Business Continuity Risk Management IT Service Continuity

Transcription

1 Business Continuity Risk Management IT Service Continuity The Three Musketeers All for one, one for all Author: Athol Culpan, Isaacs George and Ray Botardo

2 Agenda Introductions Athol Culpan Case Study Overview Athol Culpan Business Continuity Management (BCM) Isaacs George Risk Management Ray Botardo IT Service Continuity Management (ITSCM) Athol Culpan Challenges and Lessons Learned Panel (Athol, Isaacs & Ray) Conclusion Questions and Answers

3 Introductions Isaacs George Business Continuity Manager Datacom Public and Private sector experience including Consulting Business Continuity Institute (BCI Certified), PMP, ITIL Contact details: Mobile: Ray Botardo Process Team Manager Datacom Public and Private sector experience including Consulting CISM, PMP, COBIT 5, ITIL, ISO Contact details: Mobile: Athol Culpan IT Service Continuity Manager Public and Private sector experience including Consulting ITIL 3 Expert, Prince2 Practitioner, ISO Contact details: Mobile: athol.culpan@datacom.co.nz

4

5 Case Study Introduction Datacom needed to build an internal capability in the area of BCM and ITSCM. The benefits for doing this are as follows: Assisting Datacom customers with their BCM requirements where asked to do so Expectation from our customers to meet our contractual obligations in the case of a disaster Datacom subscribe to the ITIL Good Practice guidelines Strong investment by Datacom in BCM and Disaster Recovery

6 Datacom BCP Approach BCP Directive Datacom Systems Limited (DSL) New Zealand DSL WGTN DSL AKL DSL CHCH Common Risks Common Actions BU 1 BU 2 BU 3 Unit Specific Risks Unit Specific Actions BCP Information Dependencies ITSCM Planning

7

8 High Impact, Low Probability Events earthquakes, tsunamis, volcanoes

9 BC The Big Picture The relationship between BC, DR, Risk, Security and IT Management Risk Management Information Security Management Business Continuity Management Disaster Recovery (DR) IT Management

10 What is Business Continuity? What it s isn t it s not just Disaster Recovery (DR)! A holistic approach to identify potential threats/risks to an organisation and quantify the effects of those threats/risks if they eventuate Purpose is to build resilience in and protect sources of value in the organisation Resilience is the ability of an organisation to absorb, respond to and recover from a disruption or unexpected event To reiterate - BCM is holistic (applies to the whole organisation), cross-functional and cross-enterprise

11 Process and Approach - Based on the Business Continuity Institute s (BCI) Good Practice Guideline BCM Lifecycle

12 Terminology Recovery Time Objective (RTO) - How long business process can be without IT application before significant damage to finances or reputation occurs or where required by legal or regulatory requirements Recovery Point Objective (RPO) - How much data the business process can recreate or afford to loose Maximum Tolerable Period of Disruption (MTPD) - The maximum amount of time that the business can survive without the business process in any form (manual or automated)

13 Business Impact Analysis (BIA)

14 Dependencies for each business function

15

16 Risks Possibility that the threat can lead to a disruption or loss of service Can be specific to a business unit, or, common across several business units (e.g. fire, earthquake, theft, malware attack) Defined by: Severity (impact to the business) Occurrence (probability) Level of Control (practices, processes, technology) RPN (Risk Priority Number) = S x O x C

17 Risk Analysis Cycle Risk Mitigation Actions Avoid Accept Risk Treatment Transfer Mitigate Prioritize (RPN ranking) RPN= S x O x C Risk Rating (S,O,C) Severity Occurrence Level of Control Review Risks Identify Current Control Risk Scenario Threat Category Threat Identification Risk Identification Specific Unit or Multiple Groups? Environment Process People Technology

18 Risk Assessment

19

20 ITSCM Support overall Business Continuity Management (BCM) process by ensuring that the required IT resources can be recovered within business related agreed upon time frames Provide pre-determined levels of service under exceptional conditions Common responsibilities & Risk management Selection of options based on business requirements Definition of roles and responsibilities Alignment of IT recovery plans and BCM exercising (testing) Resources include hardware, software, staff, and physical environmental The technical and operational aspects of your total Business Continuity Plan

21 BCM and ITSCM ITSCM must be aligned to the Business Continuity Lifecycle ITSCM must be a part of the overall Business Continuity Plan and not dealt with in isolation ITSCM is the technical component of BCM IT Focus

22 Critical Business Process Recovery Metrics

23 How did ITSCM align with BCM ITSCM follow a similar approach to BCM except from a technology and IT systems perspective - ITSCM was able to leverage off the BIA exercise in DSL (ITSCM also participated in these exercises) The BIA helped identity what business processes were critical and what technology and IT Systems are required to support it. The RTO and RPO were determined by the business units (not IT) within DSL themselves and in this way could be matched to what was required in ITSCM Plans. The risk identification and management helped with determining risk mitigation and prevention from a technology perspective.

24 DR Planning &Testing DR Planning ITSCM prepares for the worst case scenario Not just how to recovery from a disaster but also how to return to normal How to prevent/minimize the disaster from occurring in the first place Investigates, develops and implements recovery options when a service interruption reaches a pre-defined point DR Exercises (Testing) Ensure that your processes and procedures will work in the event of a true disaster Types - Walk-throughs, Full tests, Partial tests, Scenario tests Involve IT and the business Defined objects and critical success factors Can t test everything

25 IT Service Continuity Management Yellowpages.mpg

26 Challenges and Lessons Learnt Challenges: Obtaining the required time from each business unit to explain the purpose of Business Continuity and how this is of benefit to them and the wider organisation. This is an additional task to their business as usual activities The time required to create the strategy and approach and roll this to all business units takes considerable time. Usually much longer than planned at the start! Lessons Learnt: Obtaining senior management buy-in and continued support is crucial to ensure the success of the whole BC programme of work Requires persistence and drive to push this programme through and show benefits to business units of applying BC eg their concerns/risks can be quantified and addressed by management

27 Challenges and Lessons Learnt Contracts with suppliers can be worthless in a major disaster Despite promises of rapid SLA s Despite penalty clauses that might apply should SLA s not be met Be Prepared: If Not: Develop systems that enable your business to be self sufficient for at least 48 hours (industry recommendation)

28 Conclusion Time for Q & A Thank You