Business Continuity Planning Anjan
-
Upload
anjan-mohapatro -
Category
Documents
-
view
220 -
download
0
Transcript of Business Continuity Planning Anjan
-
7/30/2019 Business Continuity Planning Anjan
1/69
1
Business Continuity Planning (BCP)
Presented by Anjan Mohapatro
-
7/30/2019 Business Continuity Planning Anjan
2/69
2
Business Continuity Plan
Plann ing to ensu re the con t inu at ion o f op erat ion s in th e event o f a ca tas t ro ph ic event .
Business continuity planning goes beyond disaster recovery planning to include the actions to betaken, resources required, and procedures to befollowed to ensure the continued availability of essential services, programs, and operations in theevent of unexpected interruptions.
-
7/30/2019 Business Continuity Planning Anjan
3/69
3
Business Continuity Plan
How to preserve critical business functionsin the face of a disaster/Crisis so that it canmanage and survive the crisis and take appropriateaction to help ensure the organizations continuedViability
A plan for emergency response, backupoperations, and post-disaster recovery maintainedby an activity as a part of its security program thatwill ensure the availability of critical resources andfacilitate the continuity of operations in anemergency situation
-
7/30/2019 Business Continuity Planning Anjan
4/69
4
Business Continuity Plan
Goalto assist theorganization/business to continuefunctioning even though normaloperations are disrupted
Beforedisruption DuringDisruption After DisruptionSteps
-
7/30/2019 Business Continuity Planning Anjan
5/69
5
Why BCP is Required
Proactive rather than Reactive
It is better toplan activitiesahead of timerather
than to reactwhen the timecomes
Maintain businessoperations
Keep the moneycoming in Short and long
term loss of business
Effect oncustomers
Public image Loss of life
-
7/30/2019 Business Continuity Planning Anjan
6/69
6
Utility failuresIntrudersFire/SmokeWater
Natural disasters (earthquakes, snow/hail/ice,lightning, hurricanes)Heat/HumidityElectromagnetic emanationsHostile activityTechnology failur e
The Problem
-
7/30/2019 Business Continuity Planning Anjan
7/69
7
The Problem
50%
25%
10%
10%5%
Errors & Omissions Fire,water,electrical Dishonest employees
Disgruntled employees Outside Threats
-
7/30/2019 Business Continuity Planning Anjan
8/69
8
Utility failuresIntrudersFire/SmokeWater
Natural disasters (earthquakes, snow/hail/ice,lightning, hurricanes)Heat/HumidityElectromagnetic emanationsHostile activityTechnology failur e
The Problem
-
7/30/2019 Business Continuity Planning Anjan
9/69
9
The Controls
Information SecurityRedundancy
Backed up data Alternate equipment Alternate communications Alternate facilities
Alternate personnel Alternate procedures
-
7/30/2019 Business Continuity Planning Anjan
10/69
Key Elements
Disaster Recovery Business Recovery Contingency Planning Crisis Management
-
7/30/2019 Business Continuity Planning Anjan
11/69
Create a Business ContinuityManagement Team
Lead by Top Management
Responsible for creating andMaintaining, testing andImplementing comprehensive
BCP Top down approach Awareness at all levels
Key PlayersSenior OfficialsInternal AuditRisk ManagementLegalFinance/Budget
ProcurementSafety
-
7/30/2019 Business Continuity Planning Anjan
12/69
Corporate Policy
BCP Policy committed to undertake all reasonable andappropriate steps to protect people, property and allbusiness interests is essential.
Corporate policy should contain a definition of crisis Responsibility for systems ,resources and key business
process should be clearly identified BCP team should include top senior leaders, major
organizational functions and support groups, widespread acceptance.
Communicated throughout the organization
-
7/30/2019 Business Continuity Planning Anjan
13/69
Business Continuity Process Assess - identify and triage all threats (BIA) Evaluate - assess likelihood and impact of
each threat Prepare plan for contingent operations
Mitigate - identify actions that may eliminaterisks in advance Respond take actions necessary to minimize
the impact of risks that materialize Recover return to normal as soon as possible
-
7/30/2019 Business Continuity Planning Anjan
14/69
BIA
Any organizational impacts that could resultfrom an interruption of normal operationsshould be examined.
