3 BCM Methodology


  • 8/13/2019 3 BCM Methodology


    CHAIYAKORN APIWATHANOKUL, CISSP, GCFA, IRCA:ISMS

    Business Continuity Management (BCM)


    Objectives

    Understand the objective and scope of BCM

    Understand the difference between BCP & DRP

    Understand what needs to be considered in developing BCP & DRP


    Business Continuity Management


    Low-chance, high-impact incidents have been a greater focus since the 9/11 incident

    [Figure: risk matrix with axes Impact and Possibility (L to H); regions rated Low, Medium and High]


    Definitions

    BS 25999-1:2006 Business continuity management

    Business continuity management (BCM): holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities

    BS 25777:2008 Information and communications technology continuity management

    ICT continuity: capability of the organization to plan for and respond to incidents and disruptions in order to continue ICT services at an acceptable predefined level


    Definitions

    BS 25999-1:2006 Business continuity management

    Business continuity plan (BCP): documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical activities at an acceptable pre-define

    BS 25777:2008 Information and communications technology continuity management

    ICT disaster recovery: activities and programs that are invoked in response to a disruption and are intended to restore.


    Disaster Recovery in the Context of a BCM Program

    Business Continuity Management: Set Policy, Emergency Operations Committee, Crisis Management Planning, etc.

    Disaster Recovery Planning (IT): Restore IT and critical facilities

    Business Continuity Planning (Business): Continue critical business functions


    Recent Standards/Guidelines

    Topic | Business | ICT
    Governance | GRC, COSO (ERM), CG | CobiT4.1 (ITG), ISO 38500:2008 (ITG), ISO 27014 (ISG), ISO 27001:2005 (ISMS)
    Risk | BS31100:2008 (RM), ISO31000:2008 (RM) | BS7799-3:2006 (ISRM), ISO13335-3,4:1998, ISO27005:2008 (ISRM), NIST SP800-30:2002 (ITRM)
    Continuity / Crisis | FEMA141:1993 (EM), PAS 56:2003 (BCI:BCMGPG), BS 25999:2006 (BCM), ISO/PAS 22399:2007 (Societal security) | PAS 77:2006 (ITSCM), BS 25777:2008 (ICTCM), ISO 24762:2008 (ICT DR), NIST SP800-34:2002 (ITSC:DRP), NIST SP800-34rev1:2009 (ITSC:DRP)
    Others | PAS 99:2006 (Integrated Management) | ITILv3, ISO 20000 (ITSMS)


    BCM linkage to multiple standards

    ISO27001: A.14 Business continuity management

    ITILv2: Service Continuity and Availability Management

    ITILv3: Service design: IT Service Continuity Mgmt

    ISO20000: Service Contingency and Availability Management


    Compliances

    ... HIPAA

    PCI-DSS

    Critical Infrastructure Act (US)


    BCM Lifecycle from BS 25999-1:2006


    BS 25777:2008 ICT Continuity Management


    From BS 25999-1:2006


    Key ICT continuity management timescales (BS 25777:2008)


    From ISO/PAS 22399:2007


    DRP / BRP Definition

    Disaster Recovery Planning

    Goals of DRP

    Business Resumption Planning


    BCP Definition

    Event occurred

    How serious?

    Plan?

    Prepared?

    Execute

    Improve


    Sources of Information

    Disaster Recovery Institute International (DRII)

    Business Continuity Institute (BCI) BCMGPG

    BS 25999 (BCM)

    BS 25777 (ICTCM)

    NIST SP800-34 (rev1): Contingency Planning Guide for Federal Information Systems


    Overview of BCP

    Direct Benefit

    Indirect Benefits

    Overlap with Risk Management

    BCM vs. BCP vs. COOP


    Traditional BCP Project Phases

    Project Scope Development and Planning

    Business Impact Analysis (BIA) and Functional Requirements

    Business Continuity and Recovery Strategy

    Plan Design and Development

    Implementation

    Restoration

    Feedback and Plan Management


    Business Continuity Plan Process - snapshot

    Appoint an owner

    Define the objectives and scope

    Develop and approve a planning process and timetable

    Create a planning team

    Decide the structure, format, components and content

    Determine the strategies and deferment to other plans

    Determine the circumstances that are beyond the scope

    Gather information

    Write and review the plan

    Schedule ongoing testing and maintenance

    Test the plan


    Overview of All BCP Steps

    1. Policy

    2. Program Management

    3. Understanding the Organization

    4. Determining Strategy

    5. Developing and Implementing Response

    6. Testing, Maintaining & Reviewing

    7. Embedding BCP


    2. Program Management

    Assigning Responsibilities

    Initiating BCP in the Organization

    Project Management

    Ongoing Management

    Documentation

    Incident Readiness & Response


    3. Understanding the Organization

    BIA Benefits

    Objectives

    Estimating Recovery Requirements

    Evaluating Threats (Risk Assessment)

