Bcm Download
7/27/2019 Bcm Download
1/38
Business Continuity Management: A Practical Guide
Stuart Hotchkiss
BUSINESS CONTINUITY MANAGEMENT: In Practice
BCS, The Chartered Institute for IT
Our mission as BCS, The Chartered Institute for IT, is to enable the information society.
We promote wider social and economic progress through the advancement of information technology science and practice. We bring together industry, academics, practitioners and government to share knowledge, promote new thinking, inform the design of new curricula, shape public policy and inform the public.
Our vision is to be a world-class organisation for IT. Our 70,000 strong membership includes practitioners, businesses, academics and students in the UK and internationally. We deliver a range of professional development tools for practitioners and employees. A leading IT qualification body, we offer a range of widely recognised qualifications.
Further Information
BCS, The Chartered Institute for IT
First Floor, Block D
North Star House, North Star Avenue
Swindon, SN2 1FA, United Kingdom
T +44 (0) 1793 417 424
F +44 (0) 1793 417 444
www.bcs.org/contactus
BUSINESS CONTINUITY MANAGEMENT: In Practice
Stuart Hotchkiss
© 2010 Stuart Hotchkiss
Stuart Hotchkiss hereby asserts to the Publishers his moral right to be identified as the Author of the Work in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.
All rights reserved. Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted by the Copyright Designs and Patents Act 1988, no part of this publication may be reproduced, stored or transmitted in any form or by any means, except with the prior permission in writing of the publisher, or in the case of reprographic reproduction, in accordance with the terms of the licences issued by the Copyright Licensing Agency. Enquiries for permission to reproduce material outside those terms should be directed to the publisher.
All trade marks, registered names etc. acknowledged in this publication are the property of their respective owners. BCS and the BCS logo are the registered trade marks of the British Computer Society charity number 292786 (BCS).
Published by British Informatics Society Limited (BISL), a wholly owned subsidiary of BCS The Chartered Institute for IT, First Floor, Block D, North Star House, North Star Avenue, Swindon, SN2 1FA, UK. www.bcs.org
ISBN 978-1-906124-72-4
British Cataloguing in Publication Data. A CIP catalogue record for this book is available at the British Library.
Disclaimer: The views expressed in this book are of the author(s) and do not necessarily reflect the views of BCS or BISL except where explicitly stated as such. Although every care has been taken by the authors and BISL in the preparation of the publication, no warranty is given by the authors or BISL as publisher as to the accuracy or completeness of the information contained within it and neither the authors nor BISL shall be responsible or liable for any loss or damage whatsoever arising by virtue of such information or any instructions or advice contained within this publication or by any of the aforementioned.
Typeset by The Charlesworth Group. Printed at CPI Antony Rowe, Chippenham, UK
CONTENTS
About the author xi
Abbreviations xiii
Glossary xv
Preface xxi
Preamble xxiii
INTRODUCTION AND PURPOSE 1
Why have business continuity? 1
What exactly is a continuity plan? 1
Business continuity - planning or management? 2
Why does continuity management fail? 3
A real-life continuity plan 3
Outages in practice 5
The BCM lifecycle 6
1 GENERAL ISSUES IN CONTINUITY MANAGEMENT 10
Some terminology 10
Standards 13
Regulatory issues 15
Availability, uptime and reliable components 15
The downtime myth 16
Application and asset approach 17
It won't happen to us 18
Disasters 18
The cost of failure 19
The cost of success 20
Customer satisfaction 21
Some industries are different 21
2 IN PRACTICE THE FOUNDATIONS 23
Company strategy 23
Continuity strategy 24
Business continuity policy 25
Planning 26
3 BUSINESS IMPACT ANALYSIS 28
Introduction 28
The objectives of the BIA 29
14 ORGANISATIONAL ISSUES 90
Where does BCM fit in an organisation? 90