Identify critical process and document it-purchasing, manufacturing,supplychain
Process should be ranked as HML Assess Impact if crisis were to Happen
Human cost Financial cost Corporate Image cost
-
7/30/2019 Business Continuity Planning Anjan
15/69
BIA Review Factors
All Hazards Analysis
Likelihood of Occurrence
Impact of Outage on Operations System Interdependence
Revenue Risk
Personnel and Liability Risks
-
7/30/2019 Business Continuity Planning Anjan
16/69
LTU CISP Security 16
The Steps in a BCP - 1
Risk Assessment/Analysis Potential failure scenarios (risks) Likelihood of failure Cost of failure, quantify impact of threat
Assumed maximum downtime Annual Loss Expectancy Worst case assumptions Based on business process model? Or IT model? Identify critical functions and supporting resources
Balance impact and countermeasure cost Key -
Potential damage Likelihood
-
7/30/2019 Business Continuity Planning Anjan
17/69
LTU CISP Security 17
Definitions
Threat any event which could have an undesirable impact
Vulnerability absence or weakness of a risk-reducing safeguard, potential to allow a
threat to occur with greater frequency, greater impact, or both Exposure a measure of the magnitude of loss or impact on the value of the asset
Risk the potential for harm or loss, including the degree of confidence of
the estimate
-
7/30/2019 Business Continuity Planning Anjan
18/69
LTU CISP Security 18
Definitions
Quantitative Risk Analysis quantified estimates of impact, threat frequency, safeguard effectiveness and
cost, and probability
Powerful aid to decision making Difficult to do in time and cost
Qualitative Risk Analysis minimally quantified estimates Exposure scale ranking estimates Easier in time and money
Less compelling Risk Analysis is performed as a continuum from fully qualitative to less
than fully quantitative
-
7/30/2019 Business Continuity Planning Anjan
19/69
LTU CISP Security 19
Results
Loss impact analysis Recovery time frames
Essential business functions Information systems applications
Recommended recovery priorities & strategies Goals
Understand economic & operational impact Determine recovery time frame (business/DP/Network) Identify most appropriate strategy Cost/justify recovery planning Include BCP in normal decision making process
-
7/30/2019 Business Continuity Planning Anjan
20/69
LTU CISP Security 20
Threats
Hardware failure Utility failure Natural disasters Loss of key personnel
Human errors Neighborhood hazards Tampering Disgruntled employees Emanations Unauthorized access Safety Improper use of technology Repetition of errors Cascading of errors
Illogical processing Translation of user needs
(technical requirements) Inability to control technology Equipment failure Incorrect entry of data Concentration of data Inability to react quickly Inability to substantiate
processing Concentration of
responsibilities Erroneous/falsified data Misuse
-
7/30/2019 Business Continuity Planning Anjan
21/69
LTU CISP Security 21
Risk Analysis Steps
1 - Identify essential business functions Dollar losses or added expense Contract/legal/regulatory requirements Competitive advantage/market share
Interviews, questionnaires, workshops 2 - Establish recovery plan parameters Prioritize business functions
3 - Gather impact data/Threat analysis Probability of occurrence, source of help Document business functions Define support requirements Document effects of disruption Determine maximum acceptable outage period Create outage scenarios
-
7/30/2019 Business Continuity Planning Anjan
22/69
LTU CISP Security 22
Risk Analysis Steps
4 - Analyze and summarize Estimate potential losses
Destruction/theft of assets
Loss of data Theft of information Indirect theft of assets Delayed processing Consider periodicity
Combine potential loss & probability Magnitude of risk is the ALE (Annual Loss Expectancy) Guide to security measures and how much to spend
-
7/30/2019 Business Continuity Planning Anjan
23/69
Prioritize Risk Factors
Personal Safety RiskServices RiskOperational Risk
Revenue RiskLiability RiskGood Will (Societal) Risk
-
7/30/2019 Business Continuity Planning Anjan
24/69
What Are External Risks?
External Risks are risks presented byfactors outside the enterprise; theseinclude risk present in natural disaster,labor strife, the possible failures of
business partners, suppliers, publicutilities, transportation,telecommunications, and otherbusinesses.