    Indicators


    Understanding the Organization Overview

    Business Impact Analysis (BIA)

    Recovery Requirements Analysis

    Risk Assessment (RA)


    Business Impact Analysis (BIA)

    Identifies, quantifies and qualifies loss

    Scope & Support required

    Documents impact & dependencies

    Identify: Activities, Staff, Impact, Time

    Workshops, Questionnaires, Interviews

    Business justifications for budget

    Frequency: yearly


    Business Impact Analysis (BIA)

    Technique used for gathering and analyzing information needed for DRP

    Goal: identify critical business processes

    Recovery Plans

    Recovery Time Objectives (RTOs)

    Recovery Point Objectives (RPOs)

    Maximum Allowable Outage (MAO)

    Maximum Allowable Downtime (MAD)

    Maximum Tolerable Downtime (MTD)


    Estimating Continuity Requirements

    Total Budget for Disaster

    Accuracy of BIA

    Change in resource allocations

    How Much, How Long, Communication

    Identification of necessary resources

    What will be needed when

    Yearly or with BIA


    Cost Balance


    *Courtesy of the National Disaster Coalition


    INDUSTRY STANDARDS

    Industry Standard Tier Classifications (The Uptime Institute)

    Tier 4: Multiple active power and cooling distribution paths, redundant components, fault tolerant, 99.995% availability

    Tier 3: Multiple power and cooling distribution paths, but only one path active, redundant components, concurrently maintainable, 99.982% availability

    Tier 2: Single or multi path for power, single cooling distribution path, redundant components, 99.741% availability

    Tier 1: Single path for power and cooling distribution, no redundant components, 99.671% availability

     | Terminology | Definition
    10 | State-of-the-Art | Redundant power, redundant cooling, redundant UPS, redundant dedicated A/C, redundant generator, redundant fuel, weather & geographic facility hardening, disaster avoidance
    9 | Ultra-Reliable | Redundant power, redundant cooling, redundant UPS, redundant dedicated A/C, redundant generator, redundant fuel
    8 | Reliable-Redundant | Dedicated power & cooling, redundant UPS, redundant dedicated A/C, redundant generators
    7 | Reliable | Dedicated power & cooling, UPS, redundant dedicated A/C, generator
    6 | Isolated Mostly Reliable | Dedicated power & cooling, UPS, redundant dedicated A/C
    5 | Isolated Improved | Dedicated power & cooling, UPS, dedicated A/C
    4 | Isolated Conditioned | Dedicated power & cooling, conditioned power, dedicated A/C
    3 | Isolated Unreliable | Dedicated power & cooling, unconditioned power, dedicated A/C
    2 | Partially Isolated Unreliable | Dedicated power, shared cooling, unconditioned power, A/C
    1 | Unreliable | Shared building power & cooling


    SELECTION PROCESS


    CRITERIA | DESCRIPTION | RATING

    SITE LOCATION CRITERIA
    Site Location Specification | Downtown/city center, office/high tech park, suburban, industrial park, parking, shipping access, etc. | A
    Access to Facility | Remoteness/location of the facility. Requires more than one access road | A
    Environmental Disaster Avoidance | Requirements for the facility that it not be near earthquake/fault lines, tornado, not in 100 year flood plain, mudslide or rockslide area | B
    Distance from 880 (Data Center) | Not less than 50 Miles and up to 800 miles away. Tradeoff between communication latency issues, accessibility, and survivability. | B
    Market Location | Location of Recovery Center in a Tier I/II/III city. May impact cost and infrastructure considerations | B
    Geography | Rank Location for the facility within the United States. | C

    SECURITY CRITERIA
    Rights of Access | Provisions for DOE complete control of access to facility. | A
    Classified Processing | Provisions to meet DOE requirements for processing classified information. | A
    Physical control of facility | Physical control of facility for security reasons and immediate access. | B


    CRITERIA | DESCRIPTION | RATING

    FACILITY CRITERIA
    Tier 3 Facility | Tier 3 - Multiple power and cooling distribution paths, with only one path active, redundant components, concurrently maintainable, 99.98% availability. (DR Study Phase 1 requirement) | A
    Infrastructure | Electrical and telecommunications feeds, floor loading, raised floor height, available raised floor. | A
    General Building Specifications | Building Height, Class, Age, etc. | A
    Fire Suppression | FM-200 Fire Suppression System. DR Study Phase 1 Requirement | B
    Additional Conditioned Raised Floor | Additional raised floor to stage equipment on conditioned raised floor and area to support immediate growth. | B
    Primary Building Use | Primary use of building, i.e. laboratory, manufacturing, data center, recovery center, office, mixed use, other | B


