Proposal for Business Continuity Plan and Management...
Transcript of Proposal for Business Continuity Plan and Management...
2008/8/6 1
6 August 2008
Proposal for Business Continuity Plan
and Management Review
2008/8/6 2
ContentsContents
About Newton IT / Quality of our services1. BCM & BS25999 Overview2. BCM Development in line with BS259993. BCM Development – Case StudyAppendix
All Rights Reserved @ Newton IT Ltd. 33
Newton IT Limited (Newton) is pleased to have the opportunity topropose for “Business Continuity Plan and Management Review”.
Since our foundation in 1998, Newton IT Limited has continually developed its business and increased its Products & Service offerings. With our combined Anglo Japanese management philosophy, Newton IT has been able to raise its profile of skill sets to meet the demands set by today's dynamically changing IT industry and to provide solutions at every level of our customer requirements and needs.
About Newton ITAbout Newton IT
All Rights Reserved @ Newton IT Ltd. 44
Quality of Our ServicesQuality of Our Services
Member of The Business Continuity InstituteISO17799 Associate Consultant of BSIBS25999 / ISO9001 / ISO27001 Registered Company (*1)
BCI Qualified Business Continuity Specialists (MBCI, ABCI)Other Specialists Skills
(e.g. CISA, CEH, CISSP, MCSE, CCNA, CCNP)
Provision of Solutions in accordance with International Standards (e.g. ISO27001, BS25999, COBIT, ITIL, ISO9001, ISO20000)
Proven ability to manage Projects on time and within budgetsCorporate lawyer partnership with Legal Authority specialized in
information systems
(*1) The Scope includes the provision of design, implementation and support IT Infrastructure, Consultancy on ISO27001 and Security Policies
All Rights Reserved @ Newton IT Ltd. 55
1.BCM & BS25999 Overview
All Rights Reserved @ Newton IT Ltd. 66
BCM BCP
DR
BIA
IMP
Incident
Response
Recovery
Response
Incident
Management
Business
Recovery
DRPBusiness
Continuity
Risk
Assessment
Business
Impact Analysis
MTPD
RPO
RTO
BCM Overview (Terminologies) BCM Overview (Terminologies) Terminologies around BCMTerminologies around BCM
All Rights Reserved @ Newton IT Ltd. 77
BCM Overview (Timeline)BCM Overview (Timeline)
Incident TimelineIncident Timeline
TIME
Operation R
ate
RTO:8 hours
100%
RPO:20% of Normal Operation
BC
Ps
Exercise
Assess
Internal Audit
Improvem
ent
20%
(Business As Usual)
10%
60%
Incident Management
Incident
Back to Normal
8hours
Business Continuity
Business Recovery
48hours 3months
Note: RTO: Recovery time objective / RPO: Recovery point objective
All Rights Reserved @ Newton IT Ltd. 88
Terms and Definition (1/2)Terms and Definition (1/2)【BCM】
Holistic management process that identified potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities
【Business Continuity Strategy】Approach by an organization that will ensure its recovery and continuity in the face of a disaster or other major incident or business interruption
【BCP】Documented collection of procedures and information that is developed, compiled and maintained in readiness of use in an incident to enable an organization to continue to deliver its critical activities at an acceptable predefined level
【IMP】Incident management plan. Clearly defined and documented plan of action for use at the time of an incident, typically covering the key personnel, resources, services and actions needed to implement the incident management process
All Rights Reserved @ Newton IT Ltd. 99
【Invocation】
Act of declaring that an organization’s business continuity plan needs to be put into effect in order to continue delivery of key products or services
【BIA】
Business impact analysis. Process of analysing business functions and the effect that a business disruption might upon them
【RTO】
Recovery time objective. Target time set for resumption of product, service or activity delivery after an incident. The recovery time objective has to be less than the maximum tolerable period of disruption
【MTPD】
Maximum tolerable period of disruption. Duration after which an organization’s viability will be irrevocably threatened if product and service delivery cannot be resumed
Terms and Definition (2/2)Terms and Definition (2/2)
All Rights Reserved @ Newton IT Ltd. 1010
BS25999 StructureBS25999 Structure (1/2)(1/2)
BS25999 Part1 「Code of Practice」
Embedding BCM in the organization’s culture10
Exercising, maintaining and reviewing BCM arrangements9
Developing and implementing a BCM response8
Determining business continuity strategy7Understanding the organization6BCM programme management5The business continuity management policy4
Overview of business continuity management (BCM)3
Terms and definitions2Scope and applicability1
All Rights Reserved @ Newton IT Ltd. 1111
BS25999 Part2 「Specification」
General3.1
6.2
6.1
5.2
5.1
4.4
4.3
4.2
4.1
3.4
