1 Business Continuity Management. Presenters: Miloš Kilibarda, Head of Security Department; Igor Kutlača, CISSP, Head of BCM Unit. May 2009.

2 WHY BCM? Gartner estimates that two out of five enterprises that experience a disaster will go out of business within five years. Enterprises can improve those odds – but only if they take the necessary measures before and after the disaster. Aftermath: Disaster Recovery, Gartner, September 2001

3 WHAT IS BCM?
BSI Code of Practice definition: “Holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation and value creating activities.”
Business continuity management can also be defined as a holistic management process that identifies potential threats and the impacts on business operations that those threats, if realised, might cause. It addresses the implementation of specific measures, mainly organisational, infrastructural and technological, that can guarantee the organisation's survival even if all, or only part, of the assets supporting its operational capability are lost.
Note: the deadline for BCP/DRP set by the NBS is end of June 2009.

4 BCM OBJECTIVES
- Provide an immediate and appropriate response to emergency situations
- Protect lives and ensure safety
- Reduce business impact
- Resume critical business functions
- Work with outside vendors during the recovery period
- Reduce confusion during a crisis
- Ensure survivability of the business
- Get “up and running” quickly after a disaster
- Fulfil the legal and regulatory requirements

5 BEFORE YOU START A BCM PROGRAM: FAMILIAR EXCUSES
- It will never happen to us.
- I'm sure that we could cope.
- You can't plan for the unforeseen.
- There are so many potential problems that it is impossible to have an effective plan.
- If we don't have a disaster we've wasted money.
- Isn't that why we have insurance?
- We are used to things going wrong.
- It really doesn't matter because in an emergency everyone will rally round and get things sorted out.
- I don't have the time; there are more important things to do.

6 BCM PROJECT
Risk analysis and solutions design:
- Phase 1 (Project initiation): write a policy that provides the guidance necessary to develop a BCP and that assigns authority to the necessary roles to carry out these tasks; obtain top management approval.
- Phase 2 (Business Impact Analysis): process mapping and analysis; identification of vital and critical processes; assessment of economic, regulatory and reputational impact; estimates of vulnerability and disaster probability; definition of a priority/relevance list of the processes involved.
- Phase 3 (Design of continuity solutions): definition of continuity solutions in relation to crisis scenarios; cost/benefit evaluation of investment alternatives; final report; map of processes, applications and technologies.
Solutions building and maintenance:
- Phase 4 (Solutions implementation): development of recovery processes; definition of the crisis management model; selection of suppliers and outsourcers; dissemination of the continuity plans and crisis management plans; staff training and creation of a BC culture; activation of periodic verification processes.
- Phase 5 (Test and verify): test planning and execution; assessment of the efficiency/effectiveness of the solutions; analysis of critical states discovered during testing.
- Phase 6 (Maintenance and development): evaluation of new critical processes; update or modification of plans; continuous training of staff.

7 BUSINESS CONTINUITY FRAMEWORK
The framework rests on the BCM Policy and combines:
- Technological solutions: Disaster Recovery and high-reliability systems
- Organizational solutions: Business Continuity Plan and Contingency Plan
- Infrastructural solutions: high availability of infrastructures
- Crisis Management Organizational Model
- Test and certification
- Maintenance

8 GOALS OF BCM
The main deliverables needed to meet the regulatory requirements:
- Business Continuity Plan (BCP): the documents and procedures which describe how to activate the business continuity solutions, how to manage crisis situations and how to return to standard operations.
- Crisis Management Organisational Model: a model which describes the roles, criteria and rules to address, coordinate and manage emergencies; should a crisis occur, it must guarantee the escalation of information and decisions to all levels of the organisation, ensuring coordinated managerial and operational control of the crisis.
- Disaster Recovery Plan: delineates all the technical and organisational procedures needed to overcome an interruption of IT services, applications or communications, or a loss of data, by recovering the systems at alternative sites.

9 RISK vs BCM

10 RTO, RPO
- Recovery Time Objective (RTO): how long can I afford to be without my systems and business-critical applications?
- Recovery Point Objective (RPO): how much data can I afford to recreate (or lose)? It denotes the time interval between the outage and when the last good copy of the data was made. Applications may remain down until some or all of that data has been recreated.

11 RTO AND THE BUSINESS IMPACT SCORE
Through the Business Impact Score we can correctly define the RTO (Recovery Time Objective), that is, the maximum acceptable time for the reactivation of the process. A correctly estimated RTO means a lower cost of realisation.
Chart: level of operations over time, marking the critical event, the activation of the solutions, the end of the crisis and the return to normal operations; the RTO spans from the critical event to the reactivation of the process.

12 OPERATIONAL RISK (Basel II)
Operational risk is defined by the Basel II Agreement as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”.
Business Continuity Management is focused on mitigating risks deriving from low-probability, high-loss events. Plotting probability against business impact gives four quadrants:
- High probability, low loss: Control
- High probability, high loss: Prevent
- Low probability, low loss: Accept
- Low probability, high loss: Plan (the risks/events targeted by BCM)

13 BUSINESS CONTINUITY SCENARIOS & SOLUTIONS
The BCM approach considers all the risk scenarios defined by standard guidelines and defines different types of solutions: technological, organizational and infrastructural. BCM is not only Disaster Recovery: it manages all the assets that support the business (human resources, processes, infrastructures, ...).
Crisis scenarios:
- Destruction / unavailability of buildings, from natural causes (e.g. earthquake) or human action (e.g. terrorist attack)
- Interruption of IT systems, internal or outsourced (e.g. malfunctions, hacking)
- Interruption of infrastructure systems (e.g. blackout, telecommunications (TLC) outage)
- Unavailability of essential workforce (e.g. strikes, epidemic)
- Loss of documentation or specific equipment (e.g. theft, fire, flooding)
Categories of solutions:
- Technological: Disaster Recovery (DR) and Dealing Rooms Campus; technological solutions that guarantee the continuity of information systems
- Organizational: Business Continuity Plan (BCP); organizational solutions that manage every single scenario (also to support the technological solutions)
- Infrastructural: high availability of infrastructures / critical services; solutions that manage the interruption of infrastructure systems (e.g. power supply, air conditioning, etc.)

14 THE SCOPE OF BCM ACTIVITIES
The combination of two dimensions determines the BCM coverage matrix, which is focused on the cases of higher impact.
Crisis scenarios (rows): interruption of IT systems (internal/outsourced); destruction / unavailability of buildings; interruption of infrastructure systems; unavailability of essential workforce; loss of data or specific equipment.
Severity levels (columns): Emergency 1, ordinary event; Emergency 2, extraordinary simple event; Emergency 3, extraordinary severe event; Emergency 4, crisis / disaster event.
Responses recorded in the matrix cells include: use of back-up data; contingency procedures; support by staff of the same office/service; preventive training of alternative resources; transfer of operations to another structure within the Bank (Quick Guides) or to an alternative back-up site; mitigation and damage adjustment; damage adjustment. The matrix also marks the area covered by Disaster Recovery.

15 RECOVERY SOLUTIONS
The recovery mechanism depends on your acceptable level of downtime and your budget. Ordered by recovery time (time to restore business operations) and by cost/complexity:
- Synchronous replication: continuous availability; recovery in minutes; highest cost/complexity
- Asynchronous replication: rapid recovery; recovery in hours
- Tape backup: recovery in days; lowest cost/complexity

16 RECOVERY SOLUTIONS: COST BALANCE
The BCM team must balance the cost to recover against the cost of the disruption. As the allowed recovery time grows, the cost to recover falls while the cost of the disruption rises; the balancing point becomes the Recovery Time Objective.
Chart: cost versus time, with the decreasing cost-to-recover curve and the increasing cost-of-disruption curve crossing at the Recovery Time Objective.
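The following is an added worked example (not part of the presentation, and not the presenters' bank's tooling) that ties slides 10, 15 and 16 together: each business process carries the RTO and RPO its BIA produced, each recovery tier has an achievable RTO/RPO and a yearly cost, and the code picks the cheapest tier that meets the requirement and, separately, the tier that minimises cost to recover plus cost of disruption. All tier figures, costs and processes are constructed illustrations, not data from the slides.

```python
"""Choosing a recovery solution from RTO/RPO requirements and the cost balance.

Added example: the tiers, costs and processes below are constructed figures,
not data from the presentation or from the presenters' organisation.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RecoverySolution:
    name: str
    rto_hours: float      # achievable time to restore business operations
    rpo_hours: float      # achievable data-loss window (time back to last good copy)
    annual_cost: float    # constructed: yearly cost to run the solution


@dataclass(frozen=True)
class Process:
    name: str
    rto_hours: float      # maximum acceptable time to reactivate the process (from the BIA)
    rpo_hours: float      # maximum acceptable data loss (from the BIA)
    loss_per_hour: float  # constructed: cost of disruption per hour of outage


# Constructed tiers following the ordering of slide 15:
# synchronous replication (minutes) > asynchronous replication (hours) > tape (days).
SOLUTIONS: List[RecoverySolution] = [
    RecoverySolution("synchronous replication", rto_hours=0.25, rpo_hours=0.0, annual_cost=500_000),
    RecoverySolution("asynchronous replication", rto_hours=4.0, rpo_hours=0.5, annual_cost=150_000),
    RecoverySolution("tape backup", rto_hours=48.0, rpo_hours=24.0, annual_cost=20_000),
]


def cheapest_meeting(proc: Process, solutions=SOLUTIONS) -> Optional[RecoverySolution]:
    """Cheapest tier whose achievable RTO and RPO are both within the process requirement.

    Returns None when no tier satisfies it: the BIA figures must then be revisited
    or a stronger tier procured, rather than silently accepting a gap."""
    fitting = [s for s in solutions
               if s.rto_hours <= proc.rto_hours and s.rpo_hours <= proc.rpo_hours]
    return min(fitting, key=lambda s: s.annual_cost) if fitting else None


def total_cost(proc: Process, sol: RecoverySolution, incidents_per_year: float = 1.0) -> float:
    """Cost to recover plus the cost of the disruption the tier still allows (slide 16)."""
    return sol.annual_cost + proc.loss_per_hour * sol.rto_hours * incidents_per_year


def balanced_choice(proc: Process, solutions=SOLUTIONS, incidents_per_year: float = 1.0) -> RecoverySolution:
    """The tier at which recovery cost and disruption cost balance is the one
    minimising their sum; its achievable RTO becomes the process RTO."""
    return min(solutions, key=lambda s: total_cost(proc, s, incidents_per_year))


def backup_meets_rpo(rpo_hours: float, backup_interval_hours: float) -> bool:
    """RPO is the interval back to the last good copy (slide 10): a periodic backup
    satisfies it only if its interval, the worst-case data loss, does not exceed the RPO."""
    return backup_interval_hours <= rpo_hours


if __name__ == "__main__":
    # Constructed processes with requirements from a hypothetical BIA.
    processes = [
        Process("payments", rto_hours=1.0, rpo_hours=0.0, loss_per_hour=200_000),
        Process("payroll", rto_hours=24.0, rpo_hours=4.0, loss_per_hour=5_000),
        Process("archive", rto_hours=72.0, rpo_hours=24.0, loss_per_hour=500),
    ]
    for p in processes:
        fit = cheapest_meeting(p)
        fit_name = fit.name if fit else "none"
        print(f"{p.name:9s} cheapest fitting: {fit_name:26s} cost-balanced: {balanced_choice(p).name}")
    print("6h backups meet a 4h RPO:", backup_meets_rpo(4.0, 6.0))
```

The two selectors deliberately answer different questions: `cheapest_meeting` enforces the BIA's requirement as a hard constraint, while `balanced_choice` is the slide-16 trade-off and can land on a tier the BIA would reject; when the two disagree, that disagreement is the conversation to have with management before the RTO is signed off.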

17 TECHNOLOGICAL SOLUTIONS: DISASTER RECOVERY
Banca Intesa, according to the approach described, is consolidating within the global BCM framework a technological and organizational solution to ensure the full recovery of IT services, based on reciprocal backup between four IT sites: Italy Site A and Site B, and Serbia Site A and Site B. The diagram labels a high-availability “dual-site” campus and the BIB DR site.

18 BUSINESS CONTINUITY LIFE CYCLE

19 WEAKNESSES IN BCM
- Inadequate senior management support.
- Insufficient financial support.
- Failure to take a holistic approach.
- Lack of clear understanding of the responsibilities for the initiation, development, implementation and ongoing management/maintenance of the plans and the process.
- Inappropriate ownership: by the BC manager rather than by line management.
- Failure to involve all relevant parties (for example internal audit).
- Inadequate contact with, and understanding of, the role of the emergency services.
- Poor risk analysis / business impact analysis.
- Insufficient or inadequate training/awareness.
- Insufficient or inadequate testing/exercising.
- Wrong balance between clear action plans and detailed operational plans.
- Inappropriate mechanism for keeping the plans current; documentation out of date.
- Plans do not reflect the latest organizational, systems, process or technological changes.
- Plans not held in a place where they are readily accessible when required.

20 ARE YOU READY FOR BCM?
- Do you have an active BCM programme?
- Is there a person responsible for managing the programme?
- Has a risk management/BCM culture been established?
- Has a risk analysis or BIA been done, and has management endorsed the priorities and criticality which that process has defined?
- Is there a crisis management team?
- If there is a serious incident, are you aware of your role?
- Do key executives know their roles in a crisis?
- Are you familiar with the basics of the business continuity plan?
- Do key executives have a copy of the plan at a location where it would be quickly accessible?
- Is the plan tested regularly?
- Does the plan deal with how to handle the media?
- Do contracts with key suppliers require that these organisations have a BCP?
- Are you aware of the arrangements for moving to alternative sites?
- Have the plans and processes been audited/appraised by external experts?

21 Thanks. Q & A