Keeping the plan up-to-date 91
15 BUSINESS CONTINUITY AND THE CLOUD 93
16 LESSONS TO LEARN 95
17 CONCLUSION 97
APPENDIX 1: REFERENCE DATA 98
APPENDIX 2: TEMPLATES 102
BIA questionnaire template 102
Threat/risk questionnaire template 104
INDEX 107
LIST OF FIGURES AND TABLES
Figure I.1 Causes of outages 5
Figure I.2 Lifecycle of business continuity capability 7
Figure 4.1 Heatmap comparing frequency and impact of threats 39
Figure 4.2 Heatmap comparing impact of events with preparation 40
Figure 4.3 Revenue loss projection 41
Figure 5.1 Lifecycle of risk analysis and management 45
Table I.1 Event: Water leak 4
Table I.2 Assessing a risk scenario 8
Table 1.1 Strategic statements and action plans 25
Table 3.1 MTOs and daily revenues for product groups 31
Table 3.2 Calculating revenue losses 33
Table 3.3 Supporting functions 34
Table 5.1 Probabilities of threats occurring 48
Table 5.2 Probabilities multiplied by impact 49
Table 6.1 Failure scenarios for ATM datacentre 55
Table 7.1 Examples of risk scenarios 63
Table 8.1 Procedure table 64
Table 8.2 Example procedure 65
Table 8.3 Example of procedure contacts list 67
Table 9.1 Example of desk test results 70
Table 9.2 Differences between desk test and live test actions 72
Table 11.1 Responsibilities of managers for business continuity 79
Table 11.2 Breakdown of product manager's role in business continuity 80
Table 11.3 Communications matrix for major incidents 85
Table 12.1 Internal communications matrix 87
Table 13.1 Training plan 88
Table A1.1 Overview of typical RTOs and RPOs for different sectors 98
Table A1.2 Typical timescales for continuity strategies 99
Table A1.3 Typical RTOs and RPOs for IT by levels of importance 100
Table A2.1 Typical BIA questionnaire template 103
Table A2.2 BCM threat/risk exposure questionnaire 104
Table A2.3 Table for summarising threats and countermeasures 104
Table A2.4 Table for summarising outages over last three years 105
Table A2.5 Summary sheet for contingency plans 106
ABOUT THE AUTHOR
Stuart Hotchkiss is a business consultant in Hewlett Packard Technology Services EMEA. He has over 30 years of experience in IT from many domains, of which the last 16 have been in security and business continuity. This book shares some of that experience. The opinions in it are his alone.
ABBREVIATIONS
AS Australian Standards
ATM Automated Teller Machine
BCM Business Continuity Management
BCP Business Continuity Planning
BIA Business Impact Analysis
CIA Confidentiality, Integrity and Availability (of data)
CPU Central Processing Unit
DR Disaster Recovery
HR Human Resources
IEC International Electrotechnical Commission
ISO International Organization for Standardization
ITIL Information Technology Infrastructure Library
ITSCM IT Service Continuity Management
LAN Local Area Network
LOB Line of Business
MTO Maximum Tolerable Outage
NZS New Zealand Standard
P&L Profit and Loss
RPO Recovery Point Objective
RTC Recovery Time Capability
RTO Recovery Time Objective
SAN Storage Area Network
SPOF Single Point of Failure
GLOSSARY
Asset: Physical items such as computer systems, vehicles and buildings. Resource has a broader definition (see below).
Business Continuity Management (BCM): The process of developing and maintaining a complete business continuity plan which will ensure the continuity of a business when disruptions occur. BCM covers plan development based on the business impact analysis, the exercising of the plan and the regular updating of the plan to reflect new threats, risks and business circumstances.
Business Continuity Plan (BCP): The documented procedures defining what happens when risk scenarios materialise. The plan should cover all scenarios and procedures and act as a guide when business disruption occurs. The business continuity plan is updated and maintained via the BCM process defined above.
Business Impact Analysis (BIA): This is the process of determining which areas of a business have potential losses requiring mitigation and what controls are needed. Controls can reduce or, occasionally, eliminate risk and loss. Controls cost money and, in a BIA, the objective is also to balance the cost of these with ri