Understanding enterprise strategic planning and organization profile
Continuity planning process support assessment
Business Impact Analysis/Assessment
Benchmarking or peer review
Understanding enterprise strategy, goals and objectives: strategic planning document; annual report, audit report; continuity plan; financial and competitive intelligence
Enterprise business process analysis: business process maps (business units, IT systems and infrastructure, critical business partnerships)
People and organizations: organization chart, telephone directory, inventory lists
Time dependencies: time-critical business processes and their dependencies
Motivation, risks and control objectives: embrace change management (people, process, technology); barriers, enablers and rewards
Budgets: budget and resources allocated
Technical issues and constraints: current and future business/technology linking plans
Examine the health and vitality of the enterprise's continuity planning infrastructure and determine whether its components are up to date.
Work to conduct: threat assessment, risk assessment and BIA (Business Impact Analysis).
Threat assessment
Evaluate the existing organizational controls and procedures that could reduce the likelihood of a potential interruption of services.
Should an interruption take place, the impact of the interruption is minimized and the organization's assets are safeguarded.
The BCP project team (CPPT) is concerned specifically with threats as they relate to the information and resources that are necessary to support critical business processes.
3 types of threat assessment
Physical and personnel security assessment
Environmental security assessment
Information security assessment
Physical and personnel security assessment
Loss of key personnel, temporary or permanent, for any reason (even retirement)
Physical access control weakness
Health or accident
Supply chain failure
Vendor business interruption
War/terrorism
Shortage of raw materials
Surveillance
Business interruption and extra expense insurance
Emergency response plan and crisis management plan assessment (below)
Emergency response plan and crisis management plan assessment
Identification of affected areas
Business processes affected
Infrastructure, buildings, and equipment conditions
Users' life safety
Consideration of impact on customers, stakeholders, community etc.
Condition of utilities and communications
Notification and alerting procedures to crisis managers
Providing for safety and security of personnel
Personnel notification as necessary
Role of executives in crisis management
Role of BCP coordinator and team members
Role of public relations toward the media, customers, local officials and employees
Backups and off-site storage: data, applications, and disaster recovery plan
Premises accessibility
Security
Environmental security
Communication status: emergency systems (phones, mobile phones, radios), communications networks
Emergency response procedures: mitigating the damage, declaring a disaster
Recovery team structure, roles and responsibilities
Environmental security assessment
Fire detection and suppression
Protection from water damage
Utility failure
Gas leaks
Electrical disruptions and controls
HVAC (Heating, Ventilating and Air Conditioning) controls
General utilities review at both the primary and secondary operations locations, including ensuring that electrical power is sufficient at alternate sites
Telecommunications availability
Information security assessment
Off-site data storage deficiencies
Logical access control weaknesses
Continuity planning: existing strategies for recoverability of time-critical processes and support resources
Change or problem management
Identification of single points of failure
Useful information collected during the threat analysis
Current state assessment component | Information requested
Physical security | Facilities diagrams and supporting documentation
Environmental security | Same as the above
Information security | Information security policies, procedures, standards
Business impact assessment | Existing business impact assessment reports or documents, audit reports etc.
Emergency response procedure | Written emergency response procedures documentation
Existing continuity plan | Written or automated continuity plans, audit reports
Insurance coverage | Insurance documentation
Off-site backup site inventory/backup processes | Backup media inventory information, backup process operational information
Continuity planning business process | Organizational charts, telephone books, continuity planning policies, standards, procedures
Risk management
Risk management includes identification of risks; appreciation of their impact on the business and the likely frequency of occurrence; and implementation of steps to reduce that frequency to an acceptable level. Although risk assessment and business impact analysis are often treated as separate activities, for all practical purposes they are part of the overall process of risk management.
• Interview key infrastructure and business managers
• Mitigation of risk factors
Interview key infrastructure and business managers
Current state assessment component | Positions to interview
Physical security | Facilities management, data center management, risk management, physical security management
Environmental security | Same as the above
Information security | Information security management, data center management
Business impact assessment | Continuity planning management
Emergency response procedure | Same as physical security, plus key business unit management representatives
Existing continuity plan | Continuity planning management, data center management, crisis management, risk management
Insurance coverage | Risk management
Off-site backup site inventory/backup process | Data center management, media storage management
Continuity planning business process | Continuity planning management, senior management representatives, data center management, risk management
Mitigation of risk factors
Current state assessment component | Example quick-hit opportunities
Physical security | Develop physical security policies and procedures; implement physical security controls
Environmental security | Develop environmental security policies and procedures; implement environmental security controls
Information security | Implement various information security controls; develop information security policies and procedures; conduct risk analysis
Business impact assessment | Business process analysis can reveal various quick-hit opportunities for continuity planning as well as other non-continuity-planning-related projects
Emergency response procedure | Development of emergency response procedures; development of crisis management plans; testing assistance
Existing continuity plan | Testing assistance; enhancement of outdated plans
Insurance coverage | Reduction-in-premium studies; expanded continuity planning infrastructure
Off-site backup site inventory/backup process | Implementation of specialized automated backup systems; regular audits of off-site backup
Continuity planning business process | Reengineering the continuity planning process; defining an appropriate continuity planning matrix
Business Impact Analysis/Assessment (BIA)
Provide enterprise management with a prioritized list of time-critical business processes, and estimate a Recovery Time Objective (RTO) for each time-critical process and for the components of the enterprise that support those processes.
