Asst. Prof. Kemathat Vibhatavanij Ph.D.

Transcript of Asst. Prof. Kemathat Vibhatavanij Ph.D.

Objective of BC and DRP

Ensure the preservation of the business in the face of major disruptions to normal business operation.

Identification, selection, implementation, testing and updating of the processes and specific actions necessary to prudently protect critical business processes from the effect of major system and network disruptions, and to ensure the timely restoration of business operations if significant disruptions occur.

Terrorist attack
• Subsequent to the 9/11 attacks on the WTC and the Pentagon …
• The US attorney general advised and encouraged American companies to immediately evaluate and strengthen their security programs
• Executive Order 13636 Cybersecurity framework

Natural disaster
• Hurricane Katrina
• Tsunami hit the southwestern part of Thailand
• Tsunami hit Japan
• Earthquake in Japan/Chile

Industry and professional std.
• NFPA 1600 (Nat’l Fire Protection Assoc.)
• ISO 22301 (Business Continuity)
• BS 25999 (Business Continuity Mgmt.)
• NIST (Nat’l Inst. of Std. and Tech)
• BCI (Business Continuity Institute)
• Std. of due care …

Enterprise-wide continuity planning business process

Business impacts
• Revenue loss (temporary interruption of revenue)
• Extra expense (OT, rents and leases for temporary space)
• Compromised customer service (customer inconvenience)
• Embarrassment or loss of confidence (external parties)

How to start
• BC needs senior leadership support
• Convince the C-team or the Board
• Point out the risks “if not having BC”
  Risks in three areas
  ○ Financial
  ○ Reputational
  ○ Regulatory
• The cost if a disaster were to occur

BCM lifecycle

BCP/DRP phases
• Project initiation phase
• Current state assessment phase
• Design and development phase
• Implementation phase
• Management phase

Project initiation phase: preplanning activities
• Establish the organization’s continuity planning scope and objective criteria
• Gain and demonstrate management support
• Form the BCP project implementation team, referred to hereafter as the CPPT team (continuity planning project team†), and define their roles and responsibilities
• Define and obtain continuity project resource requirements
• Understand and leverage current and anticipated disaster avoidance preparations

† Others may call this an Information Systems Contingency Plan (ISCP)

Current state assessment phase

Provide enterprise management with practical information. (Having done all of the following items, you will understand the strategies, goals and objectives of the enterprise.)
• Threat analysis
• Business Impact Analysis/Assessment (BIA)
• Continuity planning process current state assessment
• Benchmark and peer review

Design and development phase

The organization, with the help of the CPPT, formulates the most efficient and effective recovery strategies to address the threats and recovery priorities identified.
• Develop and design the most appropriate continuity strategies
• Develop the crisis management plan (CMP) and continuity planning (BCP & DRP) structures
• Develop continuity and crisis management plan, infrastructure testing and maintenance activities
• Design initial acceptance testing of the plans
• Plan for recovery resource acquisition

Implementation phase

CPPT professionals work with the business process owners or representatives to deploy:
• Continuity plans (BCP, DRP) as well as the enterprise crisis management plan
• Program short-term and long-term testing
• Program short-term and long-term maintenance strategies
• Program education, training and awareness processes
• Program management process

Management phase

Day-to-day management of continuity planning is organized, executed and sustained.

The CPPT works with the business owners or representatives to address overall continuity planning issues, including program oversight and the continuity planning manager’s roles and responsibilities.

BCP/DRP phases: Project initiation phase

Description
• Project scope development and planning
• Executive mgmt. support
• BCP project scope and authorization
• Executive management leadership and awareness
• Continuity planning project team organization and management
• Disaster or disruption avoidance and mitigation
• Project initiation phase activities and tasks work plan

Project scope development and planning
• Disaster Recovery Planning (DRP)
• Business Continuity Planning (BCP)
• Crisis Management Planning
• Continuous Availability
• Incident Command System

Executive mgmt. support

Continuity planning touches every single corner of the enterprise, e.g. business processes, IT, infrastructure, facilities, personnel, services.
• Articulate top-down mgmt. support
• Suitable resource commitment
• Budget
• Coverage: BCP, DRP and CMP

BCP project scope and authorization
• Do not attempt to “boil the ocean”
• Break the project down into chunks
• Business changes … so does the plan
• Organization changes … so does the plan
• The continuity planner should be prepared to adjust the scope of the project to address current needs

Executive management leadership and awareness
• Formalizing continuity planning policy
• Establishing and managing a continuity budget
• Defining continuity planning metrics
• Articulating continuity planning communications
• Solving informal red tape or unwillingness

Continuity Planning Project Team organization and management

Made up of Continuity Planning Leadership, selected technical and business experts (business knowledge and continuity planning process), and senior, knowledgeable staff.

Remember!!! => Team members should be more seasoned managers who understand the need for continuity planning, the goals of the enterprise, and the intricacies of the business processes.

Continuity Planning Project Team organization and management
• Continuity planning Project Mgmt. Office techniques
  ○ The PMO approach will provide strategic support to business units and management
  ○ The CPPT must be able to interact with many levels of management and organization structures
• Project mgmt. tools
  ○ The use of a project management methodology
• Continuity planning project timeline
  ○ Establish schedules, deadlines and milestones
  ○ Use days or weeks as the unit rather than months
• Conduct a continuity planning project kickoff meeting
  ○ Formal kickoff meeting

Kickoff meeting objectives
• Allow the executive sponsor to introduce the continuity planning project and describe its value to the enterprise
• Introduce the CPPT
• Provide an overview of the continuity planning process
• Present an overview of the continuity planning methodology
• Detail the project approach and scope
• Present the project objectives
• Review the project schedule
• Discuss project staffing
• Describe project deliverables
• Review the preliminary work plan
• Identify key business process owners or representative contacts outside the project team
• Obtain time commitments from business process owner or representative team members
• Answer questions and address concerns

Disaster or disruption avoidance and mitigation

The CPPT should consider the extent and status of existing physical, environmental, and information security-related controls that might mitigate the effects of an event.

Project initiation phase activities and tasks work plan

Project initiation phase

Activity/task | Deliverables
Prepare project charter and obtain management approval | Project charter
Prepare and finalize project plan, including work steps, deliverables and milestones | Project work plan
Prepare and finalize project budget | Budget
Management presentation and approval to move to next phase |

BCP/DRP phases: Current state assessment phase

Description
• Understanding enterprise strategic planning and org. profile
• Continuity planning process support assessment
• Business Impact Analysis/Assessment
• Benchmarking or peer review

Understanding enterprise strategy, goals and objectives
• Strategic planning document
• Annual report, audit report
• Continuity plan
• Financial and competitive intelligence

Enterprise business process analysis
• Business process maps (business units, IT systems and infrastructure, critical business partnerships)

People and organizations
• Organization chart
• Telephone directory
• Inventory lists

Time dependencies
• Time-critical business processes and their dependencies

Motivation, risks and control objectives
• Embrace change management (people, process, technology)
• Barriers, enablers and rewards

Budgets
• Budget and resources allocated

Technical issues and constraints
• Current and future business/technology linking plans

Examine the health and vitality of an enterprise’s continuity planning infrastructure and determine if the components are up to date.

Work to conduct: threat assessment, risk assessment and BIA (Business Impact Analysis).

Threat assessment
• Evaluate the existing organizational controls and procedures that could reduce the likelihood of a potential interruption of services
• Should an interruption take place, the impact of the interruption is minimized and the organization’s assets are safeguarded
• The BCP project team (CPPT) is concerned specifically with threats as they relate to information and resources that are necessary to support critical business processes

3 types of threat assessment
• Physical and personnel security assessment
• Environmental security assessment
• Information security assessment

Physical and personnel security assessment
• Loss of key personnel, temporary or permanent, for any reason (even retirement)
• Physical access control weakness
• Health or accident
• Supply chain failure
• Vendor business interruption
• War/terrorism
• Shortage of raw materials
• Surveillance
• Business interruption and extra expense insurance
• Emergency response plan and crisis management plans assessment (next 2 slides)

Emergency response plan and crisis mgmt. plan assessment
• Identification of affected areas
• Business processes affected
• Infrastructure, buildings, and equipment conditions
• Users’ life safety
• Consideration of impact on customers, stakeholders, community etc.
• Condition of utilities and communications
• Notification and alerting procedures to crisis managers
• Providing for safety and security of personnel
• Personnel notification as necessary
• Role of executives in crisis management
• Role of BCP coordinator and team members
• Role of public relations toward the media, customers, local officials and employees

Emergency response plan and crisis mgmt. plan assessment
• Backups and off-site storage
• Data, applications, and disaster recovery plan
• Premises accessibility
• Security
• Environmental security
• Communication status
• Emergency system: phones, mobile phones, radios
• Communications networks
• Emergency response procedures
• Mitigating the damage
• Declaring a disaster
• Recovery team structure, roles and responsibilities

Envi. security assessment
• Fire detection and suppression
• Protection from water damage
• Utility failure
• Gas leaks
• Electrical disruptions and controls
• HVAC (Heating, Ventilating and Air Conditioning) controls
• General utilities review at both the primary and secondary operations locations, including ensuring that electrical power is sufficient at alternate sites
• Telecommunications availability

Infosec. assessment
• Off-site data storage deficiencies
• Logical access control weaknesses
• Continuity planning: existing strategies for recoverability of time-critical processes and support resources
• Change or problem management
• Identification of single points of failure

Useful info. collected during the Threat Analysis

Current state assessment component | Information requested
Physical security | Facilities diagrams and supporting documentation
Environmental security | Same as the above
Information security | Infosec. policies, procedures, std.
Business impact assessment | Existing bus. impact assessment reports or doc., audit reports etc.
Emergency response procedure | Written emergency response procedures documentation
Existing continuity plan | Written or automated continuity plans, audit reports
Insurance coverage | Insurance documentation
Off-site backup site inventory/backup processes | Backup media inventory info., backup process operational information
Continuity planning bus. proc. | Organizational charts, tel. books, continuity planning policies, std., procedures

Risk management

Risk management includes identification of risks; appreciation of their impact on the business and the likely frequency of occurrence; and implementation of steps to reduce that frequency to an acceptable level. Although risk assessment and business impact analysis are often treated as separate activities, for all practical purposes they are part of the overall process of risk management.

• Interview key infrastructure and business managers
• Mitigation of risk factors

Interview key infrastructure and business managers

Current state assessment component | Positions to interview
Physical security | Facilities mgmt., data center mgmt., risk mgmt., physical security mgmt.
Environmental security | Same as the above
Information security | Infosec mgmt., data center mgmt.
Business impact assessment | Continuity planning mgmt.
Emergency response procedure | Same as physical security, plus key BU mgmt. rep.
Existing continuity plan | Continuity planning mgmt., data center mgmt., crisis mgmt., risk mgmt.
Insurance coverage | Risk mgmt.
Off-site backup site inventory/backup process | Data center mgmt., media storage mgmt.
Continuity planning business process | Continuity planning mgmt., Sr. mgmt. rep., data center mgmt., risk mgmt.

Mitigation of risk factors

Current state assessment component | Ex. quick-hit opportunities
Physical security | Develop physec. policies and procedures; implement physec. ctrl.
Environmental security | Develop enviSec. policies and procedures; implement enviSec. ctrl.
Information security | Implement various infosec. ctrl.; develop infosec. policies and procedures; conduct risk analysis
Business impact assessment | Bus. process analysis can reveal various quick-hit opportunities for continuity planning as well as other non-continuity-planning-related projects
Emergency response procedure | Development of emergency response procedures; development of crisis mgmt. plans; testing assistance

Mitigation of risk factors

Current state assessment component | Ex. quick-hit opportunities
Existing continuity plan | Testing assistance; enhancement of outdated plans
Insurance coverage | Reduction-in-premium studies; expanded continuity planning infrastructure
Off-site backup site inventory/backup process | Implementation of specialized automated backup systems; regular audits of off-site backup
Continuity planning business process | Reengineering the continuity planning process; defining an appropriate continuity planning matrix

Provide enterprise management with a prioritized list of time-critical business processes, and estimate a Recovery Time Objective (RTO) for each of the time-critical processes and the components of the enterprise that support those processes.

Action summary
• Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a workflow analysis
• Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution’s business functions and processes
• Identification of the legal and regulatory requirements for the institution’s business functions and processes
• Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution’s business functions and processes
• Estimation of Recovery Time Objectives (RTO), Recovery Point Objectives (RPO), and recovery of the critical path

RPO (Recovery Point Objective): represents the point in time, prior to a disruption or system outage, to which mission/business process data can be recovered.

RTO (Recovery Time Objective): the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources and supported mission/business processes.

MTD (Maximum Tolerable Downtime): represents the total amount of time the system owner/authorizing official is willing to accept for a mission/business process outage or disruption, and includes all impact considerations.
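The three objectives above only make sense together: a recovery strategy whose RTO is longer than the MTD, or a backup schedule that copies data less often than the RPO allows, means the BIA and the plan disagree. The following is an added example, not from the lecture, of a small consistency check a continuity planner might run over a BIA register. The process names, hours and the backup_interval_h field are constructed sample data; the check assumes periodic backups, where worst-case data loss is one full backup interval.

```python
"""
Added example (not from the lecture): a consistency check over a Business
Impact Analysis (BIA) register using the RTO/RPO/MTD definitions above.
For each time-critical process it flags:
  * RTO > MTD              -> planned recovery takes longer than the business tolerates
  * backup interval > RPO  -> the backup schedule cannot meet the data-loss objective
and then orders processes by MTD, which yields the recovery priority list.
All process names, hours and the backup_interval_h attribute are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class BiaEntry:
    process: str
    mtd_h: float              # Maximum Tolerable Downtime in hours, set by the business owner
    rto_h: float              # Recovery Time Objective in hours, what the strategy achieves
    rpo_h: float              # Recovery Point Objective in hours of acceptable data loss
    backup_interval_h: float  # how often data is actually copied off-site (assumed attribute)


def check_entry(e: BiaEntry) -> list[str]:
    """Return findings for one BIA entry; an empty list means the entry is consistent."""
    findings = []
    if e.rto_h > e.mtd_h:
        findings.append(f"{e.process}: RTO {e.rto_h}h exceeds MTD {e.mtd_h}h")
    # With periodic backups the worst-case loss is one full interval, so the
    # interval must not exceed the RPO.
    if e.backup_interval_h > e.rpo_h:
        findings.append(
            f"{e.process}: backup interval {e.backup_interval_h}h exceeds RPO {e.rpo_h}h"
        )
    return findings


def prioritize(entries: list[BiaEntry]) -> list[str]:
    """Process names ordered by MTD ascending: the least tolerant process is recovered first."""
    return [e.process for e in sorted(entries, key=lambda e: (e.mtd_h, e.rto_h))]


# Constructed sample register for a medium-sized organization.
SAMPLE_BIA = [
    BiaEntry("Order processing", mtd_h=8,  rto_h=4,  rpo_h=1,  backup_interval_h=0.25),
    BiaEntry("Payroll",          mtd_h=72, rto_h=96, rpo_h=24, backup_interval_h=24),
    BiaEntry("Customer support", mtd_h=24, rto_h=12, rpo_h=4,  backup_interval_h=24),
]


def audit(entries: list[BiaEntry] = SAMPLE_BIA) -> dict:
    """Run every check and return the priority list plus all findings."""
    findings = [f for e in entries for f in check_entry(e)]
    return {"priority": prioritize(entries), "findings": findings}


if __name__ == "__main__":
    result = audit()
    print("Recovery priority:", " > ".join(result["priority"]))
    for finding in result["findings"]:
        print("FINDING:", finding)
```

On the sample data the check reports that Payroll's RTO exceeds its MTD and that Customer support's daily backup cannot satisfy a 4-hour RPO, while Order processing is consistent; the priority list puts the process with the shortest MTD first.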

Benchmark and peer review
• Provide opportunities to leverage best-practice measurements into opportunities for substantial performance improvement
• Help identify processes and practices that serve as models for streamlining, redesigning, or reengineering within an organization
• Help establish strategic plans based on maximum organizational potential
• Allow realistic, yet aggressive, goal setting for action plans and agendas
• Provide an effective context for developing metrics and measures that help executive management identify improvement opportunities and successes
• Help establish or spread a continuous improvement philosophy throughout an organization
• Increase the level of employee involvement in performance improvement
• Focus growing numbers of personnel on the search for and assimilation of best practices
• Help identify new products and services

BCP/DRP phases: Design and development phase

Provide the CPPT with the occasion to thoughtfully consider and design the most suitable continuity planning process strategies, programs, plans and short- and long-term testing, maintenance, training, and measurement processes.

• Recovery strategy development
  ○ DRP recovery strategies for IT
  ○ BCP recovery strategies for enterprise business processes
• Work plan development
• Building continuity plan
• Testing/Maintenance/Training

DRP recovery strategies for IT

Address IT resource requirements: the CPPT must work with IT to define and agree upon functional and technical requirements for IT recovery strategies, e.g. IT infrastructure, full production backup:
• System hardware resources
• System data storage requirements
• Unique hardware resources

Recovery site
• Cold site: an IT location that is capable of supporting IT functionality, but is not already equipped with IT and supporting equipment (RTO > 1 week)
• Warm site: an IT location that is capable of hosting IT operations and contains some level of IT equipment on-site that may or may not be operationally capable (RTO > 3 days)
• Hot site: the site has the equipment, software and communication capabilities to facilitate a recovery within a few minutes or hours
• Mobile site: can be a warm or hot site

Data and software backup
• Electronic vaulting: send data and software backups directly to a facility to ensure their availability
• Remote journaling: replicate data transactions or other categories of data in a real-time or near-real-time manner at a 2nd processing site
• Off-site storage: store those backups at a 2nd secure off-site location
• Database shadowing and mirroring
• Using RAID technology to store data
• Cloud storage
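What separates these backup options in practice is how much committed data is still missing from the second copy at the moment the primary site is lost, i.e. the RPO each one can actually deliver. The following is an added example, not from the lecture, that models that with a constructed transaction stream and constructed timing parameters; the strategy names, the lag and interval figures, and the 13:55 outage are all this example's own assumptions. RAID is deliberately left out: it protects against disk failure inside the primary site and does not by itself produce a copy that survives losing that site.

```python
"""
Added example (not from the lecture): a toy model of the data and software
backup options above, showing how each bounds data loss at the moment of a
disruption, i.e. its effective RPO. Times are integer minutes since midnight.
Strategies modelled (names are this example's own):
  offsite_storage      periodic copy (e.g. nightly) taken to a 2nd secure location
  electronic_vaulting  batches of backups sent to a vault every interval_min
  remote_journaling    each transaction replicated to a 2nd site after lag_min
  database_mirroring   synchronous copy, lag 0
The workload, outage time and all timing parameters are constructed.
"""
from __future__ import annotations


def transactions(until_min: int, spacing_min: int) -> list[int]:
    """Constructed workload: one committed transaction every spacing_min minutes."""
    return list(range(0, until_min + 1, spacing_min))


def last_copy_before(outage_min: int, interval_min: int) -> int:
    """Start time of the most recent periodic copy taken at or before the outage."""
    return (outage_min // interval_min) * interval_min


def recovery_cutoff(strategy: str, outage_min: int, **kw) -> int:
    """Latest commit time whose data already exists at the secondary location at the outage."""
    if strategy in ("offsite_storage", "electronic_vaulting"):
        return last_copy_before(outage_min, kw["interval_min"])
    if strategy == "remote_journaling":
        return outage_min - kw["lag_min"]   # journal entries still in flight are lost
    if strategy == "database_mirroring":
        return outage_min                   # synchronous: every committed write is mirrored
    raise ValueError(f"unknown strategy {strategy!r}")


def assess(txns: list[int], outage_min: int, strategy: str, **kw) -> dict:
    """How much committed data a strategy recovers, and the loss window it leaves."""
    committed = [t for t in txns if t <= outage_min]   # writes that happened before the outage
    cutoff = recovery_cutoff(strategy, outage_min, **kw)
    recovered = [t for t in committed if t <= cutoff]
    last_recovered = recovered[-1] if recovered else None
    loss_window = outage_min - last_recovered if last_recovered is not None else outage_min
    return {
        "strategy": strategy,
        "recovered": len(recovered),
        "lost": len(committed) - len(recovered),
        "loss_window_min": loss_window,
    }


def meets_rpo(result: dict, rpo_min: int) -> bool:
    """A loss window no larger than the RPO means the strategy satisfies the objective."""
    return result["loss_window_min"] <= rpo_min


# Constructed scenario: a transaction every 6 minutes, primary site lost at 13:55.
WORKLOAD = transactions(until_min=840, spacing_min=6)
OUTAGE_MIN = 13 * 60 + 55

SCENARIOS = [
    ("offsite_storage", {"interval_min": 24 * 60}),   # nightly copy to off-site storage
    ("electronic_vaulting", {"interval_min": 4 * 60}),  # vault batch every 4 hours
    ("remote_journaling", {"lag_min": 2}),              # near-real-time, 2 minute lag
    ("database_mirroring", {}),                          # synchronous mirror
]


def compare(rpo_min: int = 60) -> list[dict]:
    """Run every strategy against the scenario and mark whether it meets the given RPO."""
    out = []
    for name, params in SCENARIOS:
        r = assess(WORKLOAD, OUTAGE_MIN, name, **params)
        r["meets_rpo"] = meets_rpo(r, rpo_min)
        out.append(r)
    return out


if __name__ == "__main__":
    for r in compare(rpo_min=60):
        print(f"{r['strategy']:<20} recovered={r['recovered']:>3} lost={r['lost']:>3} "
              f"loss_window={r['loss_window_min']:>4} min  meets RPO(60 min)={r['meets_rpo']}")
```

With a 60-minute RPO the nightly off-site copy and the 4-hourly vault both fail (loss windows of 835 and 115 minutes), while remote journaling and mirroring meet it (7 and 1 minutes); the point for the planner is that the RPO chosen in the BIA dictates which of these options is even eligible.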

Other recovery alternative considerations
• Workspace and facilities
• Virtual business partner
• Logistics and supplies
• Support agreement

BCP recovery strategies for enterprise business processes

The CPPT should use the enterprise business process maps of time-critical business processes as a guide:
• Business process/function/unit priorities
• Time-critical process descriptions
• IT infrastructure and systems needs
• RTO, RPO
• Cost/benefit analysis for each potential recovery alternative, including manual workaround procedures

BCP recovery strategies for enterprise business processes
• Developing facilities recovery strategies
• Integration of DRP and BCP into the crisis management process
• Identifying recovery alternatives
• Conducting the recovery alternative meetings
• Developing continuity plan documents and infrastructure strategies
• Developing testing/maintenance/training strategies

Work plan development

Building continuity plan

Document the plan with precise recovery guidelines and assign tasks to specific recovery team members.
• Scope, objectives and assumptions
• Execution and logistical information
• Inventory information
• Testing/maintenance/training strategies

Scope, obj. and assumptions
• Introductory information and a description of the purpose of the continuity plan, e.g. background, scope, objectives etc.
• Plan maintenance responsibilities (who specifically is assigned maintenance responsibilities and what are their timeframes)
• Plan testing responsibilities (who specifically is assigned testing responsibilities and their timeframes)

Execution and logistical info.
• Recovery team structure
• Recovery plan logistical information

Execution and logistical info.: Recovery team structure
• RMT (Recovery Mgmt. Team): leads the recovery efforts, declares the disaster, communicates, authorizes recovery expenses
• Damage assessment team: quickly assesses the current situation, ascertains whether the event will render IT and business unavailable for longer than the RTO
• Backup activation team: initiates recovery procedures, moves to alternate sites, transfers people, equipment and other resources, recovers the most time-critical processes and systems
• Restoration team: diagnoses the damage and carries out restoration
• Primary site/service reactivation team: prepares the primary site or capability for reactivation, full test of the newly renovated system

Execution and logistical info.: Recovery plan logistical information

Documenting activities and tasks associated with the recovery of time-critical systems and business processes (after identifying and assigning the recovery teams’ responsibilities):
• Detailed recovery procedures, checklists, precise steps to recover time-critical apps.
• Assign the recovery team PERSONNEL who is/are responsible for executing the specific recovery procedures
• Assign a location where the recovery activities are to take place, e.g. EOC (Emergency Op. Ctr.)
• Assign the presumed timeframe for the recovery activities
• Identify to whom the recovery teams are to report, what they should report and when they report (in what time frame)

Inventory information

Inventory info. should be gathered and documented prior to the disaster for ease of access.

Detailed listing of people, equipment, documentation, supplies, hardware, software, vendors, other suppliers, critical apps, required data processing reports, network/comm. capabilities, vital records, transportation, data backup, backup facilities, backup site directions and amenities, civil authorities, internal/external customers, recovery site personnel (3rd party vendor), off-site storage personnel (3rd party vendor), location of emergency fund.

This info. has to be singled out rather than included in the text of the continuity plan itself.

Wrap up the continuity plan

Continuity plan contents
• Plan overview and assumptions
• Responsibilities for developing, testing and maintaining the plans
• Continuity team structure and reporting requirements
• Detailed procedures for recovery of time-critical processes, apps, networks, systems, facilities
• Recovery locations and Emergency Operations Centers (EOC)
• Emergency operations comm. channels
• Recovery timeframes
• Supporting inventory info. (hardware, software, network, data, people, space, transportation, external agents, documentation etc.)

Testing/MA/Training
• Plan objective, scope and assumptions
• Plan testing
• MA
• Training requirements

Plan obj., scope and assumptions
• Accurately reflect the continuity strategy
• Raise awareness
• Train each person in his/her particular continuity responsibilities
• Call a meeting, which may include an outsider, e.g. IA (internal auditor)
• Distribute a copy of the continuity plan (the plan, the business, the structure)

Activities and tasks

Testing
• Measurement criteria: test evaluation criteria and effectiveness, test documentation
• Test schedule: should not impact regular production work
• Test timeframes: how long should the test take?
• Participants: achieve the max. possible training benefit for the most participants
• Test script: what are the instructions to the test participants?

Maintenance
• Regular review and updates: internal/external audit
• Version control: contact lists, contracts, plan version
• Distribution of updated plans: MUST ensure plan distribution control, since some information may contain personal information

Training

Why do we NEED training? It’s all about PEOPLE ISSUES more than technical issues … and those are … business processes, recovery processes, plan testing and MA, human error, recovering the organization.

BCP/DRP phases: Implementation phase

The agreed-upon strategies and action plans are deployed.

Objective of Implementation phase
• Implementation work plans: consolidate and validate IT and business op.; schedule deployment; meeting
• Organizational unit plan deployment: initial version of the continuity plan; validate recovery team; identify people who are assigned in this project
• Monitor implementation: the CPPT must monitor IT and business operation implementation efforts and support those efforts as required

BCP/DRP phases: Management phase

Focus on the activities, tasks and responsibilities associated with organizing and executing the day-to-day management of the continuity plan process.

Example of “building a plan”

Medium-sized org. (1,000-3,000 staff with two data centers)
• Emergency notification list
• Vital records backup and recovery
• Business Impact Analysis (BIA)
• Strategy development
• Alternate site selection
• Contingency plan development

Emergency notification list

Emergency notification list (1 month): people who can and will respond to an emergency.

Title | Name | Home phone | Work phone | Mobile number
Emergency mgmt. team leader | John Smith | (508)555-3546 | (508)855-1234 | (508)555-3452
HR team leader | Mary Flounder | (508)555-6765 | (508)855-2779 | (508)555-9876

Vital records backup and recovery

Vital records backup and recovery (within the first 6 months): access to all records needed to operate the organization.

Common Vital Records (Legal records)
• Anything with a signature
• Customer correspondence (statements, letters back and forth, requests, etc.)
• Customer conversations (recorded interactions with customer service reps.)
• Accounting records
• Justification proposals/documents
• Transcripts/minutes of meetings with legal significance
• Paper with value: stock certificates, bonds, etc.
• Legal documents: letter of incorporation, etc.

Common Vital Records (Business Records)
• Databases and contact lists for employees, customers, vendors, partners or others that your business unit deals with regularly or at a time of emergency (include the ENL)
• Business unit contingency plans
• Procedure/application manuals that your employees normally use, and procedure manuals for operation in your alternate site if different from the above
• Backup files from production servers/applications owned by your business unit that support your critical functions
• Reference documents used by your employees on a regular basis
• Calendar files or printouts, particularly if your business unit schedules appointments with customers
• Source code