Business Continuity Management 1.0 Chapter 1 Business Continuity Management, Business Continuity Planning And Disaster Recovery Planning
1
Chapter 1 Business Continuity Management, Business Continuity Planning And Disaster Recovery Planning
2
Chapter 1 Agenda Chapter 1 – Business Continuity Management, Business Continuity Planning, Disaster Recovery Planning • Concept of Disaster Recovery Process, Business Continuity Plan and Business Continuity Management • Objectives of BCM and BCP. • Need for BCM at Business Level. • Need for BCM at various levels of IT Environment. • Concept of Disaster. • Phases of disaster. • Impact of disaster. 3
Learning Objectives Key concepts of Business Continuity Management (BCM), Business Continuity Planning (BCP), Disaster Recovery Planning (DRP) Key terms related concepts as this is critical for designing, implementing or reviewing business continuity Provide assurance and consulting services in this area.
4
Introduction Bank using Core banking solution with a million accounts, credit cards, loans and customers. Companies using centralized ERP software having operations in multiple locations. An airline serving customers on flights daily using IT for all operations.
5
Introduction Pharmacy system filling millions of prescriptions per year (some of the prescriptions are life-saving). Automobile factory producing manufacturing hundreds of vehicles daily using automated solution. Railways managing thousands of train routes and passengers through automated ticketing and reservation.
6
Failure of IT Server or network failure Disk system failure Hacker break-in
Denial of Service attack Extended power failure Snow storm, earthquake, tornado or fire Spyware, malevolent virus or worm
7
Definitions …1 Crisis: An abnormal situation which threatens the operations, staff, customers or reputation of the enterprise. Incident: An event that has the capacity to lead to loss of or a disruption to an organization’s operations, services, or functions – which, if not managed, can escalate into an emergency, crisis or disaster. 8
Definitions …2 Disaster: An unplanned interruption of normal business process. Risk: Combination of the probability of an event and its consequence. Vulnerability: The degree to which a person, asset, process, information, infrastructure or other resources are exposed to the actions or effects of a risk, event or other occurrence. 9
Definitions …3 Incident Management Plan: A clearly defined and documented plan of action for use at the time of an incident, typically covering the key personnel, resources, services and actions needed to implement the incident management process. Disaster Recovery Planning: A disaster recovery plan (DRP) is a documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster.
10
Definitions …4 Business Continuity Planning: Business continuity planning is the process of developing prior arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions can continue within planned level of disruption.
Business Continuity Management: A holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats – if realized – might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stake holders, reputation, brand, and value-creating activities. 11
Related Terms Asset
• - Something of value to organisation
Vulnerability
• -Weakness in system safeguards
Threat
• - Potential to harm the system
Exposure
• - Extent of loss when risk materializes
Likelihood
• - Probability that threat will succeed
Attack
• - Set of actions designed to compromise CIA
Risk
• - Potential harm if a threat exploits a vulnerability
Countermeasure
• - Measure that reduces vulnerability of a system
Residual Risk
• - Risk still remaining after the counter measures 12
What is BCP?
Process designed to reduce the organization’s business risk Much more than just a plan for the information systems 13
Risks of inadequate BCP Inadequate BCP could result in risks • • • • •
Inability to maintain critical customer services Damage to market share, reputation or brand Failure to protect Assets including IP and personnel Business control failure Failure to meet contractual or regulatory requirements
14
BCP Manual Documented description of actions to be taken Resources to be used and Procedures to be followed before, during and after a disruptive event. BCP Manual specifies the responsibilities of the BCM team which serve as liasoning teams between the functional area(s) affected and other departments providing support services in the event of an incident or disaster. 15
BCP Manual BCM is a framework that • Proactively improves an enterprise’s resilience against the disruption of its ability to achieve its key objectives. • Provides a rehearsed method of restoring an enterprise’s ability to supply its key products and services to an agreed level within an agreed time after a disruption. • Delivers a proven capability to manage a business disruption and protect the enterprise’s reputation and brand. 16
BCM Policy
A high level document To bring about awareness among To test and review To make a the persons in the business systematic continuity planning scope about the approach for business continuity for the enterprise disaster recovery aspects and its in scope. importance 17
BCM Policy Objective of this policy is to provide a structure through which • Critical services and activities will be identified. • Plans will be developed to ensure continuity of key service delivery following a business disruption. • Invocation of incident management and business continuity plans can be managed.
