Beruflich Dokumente
Kultur Dokumente
Business continuity planning goes beyond disaster recovery planning to include the actions to be taken, resources required, and procedures to be followed to ensure the continued availability of essential services, programs, and operations in the event of unexpected interruptions.
2
Goal
to assist the organization/business to continue functioning even though normal operations are disrupted
Steps
Before disruption
During Disruption
After Disruption
Proactive rather than Reactive It is better to plan activities ahead of time rather than to react when the time comes
Maintain business operations Keep the money coming in Short and long term loss of business
The Problem Utility failures Intruders Fire/Smoke Water Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes) Heat/Humidity Electromagnetic emanations Hostile activity Technology failure
The Problem
Errors & Omissions Disgruntled employees Fire,water,electrical Outside Threats Dishonest employees
10% 10%
5%
50%
25%
The Problem Utility failures Intruders Fire/Smoke Water Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes) Heat/Humidity Electromagnetic emanations Hostile activity Technology failure
The Controls
Backed
up data Alternate equipment Alternate communications Alternate facilities Alternate personnel Alternate procedures
Key Elements
Disaster Recovery Business Recovery Contingency Planning Crisis Management
Corporate Policy
BCP Policy committed to undertake all reasonable and appropriate steps to protect people, property and all business interests is essential. Corporate policy should contain a definition of crisis Responsibility for systems ,resources and key business process should be clearly identified BCP team should include top senior leaders, major organizational functions and support groups, wide spread acceptance. Communicated throughout the organization
BIA
Any organizational impacts that could result from an interruption of normal operations should be examined. Identify critical process and document itpurchasing, manufacturing,supplychain Process should be ranked as HML Assess Impact if crisis were to Happen
Human cost Financial cost Corporate Image cost
Likelihood of Occurrence
Impact of Outage on Operations
System Interdependence
Revenue Risk Personnel and Liability Risks
Definitions
Threat
any event which could have an undesirable impact
Vulnerability
absence or weakness of a risk-reducing safeguard, potential to allow a threat to occur with greater frequency, greater impact, or both Exposure a measure of the magnitude of loss or impact on the value of the asset
Risk
the potential for harm or loss, including the degree of confidence of the estimate
17
Definitions
Quantitative Risk Analysis
quantified estimates of impact, threat frequency, safeguard effectiveness and cost, and probability Powerful aid to decision making Difficult to do in time and cost
Risk Analysis is performed as a continuum from fully qualitative to less than fully quantitative
18
Results
Loss impact analysis Recovery time frames
Essential business functions Information systems applications
Threats
Hardware failure Utility failure Natural disasters Loss of key personnel Human errors Neighborhood hazards Tampering Disgruntled employees Emanations Unauthorized access Safety Improper use of technology Repetition of errors Cascading of errors
Illogical processing Translation of user needs (technical requirements) Inability to control technology Equipment failure Incorrect entry of data Concentration of data Inability to react quickly Inability to substantiate processing Concentration of responsibilities Erroneous/falsified data Misuse
20
21
Combine potential loss & probability Magnitude of risk is the ALE (Annual Loss Expectancy) Guide to security measures and how much to spend
22
Personal Safety Risk Services Risk Operational Risk Revenue Risk Liability Risk Good Will (Societal) Risk
Loss of Lifelines
What will we do if there is not power?
No phone service?
No Water? Government services? How will the public react?
Develop Scenarios
How bad will the big one be? Extended Power, Water, or Telecom Outages? Supply Chain Disruptions? Civil unrest? Develop various scenarios and pick which ones to plan for.
Evaluating Alternatives
Functionality - provides an acceptable level of service Practicality - is reasonable in terms of the time and resources needed to acquire, test, and implement the plan Cost Benefit - cost is justified by the benefit to be derived from the plan
29
Identify resources required for recovery and resumption. ReSources personnel,hardware,software,specilised equipment, facility/space and critical records Backing up and storing critical and vital business records in a safe and accessible location is a prerequisite.
Risk assessment and BIA provide the foundation on which organisations BCP can rest.
Establishment of appropriate administrative structure to deal with crisis management. Clear definition of the management structure authority for decisions and responsibility for implementation. Should have crisis management team to lead incident response. Team should comprises of members of critical business process lead by senior management. Crisis mnagement team supported by response teams. Response plans to address various aspects of potential crises
Establishment of appropriate administrative structure to deal with crisis management. Clear definition of the management structure authority for decisions and responsibility for implementation. Should have crisis management team to lead incident response. Team should comprises of members of critical business process lead by senior management. Crisis mnagement team supported by response teams. Response plans to address various aspects of potential crises
33
34
Mitigation Strategies
Cost effective mitigation strategies should be employed to prevent or lessen the impact of potential crises. Securing equipments and tables by strapping to the wall preventation from earthquake ,Sprinkler systems can lessen the risk of fire ,a strong records management can mitigate the loss of key datas. Resources required for mitigation process should be identified. Systems and resources should be monitored continually as a part of mitigation startegy
MTD
Establish an estimate of the maximum tolerable downtime (MTD) for each business process. Determine how long process can be non functional before impacts becomes unacceptable Determine how soon process should be restored(Shortest allowable outage restored first) Identify alternate procedures to a process Evaluate costs of alternate procedures vs waiting for system to be restored Determine the priorities and processes for recovery of critical business processes.