-
7/30/2019 Business Continuity Planning Anjan
25/69
Loss of Lifelines
What will we do if there is not power?
No phone service?
No Water?
Government services?
How will the public react?
-
7/30/2019 Business Continuity Planning Anjan
26/69
Develop Scenarios
How bad will the big one be?
Extended Power, Water, or Telecom Outages? Supply Chain Disruptions? Civil unrest?
Develop various scenarios and pick which ones toplan for.
-
7/30/2019 Business Continuity Planning Anjan
27/69
Evaluating Alternatives
Functionality - provides an acceptable level of
service Practicality - is reasonable in terms of the time
and resources needed to acquire, test, andimplement the plan
Cost Benefit - cost is justified by the benefit to bederived from the plan
-
7/30/2019 Business Continuity Planning Anjan
28/69
-
7/30/2019 Business Continuity Planning Anjan
29/69
LTU CISP Security 29
The Steps in a BCP - 2
Strategy Development (Alternative Selection) Management support Team structure Strategy selection
Cost effective Workable
-
7/30/2019 Business Continuity Planning Anjan
30/69
Resources required for recoveryIdentify resources required for recovery and resumption.
ReSources personnel,hardware,software,specilisedequipment, facility/space and critical records
Backing up and storing critical and vital business records
in a safe and accessible location is a prerequisite.Risk assessment and BIA provide the foundation onwhich organisations BCP can rest.
-
7/30/2019 Business Continuity Planning Anjan
31/69
Crisis Management and Response team development
Establishment of appropriate administrative structure to
deal with crisis management.Clear definition of the management structure authorityfor decisions and responsibility for implementation.
Should have crisis management team to lead incidentresponse.
Team should comprises of members of critical business
process lead by senior management.Crisis mnagement team supported by response teams.
Response plans to address various aspects of potentialcrises
-
7/30/2019 Business Continuity Planning Anjan
32/69
Crisis Management and Response team development
Establishment of appropriate administrative structure to
deal with crisis management.Clear definition of the management structure authorityfor decisions and responsibility for implementation.
Should have crisis management team to lead incidentresponse.
Team should comprises of members of critical business
process lead by senior management.Crisis mnagement team supported by response teams.
Response plans to address various aspects of potentialcrises
-
7/30/2019 Business Continuity Planning Anjan
33/69
LTU CISP Security 33
The Steps in a BCP - 3
Implementation (Plan Development) Specify resources needed for recovery Make necessary advance arrangements Mitigate exposures
-
7/30/2019 Business Continuity Planning Anjan
34/69
LTU CISP Security 34
The Steps in a BCP - 3
Risk Prevention/Mitigation Security - physical and information (access) Environmental controls Redundancy - Backups/Recoverability
Journaling, Mirroring, Shadowing On-line/near-line/off-line
Insurance Emergency response plans Procedures
Training Risk management program
-
7/30/2019 Business Continuity Planning Anjan
35/69
Mitigation StrategiesCost effective mitigation strategies should be employed
to prevent or lessen the impact of potential crises.Securing equipments and tables by strapping to the wallpreventation from earthquake ,Sprinkler systems canlessen the risk of fire ,a strong records management canmitigate the loss of key datas.
Resources required for mitigation process should beidentified.
Systems and resources should be monitored continuallyas a part of mitigation startegy
-
7/30/2019 Business Continuity Planning Anjan
36/69
MTDEstablish an estimate of the maximum tolerable
downtime (MTD) for each business process.Determine how long process can be non functionalbefore impacts becomes unacceptable
Determine how soon process should berestored(Shortest allowable outage restored first)
Identify alternate procedures to a process
Evaluate costs of alternate procedures vs waiting forsystem to be restored
Determine the priorities and processes for recovery of
critical business processes .
