Advisor: Professor 盧淵源. Group 7 members: 陳源裕 8922404021, 潘呂美 ...
Member student IDs: 8922404021, 9421408007, 9421408040, 9421408029, 9222404002, 9122404012
NSYSU--2005 *060112
Task Force agenda
History Review (5 min.)
Infrastructure (15~20 min.)
Case Study (25~30 min.): TFT-LCD Industrial Risk; General Industrial Risk; Service Field Risk & Control
Contents
Review & History
General Description of Risk
General Description of BCP
General Description of BCM
Review & History
Management Golden Triangle
Risk & BCP & BCM
Examples: 921, SARS, 3A, Bhopal, 911
ICS (Incident Command System): 1970, 1980
Why ICS?
Fundamentals of CIS
Function of CIS
Function of CIS / ICS
Main Function of CIS / ICS
Organization (for example)
Some misconceptions . . .
We take regular backups
We have trained staff
Isn't it a dead investment?
We can operate without computers
It will not happen to us
We have insurance cover
It is not our main business and we accept the risk

Some missed comments . . .
Later.
Excellent! We will have it some day
Take care of it NOW
What are our techies doing?
We are not in NY
We will cross the bridge when we come to it
General Description of Risk
Risk: Natural, Unintentional, Intentional
E-Security: Physical Security, Logical Security, Network Access Security
Risk Evaluation
Disaster Event Scenarios
Risk Ranking of Functions: Critical, Vital, Sensitive, Non-critical
Varying Levels of Disaster: Non-disaster, Disaster, Catastrophe
Risk - Measures of Likelihood
Level  Likelihood      Definition
5      Almost Certain  Event is expected to occur during the next business cycle
4      Likely          Event will probably occur during the next business cycle
3      Possible        Event might occur at some time
2      Unlikely        Event could occur at some time
1      Rare            Event may occur only in exceptional circumstances
Measures of Consequence
Level  Consequence    Definition
5      Catastrophe    Long-term business objectives will be significantly impaired
4      Major          Significant impact on long-term business objectives
3      Moderate       Objectives will be affected and need more time to recover
2      Minor          Short-term business objectives may be hindered
1      Insignificant  Does not affect the long-term objectives of the business
Qualitative Risk Analysis Matrix (rows: likelihood; columns: consequence)
Likelihood      Insignificant  Minor  Moderate  Major  Catastrophe
Almost Certain  H              H      E         E      E
Likely          M              H      H         E      E
Possible        L              M      H         E      E
Unlikely        L              L      M         H      E
Rare            L              L      M         H      H
E = Extreme risk, H = High risk, M = Moderate risk, L = Low risk
Impact Analysis:
Loss of key staff
Loss of vital records
Global issues, such as a change in political climate
Difficulty of operational integration across borders
Disruption of importing and exporting functions
Critical labor relationships
New revenue streams
Supplier disruptions
Regulatory controls

Impact Analysis:
Extraordinary recovery expenses
Technology recovery requirements
Special recovery resource requirements
Critical disaster-specific information systems support
Internal and external dependencies
Existing and required work-around procedures
Insight into the organization's current state of preparedness
Impact Analysis: Decisions
Which business units, operations and processes are essential to the survival of the organization
How quickly essential business units or processes have to be back in operation before the impacts become catastrophic
What the most plausible recovery alternatives are to meet the recovery windows
What resources are needed to resume operations at a survival level for the essential parts of the business
What elements must be pre-positioned in order to meet the recovery windows
What will be reused and recovered, to what capacity levels, over what period of time
What changes, if any, need to be implemented in the supply chain, inventory and distribution management programs
How to address the organization's internal and external interdependencies
What recovery and continuity policies and procedures must be in place to address both a short-term disaster, such as a brief systems failure, and a long-term major property loss
Critical Recovery Time Period
Depends on the nature of the business
Applications to be recovered
End-user computing resources
Processing priorities

Critical Parameters
Critical Business Functions
Acceptable Recovery Time
Resources Committed
Major Divisions, Support Services, Business Operations, Data Processing Support
Business Continuity
Why is it the responsibility of senior management?
What are the components of a Business Continuity Plan?
Senior Management
User Management
User & Data Processing Procedures
Personnel who must respond to disaster scenarios are the most important
Key Decision-Making Personnel
Team Leaders
Equipment and S/W Vendors
Recovery Site Representatives
Network Re-routing Services
Offsite Media Custodians
Insurance Agents
Contract Services
Procedures
Emergency Action Procedure
Notification Procedure
Disaster Declaration
Systems Recovery
Network Recovery
User Recovery (Manual Procedures)
Salvage Operations
BCP & Reconstruction Methodologies: Teams
Emergency Action Team
Damage Assessment Team
Emergency Management Team
Offsite Storage Teams
Software Team
Application Team
Security Team
Emergency Operations Team
Computer Hardware Alternatives
Hot Sites: ready to operate within several hours; not for long-term extended use; include the network component
Warm Sites: partially configured with network connections, without the main computer
Cold Sites: site with only the basic environment
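Added example (not part of the original slides): a small Python module that encodes the likelihood and consequence scales and the qualitative risk matrix above, ranks a constructed register of business functions by rating and acceptable recovery time, and checks which standby-site type (hot, warm or cold) can meet each function's recovery window. The readiness hours per site type, the sample functions and their RTOs are this example's own assumptions; the slides only say a hot site is ready "within several hours".

```python
"""Qualitative risk rating and recovery-window check (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Scales from the slides (level 1..5).
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophe": 5}

# Risk matrix from the slides: one string per likelihood level (5 = Almost Certain),
# one character per consequence level, Insignificant (index 0) .. Catastrophe (index 4).
MATRIX = {5: "HHEEE", 4: "MHHEE", 3: "LMHEE", 2: "LLMHE", 1: "LLMHH"}
RATING = {"L": "Low", "M": "Moderate", "H": "High", "E": "Extreme"}
RATING_RANK = {"Low": 0, "Moderate": 1, "High": 2, "Extreme": 3}


def rate(likelihood: str, consequence: str) -> str:
    """Return Low/Moderate/High/Extreme for a (likelihood, consequence) pair."""
    row = MATRIX[LIKELIHOOD[likelihood]]
    return RATING[row[CONSEQUENCE[consequence] - 1]]


@dataclass(frozen=True)
class Scenario:
    function: str      # business function hit by the disaster scenario
    criticality: str   # Critical / Vital / Sensitive / Non-critical (the slides' ranking)
    rto_hours: float   # acceptable recovery time from the business impact analysis
    likelihood: str
    consequence: str


# ASSUMPTION: readiness of each standby-site type, in hours. The slides only say a hot
# site is ready "within several hours"; these figures are this example's own.
SITE_READY_HOURS = {"cold": 24 * 14, "warm": 48, "hot": 8}


def cheapest_site_meeting(rto_hours: float) -> Optional[str]:
    """Cheapest standby site (cold < warm < hot) whose readiness fits inside the RTO.
    None means even a hot site is too slow: the function needs a live alternate,
    not a standby site."""
    for site in ("cold", "warm", "hot"):
        if SITE_READY_HOURS[site] <= rto_hours:
            return site
    return None


def prioritise(scenarios: List[Scenario]) -> List[Scenario]:
    """Recovery order: highest risk rating first, shortest recovery window next."""
    return sorted(
        scenarios,
        key=lambda s: (-RATING_RANK[rate(s.likelihood, s.consequence)], s.rto_hours),
    )


def gaps(scenarios: List[Scenario], current_site: str) -> List[str]:
    """Functions whose acceptable recovery time the current site type cannot meet."""
    ready = SITE_READY_HOURS[current_site]
    return [s.function for s in scenarios if s.rto_hours < ready]


# Constructed sample register; not taken from the slides.
SAMPLE = [
    Scenario("Order entry", "Critical", 4, "Possible", "Catastrophe"),
    Scenario("Payroll", "Vital", 72, "Unlikely", "Major"),
    Scenario("Intranet wiki", "Non-critical", 24 * 14, "Likely", "Insignificant"),
    Scenario("Email", "Sensitive", 24, "Possible", "Moderate"),
]

if __name__ == "__main__":
    for s in prioritise(SAMPLE):
        rating = rate(s.likelihood, s.consequence)
        site = cheapest_site_meeting(s.rto_hours) or "no standby site fits"
        print(f"{s.function:14} {s.criticality:13} {rating:9} RTO {s.rto_hours:>5}h -> {site}")
    print("Not met by a warm site:", gaps(SAMPLE, "warm"))
```

The point the check makes is the one the slides make about hot sites: a standby site only counts as a recovery alternative if its readiness time sits inside the function's acceptable recovery time, so a Critical function with a four-hour window is a gap under every standby option and has to be covered some other way.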
Off-Site Facilities
Security and Control of Off-Site Facilities
Physical Access Controls
Environmental Monitoring & Control
Media and Documentation Backup
Periodic Backup Procedures
Frequency of Rotation
Various Media and Documentation Created
Inventory (list) must be maintained
Automated Tape Management System
Basic Premise
Senior Management Involvement
Cost Effective
Multiple Levels of Recovery
Disaster Recovery Plan
Drills, Upgrades and Audits
DRP Testing: Goals of Testing
To validate (and identify flaws in) plan procedures and strategies
To obtain information about recovery strategy implementation time
To demonstrate output performance of systems, networks and backup in recovery mode and compare it with the same in production mode
To demonstrate recovery plan adequacy to examiners, auditors and management
To adapt existing plans to encompass new requirements of the business
To familiarize recovery teams with their roles within the plan
Risk Management - final
General Description of BCP (Business Continuity Plan)
Business Continuity Planning: Prevention, Response, Resumption, Recovery, Restoration
BCP: the process of development, testing and maintenance of a plan, to assist the organisation to recover critical IT systems in an effective and efficient manner and ensure minimal business disruption
BCP vs. DRP
DRP (Disaster Recovery Plan): plan to recover from a disaster
BCP (Business Continuity Plan): plan for continuing the business in case of disasters and non-disasters
BCP Objectives:
Ensuring health and life-safety protection
Minimizing interruptions to business/service operations
Resuming critical operations within a specified time after a disaster
Minimizing financial loss
Assuring clients, customers, the community, suppliers, employees, shareholders and stakeholders that their interests are protected
Maintaining a positive public image of the organization
BCP Methodology
Risk Assessment - identifying and assessing threats and vulnerabilities
Business Impact Analysis - ascertaining the economic impact of disasters on business functions and processes
Planning - formulating a comprehensive plan covering the assets, employees and business goals
Implementation and testing - iterating on testing and refinement
Maintenance - reviewing on an ongoing basis to keep the plan up to date
Call Tree
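Added example (not part of the original slides): a Python walk of a call tree for the notification procedure. The tree, the named alternates and which people answer the phone are constructed for this example. It shows the two failure modes a call tree exercise has to handle: a team lead who does not answer is replaced by a named alternate, and when neither answers the caller keeps that lead's call list so nobody downstream is skipped.

```python
"""Call-tree walk for the notification procedure (added example)."""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# Constructed call tree: each person phones the people listed under them.
CALL_TREE: Dict[str, List[str]] = {
    "EMT lead": ["Damage assessment lead", "Offsite storage lead", "Software lead"],
    "Damage assessment lead": ["DA-1", "DA-2"],
    "Offsite storage lead": ["OS-1"],
    "Software lead": ["SW-1", "SW-2"],
}
# Named alternates for leads; a lead without an entry has no deputy in this example.
ALTERNATE: Dict[str, str] = {
    "Damage assessment lead": "DA deputy",
    "Software lead": "SW deputy",
}
# Constructed outcome of the exercise: who actually answers.
EVERYONE = {"EMT lead", "Damage assessment lead", "DA deputy", "DA-1", "DA-2",
            "Offsite storage lead", "OS-1", "Software lead", "SW deputy", "SW-1", "SW-2"}
REACHABLE = EVERYONE - {"Damage assessment lead", "Offsite storage lead"}

LogEntry = Tuple[Optional[str], str, str]   # (caller, person called, outcome)


def run_call_tree(tree: Dict[str, List[str]], alternate: Dict[str, str],
                  reachable: Set[str], root: str):
    """Walk the tree breadth-first from root; returns (reached, unreached, log).
    Rules: a person who answers takes over their own call list; otherwise their
    named alternate is called and takes over the list; if neither answers, the
    caller keeps the list, so nobody downstream is skipped."""
    reached: List[str] = []
    unreached: List[str] = []
    log: List[LogEntry] = []
    queue = deque([(root, None)])   # the root is "called" by the disaster declaration
    seen: Set[str] = set()
    while queue:
        person, caller = queue.popleft()
        if person in seen:
            continue
        seen.add(person)
        if person in reachable:
            reached.append(person)
            log.append((caller, person, "ok"))
            next_caller = person
        elif alternate.get(person) in reachable:
            deputy = alternate[person]
            unreached.append(person)
            reached.append(deputy)
            log.append((caller, deputy, f"alternate for {person}"))
            next_caller = deputy
        else:
            unreached.append(person)
            log.append((caller, person, "no answer"))
            next_caller = caller
        for callee in tree.get(person, []):
            queue.append((callee, next_caller))
    return reached, unreached, log


def calls_by(log: List[LogEntry], caller: Optional[str]) -> List[str]:
    """People a given caller ended up phoning; shows the load shifted by escalation."""
    return [person for c, person, _ in log if c == caller]


if __name__ == "__main__":
    reached, unreached, log = run_call_tree(CALL_TREE, ALTERNATE, REACHABLE, "EMT lead")
    for caller, person, outcome in log:
        print(f"{caller or 'disaster declaration':22} -> {person:22} {outcome}")
    print("reached:", reached)
    print("still to be reached by other means:", unreached)
```

Running the exercise this way gives two things the plan maintenance step asks for: the list of people who were never reached (candidates for an updated contact sheet or a new alternate) and the extra calls that landed on the lead at the top of the tree when a branch had no deputy.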
BCP - final (Business Continuity Plan, BCP)
General Description of BCM (Business Continuity Management)
BCM Business Continuity Management is the act of anticipating incidents which will affect mission critical functions and processes for the organization and ensuring that it responds to any incident in a planned and rehearsed manner.
Future Developments: BCM process
BCM Programme Management
Understanding Your Business
Business Continuity Management Strategies
Develop and Implement BCM Plans & Solution(s)
Building & Embedding a BCM Culture
Exercising, Maintenance and Audit
911 - Outcome
The McKinsey report estimated that business interruption costs totaled $1.8 billion and building damage costs reached $30 billion.
Trauma and stress affected the ability of personnel to perform effectively.
Companies had failed to update disaster recovery capacity requirements as their business needs grew.
Why BCM?
It is less expensive to avoid or mitigate a risk than to restore resources to "business as usual" after an interruption event.
If the business continues to operate in the face of an interruption event, it will keep its customers satisfied (and not lose them to the competition) and may pick up some new customers.
It may lower insurance costs and enhance the business's standing in the financial community.
Need for BCP
Organization/business survival might depend on it.
Interruptions cost money: downtime results in increased expenses, lost revenue and lost customers.
Contractual obligation: most large companies stipulate in their contracts that suppliers must deliver the services or products they have contracted for, no matter what.
Statutory requirement: many countries have made BCP a statutory requirement for running a business.
Need for BCM
Ever-growing dependence on IT: business and government cannot function if computers are inoperable.
For business, the stakes are high:
inability to serve customers, loss of goodwill, missed opportunities, inability to compete
direct financial loss due to the inability to conduct financial transactions or ship products
legal liabilities
Business & BCM
Business Continuity Management
BCM includes:
A project for development of the Business Continuity Plan
Disaster Recovery Procedures
Plan Testing
Documentation of Plans
Monitoring and updating
Assets Identification
Business Impact Analysis
Assets Classification
Alternate procedures
Cost-Benefit Analysis
Business Continuity Management
Disaster Recovery Procedures: recovery priorities; recovery arrangements
Plan Testing: paper test / walk-through / table-top test; preparedness test; system test; drills
Documentation of Plans
Business Continuity Management
Monitoring and updating: periodic testing; test results and adjustments
Changes in: assets; persons/team/contact details; environment; threats (new threats and vulnerabilities)
Maintenance of up-to-date documentation
DRP: Types of Test
Modular tests: test a set of procedures
Strategy tests: validate the entire strategy; determine implementation times of plan strategies
Parallel tests: validation of the recovery strategy's capability to handle the anticipated workload; establishing shift schedules for recovery operations
Mock disasters: a disaster scenario is articulated and recovery teams step through the procedures to cope with the interruption
Building Blocks of BCP
Teams and Responsibilities
Effective Communication
Recovery Strategy
Emergency Procedures
Prioritisation of Activities
Insurance
Cross-trained Personnel
Periodic Review and Updating
Testing and Administration
Proper Documentation
BCP - final: Part 1 BCM Infrastructure; Part 2 BCMS
General Description of BCM Flow
[Figure: BCM flow timeline. Phases: 0-1 hr; 1 hr-2 days; 2 days onward. Time axis ticks as shown: 1h, 2h, 20w, 4h, 8h, 12h, 24h, 48h, 1w, 2w, 4w, 8w, 12w]
Case Study-1
Case Study-2 (CS2): items 1-14; V.P.; CEO/CFO 2025
Case Study-3 (CS3): Emergency Response Team (ERT)
CS3 - ERP (Emergency Response Plans), each with its own SPEC NO.:
The safety & hygiene contingency plan for handling chemical leakage accidents
Emergency response plan for fire incidents
Natural disaster prevention and relief measure plan
Water shortage emergency response plan
Electric power interruption emergency response plan
Typhoon preparedness and emergency response plan
Emergency medical treatment contingency plan procedure
Contagious diseases contingency plan procedure
Emergency response plan for avian influenza
Emergency response plan for earthquake incidents
Case Study-4 (CS4)
PEST / SWOT analysis; Strategic Business Risks (SBRs); IT
Strategic Business Risks (SBRs): SBR1, SBR2, SBR3, SBR4, SBR5, SBR6
CS4 - IT/MIS Audit/Risk
IT environment: E-Business, ERP/MRP, PDM, Intranets, Extranets
IT security goals: Confidentiality, Integrity, Availability
E-mail
Security = Protect + Detect + Respond
2. ISMS (Information Security Management System)
CS4 - IT/MIS Audit/Risk: standards and references
ISO 17799 / BS 7799: security requirements originally published as a British Standard (BSI)
FISMA: information security requirements for the US federal government (Federal Information Security Management Act of 2002, with standards developed by NIST)
COBIT: requirements established by the Information Systems Audit and Control Association (ISACA)
IETF Site Security Handbook and User Security Handbook
CIS Benchmarks: minimum standards of due care from The Center for Internet Security, a world-wide standards consortium
The Top 20 Internet Security Threats from SANS
VISA's ten requirements for 21,000 organizations with the VISA logo
SAS 70 and SysTrust requirements established by the AICPA
CS4 - IT/MIS Audit/Risk: BS 7799-2
Case Study-5 (CS5): 0800011686 &
Case Study-6 (CS6): SARS & Bird Flu - ING SARS (SARS)
No risk is tolerable and "acceptable". Thank you so much for listening!