    CRITERIA | DESCRIPTION | RATING

    USAGE CRITERIA
    Costs | Site cost, labor pool availability, proximity to 880, infrastructure, connectivity, etc. | A
    Length of Usage | Potential for restrictive time limits for use if using a commercial provider. | A
    Infrastructure Disaster Avoidance | Away from Airport, Highways, railroad tracks, electrical sub-stations. | A
    Political Considerations | Considerations based on external political factors | B
    Ownership | Sandia leased or owned, DOE leased or owned, military leased or owned and service provider leased or owned, lease expiration dates. | B
    Accommodations for Support Staff | Availability of hotels and long-term accommodations to house support staff potentially for extended periods of time. | B
    Food Catering Services | Availability of balanced meals should be available for an extended outage. | B


    4. Determining Strategy

    Determining BC Strategies

    Strategy Options

    Activity Continuity Options

    Resource Level Consolidation

    Indicators


    Recovery Alternatives

    Alternative | Description | Readiness | Cost
    Multiple processing / mirrored site | Fully redundant identical equipment & data | Highest level of availability & readiness | Highest
    Mobile site/Trailer | Designed, self-contained IT & communications | Variable drive time; load data & test systems | High
    Hot site | Fully provisioned IT & office, HVAC, infrastructure, & communications | Short time to load data, test systems. May be yours or vendor staff | High
    Warm site | Partially IT equipped, some office, data & voice, infrastructure | Days or weeks. Need equipment, data, communications | Moderate
    Cold site | Minimal infrastructure, HVAC | Weeks or more. Need all IT, office equipment, & communications | Lowest


    Processing Agreements

    Agreement | Description | Considerations
    Reciprocal or Mutual Aid | Two or more organizations agree to recover critical operations for each other. | Technology upgrades/obsolescence or business growth. Security and access by partner users.
    Contingency | Alternate arrangements if primary provider is interrupted, i.e., voice or data communications. | Providers may share paths or lease from each other. Question them.
    Service Bureau | Agreement with application service provider to process critical business function. | Evaluate their loading, geography and ask about backup mode.


    5. Developing and Implementing Response

    Incident Response Structure

    Incident Management Plan

    Business Continuity Plan

    Activity Response Plans

    Indicators


    Sample Call Tree


    6. Testing, Maintaining & Reviewing

    Test Program

    Testing BCP Arrangements

    Maintaining BCP Arrangements

    Reviewing BCP Arrangements

    Indicators


    Testing Types

    Types | Process | Participants | Frequency | Complexity
    Desk Check | Check the contents of the plan, aids in maintenance | Author | Often | LOW
    Walk through | Check interaction and roles of participants | Author & Main people | |
    Simulation | Includes: Business plans, Buildings, Communication | Main people & Auditors | |
    Activity testing | Moves work to another site. Recreates the existing work from the displaced site | Everyone at location | |
    Full | Shuts down and Relocate all work | Everyone at both locations | Rare | HIGH


    WHAT COULD POSSIBLY HAPPEN HERE?


    7. Embedding BCP

    Assessing Level of Awareness & Training

    Developing BCP within the Culture

    Monitoring Cultural Change

    Indicators


    Embedding BCP Overview

    Part of the culture

    Steps

    Assess

    Design

    Check


    Factors for Success

    Supported by senior management

    Everyone is aware

    Everyone is invested

    Everyone agrees


    Assessing the Level of Awareness & Training

    Where are we now?

    Training framework in place

    Measurement criteria

    Repeated frequently


    Developing BCP Within The Organization's Culture

    Training, Education, Awareness

    Define the Message

    Cost effective delivery

    Design, Delivery, Delivery


    BCP Summary

    Overview All Steps

    1. Policy

    2. Program Management

    3. Understanding the Organization

    4. Determining Strategy

    5. Developing and Implementing Response

    6. Testing, Maintaining & Reviewing

    7. Embedding BCP


    BCM

    ISO 27002 Control 14.1: Information Continuity management

    ISO 24762 ICT DR Services: Telecom, Power Supply, DR site, Asset Mgmt, Fire Protection, Vendor Mgmt, Logical Access Control, DR plan, Physical Access Control, Risk Mitigation

    ISO 27005: Risk Assessment


    ISO 24762 ICT DR Services: Telecom, Power Supply, DR site, Asset Mgmt, Fire Protection, Vendor Mgmt, Logical Access Control, DR plan, Physical Access Control, Risk Mitigation


    Question?