• Incident management and business continuity plans are subject to ongoing testing, revision and updation. • Planning and management responsibility are assigned to a member of the relevant senior management team. 18
Objectives and Goals of BCP Primary Objectives of BCP • To minimize loss by minimizing the cost associated with disruptions • To enable an organisation to survive a disaster • To re-establish normal business operations 19
Objectives and Goals of BCP Key Objectives of Contingency Plan
• Provide for the safety and well-being of people on the premises at the time of disaster • Continue critical business operations • Minimise the duration of a serious disruption to operations and resources • Minimise immediate damage and losses
20
Objectives and Goals of BCP Key Objectives of Contingency Plan • Establish management succession and emergency powers • Facilitate effective co-ordination of recovery tasks • Reduce the complexity of the recovery effort • Identify critical lines of business and supporting functions
21
Objectives and Goals of BCP Goals of Business Continuity Plan • Identify weaknesses and implement a disaster prevention program • Minimise the duration of a serious disruption to business operations
• Facilitate effective co-ordination of recovery tasks • Reduce the complexity of the recovery effort
22
Business Impact Analysis (BIA) Assess the impacts that would occur if the activity was disrupted over a period of time Identify the maximum time period after a disruption within which the activity needs to be resumed Identify critical business processes
23
Objectives of Business Continuity Planning…1 Manage the risk which could lead to disastrous events Reduce the time taken to recover from an incident Minimize the risks in recovery process Reduce costs involved in revival of business
24
Objectives of Business Continuity Planning…2 Reduce the likelihood of a disruption occurring that affects the business through a risk management process
Protect staff and their welfare – ensure staff know their roles and responsibilities Prevent or reduce damage to the organization’s reputation and image Preserve and maintain relationships with customers Safeguard organization’s market share and/or competitive advantage 25
Business Continuity Planning “Business Continuity Planning (BCP) is the
Creation and validation of a practical logistical plan For how an organization Will recover and restore partially or Completely interrupted critical (urgent) functions
Within a predetermined time after a disaster or extended disruption.”
26
Business Continuity Areas Business resumption planning
• The operation’s piece of business continuity planning
Disaster recovery planning
• The technological aspect of business continuity planning
Crisis management
• The overall co-ordination of an organization's response to a crisis in an effective timely manner 27
DR and BC Disaster Recovery
• Disaster recovery focuses on the IT or technology systems that support business functions.
BCM
Disaster Recovery
• It is a subset of business continuity.
Business Continuity
28
Elements of Business Continuity Disaster Recovery
Recover mission-critical technology and applications at an alternate site.
Business Recovery
Recover the business process at an alternate site. Workspace recovery.
Contingency Planning
To manage an external event that has far-reaching impact on the business. 29
Business Continuity Life Cycle
Recovery Alternatives
Risk Assessment
Recovery Plan validation
Recovery Plan implementation
30
What comprises a Business Continuity Management?
Incident Response Plan
Disaster Recovery Plan
Business Continuity Plan
Business Continuity Management
31
Need for BCM Business Point of View • Heavy Dependence on Information, Communication and technologies • To ensure that critical business functions will be available to customers, suppliers, regulators, and other entities that must have access to those functions • To maintain service, consistency, and recoverability. • Critical industries like Banks, Insurance Companies, Stock Exchanges, Airline Companies, Railways, Multinational Companies, Government Agencies rely on IT Infrastructure 32
Need for BCM Information Technology Mail Servers and Communication lines like Internet, Phone and Fax are also essentially the important components of the Infrastructure. Critical IT Resources like Servers, Workstations, Network and Communication, Operating system software, business applications software, essential utility software, Data Centers, Support Desks, IT Personnel, Disks, Tapes etc. Software like the Core Banking Systems, SWIFT Financial Messaging Services, Airline Communication Services, Stock Market Trading Applications, ERP Systems, e-commerce sites and many more are critical where no downtime is tolerated.