Action summary
Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a workflow analysis
Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes
Identification of the legal and regulatory requirements for the institution's business functions and processes
Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes
Estimation of Recovery Time Objectives (RTO), Recovery Point Objectives (RPO), and recovery of the critical path (the chain of dependencies that bounds how fast a process can actually be brought back)
RPO (Recovery Point Objective): the point in time, prior to a disruption or system outage, to which mission/business process data can be recovered; in practice it is bounded by how often data is backed up or replicated.
RTO (Recovery Time Objective): the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources and the supported mission/business processes.
MTD (Maximum Tolerable Downtime): the total amount of time the system owner/authorizing official is willing to accept for a mission/business process outage or disruption, including all impact considerations. The RTO of each supporting system must be no longer than the MTD of the process it supports, otherwise the plan cannot meet the business requirement.
Benchmark and peer review
Provide opportunities to leverage best-practice measurements into opportunities for substantial performance improvement
Help identify processes and practices that serve as models for streamlining, redesigning, or reengineering within an organization
Help establish strategic plans based on maximum organizational potential
Allow realistic, yet aggressive, goal setting for action plans and agendas
Provide an effective context for developing metrics and measures that help executive management identify improvement opportunities and successes
Help establish or spread a continuous improvement philosophy throughout an organization
Increase the level of employee involvement in performance improvement
Focus growing numbers of personnel on the search for and assimilation of best practices
Help identify new products and services
BCP/DRP phases: 3. Design and development phase
Provide the CPPT with the occasion to thoughtfully consider and design the most suitable continuity planning process strategies, programs, plans and short- and long-term testing, maintenance, training, and measurement processes.
Recovery strategy development: DRP recovery strategies for IT; BCP recovery strategies for enterprise business processes
Work plan development
Building the continuity plan
Testing/maintenance/training
DRP recovery strategies for IT
Address IT resource requirements: the CPPT must work with IT to define and agree upon functional and technical requirements for IT recovery strategies, e.g. IT infrastructure, full production backup, system hardware resources, system data storage requirements, unique hardware resources.
Recovery site
Cold site: an IT location that is capable of supporting IT functionality but is not already equipped with IT and supporting equipment (suited to RTO > 1 week)
Warm site: an IT location that is capable of hosting IT operations and contains some level of IT equipment on-site that may or may not be operationally capable (suited to RTO > 3 days)
Hot site: the site has the equipment, software and communication capabilities to facilitate a recovery within a few minutes or hours; meeting a short RPO at a hot site also requires continuous or near-continuous data replication, not just periodic backups
Mobile site: can be a warm or hot site
Data and software backup
Electronic vaulting: send data and software backups directly to a remote facility to ensure availability
Remote journaling: replicate data transactions or other categories of data in a real-time or near-real-time manner at a second processing site
Off-site storage: store backups at a second, secure off-site location
Database shadowing and mirroring, including RAID mirroring for local disk redundancy (note that RAID protects against disk failure only, not against site loss or logical corruption that is mirrored along with the data)
Cloud storage
Other recovery alternative considerations
Workspace and facilities
Virtual business partner
Logistics and supplies
Support agreements
BCP recovery strategies for enterprise business processes
The CPPT should use the enterprise business process maps of time-critical business processes as a guide:
Business process/function/unit priorities
Time-critical process descriptions
IT infrastructure and systems needs
RTO, RPO
Cost/benefit analysis for each potential recovery alternative, including manual workaround procedures
Developing facilities recovery strategies
Integration of DRP and BCP into the crisis management process
Identify recovery alternatives
Conducting the recovery alternative meetings
Developing continuity plan documents and infrastructure strategies
Developing testing/maintenance/training strategies
Work plan development
Building the continuity plan: document the plan with precise recovery guidelines and assign tasks to specific recovery team members.
Scope, objectives and assumptions
Execution and logistical information
Inventory information
Testing/maintenance/training strategies
Scope, objectives and assumptions
Introductory information and a description of the purpose of the continuity plan, e.g. background, scope, objectives etc.