Entrapment
Selected vulnerabilities made attractive
37
38
Remedial Measures
Alter environment Erect barriers Improve procedures Early detection Contingency plans Risk assignment (insurance) Agreements Stockpiling Risk acceptance
39
Remedial Measures
Fire
Detection, suppression
Water
Detection, equipment covers, positioning
Electrical
UPS, generators
Environmental
Backups
40
41
Custome rs
Conduit Organizations
Organization
Ve ndors
Contact Information
Contact information of crisis management team and response team should be maintained. Information should be updated regularly . Compliance audits should be conducted to enforce BCP Policies.
Emergency equipment
Protests/riots
Product or manufacture failure Hostile takeover Terrorism Lawsuits
Operational: Security officers check posts, employee awareness programmes, surveillance and counter intelligence Technological: Intrusion Detection, access control, cctv, package and baggage screening.
Legislative changes
Corporate policy changes Changes to competitive environment Changes to supply based environment Warning of natural disasters
Cash flow changes Potential for civil or political instability Hostile labor negotiations Strikes
Declare a Crisis
The point at which a situation is declared as a criisis should be clearly defined ,documented and fit every specific and controlled parameters.
Save lives and reduce chances of further injuries and deaths Protect assets Restore critical business processes and systems Reduce downtime Protect reputation damage
Communications
Effective communications is one of the most important ingredients in crisis management.
Identify the Audience Internal and external audience should be identified to convey crisis and organizational response. It is often appropriate to segment the audiences. Messages tailored specifically for a group can be released. Internal Audience
Communications
External Audience
Present and potential Customers/clients Contractors and vendors Media Govt and regulatory agencies
EMERGENCY RESPONDERS
Communications should be timely and honest An audience should hear the news from the organization Should provide objective and subjective assessment All employees should be informed at the same time Give bad news all at once do not sugar coat it Provide regular updates
Communications- Face to face meetings, News conference, Voice mail, Company intranet and internet sites, toll free hotline, special newsletter, local and national newspaper
Resource Management
Family Representatives : Family representative program in case of injuries and fatality. Family representative should be some one other than the Person who performed the notification. Link between the Organization and The Employees family.
Financial Support During the crisis there may be financial implications for the organization and the families of the employees. Implications may include financial support to victims family
Pay roll : Should be functional throughout the crisis.
Logistics
Logistical decisions made in advance will impact the success or failure of a good BCP Crisis Management Centre Should be identified in advance. This is the initial site used by the crisis management team and response team for directing and overseeing crisis management activities. It should have uninterruptible power supply, computer communication, heating and ventilating conditions system and other support systems. Emergency supplies should be identified and kept in the centre.
Access control system should be implemented with the members of team given 24x7 access.
A secondary Crisis management centre should be identified in the event that the primary centre is impacted due to the crisis
Logistics
Alternate Worksite Organization should have alternate worksite identified for business recovery and resumption. Offsite storage Allows rapid crisis response and business recovery. Critical documents and information are stored. Sufficient distance form the primary facility Financial and Insurance issue : Existing funding and Insurance policies should be examined ,additional funding and insurance coverage should be identified and obtained Amount of fund required for continuity of operations should be identified
Some cash and credit should be available for weekend and after office hours .
Insurance providers should be contacted as soon as possible.
Logistics
Transportation at the time of Crisis may be a challenge
Evacuation of personnel Transportation to an alternate site Supplies to an alternate site Transportation of critical data to alternate site Transportation of staff with special needs. Suppliers/Service Providers Critical vendor or service provider agreements should be established and contact information maintained. Evaluate their ability to provide necessary supplies and services in the case of far reaching crisis.
Identify resources that may be borrowed from other organizations during a crisis as well as mutual support that may be shared with other organization.
Damage and Impact assessment : Once the Crisis Management team is activated damage should be assessed . All incidents should be recorded and documented including the response actions.
Crisis Involving Physical Damage Crisis Management team should be mobilized at site .
Entry approval by Public safety authority. Make a preliminary assessment of the extent of damage and the likely length of time that the facility will be unusable.
Recovery
Once the extent of damage is known process recovery should be prioritized and a schedule for resumptions determined and documented.
Recovery
Once the extent of damage is known process recovery should be prioritized and a schedule for resumptions determined and documented.
Implementing plan
BCP is a living document ,evolutionary that grows and changes with the organization and remains relevant and actionable.
Educate and train only as valuable as others have the knowledge of it. Time commitment from all stakeholders
Crisis management team and response teams are to be trained at least annually , new members when they join Responsibilities and accountabilities authority should be clearly defined.
Trains team members Provides mechanism for maintaining/updating the plan Upper management comfort
LTU CISP Security 65
66
Test Monitoring
Test Monitoring Assign observers to take notes during the test. Video tape/Audio recording can be done .Assign to document events chronologically Testing scenarios should be designed using the events identified in the risk assessment
Participants should understand their individual roles and should be allowed to interact freely
After completion of exercise/test it should be critically evaluated, effectiveness of the test, desired level of goals attended.
LTU CISP Security 67
BCP should be reviewed and evaluated according to the predetermined schedule. Reviewed every time a risk assessment is carried out. Major trends in the sector or industry or any initiative taken should initiate a review. New regulatory requirement Test and exercise results.
Recovery
Once the extent of damage is known process recovery should be prioritized and a schedule for resumptions determined and documented.