3.3
3.2
Continual improvement
Preventive and corrective actions
Management review of the BCMS
Internal Audit
Exercising, maintaining and reviewing BCM arrangement
Determining business continuity strategy
Developing and implementing a BCM response
Understanding the organization
BCMS documentation and records
Embedding BCM in the organization’s culture
Establishing and managing the BCMS
Maintaining and improving the BCMS
6
Monitoring and reviewing the BCMS
5
Implementing and operating the BCMS
4
Planning the business continuity management system
3
Terms and definitions2
Scope1
BS25999 StructureBS25999 Structure (2/2)(2/2)
All Rights Reserved @ Newton IT Ltd. 1212
BCMBCM LifecycleLifecycle
The The BCMBCM LifecycleLifecycle
(Ref: BS25999-1 2006)
Understanding the business • Business Impact Analysis
• Risk Assessment
BCM Strategies• Organizational BCM strategy
• Process level BCM strategy
• Resource recovery BCM strategy
Developing / Implementing BCM plans• Business Continuity Plans
• resource recovery and solutions plan
• Disaster Recovery Plans
BCM exercising, maintenance and audit
Embedding a BCM culture• awareness, training and culture
All Rights Reserved @ Newton IT Ltd. 1313
2.BCM development in line with BS25999
All Rights Reserved @ Newton IT Ltd. 1414
Target of the developmentTarget of the development
The Target to Develop
「BCM Lifecycle」itself
The The BCMBCM LifecycleLifecycle
(Ref: BS25999-1 2006)
All Rights Reserved @ Newton IT Ltd. 1515
Process to implement and operate the BCMSProcess to implement and operate the BCMS
Assess the BCM arrangements and identify improvements to be made
BCM Exercise
Document business continuity plans and incident management plans
Incident response structure
Hot to recover each critical activity within its RTO, in taking account resources and suppliers and outsource partners required for resumption and recovery.
Determining choices
Risk Assessment (RA)
Business impact analysis (BIA)
2
1
IV.Exercising, maintaining, and reviewing BCM arrangements
2
1
III. Developing and implementing a BCM response
1
II.Determining business continuity strategy
3
2
1
I. Understand the organization ・ Identify key stakeholders and their needs and expectations
・ Identify activities supporting key services/products
・ Identify impacts resulting from disruption to those activities and determine how these vary over time.
・ Define MTPD and RTO, and identify critical activities
• Assess risks of critical activities and supporting resources
・ Choose and implement risk treatments for each critical activity
Decide BC Strategy based on the results of BIA & RA
All Rights Reserved @ Newton IT Ltd. 1616
Document the BCM (1/2)Document the BCM (1/2)
Incident TimelineIncident Timeline
TIME
Operation R
ate
RTO:8 hours
100%
RPO:20% of Normal Operation
BC
Ps
Exercise
Assess
Internal Audit
Improvem
ent
20%
(Business As Usual)
10%
60%
Incident Management
Incident
Back to Normal
8hours
Business Continuity
Business Recovery
48hours 3months
Note: RTO: Recovery time objective / RPO: Recovery point objective
All Rights Reserved @ Newton IT Ltd. 1717
Document the BCM (2/2)Document the BCM (2/2)
Incident TimelineIncident Timeline
TIME
Operation R
ate
RTO:8 hours
100%
RPO:20% of Normal Operation
BC
Ps
Exercise
Assess
Internal Audit
Improvem
ent
20%
(Business As Usual)
10%
60%
Incident Management
Incident
Back to Normal
8hours
Business Continuity
Business Recovery
48hours 3months
Note: RTO: Recovery time objective / RPO: Recovery point objective
POLICY & PLANS POLICY & PLANS
PROCEDURESPROCEDURES
Training Material
Training Result
Test Case
Lesson learnt report
Internal Audit Plan
Internal Audit Result
Incident Management
Plans
Business Continuity & Recovery
Plan
System Recovery
Plan
Business Continuity Policy and BCPs
Business Continuity・Recovery Procedures
System Recovery Procedures
Incident Management Procedures
Improvem
ent Plan
All Rights Reserved @ Newton IT Ltd. 1818
3.BCM Development- Case Study–
All Rights Reserved @ Newton IT Ltd. 1919
Case OverviewCase Overview
Company AIndustry: IT Solutions ProviderKey Services:
IT System design, implementation, maintenance and supports
ConsultingSoftware Development
Number of Staff: 60Turnover: £10 Millions (2006)Office: London, UKNumber of Customers : 250 CompaniesNumber of Suppliers : 30 CompaniesInternal IT Infrastructure
Servers: 10Client PC: 120
All Rights Reserved @ Newton IT Ltd. 2020
Understand the organization (Overview 1/2)Understand the organization (Overview 1/2)
Assess the BCM arrangements and identify improvements to be made
BCM Exercise
Document business continuity plans and incident management plans
Incident response structure
Hot to recover each critical activity within its RTO, in taking account resources and suppliers and outsource partners required for resumption and recovery.
