20/8/2015
HOW TO CREATE A BUSINESS CONTINUITY AND DISASTER RECOVERY STRATEGY THAT WORKS
25 August 2015
Wong Tew Kiat CBCP, MBCI, CITBCM(S), CITPM(S), COMIT(S), Fellow SCS
Founder & Managing Director, Organisation Resilience Management Pte Ltd
Copyright@2015 Organisation Resilience Management Pte Ltd, 20 August 2015
What is Business Continuity Management (BCM) and Disaster Recovery (DR)?
Businesses and Infrastructures:
• Building Environment
• Data Centre
• IT Systems
• Critical Services & Associated Activities
• Communications
• Backup Generators
• M & E Infrastructures
What does BCM do?
SS ISO22301 BCM Framework:
• Programme Management
• Risk Assessment
• Business Impact Analysis
• Business Continuity Strategy
• BC Plans & Procedures
• BC Exercise & Test
Programme Management: laying a STRONG foundation to start BCM
• BCM Awareness Education for all Management and Staff?
• Trained BCM Staff, or only untrained ad hoc staff for BCM (“CCA”)?
• Complying with which Industry and Regulatory Guidelines?
• Know your interested parties – customers, regulatory requirements, service providers, vendors and suppliers?
• For the purpose of compliance or certification only, or seriously for the purpose of business continuity?
• Aligning to which BCM Guidelines – ISO22301, MAS BCM, etc.?
Business Impact Analysis and Risk Analysis
Have all critical services been identified?
What are the actual risks which will impact these critical services?
Are these risks being treated and mitigated?
Types of Risks:
1. Environment and Surrounding Risks
2. Process Risks
3. IT Systems Risks – Hardware, Software
4. Network Communications Risks
5. Data Centre Risks – Power & Cooling Outages
6. Cyber Security
Business Impact Analysis
BCM identifies:
• List of critical services and activities
• The associated Recovery Time Objectives (RTO)
  o How quickly MUST the critical services be recovered
• The associated Recovery Point Objectives (RPO)
  o Which point of data must be recovered
• The Minimum Resource Requirements (MRR)
  o What do you need to continue the critical services
  o What are the IT Systems and Data Storage to recover
BCM drives what is required for DR
Business Impact Analysis and Risk Analysis (diagram)
Business Impact Analysis: Critical Services, Critical IT Systems, RTO, RPO
Risks: Fire, Terrorism, Power Outage, Data Centre Outage
“Seeing is Believing”…. See to Assess, Not Ask to Assess
1. Walk-around
2. Identify (See)
3. Assess
4. Mitigate
Risks in…..
• Data Centre Risks: Power Overloading, Hot Spots, High Temperatures, End-of-Life UPS Batteries / Capacitors
• Technology Risks: End-of-Life – Servers, Software and Network Equipment; Source Code Escrow
• Critical Services: Process Risk, Environment Risk, Operating Risk
Turn your nightmares into sweet dreams instead. (Even before it happens!)
Business Continuity Strategies
• Risk Mitigation Plan
• IT Disaster Recovery – Critical Servers, Storage, Communications
• Alternate Site: Primary Site / Production Site and Secondary Site / Disaster Recovery Site
Capable and ready to failover within RTO and RPO?
Business Continuity Strategies
• Capable and ready to failover within RTO and RPO?
• Change Control Management?
• Updated patches, fixes and firmware for both sites, or only for the Production Site?
• Do you have critical servers housed in the DR Site due to lack of space in the Production Site?
• No end-of-life / end-of-support IT/Network equipment?
Business Continuity Strategies
Risk Mitigation Plans:
• Replication of IT Systems and Data Storage
• Selection of Alternate Data Centre
• Selection of Work Area Recovery (People)
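The strategy questions above (failover within RTO and RPO, patch parity between sites, end-of-life equipment, critical servers housed only at the DR site) can be turned into a repeatable readiness check fed by the BIA outputs. The following is an added example, not code from the deck or from Organisation Resilience Management; every service name, objective and measurement in it is constructed.

```python
# Added example (not from the slide deck): a DR readiness check driven by the
# BIA outputs the deck lists (RTO, RPO, MRR) plus the deck's failover questions.
# All service names, objectives and measurements are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CriticalService:
    name: str
    rto_minutes: int                         # BIA: how quickly it MUST be recovered
    rpo_minutes: int                         # BIA: which point of data must be recovered
    last_failover_minutes: Optional[int]     # measured in last DR exercise; None = never exercised
    replication_lag_minutes: int             # observed production -> DR replication lag
    prod_patch_level: str
    dr_patch_level: str
    eol_equipment: List[str] = field(default_factory=list)    # end-of-life / end-of-support gear
    dr_only_servers: List[str] = field(default_factory=list)  # critical servers housed only at DR


def assess(svc: CriticalService) -> List[str]:
    """Findings that stop this service failing over within its RTO and RPO."""
    findings = []
    if svc.last_failover_minutes is None:
        findings.append("RTO unproven: never exercised")
    elif svc.last_failover_minutes > svc.rto_minutes:
        findings.append(f"RTO breach: failover took {svc.last_failover_minutes} min, RTO {svc.rto_minutes} min")
    if svc.replication_lag_minutes > svc.rpo_minutes:
        findings.append(f"RPO breach: replication lag {svc.replication_lag_minutes} min, RPO {svc.rpo_minutes} min")
    if svc.prod_patch_level != svc.dr_patch_level:
        findings.append("change control gap: DR site patch level differs from production")
    findings += [f"end-of-life equipment in recovery path: {e}" for e in svc.eol_equipment]
    findings += [f"no production copy: critical server {h} housed only at DR site" for h in svc.dr_only_servers]
    return findings


def readiness_report(services: List[CriticalService]) -> Dict[str, List[str]]:
    """Service name -> findings; an empty list means ready on these checks."""
    return {svc.name: assess(svc) for svc in services}


# Constructed sample BIA outputs and DR measurements for two services.
SAMPLE_SERVICES = [
    CriticalService("payments", 60, 15, 45, 5, "patch-set-3", "patch-set-3"),
    CriticalService("customer-portal", 240, 60, 300, 90, "patch-set-3", "patch-set-1",
                    ["core switch"], ["db-02"]),
]

if __name__ == "__main__":
    for name, findings in readiness_report(SAMPLE_SERVICES).items():
        print(name, findings or "READY")
```

A service with an empty findings list is ready on these checks only; the list grows as further BIA questions (MRR, work area recovery) are encoded the same way.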
Business Continuity Plans
Business Continuity Plans
Points to Ponder:
1. All suitable BCM Plans in place?
• Emergency & Evacuation Response Plan
• Incident Response Plan
• Crisis Management Plan
• Social Media Management Plan
• IT Disaster Recovery Plan
• Organisation BC Plan
• Departments’ BC Plans
• Insurance Plan
• Pandemic Plan
• Haze Control Plan
• Including….. :
  • List of Vital Records and Offsite Records?
  • Management of Casualties and …. ?
  • Selecting Correct Fire-Wardens and First Aiders?
  • Notification procedure of Next-of-Kin / Family Members?
  • Trauma Counselling?
  • Facility Health Check Plan, e.g. Data Centre – Power and Cooling?
Business Continuity Plans (Con’t)
Points to Ponder:
2. When are the BCM Plans maintained and updated?
3. Are staff trained and familiar with BCM Plans?
  - Training of new staff – Induction Programme?
  - Training of BCM Coordinators – Organisation and Departments?
  - Training of a competent and adequate pool of Fire Wardens?
  - Training of an adequate pool of first aiders?
4. Where are the BCM Plans when you need them?
  - How quickly can you retrieve the appropriate BC Plans?
  - How quickly can you contact family members of casualties, etc.?
Business Continuity Exercises
Points to Ponder:
1. Annual Fire Drill?
• Does the Fire Drill Exercise always end with just accounting for people?
• Practice on how to evacuate safely to the assembly area?
• Practice fire-fighting with guidance from SCDF?
• Practice on Incident Response / Incident Management?
• Practice on management of “Casualties”?
• Practice notifying family members of casualties?
• Practice on first aid treatment, e.g. CPR?
Business Continuity Exercises (Con’t)
Points to Ponder:
2. Annual Table-Top Exercise?
• Table-top BCM Exercise conducted every year?
• Exercise using BCM Plans, or just from your thoughts?
• Exercise with different scenarios from identified risks?
3. Full Integrated BCM Exercise?
• When was the last full integrated BCM Exercise?
• Exercise including emergency evacuation, first aid, incident response, crisis management, etc…..
• Does the exercise start immediately at the DR Site / Alternate Site?
Industry Guidelines (timeline 2003 – 2013)
2003 – MAS BCM Guidelines
2003 – SPRING BCM Guidelines
2004 – MAS Outsourcing Guidelines
2004 – SS507 Certification for DR/BC Provider
2005 – SPRING BCM -- > TR19 BCM Standards
2006 – SPRING: Flu Pandemic BC Guide for SMEs
2008 – TR19 BCM Standards -- > SS540 BCM
2009 – SGX BCM Rules for member firms
2012 – ICT Resiliency Management Systems
2012 – SS540 -- > ISO22301 BCM Requirements
2013 – MAS Technology Risk Management (TRM)
Industry Guidelines
2003 – MAS BCM Guidelines: MAS 7 BCM Principles for all FSI
2003 – SPRING BCM Guidelines: Non-FSI and SMBs to be BCM Ready
2004 – MAS Outsourcing Guidelines: Suppliers & Vendors to be BCM ready
2004 – SS507 Certification for DR/BC Provider: DR/BC Readiness & Competencies
2005 – SPRING BCM -- > TR19 BCM Standards: Non-FSI and SMBs to be BCM Ready
2006 – SPRING: Flu Pandemic BC Guide for SMEs: After SARS -- > H1N1, MERS, Ebola
2008 – TR19 BCM Standards -- > SS540 BCM: More than 200 Companies are certified
2009 – SGX BCM Rules for member firms: BCM for SGX Member firms
2012 – ICT Resiliency Management Systems: Agencies – DC and IT Availabilities
2012 – SS540 -- > ISO22301 BCM Requirements: SS540 converted to ISO22301 BCMS
2013 – MAS Technology Risk Management (TRM): TVRA, Security, Data Centre and IT Sys
Business Continuity Requirements – Regulatory Guidelines
• Financial Institutions: MAS Business Continuity Management Guidelines 2003; MAS Outsourcing Guidelines 2004; MAS Technology Risk Management (TRM) Guidelines 2013
• Government Agencies: IDA ICT Resiliency Management Guidelines 2012
• Suppliers / Vendors / Service Providers of all Industries: ISO22301 Business Continuity Management Systems 2012
Industry Guidelines + Business Continuity Requirements (diagram)
Parties: Vendors & Suppliers, Service Providers, Companies, Customers, General Public
Accountability: to Regulatory Authorities
Guidelines: MAS BCM Guidelines, MAS Outsourcing Guidelines, MAS TRM Guidelines, ICTRMS, ISO22301
Alert Levels
• Dengue Alert Colour Codes
• Pandemic DORSCON Alerts
BCM - Alert Levels (diagram)
BCM Readiness Alert Level ?
Components: IT Availability, Pandemic Plan, Staff Competency, Suppliers & Vendors, Data Centre Resiliency
Weakest Link
Alert Level - ?
The BCM Readiness: 95% - 100% ?
Singapore Computer Society appointed us as the Authorised Training Provider for CITBCM (Certification in IT BCM)
Sep 2015, Nov 2015 @ Changi Airport T3 Crowne Plaza Hotel
Expect the Unexpected
• Murphy’s Law – “Anything that can go wrong will go wrong”
• John Wooden – 1910 – “Failure to prepare is preparing to fail.”
• Chinese Proverb – 不怕一万, 只怕万一 (“Fear not the ten thousand likely cases; fear the one in ten thousand”)
Peace of Mind. Resilience.
Turn your nightmares into sweet dreams instead. (Even before it happens!)
Thank You
Wong Tew Kiat CBCP, MBCI, CITBCM(S), CITPM(S), COMIT(S), Fellow SCS
Founder & Managing Director, Organisation Resilience Management Pte Ltd (欧亚美业务持续管理有限公司)
M +65 98585127
E [email protected]
W www.ormgt.com.sg