33
Need for BCM Key terms • Business Contingency • An event with the potential to disrupt computer operations, thereby disrupting critical mission and business functions • Eg. power outage, hardware failure, fire, or storm. If the event is very destructive, it is often called a disaster 34
Need for BCM Key terms • BCP Process • A process designed to reduce the risk to an enterprise from an unexpected disruption of its critical functions and assure continuity of minimum level of services necessary for critical operations
• Purpose is to ensure that vital business functions (critical business operations) are recovered and operationalized within an acceptable timeframe 35
Need for BCM Key terms • Business Continuity Planning (BCP)
• Ability of enterprises to recover from a disaster and continue operations with least impact • Independent audit to confirm adequacy and appropriateness to meet enterprise needs 36
Disaster
A disruption of business operations that stops an organization from providing critical services caused by the absence of critical resources.
A disaster is a natural or man-made (or technological) hazard resulting in
an event of substantial extent causing significant physical damage or destruction, loss of life, or drastic change to the environment
Vulnerabilities are weaknesses
associated with an organization’s assets. 37
Types of Disasters Natural Disaster E.g. fire, earthquake, tsunami, typhoon, floods, tornado, lightning,
blizzards,
freezing
temperatures,
heavy
snowfall, pandemic, severe hailstorms, volcano .
Artificial/Man-Made Disaster E.g. Terrorist Attack, Bomb Threat, Chemical Spills, Civil Disturbance, Electrical Failure, Fire, HVAC Failure, Water Leaks, Water Stoppage, Strikes, Hacker Attacks, Viruses, Human Error, Loss Of Telecommunications, Data Center Outrage, Lost Data, Corrupted Data, Loss
Of Network Services, Power Failure etc. 38
Phases of Disaster CRISIS EMERGENCY RESPONSE RECOVERY
RESTORATION
39
Phases of Disaster - example Examples of Disaster
Impact on Phases
Serious Fire during working Hours All phases in full
Serious Fire working hours
outside
during All the phases, however, no staff and public evacuation
Very Minor fire during working Crisis Phase only, staff and public hours evacuation but perhaps no removal of valuable objects, Fire Service Summoned to deal with the fire Gas mail leak outside during Only emergency response phase working hours, repaired after is appropriate some hours 40
Impact of Disaster Loss of Human Life
Loss of Productivi ty
Revenue Losses Loss of Market Share & Goodwill Litigation
41
Summary The management of Business Continuity Plans, Disaster Recovery Plans and Incident Responses are collectively known as Business Continuity management.
The ultimate objective of a BCM is to recover from a crisis as fast as possible and at the lowest possible cost. Business Continuity is applicable to organizations of all sizes and types of business. Business Continuity is most crucial to enterprises which employ a lot of IT Resources for their critical business functions. 42
Summary Disaster is an event that causes interruption to the ongoing business functions which is either natural or manmade. Disaster would normally go through Crisis Phase, Emergency Response Phase, Recovery Phase and Restoration Phase. 43
Questions
44
1. An organization's disaster recovery plan should address early recovery of: A. B. C. D.
All information systems processes. All financial processing applications. Only those applications designated by the IS Manager. Processing in priority order, as defined by business management.
Answer: D Business management should know what systems are critical and when they need to process well in advance of a disaster. It is their responsibility to develop and maintain the plan. Adequate time will not be available for this determination once the disaster occurs. IS and the information processing facility are service organizations that exist for the purpose of assisting the general user management in successfully performing their jobs. 45
2.
Which of the following is MOST important to have in a disaster recovery plan?