Determining choices
Risk Assessment (RA)
Business impact analysis (BIA)
2
1
IV.Exercising, maintaining, and reviewing BCM arrangements
2
1
III. Developing and implementing a BCM response
1
II.Determining business continuity strategy
3
2
1
I. Understand the organization
All Rights Reserved @ Newton IT Ltd. 2121
Understand the organization (Overview 2/2)Understand the organization (Overview 2/2)In a business continuity context, an understanding of the organization comes from:
BS25999-1:20066. Understanding the organization
•Identify the organization’s objectives, stakeholder obligations and statutory duties• Identify activities and resources supporting the service deliveries• assess the impact and consequences over time of disruptions of those activities and resources
• identify and evaluate the perceived threats that could disrupt the organization’s key services, and the critical activities and resources that support them
BIA
Risk Assessment
All Rights Reserved @ Newton IT Ltd. 2222
Understand the organization : BIA (Stakeholder Analysis)Understand the organization : BIA (Stakeholder Analysis)
etc
Regulatory Bodies
Customers
Relevant ServicesExpectations / NeedsKey Stakeholders
•Identify the organization’s objectives, stakeholder obligations and statutory duties• Identify activities and resources supporting the service deliveries
• assess the impact and consequences over time of disruptions of those activities and resources
BIA
All Rights Reserved @ Newton IT Ltd. 2323
Understand the organization : BIA (Critical Activities)Understand the organization : BIA (Critical Activities)
DETAILS OF IMPACT(RANGE OF IMPACT /VARY OVER TIME)
Impact
LIKELY IMPACT OF DISRUPTIONLikely
disruptionLEVEL 2LEVEL 1MTPD
IMPACTS RESULTING FROM DISRUPTIONSACTIVITIES
•Identify the organization’s objectives, stakeholder obligations and statutory duties
• Identify activities and resources supporting the service deliveries
• assess the impact and consequences over time of disruptions of those activities and resources
BIA
All Rights Reserved @ Newton IT Ltd. 2424
Understand the organization : Risk Assessment (1/2)Understand the organization : Risk Assessment (1/2)
In a BCM context, the level of risk should be understood specifically in respect of the organization’s critical activities and the risk of a disruption to these;
BS25999-2:2007 4.1.2. Risk Assessment
Critical activities are underpinned by resources such as people, premises, technology, information, supplies and stakeholders
・Identify the threats to these resources
・Identify the vulnerabilities of each resource
・Determine the impact what would be arise if a threat became an incident and caused a business disruption
・ Define and document the risk assessment method (criteria for risk treatment, Identifications of acceptable levels of risk etc)
All Rights Reserved @ Newton IT Ltd. 2525
Understand the organization : Risk Assessment (2/2)Understand the organization : Risk Assessment (2/2)Reference documents;
• Risk Assessment ResultsThreats Vulnerabilities
Probability ofoccurrence (A)
(High 3/Medium 2/Low 1)
Impact (B)(High 3/Medium 2/Low 1)
Value of Risks(C ) = (A) * (B)
Choices(BC Strategy)
Help desk Unavailability of key personnel /inexperienced staff
lack of training, insufficientmanagement of staff 1 3 3 Develop BCPs for Help Desk
Engineers Unavailability of key personnel /inexperienced staff
lack of training, insufficientmanagement of staff 1 3 3 Develop BCPs for Engineers
SUPPLIES The company letter head Lack of the letter head Insufficient logisticsmanagement 1 1 1 Accept the risk
the Office No access to the office Lack of physical security,office location 1 3 3 Back-up Office / Develop BCPs
No access to the office area Office location 1 3 3 Back-up Office / Develop BCPs
Customer information No access to the information No duplicated information 2 3 6Data Replication at DR Site /Develop BCPs and SystemRecovery Procedures
Engineers' skill set No access to the information No duplicated information 2 3 6Data Replication at DR Site /Develop BCPs and SystemRecovery Procedures
Engineers' schedule No access to the information No duplicated information 2 3 6Data Replication at DR Site /Develop BCPs and SystemRecovery Procedures
