Proposal for Business Continuity Plan and Management Review

Transcript of a 36-slide presentation by Newton IT Ltd., dated 6 August 2008
Source: unitechno.it/wp-content/uploads/2012/07/business... · 2016. 3. 17.

Page 1: Proposal for Business Continuity Plan and Management Review

6 August 2008

Proposal for Business Continuity Plan and Management Review

Page 2

Contents

About Newton IT / Quality of our services
1. BCM & BS25999 Overview
2. BCM Development in line with BS25999
3. BCM Development – Case Study
Appendix

Page 3

All Rights Reserved @ Newton IT Ltd.

About Newton IT

Newton IT Limited (Newton) is pleased to have the opportunity to submit this proposal for “Business Continuity Plan and Management Review”.

Since our foundation in 1998, Newton IT Limited has continually developed its business and increased its Products & Service offerings. With our combined Anglo-Japanese management philosophy, Newton IT has been able to raise its profile of skill sets to meet the demands set by today's dynamically changing IT industry and to provide solutions at every level of our customers' requirements and needs.

Page 4

Quality of Our Services

• Member of The Business Continuity Institute
• ISO17799 Associate Consultant of BSI
• BS25999 / ISO9001 / ISO27001 Registered Company (*1)
• BCI Qualified Business Continuity Specialists (MBCI, ABCI)
• Other specialist skills (e.g. CISA, CEH, CISSP, MCSE, CCNA, CCNP)
• Provision of solutions in accordance with international standards (e.g. ISO27001, BS25999, COBIT, ITIL, ISO9001, ISO20000)
• Proven ability to manage projects on time and within budget
• Corporate lawyer partnership with a legal authority specialised in information systems

(*1) The scope includes the provision of design, implementation and support of IT infrastructure, and consultancy on ISO27001 and security policies

Page 5

1. BCM & BS25999 Overview

Page 6

BCM Overview (Terminologies): Terminologies around BCM

[Diagram of the terms around BCM: BCM as the umbrella; BCP (Business Continuity); DRP (DR, Recovery); IMP (Incident Management, Incident Response); BIA (Business Impact Analysis) and Risk Assessment as inputs; MTPD, RPO and RTO as the resulting targets; the sequence Incident → Response → Recovery.]

Page 7

BCM Overview (Timeline)

[Figure: Incident Timeline. Horizontal axis: TIME; vertical axis: Operation Rate, with 100% marked as Business As Usual and further levels marked at 60%, 20% and 10%. Phases: Incident Management from the incident to 8 hours (RTO: 8 hours); Business Continuity to 48 hours; Business Recovery to 3 months, Back to Normal. The slide labels the minimum operation level to be held during continuity as "RPO: 20% of Normal Operation". Around the timeline sits the review loop BCPs → Exercise → Assess → Internal Audit → Improvement.]

Note: RTO: Recovery time objective / RPO: Recovery point objective. Strictly, the RPO is the point in time to which data must be restored after an incident (the tolerable data loss), not an operation level; the 20% figure on the slide is better read as the minimum acceptable level of operation during the continuity phase.

Page 8

Terms and Definition (1/2)

【BCM】
Holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities

【Business Continuity Strategy】
Approach by an organization that will ensure its recovery and continuity in the face of a disaster or other major incident or business interruption

【BCP】
Documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical activities at an acceptable predefined level

【IMP】
Incident management plan. Clearly defined and documented plan of action for use at the time of an incident, typically covering the key personnel, resources, services and actions needed to implement the incident management process

Page 9

Terms and Definition (2/2)

【Invocation】
Act of declaring that an organization’s business continuity plan needs to be put into effect in order to continue delivery of key products or services

【BIA】
Business impact analysis. Process of analysing business functions and the effect that a business disruption might have upon them

【RTO】
Recovery time objective. Target time set for resumption of product, service or activity delivery after an incident. The recovery time objective has to be less than the maximum tolerable period of disruption

【MTPD】
Maximum tolerable period of disruption. Duration after which an organization’s viability will be irrevocably threatened if product and service delivery cannot be resumed

Page 10

BS25999 Structure (1/2)

BS25999 Part 1 「Code of Practice」
1. Scope and applicability
2. Terms and definitions
3. Overview of business continuity management (BCM)
4. The business continuity management policy
5. BCM programme management
6. Understanding the organization
7. Determining business continuity strategy
8. Developing and implementing a BCM response
9. Exercising, maintaining and reviewing BCM arrangements
10. Embedding BCM in the organization’s culture

Page 11

BS25999 Structure (2/2)

BS25999 Part 2 「Specification」
1. Scope
2. Terms and definitions
3. Planning the business continuity management system
   3.1 General
   3.2 Establishing and managing the BCMS
   3.3 Embedding BCM in the organization’s culture
   3.4 BCMS documentation and records
4. Implementing and operating the BCMS
   4.1 Understanding the organization
   4.2 Determining business continuity strategy
   4.3 Developing and implementing a BCM response
   4.4 Exercising, maintaining and reviewing BCM arrangements
5. Monitoring and reviewing the BCMS
   5.1 Internal audit
   5.2 Management review of the BCMS
6. Maintaining and improving the BCMS
   6.1 Preventive and corrective actions
   6.2 Continual improvement

Page 12

BCM Lifecycle

The BCM Lifecycle (Ref: BS25999-1 2006)

Understanding the business
• Business Impact Analysis
• Risk Assessment

BCM Strategies
• Organizational BCM strategy
• Process level BCM strategy
• Resource recovery BCM strategy

Developing / Implementing BCM plans
• Business Continuity Plans
• Resource recovery and solutions plan
• Disaster Recovery Plans

BCM exercising, maintenance and audit

Embedding a BCM culture
• Awareness, training and culture

Page 13

2. BCM Development in line with BS25999

Page 14

Target of the development

The target to develop: the 「BCM Lifecycle」 itself

[Figure: The BCM Lifecycle (Ref: BS25999-1 2006), as on Page 12]

Page 15

Process to implement and operate the BCMS

I. Understand the organization
  1. Business impact analysis (BIA)
     ・ Identify key stakeholders and their needs and expectations
     ・ Identify activities supporting key services/products
     ・ Identify impacts resulting from disruption to those activities and determine how these vary over time
     ・ Define MTPD and RTO, and identify critical activities
  2. Risk Assessment (RA)
     ・ Assess risks of critical activities and supporting resources
  3. Determining choices
     ・ Choose and implement risk treatments for each critical activity

II. Determining business continuity strategy
  1. Decide the BC strategy based on the results of BIA & RA: how to recover each critical activity within its RTO, taking into account the resources, suppliers and outsource partners required for resumption and recovery

III. Developing and implementing a BCM response
  1. Incident response structure
  2. Document business continuity plans and incident management plans

IV. Exercising, maintaining, and reviewing BCM arrangements
  1. BCM exercise
  2. Assess the BCM arrangements and identify improvements to be made

Page 16

Document the BCM (1/2)

[Figure: Incident Timeline, as on Page 7]

Page 17

Document the BCM (2/2)

[Figure: Incident Timeline, as on Page 7, annotated with the documents produced at each stage]

POLICY & PLANS
• Business Continuity Policy and BCPs
• Incident Management Plans
• Business Continuity & Recovery Plan
• System Recovery Plan
• Internal Audit Plan
• Improvement Plan

PROCEDURES
• Incident Management Procedures
• Business Continuity・Recovery Procedures
• System Recovery Procedures

Records produced by exercising and review: Training Material, Training Result, Test Case, Lesson learnt report, Internal Audit Result

Page 18

3. BCM Development – Case Study

Page 19

Case Overview

Company A
Industry: IT Solutions Provider
Key Services: IT system design, implementation, maintenance and support; Consulting; Software Development
Number of Staff: 60
Turnover: £10 Million (2006)
Office: London, UK
Number of Customers: 250 companies
Number of Suppliers: 30 companies
Internal IT Infrastructure: Servers: 10; Client PCs: 120

Page 20

Understand the organization (Overview 1/2)

[Process diagram as on Page 15, with step I. Understand the organization highlighted]

Page 21

Understand the organization (Overview 2/2)

In a business continuity context, an understanding of the organization comes from:

BS25999-1:2006, 6. Understanding the organization
• Identify the organization’s objectives, stakeholder obligations and statutory duties (BIA)
• Identify activities and resources supporting the service deliveries (BIA)
• Assess the impact and consequences over time of disruptions of those activities and resources (BIA)
• Identify and evaluate the perceived threats that could disrupt the organization’s key services, and the critical activities and resources that support them (Risk Assessment)

Page 22

Understand the organization : BIA (Stakeholder Analysis)

BIA
• Identify the organization’s objectives, stakeholder obligations and statutory duties
• Identify activities and resources supporting the service deliveries
• Assess the impact and consequences over time of disruptions of those activities and resources

Stakeholder analysis worksheet (columns: Key Stakeholders | Expectations / Needs | Relevant Services), one row per stakeholder group, e.g. Customers, Regulatory Bodies, etc.

Page 23

Understand the organization : BIA (Critical Activities)

BIA
• Identify the organization’s objectives, stakeholder obligations and statutory duties
• Identify activities and resources supporting the service deliveries
• Assess the impact and consequences over time of disruptions of those activities and resources

Critical activities worksheet, one row per activity (columns): ACTIVITIES | IMPACTS RESULTING FROM DISRUPTIONS | LIKELY IMPACT OF DISRUPTION (Likely disruption; Impact; Details of impact: range of impact / how it varies over time) | LEVEL 1 | LEVEL 2 | MTPD

Page 24

Understand the organization : Risk Assessment (1/2)

In a BCM context, the level of risk should be understood specifically in respect of the organization’s critical activities and the risk of a disruption to these;
BS25999-2:2007 4.1.2 Risk Assessment

Critical activities are underpinned by resources such as people, premises, technology, information, supplies and stakeholders
・ Identify the threats to these resources
・ Identify the vulnerabilities of each resource
・ Determine the impact that would arise if a threat became an incident and caused a business disruption
・ Define and document the risk assessment method (criteria for risk treatment, identification of acceptable levels of risk, etc.)

Page 25

Understand the organization : Risk Assessment (2/2)

Reference documents;
• Risk Assessment Results

Scale: Probability of occurrence (A) and Impact (B) are each scored High 3 / Medium 2 / Low 1; Value of Risk (C) = (A) × (B).

Supporting resource | Threats | Vulnerabilities | (A) | (B) | (C) | Choices (BC Strategy)

PEOPLE
Help desk | Unavailability of key personnel / inexperienced staff | Lack of training, insufficient management of staff | 1 | 3 | 3 | Develop BCPs for Help Desk
Engineers | Unavailability of key personnel / inexperienced staff | Lack of training, insufficient management of staff | 1 | 3 | 3 | Develop BCPs for Engineers

SUPPLIES
The company letterhead | Lack of the letterhead | Insufficient logistics management | 1 | 1 | 1 | Accept the risk

PREMISES
The office | No access to the office | Lack of physical security, office location | 1 | 3 | 3 | Back-up office / Develop BCPs
The office area | No access to the office area | Office location | 1 | 3 | 3 | Back-up office / Develop BCPs

INFORMATION
Customer information | No access to the information | No duplicated information | 2 | 3 | 6 | Data replication at DR site / Develop BCPs and system recovery procedures
Engineers’ skill set | No access to the information | No duplicated information | 2 | 3 | 6 | Data replication at DR site / Develop BCPs and system recovery procedures
Engineers’ schedule | No access to the information | No duplicated information | 2 | 3 | 6 | Data replication at DR site / Develop BCPs and system recovery procedures

IT SYSTEMS
Email | Loss of IT system | No duplicated IT system, insufficient IT system maintenance | 1 | 3 | 3 | System recovery procedures
File server | Loss of IT system | No duplicated IT system, insufficient IT system maintenance | 1 | 3 | 3 | System recovery procedures
SAP server | Loss of IT system | No duplicated IT system, insufficient IT system maintenance | 1 | 3 | 3 | System recovery procedures
SAGE | Loss of IT system | No duplicated IT system, insufficient IT system maintenance | 1 | 3 | 3 | System recovery procedures
TTS system | Loss of IT system | No duplicated IT system, insufficient IT system maintenance | 1 | 3 | 3 | System recovery procedures

OTHERS
Mobile phone | Unavailability of mobile phone | No duplicated lines | 1 | 2 | 2 | Accept the risk
Utilities | Loss of utilities | Insufficient contracts, lack of maintenance | 2 | 3 | 6 | Review contracts / Back-up office
Post office | Unavailability of post office | Strike, natural disaster | 2 | 1 | 2 | Accept the risk
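The scoring rule behind this register ((C) = (A) × (B) with an accept/treat decision per row) and the rule from the definitions on Page 9 that an activity's RTO must be less than its MTPD are both worth scripting, so that each revision of the register and the BIA is checked the same way. The following Python is an added example written for this page; it is not code from the proposal or from Newton IT. The register rows are a constructed subset of the table above with the same scores; the acceptance threshold of 2 is an assumption chosen because it reproduces the slide's accept/treat decisions; and the ACTIVITIES timings are assumed values apart from the 8-hour RTO taken from the timeline on Page 7.

```python
"""Score a BS25999-style risk register and sanity-check BIA timings.

Added example, not from the Newton IT proposal. The register rows are
constructed from the slide's risk assessment results; the acceptance
threshold and the BIA timings are assumptions, labelled below.
"""
from dataclasses import dataclass

# (A) and (B) use the slide's scale: High 3 / Medium 2 / Low 1
LEVEL = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class RiskEntry:
    category: str       # PEOPLE, SUPPLIES, PREMISES, INFORMATION, IT SYSTEMS, OTHERS
    resource: str       # supporting resource of a critical activity
    threat: str
    vulnerability: str
    probability: str    # "Low" / "Medium" / "High"  -> (A)
    impact: str         # "Low" / "Medium" / "High"  -> (B)

    @property
    def value(self) -> int:
        """Value of risk (C) = (A) * (B), as on the slide."""
        return LEVEL[self.probability] * LEVEL[self.impact]


# Constructed subset of the slide's register (same scores as the slide).
REGISTER = [
    RiskEntry("PEOPLE", "Help desk", "Unavailability of key personnel",
              "Lack of training, insufficient management of staff", "Low", "High"),
    RiskEntry("SUPPLIES", "Company letterhead", "Lack of the letterhead",
              "Insufficient logistics management", "Low", "Low"),
    RiskEntry("INFORMATION", "Customer information", "No access to the information",
              "No duplicated information", "Medium", "High"),
    RiskEntry("IT SYSTEMS", "Email", "Loss of IT system",
              "No duplicated IT system, insufficient maintenance", "Low", "High"),
    RiskEntry("OTHERS", "Mobile phone", "Unavailability of mobile phone",
              "No duplicated lines", "Low", "Medium"),
    RiskEntry("OTHERS", "Utilities", "Loss of utilities",
              "Insufficient contracts, lack of maintenance", "Medium", "High"),
    RiskEntry("OTHERS", "Post office", "Unavailability of post office",
              "Strike, natural disaster", "Medium", "Low"),
]

# Assumed acceptance criterion. The slide does not state one, but every row
# scoring 1 or 2 is "Accept the risk" and every row scoring 3 or 6 gets a
# treatment, so a threshold of 2 reproduces its decisions.
ACCEPTABLE_RISK = 2


def rank_register(register):
    """Entries ordered highest risk first; ties broken by category and resource."""
    return sorted(register, key=lambda e: (-e.value, e.category, e.resource))


def decide_treatment(entry):
    """Apply the documented criterion: accept at or below the threshold, else treat."""
    if entry.value <= ACCEPTABLE_RISK:
        return "Accept the risk"
    return "Treat: BC strategy required"


def treatment_plan(register):
    """Map each resource to its decision so the whole register can be reviewed."""
    return {e.resource: decide_treatment(e) for e in register}


def rto_exceeds_mtpd(activities):
    """Return the activities whose RTO is not less than their MTPD.

    BS25999 requires RTO < MTPD; an activity listed here has a BIA that the
    chosen strategy cannot satisfy and must be revisited.
    """
    return [name for name, (mtpd_h, rto_h) in activities.items() if rto_h >= mtpd_h]


# Assumed BIA timings in hours as (MTPD, RTO). Only the 8-hour RTO comes from
# the slide's timeline; the MTPD values and the third activity are invented.
ACTIVITIES = {
    "Help desk": (48, 8),
    "Engineering support": (72, 8),
    "Invoicing": (24, 48),   # deliberately inconsistent: RTO longer than MTPD
}


if __name__ == "__main__":
    for e in rank_register(REGISTER):
        print(f"{e.value}  {e.category:<12} {e.resource:<22} {decide_treatment(e)}")
    print("BIA inconsistencies:", rto_exceeds_mtpd(ACTIVITIES))
```

Keeping the threshold as a single named constant mirrors the slide's requirement on Page 24 to define and document the acceptable level of risk; changing it changes every decision in one place, and the RTO/MTPD check catches the case where a strategy with "Low" effectiveness against MTPD (Option 1 on Page 28) is chosen for an activity it cannot recover in time.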

Page 26

Determining business continuity strategy (1/3)

[Process diagram as on Page 15, with step II. Determining business continuity strategy highlighted]

Page 27

Determining business continuity strategy (2/3)

Strategy options
BS25999-1:2006 7.2 Strategy options

The organization should consider strategic options for its critical activities and the resources that each activity will require on its resumption.

Strategies may be required for the following organizational resources;
・People
・Premises
・IT Systems
・Information
・Supplies
・Stakeholders

[Diagram: Decide BC Strategy → IT System Strategy / Supply management Strategy / Premises Strategy]

Page 28

Determining business continuity strategy (3/3)

Reference documents;
• Business Continuity Strategic Options

 | Option 1: Restore data from back-up tape | Option 2: Data replication at DR site | Option 3: System and data replication at DR site

Required Resources
People | The existing staff | Train the existing staff | Train the existing staff
Premises | Back-up office | DR site / Back-up office | DR site / Back-up office
IT | The existing back-up tape | Server for data duplication | Servers for system and data replication
Supplies | Data restore manuals | Transportation to/from DR site, data recovery manual | Transportation to/from DR site, system and data recovery manual
Others | Purchasing a new server to restore data from back-up tape | Contract with DR site | Contract with DR site

Adequacy
Feasibility | High | High | High
Effectiveness (MTPD) | Low | High | High
Cost | Low | Medium | High

Page 29

Developing and implementing a BCM response (1/2)

[Process diagram as on Page 15, with step III. Developing and implementing a BCM response highlighted]

Page 30

Developing and implementing a BCM response (2/2)

Developing a BCM Response

BS25999-2:2007 4.3.2 Incident Management Structure
The organization shall nominate incident response personnel (e.g. an incident management team consisting of the management) with the necessary responsibility, authority and competence to manage an incident.

BS25999-2:2007 4.3.3 Business continuity plans and incident management plans
The organization shall have documented plans (e.g. incident management plans, business continuity plans) that detail how the organization will manage an incident and how it will recover or maintain its activities to a predetermined level in the event of a disruption.

Page 31

Developing and implementing a BCM response (Invocation of plans)

[Flowchart along a TIME LINE, annotated with the actor and the plans involved at each step: IMT, IMPs, DRPs, BCPs]

INCIDENT: What has gone wrong?
IMPACT ANALYSIS: Which critical processes will be stopped?
DURATION ANALYSIS: How long can the disruption be expected to last?
INFORMATION GAP ANALYSIS: Do we have enough information to assess the incident? If we wait to get more information, will we still be able to invoke safely?
INVOKE DR SITE: Send the recovery staff to the DR site and start system recovery
SEND EVERYONE ELSE TO THE BACK-UP OFFICE: All staff other than recovery staff go to the back-up office (or home)
START BUSINESS CONTINUITY & RECOVERY: Implement the business continuity plans

Page 32

Developing and implementing a BCM response (Contents of plans)

The Company-level BCP
1. BC Policy
2. Objectives and scope
3. Roles and responsibilities
4. Plans invocation
5. Document management
6. Contact list

Incident Management Plans
1. Task and action lists
2. Emergency contact lists
3. Activities: site evaluation procedure; safety and first aid; safety briefing; staff/customer communications
4. Media response
5. Response to key stakeholders
6. Incident management team
7. Appendix (sample): access to the sites; communications with insurance companies; secure facilities and premises

Team’s BCPs
1. Task and action lists: plans invocation; available services; transportation; manual operation and system recovery operation procedures
2. Required resources: people; premises; IT systems; information and supplies, etc.
3. Owner of the BCP
4. Check sheet

Page 33

Exercising, maintaining, and reviewing BCM arrangements (1/2)

[Process diagram as on Page 15, with step IV. Exercising, maintaining, and reviewing BCM arrangements highlighted]

Page 34

Exercising, maintaining, and reviewing BCM arrangements (2/2)

BCP Test plans
1. Test policy
2. Objective
3. Scope
4. Success criteria
5. Roles and responsibilities
6. Test method
7. Test schedule

Lesson learnt report
1. Objective
2. Scope
• Test scenario
• Success criteria
• Test result
• Recommended improvement action
• Improvement action target date

Internal Audit Plans
1. ・・・
2. ・・・
3. ・・・

Internal Audit Report
1. ・・・
2. ・・・
3. ・・・

Improvement Action Plans
1. ・・・
2. ・・・
3. ・・・

Page 35

Appendix

Page 36

Introduction of Key Staff

Aki Sudo (Senior Consultant)
Aki Sudo is an experienced Business and IT Governance consultant with more than 10 years’ experience, including audit and risk management for organizations in a variety of sectors. Aki is a Certified Information Systems Auditor (CISA), BCI Business Continuity Professional member (MBCI), ISO27001 specialist and BS25999 specialist.

Kieran McDonagh (Senior Consultant)
Kieran McDonagh is an experienced Operational and IT risk consultant with more than fifteen years’ experience in reviewing and managing risks for organizations in a variety of sectors. Kieran is a Certified Information Systems Auditor (CISA) and BCI member.