BCI ICT Resilience
www.sungard.co.uk
Ron Miller, Principal Consultant
BCM & ICT Continuity Standards: what are their purposes and how can they work together?
-
2010 SunGard. | www.sungard.co.uk
What I'll be covering
ISO 27031 and ISO 24762: why?
ICT continuity standards: key content and guidance (principles and elements)
The relationships and integration with the GPG, BS 25999 and ISO 22301
ICT recovery versus resilience: addressing common issues
-
It was all about IT DR
-
[Chart: BCM growth over time, 1970s to 2000s, by sector: IT, big business, medium business, public sector]
-
BS 25999: British Standard for Business Continuity Management
Provided guidance for organizations of all sizes, in all sectors, on what they should do to:
Enhance resilience
Provide restoration of key products and services
Deliver proven capability to manage disruption
(but not how they do it!)
-
BCM Lifecycle (BS 25999)
Widely adopted in the UK and beyond
Used as the basis for ISO 22301 and ISO 22313
Used as the basis for other continuity and resilience standards: TC223 ISO standards, US BCM standard
-
But what about ICT?
-
ISO 27000
ISO 27001: 5 controls (out of 133)
ISO 27002: four and a half pages of high-level guidance (out of 130 pages)
-
BS 25777
-
How BS 25777 integrated with BS 25999
-
The need for ISO 27031
Increasing dependency on information and communications technology
Comprehensive guidance established for business continuity management: BS 25999 and others
Supported by ICT continuity guidance: BS 25777
No detailed guidance directly related to ISO 27001
Significant gaps continue to be present between business and supporting ICT continuity and resilience in many organisations
-
BS 25777 evolved into...
ISO 27031: Guidelines for information and communication technology readiness for business continuity
Takes the core elements of BS 25777
Links them to an information security anchor
Provides guidance which expands upon ISO 27002
Helps in the implementation of controls contained within ISO 27001
-
ISO 27031
Continues to integrate with BC
Supports the PDCA process: planning; implementing and operating; assessing, measuring and reviewing; corrective and preventive actions
Supports ISMS
-
ISO 24762: what is it?
Guidelines for information and communications technology disaster recovery services
Provision of information and communications technology disaster recovery (ICT DR) services as part of business continuity management
Applicable to both in-house and outsourced ICT DR service providers of physical facilities and services.
-
ISO 24762: is it any good?
No! Based on a Singapore standard
ISO consultation process failed
BCM community unaware of its existence until too late
Service providers unaware of its existence until too late
Does not integrate with BCM standards
Does not integrate with ISO 27031
Shining example of how-not-to-develop-a-standard
Now at the beginning of the revision process.
-
ISO 24762: who uses it?
Good question!
-
ISO 24762: who uses it?
BSi sells it!!
Some dubious claims by vendors
Experts offering advice
-
Concepts and Principles
-
Concepts and Principles of ISO 27031
ICT Readiness for Business Continuity (IRBC)
Complements and supports BCM and/or ISMS by:
Improving incident detection capabilities
Preventing a sudden or drastic failure
Enabling an acceptable degradation of operational status should the failure be unstoppable
Further shortening recovery time
Minimising impact upon eventual occurrence of the incident
-
The relationship between IRBC and BCM
-
ICT Readiness Principles
-
Key principles
Incident prevention
Incident detection
Response
Recovery
Improvement
-
Incident prevention: an iterative process
ICT Readiness promotes resilience
Facilitates identification of critical components in each of the elements which make up the ICT environment
Relates ICT criticality to wider business criticalities
Priorities also driven by BC requirements
-
Incident prevention: an iterative process
Justifies resource and budget for appropriate resilience measures
Monitors the performance of resilience measures
Review and improvement following exercises, tests and incidents
-
Incident prevention: the elements which make up the ICT environment
People
Facilities
Technology
Data
Processes
Suppliers
-
Incident detection
IRBC promotes response BEFORE an incident occurs, upon detection of one or a series of related events that become incidents
Detecting incidents at the earliest opportunity minimizes impact to services, reduces recovery effort, and preserves quality of service
Investment in detection should be linked to the business continuity needs
-
Incident detection
People
Facilities
Technology:
Hardware failures: malfunctions in racks, servers, storage arrays, tape devices
Network: data connectivity interruptions, intrusion detection etc.
Software: upgrade issues, unauthorised software, malware etc.
Data: corrupted datasets, incomplete datasets etc.
Processes: system changes, maintenance etc.
Suppliers: power failure, telecoms outage
-
Response
IRBC promotes existing good practice:
Confirm nature and extent of incident
Take control of situation
Contain the incident
Communicate with stakeholders
(Not necessarily in chronological order.)
-
Response: confirm nature and extent of incident
Acquire information
Assess: how does it affect the elements of the ICT environment? How might this affect service-users and the critical activities of the organisation?
-
Response: take control of situation
Automatic or manual failover?
Determine priorities for mitigating incident across people, facilities, technology, data, processes and suppliers
Determine resource requirements
Communicate
-
Response: contain the incident
Auto or manual failover?
Direct resources to manage situation
Communicate
Is there concurrent activation of BC Incident Management?
Liaise with rest of organisation
Activate relevant contingency arrangements
-
Response: communicate
Communication essential all the way through the response process
Integration with overall BC incident management process
-
Recovery
Technical recovery plans, in conjunction with organisational business continuity plans
Failover of immediately time-critical systems
Recovery of less time-sensitive systems
Manage recovery process over hours, days, weeks...
-
Improvement
IRBC promotes improvement through:
Lessons learned from exercises
Audits/self-assessment
Feedback from periodic BIAs and risk assessments
Corrective action following incidents
Preventive action
-
The ICT Resilience Gap
Why do organisations get it wrong?
The consequences of the gap
-
Managing Expectations?
ICT Teams plan for this?
-
Managing Expectations?
Service users expect this?
-
Information value is the key
IT departments are custodians of information
They are NOT the owners of the information
They do not know its value
Value is not always about money
Value can be reputational, service-related etc.
-
Managing Expectations?
Mismatch of expectations:
IT: "You'll get what we choose to give you"
Business: "What do you mean? Don't you give us EVERYTHING?????"
Constraints: technological, budgetary, resource
Fundamental misunderstandings about business and role of technology
Fundamental misunderstandings about the holistic nature of ICT
-
The example of email
-
The impact of ICT loss
Impacts are not always obvious
ICT requirements post-disruption can be quite different from business-as-usual
Criticality of the same data can vary widely across the organisation: not all data is born equal!
Recovery is frequently not an option
-
The consequences
Mismatch of ICT resilience implementation and organisational requirements
Wasteful of expenditure and resource
Provides the WRONG ICT environment in the WRONG timescales
IT departments frequently concentrate on DR rather than resilience and continuity
"We don't need to bother about uptime because we know we have good DR"
They don't ask users the right questions
Business departments don't know/share continuity requirements: RTOs, RPOs
Each side's knowledge of information availability capabilities and requirements remains unknown to the other
-
The consequences
The organisation implements an information security programme which fails to deliver on information availability
-
ICT Resilience
How can the costs be justified?
How can ISO 27031 help?
-
Getting value for money
Mechanism for realism in service-user BCM requirements
Relates RTOs and RPOs to Minimum Business Continuity Objectives
Rationalises IT DR spend
Justifies cost to the business
Resilience versus Recovery
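The RTO/RPO rationalisation on this slide and the requirements/capability mismatch under "The consequences", as an added example that is not from the presentation or from ISO 27031: each critical activity's RTO/RPO is pushed down onto the ICT systems it depends on (a shared system inherits the strictest), then compared with what IT has actually exercised, so both gaps and unjustified spend become visible to both sides. Activity and system names, the figures and the 4x over-provisioning threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import timedelta as td

@dataclass(frozen=True)
class Activity:
    name: str
    rto: td          # maximum tolerable outage for this critical activity
    rpo: td          # maximum tolerable data loss
    systems: tuple   # ICT systems the activity depends on
@dataclass(frozen=True)
class Capability:
    system: str
    recovery_time: td  # exercised (tested) failover or rebuild time
    loss_window: td    # backup interval or replication lag

def required_per_system(activities):
    """Strictest RTO/RPO that any dependent activity imposes on each system."""
    need = {}
    for a in activities:
        for s in a.systems:
            rto, rpo = need.get(s, (a.rto, a.rpo))
            need[s] = (min(rto, a.rto), min(rpo, a.rpo))
    return need

def assess(activities, capabilities, slack=4):
    """Classify each system as 'gap', 'over-provisioned', 'aligned' or 'untested'.
    slack=4 is an assumed threshold: >4x better than needed on both axes = wasted spend."""
    caps = {c.system: c for c in capabilities}
    verdicts = {}
    for system, (rto, rpo) in required_per_system(activities).items():
        cap = caps.get(system)
        if cap is None:
            verdicts[system] = "untested"          # no exercised capability recorded
        elif cap.recovery_time > rto or cap.loss_window > rpo:
            verdicts[system] = "gap"               # wrong environment, wrong timescale
        elif cap.recovery_time * slack < rto and cap.loss_window * slack < rpo:
            verdicts[system] = "over-provisioned"  # cost not justified by any RTO/RPO
        else:
            verdicts[system] = "aligned"
    return verdicts

ACTIVITIES = [  # constructed sample: what the service users say they need
    Activity("order processing", td(hours=2), td(minutes=15), ("erp", "email")),
    Activity("monthly reporting", td(days=2), td(hours=24), ("erp", "datawarehouse")),
    Activity("customer support", td(hours=4), td(hours=1), ("email", "crm")),
]
CAPABILITIES = [  # constructed sample: what IT has actually exercised
    Capability("erp", td(hours=1), td(minutes=5)),
    Capability("email", td(hours=8), td(hours=1)),  # email inherits 2h/15min from orders
    Capability("datawarehouse", td(hours=1), td(minutes=5)),  # far beyond its 2d/24h need
]
```

Running `assess(ACTIVITIES, CAPABILITIES)` on the sample flags email as a gap (customer support alone would be satisfied, but order processing is not), the data warehouse as over-provisioned, and the CRM as untested because IT has never exercised it.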
-
ISO 27031 and BS 25999
Holistic view of ICT and how it fits within the organisation:
People
Facilities
Technology
Data
Processes
Suppliers
...and how they fit into the principles of:
Incident prevention
Incident detection
Response
Recovery
Improvement
-
Embedding ICT Readiness
Provides a framework for ensuring ICT Readiness is aligned with business requirements
Gets IT and service-users involved in validation
Provides budgetary and business rationale for investment in ICT resilience
-
Supports and complements BS 25999 and ISO 27001
Provides the guidance which supports BCM and information security goals
ICT Readiness is driven by business/organizational requirements (not the other way round)
ICT Readiness and resilience capabilities feed back into organizational goals
Ensures that information availability is tackled as effectively as confidentiality and integrity.