Email Loss of IT systemNo duplicated IT system,insufficient IT systemmaintenance
1 3 3 System recovery procedures
File Server Loss of IT systemNo duplicated IT system,insufficient IT systemmaintenance
1 3 3 System recovery procedures
SAP Server Loss of IT systemNo duplicated IT system,insufficient IT systemmaintenance
1 3 3 System recovery procedures
SAGE Loss of IT systemNo duplicated IT system,insufficient IT systemmaintenance
1 3 3 System recovery procedures
TTS System Loss of IT systemNo duplicated IT system,insufficient IT systemmaintenance
1 3 3 System recovery procedures
Mobile Phone Unavailability of Mobile phone No duplicated lines 1 2 2 Accept the risk
Utilities Loss of utilities insufficient contracts, lack ofmaintenance 2 3 6 Review contracts / Back-up
office
Post office Unavailability of Post office Strike, natural disaster 2 1 2 Accept the risk
Supporting Resources
OTHERS
IT SYSTEMS
INFORMATION
PREMISES
PEOPLE
All Rights Reserved @ Newton IT Ltd. 2626
Determining business continuity strategy (1/3)Determining business continuity strategy (1/3)
Assess the BCM arrangements and identify improvements to be made
BCM Exercise
Document business continuity plans and incident management plans
Incident response structure
Hot to recover each critical activity within its RTO, in taking account resources and suppliers and outsource partners required for resumption and recovery.
Determining choices
Risk Assessment (RA)
Business impact analysis (BIA)
2
1
IV.Exercising, maintaining, and reviewing BCM arrangements
2
1
III. Developing and implementing a BCM response
1
II.Determining business continuity strategy
3
2
1
I. Understand the organization
All Rights Reserved @ Newton IT Ltd. 2727
Determining business continuity strategy (2/3)Determining business continuity strategy (2/3)Strategy options
BS25999-1:2006 7.2 Strategy options
The organization should consider strategic options for its critical activities and the resources that each activity will require on its resumption.
Strategies might be required the following organizational resources;
・People
・Premises
・IT Systems
・Information
・Supplies
・Stakeholders
Decide BC Strategy
IT System Strategy
Supply management
Strategy
Premises Strategy
All Rights Reserved @ Newton IT Ltd. 2828
Determining business continuity strategy (3/3)Determining business continuity strategy (3/3)Reference documents;
Business Continuity Strategic Options
Option 1: Restore data from back-uptape Option 2: Data replication at DR site Option 3: System and data replication at
DR site
People The existing staff Train the existing staff Train the existing staff
Premises Back-up office DR site / Back-up Office DR Site / Back-up office
IT The existing back-up tape Server for data duplication Servers for system and data replications
Supplies Data restore manuals Transportation to/from DR site, datarecovery manual
Transportation to/from DR site, system anddata recovery manual
Others Purchasing new server to restore data fromback-up tape Contract with DR site Contract with DR site
Feasibility High High High
Effectiveness(MTPD) Low High High
Cost Low Medium High
Required
Resouces
Adequacy
All Rights Reserved @ Newton IT Ltd. 2929
Developing and implementing a BCM response (1/2)Developing and implementing a BCM response (1/2)
Assess the BCM arrangements and identify improvements to be made
BCM Exercise
Document business continuity plans and incident management plans
Incident response structure
Hot to recover each critical activity within its RTO, in taking account resources and suppliers and outsource partners required for resumption and recovery.
Determining choices
Risk Assessment (RA)
Business impact analysis (BIA)
2
1
IV.Exercising, maintaining, and reviewing BCM arrangements
2
1
III. Developing and implementing a BCM response
1
II.Determining business continuity strategy
3
2
1
I. Understand the organization
All Rights Reserved @ Newton IT Ltd. 3030
Developing a BCM Response
BS25999-2:2007 4.3.3 Business continuity plans and incident management plans
The organization shall have documented plans (e.g. Incident management plans, business continuity plans) that detail how the organization will manage an incident and how it will recover or maintain its activities to a predetermined level in the event of an disruption.
