Business Continuity Planning (BCP) is the most suitable method to prevent or recover from risks. This paper documents the achievement of risk assessment and BIA in MyLinE, and the researcher intends to reach a comprehensive plan that can be applied to all IT services. Convenience, portability, lower cost and higher retention are the benefits of e-learning that have caused it to become very popular all over the world.
(IJCNS) International Journal of Computer and Network Security, Vol. 2, No. 10, 2010, p. 187

Adoption of Business Continuity Planning in IT Services, Case Study: MyLinE

Parvaneh Sarshar (1) and Mohd Zaidi Abd Rozan (2)
Universiti Teknologi Malaysia, Faculty of Computer Science and Information System
(1) sparvaneh2@live.utm.my, (2) mdzaidi@utm.my
Abstract: The importance of having information technology (IT) in every single part of any organization is undeniable; however, the systems integrated with it may face threats, hazards and risks. One of the most suitable methods to prevent or recover from risks is Business Continuity Planning. BCP was first introduced in IT departments, but since IT has become widespread it is now applied beyond the IT sector. The case study (MyLinE) was chosen by the researcher because BCP is not utilized in that organization, which was not capable of mitigating or even identifying existing vulnerabilities and threats; therefore this research was conducted to investigate the threats faced by MyLinE, the vulnerabilities exploited by those threats and, significantly, the impact of the incidents that may be caused by these factors. With the adoption of BCP in MyLinE, the level of threats and vulnerabilities was assessed and mitigation strategies were delivered to help MyLinE reduce the risk level. On the other hand, the Business Impact Analysis (BIA) which had been conducted illustrated the importance of the mitigation level based on the impact of each incident on the stakeholders. Finally, this paper has been developed to document the achievement of risk assessment and BIA in MyLinE, and the researcher intends to reach a comprehensive plan that can be applied to all IT services.

Keywords: Business Continuity Planning, risk assessment, BIA, IT services

1. Introduction

IT services have been facing unpleasant incidents or disasters from the moment of their birth, and there have always been many attempts to overcome these incidents. There are two kinds of incidents: premises-based incidents such as power outage, fire or flood, and service-based incidents such as email, venue facilities, network services and so on. Specialists have always been trying to defeat these threats to protect IT services; therefore a great many solutions have been continuously provided. One of the most powerful remedies used to overcome and recover from the likely risks and their impacts on the business before, during and after an incident or a disaster is Business Continuity Planning (BCP), which is studied in this research. Business Continuity Planning is a very essential tool used in many businesses, and the need for this plan in all organizations, especially for their IT services, is undeniable. Over the last ten years, some new concepts such as Computer Based Training and Computer Based Assessment have been introduced to the IT world, especially among academic organizations. Today, those terms are represented by "e-learning". Factors like flexibility, greater collaboration, convenience, portability, lower cost and higher retention are the benefits of e-learning that have caused it to become very popular all over the world.

There are many types of risk and challenge associated with e-learning, such as hacking, fire, Internet infrastructure outage, communication infrastructure outage and so on. The case study to be examined is an Online Resource for Learning in English called MyLinE. Since MyLinE, as an IT service and a sort of e-learning, is likely to be confronted with any of the risks that have been mentioned, and there is no suitable plan or strategy in the current service, we need some organized procedures that enable the organization to recover from a disaster which may cause interruption to the business, especially to its critical parts. Since MyLinE is being used by 20 universities and institutes all over Malaysia, interruptions in the system are not a wise option to confront.

2. Literature Review

British Standards (BSI) [1] defines BCP as a methodology used to develop a plan to maintain or restore business operations in the required time scales following interruption to, or failure of, critical business processes. In addition, in [2] it is stated that BCP is a documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical activities at an acceptable predefined level.

Like any other plan, BCP has objectives and goals when adopted by an organization; these include:
• avoiding financial ruin
• maintaining market share
• minimizing negative publicity
• identifying hazards that may affect critical functions or activities

Based on [9], the overall goals of a business continuity plan are to ensure that customers, trading partners and regulatory agencies maintain confidence in the business and to resume business as usual for employees as soon as possible.