-
7/30/2019 Business Continuity Planning Anjan
37/69
LTU CISP Security 37
The Steps in a BCP - 3
Decision Making Cost effectiveness
Total cost
Human intervention requirements Manual functions are weakest
Overrides and defaults Shutdown capability Default to no access
Design openness Least Privilege
Minimum information Visible safeguards
Entrapment Selected vulnerabilities made attractive
-
7/30/2019 Business Continuity Planning Anjan
38/69
LTU CISP Security 38
The Steps in a BCP - 3
Decision Making Universality Compartmentalization, defense in depth Isolation
Completeness Instrumentation Independence of controller and subject Acceptance Sustainability
Auditability Accountability Recovery
-
7/30/2019 Business Continuity Planning Anjan
39/69
LTU CISP Security 39
Remedial Measures
Alter environment Erect barriers Improve procedures
Early detection Contingency plans Risk assignment (insurance) Agreements
Stockpiling Risk acceptance
-
7/30/2019 Business Continuity Planning Anjan
40/69
LTU CISP Security 40
Remedial Measures
Fire Detection, suppression
Water Detection, equipment covers, positioning
Electrical UPS, generators Environmental
Backups
Good housekeeping
Backup procedures Emergency response procedures
-
7/30/2019 Business Continuity Planning Anjan
41/69
LTU CISP Security 41
The Steps in a BCP - 3
Plan Development Specify resources needed for recovery Team-based Recovery plans Mitigation steps Testing plans
Prepared by those who will carry them out
-
7/30/2019 Business Continuity Planning Anjan
42/69
Review External Dependencies
Suppliers
Subcontractors
Vendors
Your
Organization
Clients /Customers
Conduit
Organizations
Infrastructure Dependence (power, telecom, etc.)
System Up Time (computing, data,networks, etc.)
C I f i
-
7/30/2019 Business Continuity Planning Anjan
43/69
Contact InformationContact information of crisis management team and
response team should be maintained.Information should be updated regularly .
Compliance audits should be conducted to enforce BCP
Policies.Policy violations should be highlighted and correctiveactions to be taken
M it i S t d R
-
7/30/2019 Business Continuity Planning Anjan
44/69
Monitoring Systems and ResourcesResources include
Emergency equipment
Fire alarms' and suppression systems
Local resources and vendors
Alternate work sites
System backups and offsite storage.
A id d t d d t ti
-
7/30/2019 Business Continuity Planning Anjan
45/69
Avoidance ,deterrence and detectionBCP should address the specifics of potential crisis and
include overall deterrence and any precursors andwarning signs ,detection measures.
Workplace violence
Natural disasters Protests/riots
Product or manufacture failure
Hostile takeover
Terrorism
Lawsuits
A id d t d d t ti
-
7/30/2019 Business Continuity Planning Anjan
46/69
Avoidance ,deterrence and detectionEmployee should be appropriately motivated to feel
personally responsible for avoidance ,deterrence anddetection.
Facilities enhancing Avoidance
Architectural Natural or manmade barriersOperational: Security officers check posts, employeeawareness programmes, surveillance and counter
intelligenceTechnological: Intrusion Detection, access control, cctv,package and baggage screening.
P t ti l C i i R g iti
-
7/30/2019 Business Continuity Planning Anjan
47/69
Potential Crisis RecognitionIf potential crisis exists. Organization should be able to
recognize when specific dangers occur .Identification of danger signals coupled with thelikelihood of an event is indicative of an imminent crisis.
Unusual changes in sales volume Legislative changes
Corporate policy changes
Changes to competitive environment
Changes to supply based environment
Warning of natural disasters
P t ti l C i i R g iti
-
7/30/2019 Business Continuity Planning Anjan
48/69
Potential Crisis RecognitionIdentification of danger signals coupled with the
likelihood of an event is indicative of an imminent crisis. Cash flow changes
Potential for civil or political instability
Hostile labor negotiations
Strikes
Report Potential crisis
-
7/30/2019 Business Continuity Planning Anjan
49/69
Report Potential crisisCertain departments and functions are well placed to
observe warning signs of imminent crisis. Personnelassigned to these functions should be trainedappropriately.
Crisis should be communicated to all EMPLOYEES
A Potential crisis once recognized should be immediatelyreported.
Parameters for notification criteria should be established,documented and adhered to by all employees.
Report Potential crisis
-
7/30/2019 Business Continuity Planning Anjan
50/69
Report Potential crisisQualified personnel should have ready access to theupdated ,confidential listings of persons andorganizations to be contacted when certain conditions orparameters of a potential crisis are met.