Developing and implementing a BCM response (2/2)Developing and implementing a BCM response (2/2)
BS25999-2:2007 4.3.2. Incident Management Structure
The organization shall nominate incident response personnel (e.g. Incident management team which consist of the management) with the necessary responsibility, authority and competence to manage an incident.
All Rights Reserved @ Newton IT Ltd. 3131
Developing and implementing a BCM response (Invocation of plans)Developing and implementing a BCM response (Invocation of plans)
INCIDENT
What has gone wrong?
IMPACT ANALYSIS
Which critical processes will be stopped?
DURATION ANALYSIS
How long can the disruption be expected to last?
INFORMATION GAP ANALYSIS
Do we have enough information to assess the incident?
If we wait to get more information will we be able to safely invoke?
INVOKE DR SITE
Send the Recovery staff to DR site and start system recovery
SEND EVERYONE ELSE BACK-UP OFFICE
All staff other than Recovery staff to go back-up office (or home)
START BUSINESS CONTINUITY & RECOVERY
Implement Business Continuity Plans
TIME LINE
IMT
BCPsDRPs
IMPs
All Rights Reserved @ Newton IT Ltd. 3232
1. BC Policy
2. Objectives and scope
3. Roles and responsibilities
4. Plans invocation
5. Document management
6. Contact list
1. Task and action lists
2. Emergency contact lists
3. Activities・Site evaluation procedure・Safety and first aid・Safety briefing ・Staff/customer communications
4. Media response
5. Response to key stakeholders
6. Incident management team
7. Appendix (sample)・access to the sites・communications with insurance
companies・Secure facilities and premises
1. Task and action lists・Plans Invocation ・Available services・Transpiration・Manual operation and system
recovery operation procedures
2. Required resources・People・Premises・IT systems・Information and supplies etc
3. Owner of the BCP
4. Check sheet
The Company-level BCP
Incident Management Plans Team’s BCPs
Developing and implementing a BCM response (Contents of plans)Developing and implementing a BCM response (Contents of plans)
All Rights Reserved @ Newton IT Ltd. 3333
Exercising, maintaining, and reviewing BCM arrangements (1/2)Exercising, maintaining, and reviewing BCM arrangements (1/2)
Assess the BCM arrangements and identify improvements to be made
BCM Exercise
Document business continuity plans and incident management plans
Incident response structure
Hot to recover each critical activity within its RTO, in taking account resources and suppliers and outsource partners required for resumption and recovery.
Determining choices
Risk Assessment (RA)
Business impact analysis (BIA)
2
1
IV.Exercising, maintaining, and reviewing BCM arrangements
2
1
III. Developing and implementing a BCM response
1
II.Determining business continuity strategy
3
2
1
I. Understand the organization
All Rights Reserved @ Newton IT Ltd. 3434
1. Test policy
2. Objective
3. Scope
4. Success criteria
5. Roles and responsibilities
6. Test method
7. Test schedule
BCP Test plans
1. Objective
2. Scope
• Test scenario
• Success criteria
• Test result
• Recommended improvement action
• Improvement action target date
Lesson learnt report
1. ・・・
2. ・・・
3. ・・・
Internal Audit Plans
1. ・・・
2. ・・・
3. ・・・
Internal Audit Report
Exercising, maintaining, and reviewing BCM arrangements (2/2)Exercising, maintaining, and reviewing BCM arrangements (2/2)
1. ・・・
2. ・・・
3. ・・・
Improvement Action Plans
2008/8/6 35
AppendixAppendix
All Rights Reserved @ Newton IT Ltd. 3636
Introduction of Key StaffIntroduction of Key Staff
Aki Sudo (Senior Consultant)Aki Sudo is an experienced Business and IT Governance consultant with more than 10 years experience, including the audit and risk management for organizations in a variety of sectors. Aki is a Certified Information System Auditor (CISA), BCI Business Continuity Professional member (MBCI), ISO27001 specialist and BS25999 specialist.
Kieran McDonagh (Senior Consultant)Kieran McDonagh is an experienced Operational and IT risk consultant with more than fifteen years experience in reviewing and managing risks for organizations in a variety of sectors. Kieran is a Certified Information System Auditor (CISA) and BCI member .