Fulmer [4] says that the most common reasons for neglecting BCP are:
• lack of time and resources
• lack of top management support
• lack of money
• too many causes of disasters to plan for
• little awareness of potential hazards
• lack of knowledge in developing a plan
• lack of sense of urgency

Although in today's environment, where technology reaches into every corner of almost every organization, business continuity planning has become imperative, unfortunately it falls very low on a long list of IT priorities [5].

The difference between BCP and BCM (Business Continuity Management) is that BCP refers to Business Continuity Planning (a process) or a Business Continuity Plan (the documentation), and before an organization can develop a BCM program it should have BCP in place. BCM is inclusive of BCP activities as well as the on-going activities [14]. Figure 1 shows this difference.

Figure 1. Differences between BCP and BCM [14]

Since understanding the differences between different contingency plans such as BCP, DRP (Disaster Recovery Planning) or IRP (Incident Recovery Planning) has been a controversial issue, figure 2 from [13] shows these differences and the contingency planning steps so that they can be understood by everyone.

Figure 2. Contingency Plan steps

3. Framework

A wide variety of frameworks and models are available for business continuity planning (BCP) [10], [11], [7] and [8]. Except for the project initiation stage in BCP development, these models are not exactly the same in the other stages. effectively [6].

For this research, since there is not a specific framework that can suit all organizations, and BCP frameworks vary based on:
• the objectives,
• the type of the products and services that the company is delivering,
• the size of the organization,
the researcher decided to come up with a combination of some frameworks that can be best for MyLinE, which is an IT service.

This modified framework is a combination and modification of three different frameworks which have been retrieved from the literature review. The framework has five phases and is cyclic, which means that BCP never ends: the process continues and is kept updated.

Figure 3. Modified framework

3.1 Phase One: Project foundation

Project foundation or project initiation is the very first phase of developing a Business Continuity Plan. The most important factor for starting a Business Continuity Plan is having senior management support. To kick off the project, these steps are critical [12]:
• establish a business continuity working group and give it specific objectives,
• empower the group by including key business and technical stakeholders who have the decision-making authority to make it happen.

This phase of the framework has been derived from the MAMPU (Malaysia Administrative Modernization and Management Planning Unit) standard for BCM [15]. It consists of five sub-steps:

3.1.1. Purpose
In the very first step of each plan or project, the purpose of the project should be stated.

3.1.2. Objectives
In this sub-process the objectives of developing a BCP and implementing a suitable framework must be covered.

3.1.3. Scope
The scope of the plan should be defined.

3.1.4. BCM team structure
The members of the plan who are going to be engaged before, during and after a disaster should be identified.

3.1.5. Roles and responsibilities
All the responsibilities should be well defined and assigned to the responding employees. Training may be applied when needed.

3.2 Phase Two: Business Assessment

This phase has been retrieved from the British Standard [16] and consists of two very prominent sub-processes:

3.2.1. Risk Assessment
Risk Assessment is an evaluation of the exposures present in an organization's external and internal environment. It identifies whether or not the facility housing the organization is susceptible to floods, hurricanes, tornadoes, hacking, sabotage, etc. It then documents what mitigating steps have been taken to address these threats [3].

Based on [16], risk assessment consists of risk analysis and risk evaluation.
• Risk analysis should include:
1. identification of assets
2. valuation of the identified assets
3. identification of significant threats and vulnerabilities for the identified assets
4. assessment of the likelihood of the threats and vulnerabilities occurring
• Risk evaluation includes:
1. calculation and evaluation of risks based on a predefined risk scale

3.2.2. Business Impact Analysis
A BIA is an assessment of an organization's business functions to develop an understanding of their criticality, recovery time objectives, and resource needs. By going through a Business Impact Analysis, the organization will gain a common understanding of the functions that are critical to its survival. It will enable the client to achieve more effective planning at a lower cost by focusing on essential corporate functions [3].

The business impact analysis is an evaluation of the effects of extended outages on the ability to continue mission-critical business functions. The analysis is business-impact driven, and is both qualitative and quantitative. A business impact analysis should measure impacts on business elements including financial, operations, customers, regulatory compliance and long-term obligations [17].

