HOW TO CREATE A BUSINESS CONTINUITY AND DISASTER RECOVERY STRATEGY THAT WORKS

Author: Jacob Harmon
HOW TO CREATE A BUSINESS CONTINUITY AND DISASTER RECOVERY STRATEGY THAT WORKS
25 August 2015
Wong Tew Kiat CBCP, MBCI, CITBCM(S), CITPM(S), COMIT(S), Fellow SCS
Founder & Managing Director, Organisation Resilience Management Pte Ltd

Copyright @2015 Organisation Resilience Management Pte Ltd, 20 August 2015

What is Business Continuity Management (BCM) and Disaster Recovery (DR)?


Businesses and Infrastructures (diagram):
• Building Environment
• Data Centre
• IT Systems
• Critical Services & Associated Activities
• Communications
• Backup Generators
• M & E Infrastructures


What does BCM do?

The SS ISO22301 BCM Framework (diagram) covers:
• Programme Management
• Risk Assessment
• Business Impact Analysis
• Business Continuity Strategy
• BC Plans & Procedures
• BC Exercise & Test

Programme Management – Laying a STRONG foundation to start BCM
• BCM Awareness Education for all Management and Staff?
• Trained BCM Staff, or only untrained ad hoc Staff for BCM ("CCA")?
• Complying with which Industry and Regulatory Guidelines?
• Know your interested parties – customers, regulatory requirements, service providers, vendors and suppliers?
• For the purpose of compliance or certification only, or seriously for the purpose of business continuity?
• Aligning to which BCM Guidelines – ISO22301, MAS BCM, etc.?


Business Impact Analysis and Risk Analysis
• Have all critical services been identified?
• What are the actual risks which will impact these critical services?
• Are these risks being treated and mitigated?

Types of Risks:
1. Environment and Surrounding Risks
2. Process Risks
3. IT Systems Risks – Hardware, Software
4. Network Communications Risks
5. Data Centre Risks – Power & Cooling Outages
6. Cyber Security


Business Impact Analysis
• BCM identifies:
  • List of critical services and activities
  • The associated Recovery Time Objectives (RTO)
    o How quickly MUST the critical services be recovered
  • The associated Recovery Point Objectives (RPO)
    o To which point in time must data be recovered, i.e. how much data loss is tolerable
  • The Minimum Resource Requirements (MRR)
    o What do you need to continue the critical services
    o What are the IT Systems and Data Storage to recover
• BCM drives what is required for DR
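The RTO and RPO figures from the BIA only mean something once they are compared with what the backup, replication and failover arrangements can actually deliver. The following is an added example, not code from the original deck: a small Python check that estimates the achievable RTO (detection + decision + failover + validation) and the achievable RPO (replication lag, or backup interval plus backup duration when there is no replication) for each critical service and reports the gap. The service names, all timings and the simple recovery-chain model are constructed assumptions for illustration.

```python
"""Added example: turning BIA figures (RTO, RPO) into a gap check against the
protection actually in place. Service names and all numbers are constructed."""
from dataclasses import dataclass


@dataclass
class CriticalService:
    name: str
    rto_minutes: int               # business-stated: how quickly the service MUST be back
    rpo_minutes: int               # business-stated: how much data (in time) may be lost
    # Current protection (constructed figures for the example):
    replicated: bool               # replication to the DR site in place?
    replication_lag_minutes: int   # asynchronous lag when replicated
    backup_interval_minutes: int   # how often a restorable copy is taken
    backup_duration_minutes: int   # how long a copy takes to complete
    # Components of the recovery timeline (assumed model):
    detect_minutes: int
    decide_minutes: int            # escalation and the decision to invoke DR
    failover_minutes: int
    validate_minutes: int          # checks before users are let back in


def achievable_rpo(s: CriticalService) -> int:
    """Worst-case age of the newest usable copy of the data.

    With replication the loss is bounded by the replication lag. Relying on
    backups alone, the last complete copy can be one interval plus the time
    the copy itself takes old at the moment of the disaster."""
    if s.replicated:
        return s.replication_lag_minutes
    return s.backup_interval_minutes + s.backup_duration_minutes


def achievable_rto(s: CriticalService) -> int:
    """Recovery time is the whole chain, not just the failover step."""
    return s.detect_minutes + s.decide_minutes + s.failover_minutes + s.validate_minutes


def assess(services):
    """Return one gap record per service; a gap of 0 means the objective is met."""
    report = []
    for s in services:
        rto = achievable_rto(s)
        rpo = achievable_rpo(s)
        report.append({
            "service": s.name,
            "rto_gap": max(0, rto - s.rto_minutes),
            "rpo_gap": max(0, rpo - s.rpo_minutes),
            "achievable_rto": rto,
            "achievable_rpo": rpo,
        })
    # Largest gaps first: these are the services that would fail a DR exercise.
    report.sort(key=lambda r: r["rto_gap"] + r["rpo_gap"], reverse=True)
    return report


# Constructed sample BIA (not from any real organisation)
SAMPLE = [
    CriticalService("Internet banking", rto_minutes=60, rpo_minutes=15,
                    replicated=True, replication_lag_minutes=5,
                    backup_interval_minutes=1440, backup_duration_minutes=60,
                    detect_minutes=10, decide_minutes=20, failover_minutes=30, validate_minutes=15),
    CriticalService("Payroll", rto_minutes=1440, rpo_minutes=240,
                    replicated=False, replication_lag_minutes=0,
                    backup_interval_minutes=360, backup_duration_minutes=30,
                    detect_minutes=60, decide_minutes=120, failover_minutes=480, validate_minutes=120),
    CriticalService("Intranet wiki", rto_minutes=2880, rpo_minutes=1440,
                    replicated=False, replication_lag_minutes=0,
                    backup_interval_minutes=720, backup_duration_minutes=45,
                    detect_minutes=240, decide_minutes=240, failover_minutes=480, validate_minutes=60),
]

if __name__ == "__main__":
    for r in assess(SAMPLE):
        status = "OK" if r["rto_gap"] == 0 and r["rpo_gap"] == 0 else "GAP"
        print(f"{status:3} {r['service']:<18} RTO gap {r['rto_gap']:>4} min  RPO gap {r['rpo_gap']:>4} min")
```

In the constructed sample the replicated service meets its RPO but misses its RTO by the length of the decision and validation steps, and the backup-only service misses its RPO even though its RTO is comfortable; both are findings a table-top exercise would otherwise only discover on the day.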


Business Impact Analysis and Risk Analysis (diagram)

The BIA maps each Critical Service to the Critical IT Systems behind it and assigns its RTO and RPO; the Risk Analysis sets against them the risks identified: Fire, Terrorism, Power Outage, Data Centre Outage.


"Seeing is Believing"... See to Assess, Not Ask to Assess
1. Walk around
2. Identify (See)
3. Assess
4. Mitigate

Risks in...
• Data Centre Risks: Power Overloading, Hot Spots, High Temperatures, End-of-Life UPS Batteries / Capacitors
• Technology Risks: End-of-Life – Servers, Software and Network Equipment; Source Code Escrow
• Critical Services: Process Risk, Environment Risk, Operating Risk

Turn your nightmares into sweet dreams instead. (Even before it happens!)


Business Continuity Strategies
• Risk Mitigation Plan
• IT Disaster Recovery – Critical Servers, Storage, Communications
• Alternate Site: Primary Site / Production Site --> Secondary Site / Disaster Recovery Site

Capable and ready to failover within RTO and RPO?


Business Continuity Strategies (Cont'd)
Capable and ready to failover within RTO and RPO?
• Change Control Management? Updated patches, fixes and firmware for both sites, or only for the Production Site?
• Do you have critical servers housed in the DR Site due to lack of space in the Production Site?
• No end-of-life / end-of-support IT/Network equipment?


Business Continuity Strategies (Cont'd)
• Risk Mitigation Plans
• Replication of IT Systems and Data Storage
• Selection of Alternate Data Centre
• Selection of Work Area Recovery (People)


Business Continuity Plans
Points to Ponder:
1. All suitable BCM Plans in place?
   • Emergency & Evacuation Response Plan
   • Incident Response Plan
   • Crisis Management Plan
   • Social Media Management Plan
   • IT Disaster Recovery Plan
   • Organisation BC Plan
   • Departments' BC Plans
   • Insurance Plan
   • Pandemic Plan
   • Haze Control Plan
   Including...:
   • List of Vital Records and Offsite Records?
   • Management of Casualties and ...?
   • Selecting the Correct Fire Wardens and First Aiders?
   • Notification Procedure for Next-of-Kin / Family Members?
   • Trauma Counselling?
   • Facility Health Check Plan, e.g. Data Centre – Power and Cooling?


Business Continuity Plans (Cont'd)
Points to Ponder:
2. When are the BCM Plans maintained and updated?
3. Are staff trained and familiar with the BCM Plans?
   - Training of new staff – Induction Programme?
   - Training of BCM Coordinators – Organisation and Departments?
   - Training of a competent and adequate pool of Fire Wardens?
   - Training of an adequate pool of First Aiders?
4. Where are the BCM Plans when you need them?
   - How quickly can you retrieve the appropriate BC Plans?
   - How quickly can you contact family members of casualties, etc.?


Business Continuity Exercises
Points to Ponder:
1. Annual Fire Drill?
   • Does the Fire Drill Exercise always end with just accounting for people?
   • Practice on how to evacuate safely to the assembly area?
   • Practice fire-fighting with guidance from SCDF?
   • Practice on Incident Response / Incident Management?
   • Practice on management of "casualties"?
   • Practice notifying family members of casualties?
   • Practice on first aid treatment, e.g. CPR?


Business Continuity Exercises (Cont'd)
Points to Ponder:
2. Annual Table-Top Exercise?
   • Table-top BCM Exercise conducted every year?
   • Exercise using the BCM Plans, or just from memory?
   • Exercise with different scenarios drawn from the identified risks?
3. Full Integrated BCM Exercise?
   • When was the last full integrated BCM Exercise?
   • Exercise including emergency evacuation, first aid, incident response, crisis management, etc.
   • Does the exercise start immediately at the DR Site / Alternate Site?


Industry Guidelines (timeline diagram, 2001 to 2013)

The timeline plots, in chronological order, the guidelines itemised on the following slide, from the 2003 MAS and SPRING BCM Guidelines through SS507, TR19, SS540 and ISO22301 to the 2013 MAS Technology Risk Management (TRM) Guidelines.

Industry Guidelines
2003 – MAS BCM Guidelines: MAS 7 BCM Principles for all FSI
2003 – SPRING BCM Guidelines: Non-FSI and SMBs to be BCM ready
2004 – MAS Outsourcing Guidelines: Suppliers & Vendors to be BCM ready
2004 – SS507 Certification for DR/BC Provider: DR/BC readiness & competencies
2005 – SPRING BCM --> TR19 BCM Standards: Non-FSI and SMBs to be BCM ready
2006 – SPRING: Flu Pandemic BC Guide for SMEs: after SARS --> H1N1, MERS, Ebola
2008 – TR19 BCM Standards --> SS540 BCM: more than 200 companies are certified
2009 – SGX BCM Rules for member firms: BCM for SGX member firms
2012 – ICT Resiliency Management Systems: Agencies – DC and IT availability
2012 – SS540 --> ISO22301 BCM Requirements: SS540 converted to ISO22301 BCMS
2013 – MAS Technology Risk Management (TRM): TVRA, Security, Data Centre and IT Systems


Business Continuity Requirements

Regulatory Guidelines:
• MAS Business Continuity Management Guidelines – 2003
• MAS Outsourcing Guidelines – 2004
• MAS Technology Risk Management (TRM) Guidelines – 2013
• IDA ICT Resiliency Management Guidelines – 2012
• ISO22301 Business Continuity Management Systems – 2012

Who they apply to:
• Financial Institutions
• Government Agencies
• Suppliers / Vendors / Service Providers of all Industries

Industry Guidelines + Business Continuity Requirements (diagram)

The diagram shows Vendors & Suppliers, Service Providers, Companies, Regulatory Authorities, Customers and the General Public, linked by Accountability (towards the Regulatory Authorities and the General Public) and Service (towards Customers), under the MAS BCM Guidelines, MAS Outsourcing Guidelines, MAS TRM Guidelines, ICTRMS and ISO22301.


Alert Levels
• Dengue Alert Colour Codes
• Pandemic DORSCON Alerts


BCM – Alert Levels (diagram)

BCM Readiness Alert Level? It is set by the weakest link among:
• IT Availability
• Pandemic Plan
• Staff Competency
• Suppliers & Vendors
• Data Centre Resiliency


Alert Level – ? The BCM Readiness: 95% – 100%?


The Singapore Computer Society appointed us as the Authorised Training Provider for CITBCM (Certification in IT BCM): Sep 2015 and Nov 2015 @ Crowne Plaza Hotel, Changi Airport T3


Expect the Unexpected

• Murphy's Law – "Anything that can go wrong will go wrong"

• John Wooden (b. 1910) – "Failure to prepare is preparing to fail."

• Chinese Proverb – 不怕一万，只怕万一 ("Fear not the ten thousand; fear the one in ten thousand", i.e. it is the rare event that hurts)


Peace of Mind. Resilience. Turn your nightmares into sweet dreams instead. (Even before it happens!)


Thank You
Wong Tew Kiat CBCP, MBCI, CITBCM(S), CITPM(S), COMIT(S), Fellow SCS
Founder & Managing Director, Organisation Resilience Management Pte Ltd (欧亚美业务持续管理有限公司)
M +65 98585127  E [email protected]  W www.ormgt.com.sg