Plan maintenance responsibilities (who specifically is assigned maintenance responsibilities and what their timeframes are)
Plan testing responsibilities (who specifically is assigned testing responsibilities and their timeframes)
Execution and logistical information
Recovery team structure
RMT (Recovery Management Team): leads the recovery effort, declares the disaster, communicates, authorizes recovery expenses
Damage assessment team: quickly assesses the current situation and ascertains whether the event will render IT and the business unavailable for longer than the RTO
Backup activation team: initiates recovery procedures, moves to alternate sites, transfers people, equipment and other resources, and recovers the most time-critical processes and systems
Restoration team: diagnoses the damage and carries out restoration
Primary site/service reactivation team: prepares the primary site or capability for reactivation and fully tests the newly renovated system
Recovery plan logistical information
Recovery plan logistical information
Document the activities and tasks associated with the recovery of time-critical systems and business processes (after identifying and assigning the recovery teams' responsibilities):
Detailed recovery procedures, checklists and precise steps to recover time-critical applications
Assign the recovery team personnel who are responsible for executing each specific recovery procedure
Assign the location where the recovery activities are to take place, e.g. the EOC (Emergency Operations Center)
Assign the presumed timeframe for each recovery activity
Identify to whom the recovery teams report, what they should report and when (in what timeframe)
Inventory information
Inventory information should be gathered and documented prior to the disaster for ease of access.
Detailed listing of people, equipment, documentation, supplies, hardware, software, vendors, other suppliers, critical applications, required data processing reports, network/communication capabilities, vital records, transportation, data backups, backup facilities, backup site directions and amenities, civil authorities, internal and external customers, recovery site personnel (third-party vendor), off-site storage personnel (third-party vendor), and the location of the emergency fund.
This information should be kept in separate appendices rather than embedded in the text of the continuity plan itself, so it can be updated independently of the plan.
Wrap up the continuity plan: continuity plan contents
Plan overview and assumptions
Responsibilities for developing, testing and maintaining the plans
Continuity team structure and reporting requirements
Detailed procedures for recovery of time-critical processes, applications, networks, systems, facilities
Recovery locations and Emergency Operations Centers (EOC)
Emergency operations communication channels
Recovery timeframes
Supporting inventory information (hardware, software, network, data, people, space, transportation, external agents, documentation etc.)
Plan objectives, scope and assumptions: validating the plan
Accurately reflect the continuity strategy
Raise awareness
Train each participant in his or her particular continuity responsibilities
Call a meeting, possibly including an outsider, e.g. IA (internal auditor)
Distribute a copy of the continuity plan (the plan, the business, the structure)
Activities and tasks
Testing
Measurement criteria: test evaluation criteria and effectiveness, test documentation
Test schedule: should not impact regular production work
Test timeframes: how long should the test take?
Participants: achieve the maximum possible training benefit for the most participants
Test script: what are the instructions to the test participants?
Maintenance
Regular review and updates: internal/external audit
Version control: contact lists, contracts, plan version
Distribution of updated plans: distribution control MUST be ensured, since the plan contains personal information (home and mobile numbers) and details of recovery sites, and superseded copies must be withdrawn
Training
Why do we NEED training? It is more a PEOPLE issue than a technical one: business processes, recovery processes, plan testing and maintenance, human error, and recovering the organization all depend on people knowing their roles.
BCP/DRP phases: 4. Implementation phase
Objective of the implementation phase
Implementation work plans: consolidate and validate IT and business operations, schedule deployment meetings
Organizational unit plan deployment: initial version of the continuity plan, validate the recovery teams, identify the people assigned to this project
Monitor implementation: the CPPT must monitor IT and business operation implementation efforts and support those efforts as required
BCP/DRP phases: 5. Management phase
Focus on the activities, tasks and responsibilities associated with organizing and executing the day-to-day management of the continuity planning process.
Example of "building a plan"
Medium-sized organization (1,000 to 3,000 staff with two data centers)
Emergency notification list
Vital records backup and recovery
Business Impact Analysis (BIA)
Strategy development
Alternate site selection
Contingency plan development
Emergency notification list (1 month)
People who can and will respond to an emergency.
Title | Name | Home phone | Work phone | Mobile number
Emergency management team leader | John Smith | (508)555-3546 | (508)855-1234 | (508)555-3452
HR team leader | Mary Flounder | (508)555-6765 | (508)855-2779 | (508)555-9876
Vital records backup and recovery (within the first 6 months)
Access to all records needed to operate the organization.
Common vital records (legal records):
Anything with a signature
Customer correspondence (statements, letters back and forth, requests, etc.)
Customer conversations (recorded interactions with customer service representatives)
Accounting records
Justification proposals/documents
Transcripts/minutes of meetings with legal significance
Paper with value: stock certificates, bonds, etc.
Legal documents: letter of incorporation, etc.
Common vital records (business records):
Databases and contact lists for employees, customers, vendors, partners or others that your business unit deals with regularly or at a time of emergency (include the ENL)
Business unit contingency plans
Procedure/application manuals that your employees normally use, and procedure manuals for operation in your alternate site if different from the above
Backup files from production servers/applications owned by your business unit that support your critical functions
Reference documents used by your employees on a regular basis
Calendar files or printouts, particularly if your business unit schedules appointments with customers
Source code