A. B. C. D.
Backup of compiled object programs Reciprocal processing agreement Phone contact list Supply of special forms
Answer: A Of the choices, a backup of compiled object programs is the most important in a successful recovery. A reciprocal processing agreement is not as important, because alternative equipment can be found after a disaster occurs. A phone contact list may aid in the immediate aftermath, as would an accessible supply of special forms, but neither is as important as having access to required programs. 46
3. Which of the following BEST describes the difference between a disaster recovery plan and a business continuity plan? A. The disaster recovery plan works for natural disasters whereas the business continuity plan works for non-planned operating incidents such as technical failures. B. The disaster recovery plan works for business process recovery and information systems whereas the business continuity plan works only for information systems. C. The disaster recovery plan defines all needed actions to restore to normal operation after an un-planned incident whereas the business continuity plan only deals with critical operations needed to continue working after an un-planned incident. D. The disaster recovery plan is the awareness process for employees whereas the business continuity plan contains the procedures themselves to recover the operation. Answer: C The difference pertains to the scope of each plan. A disaster recovery plan recovers all operations, whereas a business continuity plan retrieves business continuity (minimum requirements to provide services to the customers or clients). Choices A, B and D are incorrect because the type of plan (recovery or continuity) is independent from the sort of disaster or process and it includes both awareness campaigns and procedures.
47
4. The MOST significant level of business continuity planning program development effort is generally required during the:
A. Early stages of planning. B. Evaluation stage. C. Maintenance stage. D. Testing Stage. Answer: A A company in the early stages of business continuity planning (BCP) will incur the most significant level of program development effort, which will level out as the BCP program moves into maintenance, testing and evaluation stages. It is during the planning stage that an IS Auditor will play an important role in obtaining senior management's commitment to resources and assignment of BCP responsibilities. 48
5.
A. B. C. D.
Disaster recovery planning for a company's computer system usually focuses on
Operations turnover procedures. Strategic long-range planning. The probability that a disaster will occur. Alternative procedures to process transactions.
Answer: D It is important that disaster recovery identify alternative processes that can be put in place while the system is not available.
49
6. A. B. C. D.
An unplanned interruption of normal business process is? Risk Vulnerability Disaster Resilience
Answer: C Disaster is event which interrupts business processes sufficiently to threaten the viability of the organization. Risk is a combination of the probability of an event and its consequence. Vulnerability is the degree to which a person, asset, process, information, infrastructure or other resources are exposed to the actions or effects of a risk, event or other occurrence. Resilience is the ability of an organization to resist being affected by the incident. 50
7. Which of the following strategy does not encompass disaster recovery plan ? A. B. C. D.
Preventive Detective Corrective Administrative
Answer: D There are three basic strategies that encompass a disaster recovery plan: preventive measures, detective measures, and corrective measures. Preventive measures will try to prevent a disaster from occurring. These measures seek to identify and reduce risks. Detective measures are taken to discover the presence of any unwanted events within the IT infrastructure. Their aim is to uncover new potential threats. Corrective measures are aimed to restore a system after a disaster or otherwise unwanted event takes place. 51
8.
Which of the following is not a fundamental of BCP?
A. Manage the risks which could lead to disastrous events. B. Minimize the risks involved in the recovery process. C. Reduce the costs involved in reviving the business from the incident D. Mitigate negative publicity Answer: D Mitigate negative publicity is an objective of Business continuity management is to rest all are the fundamental aim of BCP. 52
9. A. B. C. D.
Which phase starts with a damage assessment? Crisis Phase Emergency Response Phase Recovery Phase Restoration Phase
Answer: D Restoration phase will start with a damage assessment, usually within a day or so of the disaster, when the cause for evacuation or stopping of operations has ended, normal working will be restarted. During the Restoration Phase, any damage to the premises and facilities will be repaired. 53
10. Which of the following is of utmost important during an impact of disaster? A. B. C. D.
Loss of Productivity Loss of Revenue Loss of Human Life Loss of Goodwill & Market Share
Answer: C Protection of human life is of utmost importance and, the overriding principle behind continuity plans. Rest all are to be considered later.
54
Thank you! Questions? Email:
[email protected]
55
