ILLINOIS INSTITUTE OF TECHNOLOGY
Information Technology & Management
Information Systems Management
Security
A New Model for Business Contingency Operations
Ray Trygstad, Director of Information Technology, Center for Professional Development; Associate Director, Information Technology and Management Degree Programs
ILLINOIS INSTITUTE OF TECHNOLOGY
©2008 Ray Trygstad
2
ILLINOIS INSTITUTE OF TECHNOLOGY Center for Professional Development Security
Introduction
New model for business contingency response team structure
- Background
- Terms
- Team structures in common use
- The Contingency Response Team structure
  - Contingency Response Officer
  - Team structure
©2008 Ray Trygstad
3
What is a “contingency”?
- An event that has a potential or proven ability to disrupt normal operations of the organization
- The organization could be a business, a government agency, a university, or a non-profit that carries out what can broadly be termed “business activities” of some kind
- Response to business contingencies often falls on IT
  - Particularly the IT security function, since incidents are often specifically IT-security related
4
Contingencies are a Business Issue!
- BUT, and this is a really big but: business contingency response is first and foremost a MANAGEMENT responsibility
- It addresses the ability of the organization to continue to operate in situations which put the organization's operations in serious jeopardy
- Although the largest area of complexity in continuity of operations is in the IT area, management cannot “dump” responsibility for continued operations solely on IT
5
When do We Need Contingency Response?
- Natural events: hurricane, tornado, flood, earthquake, fire
- Human-initiated events: operator error, sabotage, malicious code and other computer-based attacks, accidents, military actions, terrorist attacks
- Operating environment events: equipment failure, software errors, telecommunications/network outage, electric power failure
6
Event Sequence to Contingency
(Diagram from NIST Special Publication 800-34: Risk Management before the event consists of Security Control Implementation and Contingency Planning; the Emergency Event occurs; Risk Management after the event is Contingency Plan Execution.)
7
Terminology
- Many terms in use; inconsistent and imprecise
- BS 25999 and HB292-2006 (Australia) use “Business Continuity Management” (BCM)
- NIST SP 800-34 uses both “Business Continuity” and “Continuity of Operations”
- NFPA 1600 uses “Disaster/Emergency Management and Business Continuity” but refers to an instance as an “incident”
8
Terminology
- HB291-2004 (Australia) provides a good definition: “Business Continuity Management provides the availability of processes and resources in order to ensure the continued achievement of critical objectives”
- I am going to use the term “Business Contingency Operations” because:
  - Although “BCM” is a de facto standard, there is really no “standard”
  - It’s the most descriptive term for the area I am addressing
9
Contingency Response Teams
- Although it is prescribed only in a rudimentary fashion in most standards documents, contingency response in most organizations is done through the use of teams
- BS 25999-1:2006 discusses the Incident Management Team or Crisis Management Team
- HB292-2006 & NFPA 1600 do not discuss teams at all
10
Contingency Response Teams
NIST 800-34 goes a little “team happy”:
- Management Team
- Damage Assessment Team
- Operating System Administration Team
- Systems Software Team
- Server Recovery Team (e.g., client server, Web server)
- LAN/WAN Recovery Team
- Database Recovery Team
- Network Operations Recovery Team
- Application Recovery Team(s)
- Telecommunications Team
- Hardware Salvage Team
- Alternate Site Recovery Coordination Team
- Original Site Restoration/Salvage Coordination Team
- Test Team
- Administrative Support Team
- Transportation and Relocation Team
- Media Relations Team
- Legal Affairs Team
- Physical/Personnel Security Team
- Procurement Team (equipment and supplies)
11
Contingency Response Teams
WHEW! A bit much, eh?
12
BS 25999/BCI Approach
- GOLD: Strategic; Senior (Incident) Management
- SILVER: Tactical; Business Continuity Team
- BRONZE: Operational; Incident Response & Business Unit Resumption Teams
(Diagram: escalation runs up the tiers, control runs down.)
Source: The Business Continuity Institute, Business Continuity Management Good Practice Guidelines 2008
13
Contingency Response Teams
- Regardless of how you approach it, experience has shown the team approach is the best method
- Most literature discusses 3 or 4 primary teams:
  - Incident Response Team
  - Disaster Recovery Team
  - Business Continuity Team
  - and sometimes a Crisis Management Team
14
Response Team Employment
- Common wisdom prescribes employment of the teams in sequential order on a handover basis
- First the Incident Response Team ... responds
- If the incident cannot be brought under control or escalates, it becomes a disaster: the Disaster Recovery Team takes over
15
Response Team Employment
- If operations cannot be continued at the organization’s primary site, the Business Continuity Team facilitates operations at an alternative site
- Crisis Management Team invoked as necessary
  - Normally deals with issues surrounding loss of life or serious injuries as well as media relations
  - They just sort of “drift in and out” of the picture
16
My Experience
- Aviation Safety Officer curriculum at the Naval Postgraduate School, created by USC’s Institute for Safety and Systems Management
- M.S. in Systems Management; curriculum also created by USC Institute for Safety and Systems Management
- I learned that contingency response is contingency response is contingency response
17
My Experience
- From a process perspective, responding to an aircraft crash is no different than responding to a mainframe crash
- The military has developed a finely-tuned response to incidents, & provides lessons we can all learn from
- Drawn heavily upon this background & experience in creating this concept
18
Contingency Response Team
- One of the issues that I view as a serious weakness in contemporary models for contingency response teams is who manages the overall response
- The 3-team model presupposes handovers between teams but presents serious continuity problems
- My model adds an additional “team”: the Contingency Response Team
  - Could also call it the Contingency Management Team
19
Contingency Response Team
- The Contingency Response Team folds in all responsibilities normally exercised by the Crisis Management Team but extends this to provide:
  1. Initial response, including activation of the appropriate plan: Incident Response, Disaster Recovery, Business Continuity
  2. Ongoing administrative and facilities support of other teams as they execute their function
  3. Wrap-up functions as contingency operations draw to a close and normal operations resume
- Exactly what the name implies: the core on which all contingency response rests
20
Contingency Response Team
©2008 Ray Trygstad
21
Contingency Response Officer
- Key position on this team
- Not the Contingency Response Team Leader but the person “on call”
- “Contingency Response Officer” (CRO) or “Contingency Response Manager”
- On duty for a 24-hour period
- Key point of contact for ANY contingency in the organization
- Organization members need to have drilled into them: if something out of the ordinary happens, CALL OR PAGE THE CRO
22
Contingency Response Officer
- CRO must be sufficiently senior to make “snap” decisions affecting the health and future of the organization
- Must have the trust of C-level management
- Does not have to be an IT person but must have sufficient knowledge of IT to initiate response to an IT or IT security incident
- Small organization: at least 3; large organization: as many as 10
- During the on-call period the CRO must be immediately available by cell phone or page
- Should be near enough to the primary physical facility to be there quickly
23
Contingency Response Staffing
- Supporting the CRO: 2 on-call administrative personnel
  - Execute a calling tree
  - Keep a running record of events
  - Perform any duties as directed by the CRO
- Not decision makers, but need to be on a 24-hour duty cycle
- Must be immediately available by cell phone or page
- Near enough to the primary physical facility to be there very quickly
24
Contingency Response Staffing
- The armed services respond very quickly to incidents because they have had a “duty section” structure in place since...well...forever
- This implements the same concept at a civilian level
25
Contingency Response Notification
- Immediate response personnel (CRO and admin support) have cell phones/pagers supplied by the organization
- Handed off at relief each day
- ONLY one number to call/page the CRO
  - Detached from who is actually on duty
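The staffing and notification slides describe a mechanism rather than a tool: a rotating 24-hour duty section, one organization-owned pager number that is detached from whoever holds it, two on-call admins who execute a calling tree and keep a running record. As an added illustration (not the author's code and not part of the deck), the following Python models that mechanism so the rotation and the calling-tree behaviour can be checked. Everything beyond the deck is an assumption: relief at 08:00, a simple round-robin rotation, the calling tree as a nested dict, and all names and the pager number are constructed placeholders.

```python
"""Duty roster and calling-tree model for the Contingency Response Team
staffing described above. Added illustration, not the author's code.
Assumptions not stated in the deck: relief/handover at 08:00, simple
round-robin rotation, and a calling tree expressed as a nested dict.
All names and numbers are constructed placeholders."""
from collections import deque
from datetime import datetime, timedelta

DUTY_START_HOUR = 8          # assumption: the duty section is relieved at 08:00 daily
CRO_PAGER = "+1-555-0100"    # constructed placeholder: the ONE number everyone pages


def duty_period(when: datetime, epoch: datetime) -> int:
    """Index of the 24-hour duty period containing `when`, counted from `epoch`.
    A period runs 08:00 to 08:00, so a 03:00 page belongs to the duty section
    that came on the previous morning."""
    shift = timedelta(hours=DUTY_START_HOUR)
    return ((when - shift).date() - (epoch - shift).date()).days


def on_duty(when: datetime, cros: list, admins: list, epoch: datetime) -> dict:
    """Resolve who currently holds the CRO pager and which two admins support
    them. The pager number is constant; only the holder changes at relief."""
    if len(cros) < 3:
        raise ValueError("the model calls for at least 3 CROs in the rotation")
    if len(admins) < 2:
        raise ValueError("two on-call administrative personnel are required")
    d = duty_period(when, epoch)
    return {
        "pager": CRO_PAGER,
        "cro": cros[d % len(cros)],
        # two admins per period; advancing by two keeps the pairs rotating evenly
        "admins": (admins[(2 * d) % len(admins)], admins[(2 * d + 1) % len(admins)]),
    }


class EventRecord:
    """Running record of events kept by the on-call admin, with a simulated clock."""

    def __init__(self, start: datetime):
        self.clock = start
        self.entries = []

    def log(self, text: str, minutes: int = 2) -> None:
        self.entries.append((self.clock.strftime("%Y-%m-%d %H:%M"), text))
        self.clock += timedelta(minutes=minutes)


def execute_calling_tree(tree, alternates, reachable, record, root="admin"):
    """Breadth-first notification. A contact who answers then calls their own
    branch; one who does not is replaced by the named alternate, who takes over
    that branch. Returns the set of people actually reached."""
    reached = set()
    queue = deque([(root, tree.get(root, []))])
    while queue:
        caller, callees = queue.popleft()
        for person in callees:
            if person in reachable:
                record.log(f"{caller} reached {person}")
                reached.add(person)
                queue.append((person, tree.get(person, [])))
                continue
            record.log(f"{caller}: no answer from {person}")
            alt = alternates.get(person)
            if alt and alt in reachable:
                record.log(f"{caller} reached alternate {alt} for {person}")
                reached.add(alt)
                queue.append((alt, tree.get(person, [])))  # alternate inherits the branch
            else:
                record.log(f"branch under {person} not activated; report to CRO")
    return reached


# Constructed roster and calling tree (illustrative names only)
CROS = ["Alice", "Bob", "Carol"]
ADMINS = ["Pat", "Quinn", "Robin", "Sam"]
EPOCH = datetime(2008, 1, 1, 8, 0)
CALLING_TREE = {
    "admin": ["Team Leader", "PR Lead", "Legal Lead", "Facilities Manager"],
    "Team Leader": ["CIO", "CFO"],
    "PR Lead": ["Media Desk"],
}
ALTERNATES = {"Team Leader": "Deputy Team Leader", "PR Lead": "PR Deputy"}


def rotation_preview(days: int) -> list:
    """CRO and admin pair for each of the first `days` duty periods, sampled at 09:00."""
    out = []
    for i in range(days):
        r = on_duty(EPOCH + timedelta(days=i, hours=1), CROS, ADMINS, EPOCH)
        out.append((r["cro"], r["admins"]))
    return out


def demo():
    """Resolve the duty section for a 03:00 page, then run the calling tree with
    PR Lead and CFO not answering."""
    when = datetime(2008, 1, 2, 3, 0)
    roster = on_duty(when, CROS, ADMINS, EPOCH)
    record = EventRecord(when)
    record.log(f"page to {roster['pager']} answered by CRO {roster['cro']}")
    answered = {"Team Leader", "CIO", "Legal Lead", "Facilities Manager",
                "PR Deputy", "Media Desk"}
    reached = execute_calling_tree(CALLING_TREE, ALTERNATES, answered, record)
    return roster, reached, record.entries


if __name__ == "__main__":
    roster, reached, entries = demo()
    print(roster)
    for stamp, text in entries:
        print(stamp, text)
    print("reached:", sorted(reached))
```

The point of `on_duty` is the deck's "detached from who is actually on duty" property: callers only ever learn `CRO_PAGER`, and the roster resolves the holder. The calling tree keeps an alternate per key contact so that one unanswered phone does not silently drop a whole branch, and every attempt lands in the running record the admin is expected to keep.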
26
Contingency Response Team
- Composition of the remainder of the team is much like you would find on a Crisis Management Team
  - PR to handle media relations
  - Legal to handle legal & compliance
  - Management-level facilities member to expedite facilities issues
- Team core ought to consist of executive assistants and senior administrators
  - Not necessarily managers, but the people who actually get things done
  - You all know who these people are…
27
Contingency Response Team
- Contingency Response Team Leader should be as senior a person in the organization as you can convince management the position ought to be!
- NOT a micromanager!
- Should relieve the CRO as soon as the situation is relatively under control and the Team Leader has been fully briefed
28
Expansion of Concept/Model
- I am working to expand this concept in two directions
  - An academic paper documenting the literature and clearly delineating the concept and design (I am an academic and I do have to get published)
  - A whitepaper with a practical guide for implementation
29
Contact