Types of Notification
Notifications in a crisis situation should be timely andclear and should use variety of procedures andtechnologies.
Sometimes notification systems are also impacted by thedisaster thus redundancies built into the notification
Assessment of the situation: size of the problem
potential for escalation, possible impact of the situation.
Declare a Crisis
-
7/30/2019 Business Continuity Planning Anjan
51/69
Declare a CrisisThe point at which a situation is declared as a criisisshould be clearly defined ,documented and fit everyspecific and controlled parameters.
Activities that declaring a crisis will trigger
Evacuation,shelter and relocation
Safety protocol
Response site and alternate site activation
Team deployment
Operational Changes
Execute the Plan
-
7/30/2019 Business Continuity Planning Anjan
52/69
Execute the PlanBCP should be developed around worst case scenario, responsecan be scaled up to match the actual crisis .
Goals should protect the following interests
Save lives and reduce chances of further injuries and deaths
Protect assets
Restore critical business processes and systems
Reduce downtime
Protect reputation damage
Control media coverage
Maintain Customer relation
Communications
-
7/30/2019 Business Continuity Planning Anjan
53/69
CommunicationsEffective communications is one of the most importantingredients in crisis management.
Identify the Audience
Internal and external audience should be identified to conveycrisis and organizational response. It is often appropriate to
segment the audiences. Messages tailored specifically for a groupcan be released.
Internal Audience
Employees and their families
Business owners and Partners
Board of Directors
Communications
-
7/30/2019 Business Continuity Planning Anjan
54/69
CommunicationsExternal Audience
Present and potential Customers/clients
Contractors and vendors
Media
Govt and regulatory agencies Local law enforcement
Investors and shareholders
Surrounding Communities EMERGENCY RESPONDERS
Communications With Audience
-
7/30/2019 Business Continuity Planning Anjan
55/69
Communications With Audience Communications should be timely and honest
An audience should hear the news from the organization Should provide objective and subjective assessment
All employees should be informed at the same time
Give bad news all at once do not sugar coat it
Provide regular updates
Communications- Face to face meetings, News conference,Voice mail, Company intranet and internet sites, toll freehotline, special newsletter, local and national newspaper
Communications With Audience
-
7/30/2019 Business Continuity Planning Anjan
56/69
Communications With AudienceOfficial Spokesman : The company should designate a singleprimary spokesperson . This person should be trained in media
relationship prior to crisis. All in formations should be funneledthrough a single source to assure that the messages beingdelivered are consistent.
Resource Management :
How Human resources are managed will decide success or failureof Crisis management
Accounting for All Individuals : A system should be devised by
which all personnel can be accounted for quickly after the onset of a crisis.
Accurate contact information should be maintained and updated
Notification of Next of Kin by a senior manager in case of injury orfatality
Resource Management
-
7/30/2019 Business Continuity Planning Anjan
57/69
Resource ManagementFamily Representatives : Family representative programin case of injuries and fatality. Family representativeshould be some one other than the Person whoperformed the notification.
Link between the Organization and The Employees
family .Financial Support During the crisis there may befinancial implications for the organization and the
families of the employees. Implications may includefinancial support to victims family
Pay roll : Should be functional throughout the crisis.
Logistics
-
7/30/2019 Business Continuity Planning Anjan
58/69
LogisticsLogistical decisions made in advance will impact the success orfailure of a good BCP
Crisis Management Centre Should be identified in advance. Thisis the initial site used by the crisis management team andresponse team for directing and overseeing crisis managementactivities.
It should have uninterruptible power supply, computercommunication, heating and ventilating conditions system andother support systems. Emergency supplies should be identifiedand kept in the centre.
Access control system should be implemented with the membersof team given 24x7 access.
A secondary Crisis management centre should be identified in the
event that the primary centre is impacted due to the crisis
Logistics
-
7/30/2019 Business Continuity Planning Anjan
59/69
LogisticsAlternate Worksite Organization should have alternate worksiteidentified for business recovery and resumption.
Offsite storage Allows rapid crisis response and businessrecovery. Critical documents and information are stored. Sufficientdistance form the primary facility
Financial and Insurance issue : Existing funding and Insurancepolicies should be examined ,additional funding and insurancecoverage should be identified and obtained
Amount of fund required for continuity of operations should beidentified
Some cash and credit should be available for weekend and afteroffice hours .
