Bcm Download

Posted: 02-Apr-2018

  • 7/27/2019 Bcm Download

    1/38

    Business Continuity Management
    A Practical Guide

    Stuart Hotchkiss

    BUSINESS CONTINUITY MANAGEMENT
    In Practice

    BCS, The Chartered Institute for IT

    Our mission as BCS, The Chartered Institute for IT, is to enable the information society.

    We promote wider social and economic progress through the advancement of information technology science and practice. We bring together industry, academics, practitioners and government to share knowledge, promote new thinking, inform the design of new curricula, shape public policy and inform the public.

    Our vision is to be a world-class organisation for IT. Our 70,000 strong membership includes practitioners, businesses, academics and students in the UK and internationally. We deliver a range of professional development tools for practitioners and employees. A leading IT qualification body, we offer a range of widely recognised qualifications.

    Further Information

    BCS, The Chartered Institute for IT
    First Floor, Block D
    North Star House, North Star Avenue
    Swindon, SN2 1FA, United Kingdom
    T +44 (0) 1793 417 424
    F +44 (0) 1793 417 444
    www.bcs.org/contactus

    BUSINESS CONTINUITY MANAGEMENT
    In Practice

    Stuart Hotchkiss

    © 2010 Stuart Hotchkiss

    Stuart Hotchkiss hereby asserts to the Publishers his moral right to be identified as the Author of the Work in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.

    All rights reserved. Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted by the Copyright Designs and Patents Act 1988, no part of this publication may be reproduced, stored or transmitted in any form or by any means, except with the prior permission in writing of the publisher, or in the case of reprographic reproduction, in accordance with the terms of the licences issued by the Copyright Licensing Agency. Enquiries for permission to reproduce material outside those terms should be directed to the publisher.

    All trade marks, registered names etc acknowledged in this publication are the property of their respective owners. BCS and the BCS logo are the registered trade marks of the British Computer Society charity number 292786 (BCS).

    Published by British Informatics Society Limited (BISL), a wholly owned subsidiary of BCS The Chartered Institute for IT, First Floor, Block D, North Star House, North Star Avenue, Swindon, SN2 1FA, UK. www.bcs.org

    ISBN 978-1-906124-72-4

    British Cataloguing in Publication Data.
    A CIP catalogue record for this book is available at the British Library.

    Disclaimer: The views expressed in this book are of the author(s) and do not necessarily reflect the views of BCS or BISL except where explicitly stated as such. Although every care has been taken by the authors and BISL in the preparation of the publication, no warranty is given by the authors or BISL as publisher as to the accuracy or completeness of the information contained within it and neither the authors nor BISL shall be responsible or liable for any loss or damage whatsoever arising by virtue of such information or any instructions or advice contained within this publication or by any of the aforementioned.

    Typeset by The Charlesworth Group.
    Printed at CPI Antony Rowe, Chippenham, UK