3.3 Phase Three: Strategy selection

This phase is about selecting a strategy to mitigate the risks and vulnerabilities. One of the most important objectives of this phase is to decrease the total cost of the impact and of the chosen solution. This phase comes from the framework proposed by J.C. Barnes [3].

3.4 Phase Four: Plan development

In this step, the Business Continuity Plan for the case study will be delivered. This phase is also from J.C. Barnes' proposed framework [3]. When a disaster happens, only the companies with a powerful BCP can survive, so the phase of developing a comprehensive plan is very important. The objectives of a plan are to get the organization back into business as soon as possible and to keep the extraordinary expenses to a minimum. Two important steps in developing a plan are recovery team notification and documentation. In BCP the responsibilities are assigned to each member of the team, and the documentation of the plan should be very good and user friendly so that the members can understand their duties quickly in order not to waste any time.

3.5 Phase Five: Testing and maintenance

In this final step, which has been derived from J.C. Barnes' proposed framework [3], once the plan is completed and approved by senior management it needs to be tested to make sure that it works well. Testing is an important step, since it shows the planners and the team that the plan is accurate, but some organizations ignore or neglect to do it. In organizations with an exhaustive plan, testing is done every 6 months to once a year.

After making sure that the plan is working well, it should then be maintained. Most BCPs that are written are not maintained. Within a year or less the plan becomes useless because staff have changed, vendors are different, and the resources required to get the product out the door have evolved. By maintaining the plan on a regular basis, the organization will avoid the time required to create a plan from scratch and will be prepared whenever a disaster strikes.

4. Application and findings

Before proceeding with any analysis, it is very important to understand the case study, which is MyLinE at UTM. Interviews have been conducted with the MyLinE manager and the MyLinE admin. The goal of the interview is to find out the current situation of MyLinE towards risk, what they have done up to now to prevent or solve a disaster when it occurs, and how risky the system that they are housing is.

From this interview these results have been achieved:
• It is an online self-access resource for learning English to enhance English language communication skills among students at tertiary level.
• The goal of making it a self-access learning resource is that it persuades students to be responsible for their learning.
• MyLinE has lots of activities and learning and teaching resources to help students and lecturers improve their English proficiency.
• Currently MyLinE has over 200,000 users in 20 universities and institutes all over Malaysia.

A large number of users will be affected, the consequences are considered disastrous, and a disruption will definitely have a severe impact on the reputation of MyLinE and UTM. In addition, the threats are most likely to occur through technical problems and usually result in outages of more than 4 hours but less than 24 hours, but they may repeat frequently within 30 days. Besides, when a business disruption happens it causes delay and missed deliverables and it will affect all 20 universities, which shows that the risk level and vulnerability in MyLinE is definitely high.

The BCP framework illustrated in figure 3 has been applied to this case study. After developing the project foundation in the first step, two types of questionnaires were conducted: a threats and vulnerability questionnaire and a BIA questionnaire.

For identifying threats and evaluating the identified threats and vulnerabilities, a questionnaire with two phases was needed. Through factor analysis, the number of factors obtained from the questionnaire was reduced. For identifying the impact of the risks, a second questionnaire for BIA, in four different types for four different kinds of stakeholders, was developed. Based on this questionnaire, the respondents were asked to rank the impact that these risks could have on them if they occurred on the assets of MyLinE, based on the following scale:
1 → Almost no impact
2 → Moderate impact
3 → Significant impact

The result of the questionnaires and the analysis of the data is shown in appendix 1.

In step three, for the threats and vulnerabilities that were threatening MyLinE, some strategies are required that can mitigate these threats and the resulting impact of the risks on the system and stakeholders. Based on the vulnerabilities of MyLinE, the researcher came up with these strategies, and it is hoped that they can be useful in helping MyLinE prevent or overcome disasters.

In phase four, a comprehensive business continuity plan has been developed and submitted to the MyLinE manager, and the plan has been tested in phase five by the MyLinE employees; the required changes and strategies are being applied, some plan exercise programs have been established and then some training for employees was considered.

5. Conclusion

In this paper, several achievements have been obtained. From the interview, the current situation of MyLinE toward disasters and business continuity planning has been defined. From the literature review, the assets, threats and vulnerabilities that may threaten MyLinE have been identified. Soon after, via questionnaires, the valuation of assets, threats and vulnerabilities and the risk assessment have been conducted. From the questionnaires, the business impact analysis (BIA) has been delivered and finally, some useful mitigation strategies have been proposed by the researcher.