Insurance providers should be contacted as soon as possible.
Logistics
-
7/30/2019 Business Continuity Planning Anjan
60/69
LogisticsTransportation at the time of Crisis may be a challenge
Evacuation of personnel Transportation to an alternate site
Supplies to an alternate site
Transportation of critical data to alternate site
Transportation of staff with special needs .
Suppliers/Service Providers Critical vendor or serviceprovider agreements should be established and contactinformation maintained. Evaluate their ability to providenecessary supplies and services in the case of far
reaching crisis.
Mutual Aid Agreements
-
7/30/2019 Business Continuity Planning Anjan
61/69
Mutual Aid Agreements Identify resources that may be borrowed from other
organizations during a crisis as well as mutual supportthat may be shared with other organization.
Damage and Impact assessment : Once the CrisisManagement team is activated damage should be
assessed . All incidents should be recorded anddocumented including the response actions.
Crisis Involving Physical Damage Crisis Management
team should be mobilized at site .Entry approval by Public safety authority. Make a
preliminary assessment of the extent of damage and thelikely length of time that the facility will be unusable .
Recovery
-
7/30/2019 Business Continuity Planning Anjan
62/69
Recovery Once the extent of damage is known process recovery
should be prioritized and a schedule for resumptionsdetermined and documented.
Resumptiions of critical process
Resumptions of other processes
Return to Normal operations - Return to pre crisisnormal /New normal
Organization springs back to productive work Crisis may be officially declared over
Recovery
-
7/30/2019 Business Continuity Planning Anjan
63/69
Recovery Once the extent of damage is known process recovery
should be prioritized and a schedule for resumptionsdetermined and documented.
Resumptiions of critical process
Resumptions of other processes
Return to Normal operations - Return to pre crisisnormal /New normal
Organization springs back to productive work Crisis may be officially declared over
Implementing plan
-
7/30/2019 Business Continuity Planning Anjan
64/69
Implementing plan BCP is a living document ,evolutionary that grows and
changes with the organization and remains relevant andactionable.
Educate and train only as valuable as others have theknowledge of it. Time commitment from all stakeholders
Crisis management team and response teams are to betrained at least annually , new members when they joinResponsibilities and accountabilities authority should be
clearly defined. Educate and train all personnel.
-
7/30/2019 Business Continuity Planning Anjan
65/69
LTU CISP Security 65
Test the BCP
Plan Testing Proves feasibility of recovery process Verifies compatibility of backup facilities
Ensures adequacy of team procedures Identifies deficiencies in procedures
Trains team members
Provides mechanism for maintaining/updating theplan
Upper management comfort
-
7/30/2019 Business Continuity Planning Anjan
66/69
LTU CISP Security 66
The Steps in a BCP - Finally
Plan Testing Checklist Structured Walkthroughs
Life exercises/Simulations Periodic off-site recovery tests/Parallel Full interruption drills
-
7/30/2019 Business Continuity Planning Anjan
67/69
LTU CISP Security 67
Test MonitoringTest Monitoring Assign observers to take notesduring the test. Video tape/Audio recording can bedone .Assign to document events chronologically
Testing scenarios should be designed using the
events identified in the risk assessmentParticipants should understand their individual rolesand should be allowed to interact freely
After completion of exercise/test it should becritically evaluated, effectiveness of the test, desiredlevel of goals attended.
Develop BCP Review Schedule
-
7/30/2019 Business Continuity Planning Anjan
68/69
Develop BCP Review Schedule BCP should be reviewed and evaluated according to the
predetermined schedule.
Reviewed every time a risk assessment is carried out.
Major trends in the sector or industry or any initiativetaken should initiate a review.
New regulatory requirement
Test and exercise results.
Recovery
-
7/30/2019 Business Continuity Planning Anjan
69/69
Recovery Once the extent of damage is known process recovery
should be prioritized and a schedule for resumptionsdetermined and documented.
Resumptiions of critical process
Resumptions of other processes
Return to Normal operations - Return to pre crisisnormal /New normal
Organization springs back to productive work Crisis may be officially declared over