    CONTENTS

    About the author xi

    Abbreviations xiii

    Glossary xv

    Preface xxi

    Preamble xxiii

    INTRODUCTION AND PURPOSE 1

    Why have business continuity? 1

    What exactly is a continuity plan? 1

    Business continuity - planning or management? 2

    Why does continuity management fail? 3

    A real-life continuity plan 3

    Outages in practice 5

    The BCM lifecycle 6

    1 GENERAL ISSUES IN CONTINUITY MANAGEMENT 10

    Some terminology 10

    Standards 13

    Regulatory issues 15

    Availability, uptime and reliable components 15

    The downtime myth 16

    Application and asset approach 17

    It won't happen to us 18

    Disasters 18

    The cost of failure 19

    The cost of success 20

    Customer satisfaction 21

    Some industries are different 21

    2 IN PRACTICE THE FOUNDATIONS 23

    Company strategy 23

    Continuity strategy 24

    Business continuity policy 25

    Planning 26

    3 BUSINESS IMPACT ANALYSIS 28

    Introduction 28

    The objectives of the BIA 29

    14 ORGANISATIONAL ISSUES 90

    Where does BCM fit in an organisation? 90

    Keeping the plan up-to-date 91

    15 BUSINESS CONTINUITY AND THE CLOUD 93

    16 LESSONS TO LEARN 95

    17 CONCLUSION 97

    APPENDIX 1: REFERENCE DATA 98

    APPENDIX 2: TEMPLATES 102

    BIA questionnaire template 102

    Threat/risk questionnaire template 104

    INDEX 107

    LIST OF FIGURES AND TABLES

    Figure I.1 Causes of outages 5
    Figure I.2 Lifecycle of business continuity capability 7
    Figure 4.1 Heatmap comparing frequency and impact of threats 39
    Figure 4.2 Heatmap comparing impact of events with preparation 40
    Figure 4.3 Revenue loss projection 41
    Figure 5.1 Lifecycle of risk analysis and management 45

    Table I.1 Event: Water leak 4
    Table I.2 Assessing a risk scenario 8
    Table 1.1 Strategic statements and action plans 25
    Table 3.1 MTOs and daily revenues for product groups 31
    Table 3.2 Calculating revenue losses 33
    Table 3.3 Supporting functions 34
    Table 5.1 Probabilities of threats occurring 48
    Table 5.2 Probabilities multiplied by impact 49
    Table 6.1 Failure scenarios for ATM datacentre 55
    Table 7.1 Examples of risk scenarios 63
    Table 8.1 Procedure table 64
    Table 8.2 Example procedure 65
    Table 8.3 Example of procedure contacts list 67
    Table 9.1 Example of desk test results 70
    Table 9.2 Differences between desk test and live test actions 72
    Table 11.1 Responsibilities of managers for business continuity 79
    Table 11.2 Breakdown of product manager's role in business continuity 80
    Table 11.3 Communications matrix for major incidents 85
    Table 12.1 Internal communications matrix 87
    Table 13.1 Training plan 88
    Table A1.1 Overview of typical RTOs and RPOs for different sectors 98
    Table A1.2 Typical timescales for continuity strategies 99
    Table A1.3 Typical RTOs and RPOs for IT by levels of importance 100
    Table A2.1 Typical BIA questionnaire template 103
    Table A2.2 BCM threat/risk exposure questionnaire 104
    Table A2.3 Table for summarising threats and countermeasures 104
    Table A2.4 Table for summarising outages over last three years 105
    Table A2.5 Summary sheet for contingency plans 106

    ABOUT THE AUTHOR

    Stuart Hotchkiss is a business consultant in Hewlett Packard Technology Services EMEA. He has over 30 years of experience in IT from many domains, of which the last 16 have been in security and business continuity. This book shares some of that experience. The opinions in it are his alone.

    ABBREVIATIONS

    AS Australian Standards

    ATM Automated Teller Machine

    BCM Business Continuity Management

    BCP Business Continuity Planning

    BIA Business Impact Analysis

    CIA Confidentiality, Integrity and Availability (of data)

    CPU Central Processing Unit

    DR Disaster Recovery

    HR Human Resources

    IEC International Electrotechnical Commission

    ISO International Organization for Standardization

    ITIL Information Technology Infrastructure Library

    ITSCM IT Service Continuity Management

    LAN Local Area Network

    LOB Line of Business

    MTO Maximum Tolerable Outage

    NZS New Zealand Standard

    P&L Profit and Loss

    RPO Recovery Point Objective

    RTC Recovery Time Capability

    RTO Recovery Time Objective

    SAN Storage Area Network

    SPOF Single Point of Failure

    GLOSSARY

    Asset Physical items such as computer systems, vehicles and buildings. Resource has a broader definition (see below).

    Business Continuity Management (BCM) The process of developing and maintaining a complete business continuity plan which will ensure the continuity of a business when disruptions occur. BCM covers plan development based on the business impact analysis, the exercising of the plan and the regular updating of the plan to reflect new threats, risks and business circumstances.

    Business Continuity Plan (BCP) The documented procedures defining what happens when risk scenarios materialise. The plan should cover all scenarios and procedures and act as a guide when business disruption occurs. The business continuity plan is updated and maintained via the BCM process defined above.

    Business Impact Analysis (BIA) This is the process of determining which areas of a business have potential losses requiring mitigation and what controls are needed. Controls can reduce or, occasionally, eliminate risk and loss. Controls cost money and, in a BIA, the objective is also to balance the cost of these with ri