Since BCP is very critical for all organizations, especially for the ones that hold important information and data such as MyLinE, the researcher highly recommends to the MyLinE unit that they take BCP seriously, because the importance of having BCP in any organization has been proved.

Another recommendation is to consider the mitigation strategies that the researcher has suggested to them, and to try to adopt them based on their importance, priorities, budget and alignment with the mission, vision and goals of MyLinE. Finally, MyLinE staff should not neglect to update the existing BCP and test it regularly, so that it is always applicable; if a change occurs in the system, the BCP can be updated easily and it will not lead to losing the existing BCP and having to create a new one, which is very costly for all organizations.

References

[1] BSI, Information technology – Code of practice for information security management, BS ISO/IEC 17799:2000, BSI, pp. 56-60, 2001.
[2] BSI, Business continuity management – Part 2: Specification, BS 25999-2, 2007.
[3] J.C. Barnes, 'A Guide to Business Continuity Planning', John Wiley & Sons, Chichester, UK, 2001.
[4] Kenneth L. Fulmer, 'Business Continuity Planning: A Step-by-Step Guide with Planning Forms', Rothstein Associates, Third Edition, 2005.
[5] Susan Snedaker, 'Business Continuity and Disaster Recovery Planning for IT Professionals', Syngress Publishing, Inc., Burlington, MA, 2007.
[6] Roberta J. Witty, 'Research Roundup: Business Continuity Management and IT Disaster Recovery', Gartner, January 2009.
[7] Pitt, M. and Goyal, S., "Business continuity planning as a facilities management tool", Facilities, Vol. 22, No. 3/4, 2004, pp. 87-99.
[8] BCPG, PACE - Business Continuity Planning Guide (BCPG), Office of Government Commerce (OGC), London, UK, May 1998.
[9] Jim Hoffer, 'Backing Up Business - Industry Trend or Event', Health Management Technology, Jan. 2001.
[10] Elliott, D. et al., Business continuity management: a crisis management approach, Routledge, 2002.
[11] Savage, M., "Business continuity planning", Work Study, Vol. 51, No. 5, 2002, pp. 254-261.
[12] Wing Lam, 'Ensuring business continuity', 2002.
[13] Michael E. Whitman and Herbert J. Mattord, 'Management of Information Security', Course Technology - Cengage Learning, 2008.
[14] http://www.bcprm.com/demo/bcm/htmlhelp/ProjectManagement.htm, [online] (Retrieved on 10/12/2009).
[15] http://gcert.mampu.gov.my/doc, [online] (Retrieved on 15/04/2010).
[16] BSI, Information security management systems – Part 3: Guidelines for information security risk management, BS 7799-3:2006.
[17] Robert McDonald, 'New Considerations for Security Compliance, Reliability and Business Continuity', 2008.

Author's Profile

Parvaneh Sarshar received her B.S. degree in Computer Engineering from Azad University of Lahijan in 2008 and M.S. degree in IT-Management from University Technology Malaysia (UTM) in 2010. She is now doing research on the impact of social networks on different concepts and new ideas on BCP.
Mohd Zaidi Abd Rozan (Dr.) received
his B.Sc. (Hons.) in Physics & Comp w. Ed., and M.Sc. IT from Universiti Teknologi Malaysia (UTM), Malaysia. He received a Doctorate of Engineering (D. Eng) in Information Science & Control Engineering from Nagaoka University of Technology, Japan. He is also a PRINCE2 Certified & Registered Project Management Practitioner. Currently, he is the Head Department of Information Systems, Faculty of Computer Science & Information Systems, Universiti Teknologi Malaysia (UTM), and also the UTM MSc IT- Entrepreneurship (SKIT) Programme Coordinator. He is the Founder and Leader of PRIMELAB (Project Innovation Management & tEchnoentrepreneurship). His research interests are IT Project Management, Technopreneurship, Disaster Management, Profiling and Data Mining utilizing Multivariate Approach. He holds a Radio Amateur Licence, with callsign 9W2DZD.