How to Derive Value from Business Continuity Planning


Slide 1: How to Derive Value from Continuity Planning
Presented by Randall J. Till, Principal, Till Continuity Group
Spring World 2011, Disaster Recovery Journal, March 28, 2011

Slide 2: BCM Challenges
- BCM funding is limited or shrinking
- BCM doesn't have organizational commitment
- BCM is targeted for reductions
(Graphic: "Economic Downturn" set against "Continuity")

Slide 3: BCM Drivers
(Diagram: the release cycle/change process runs Development, Testing, Production Implementation; the DR exercise cycle runs a DR Exercise (Y/Y) followed by 2-4+ weeks of Plan Update, Exercise and Publication; between the two sits the recovery system risk exposure)
- BCM updates tied to tests or exercises
- BCM managed as an annual project
Risks: services and systems are always changing, while BC/DR plans and environments remain unchanged waiting for an exercise date or a project deliverable.

Slide 4: BCM Approach
- Plan to pass audits and meet regulatory compliance: poor investment
- Embrace audits and exceed regulatory compliance: valuable investment

Slide 5: BCM Approach - Siloed Practices
(Diagram: separate Risk, Crisis, Disaster Recovery and Continuity plans)
- Disjointed
- Lacks integration
- Embroiled in politics

Slide 6: Plan Execution and Coordination
- Planning is focused on "How to build the plan"
- We don't focus on "How to execute the plan"
- Execute on the fly: chaos, stress, impacts

Slide 7: Business Continuity Management (BCM) Program
(Diagram: BC Program Governance at the center, surrounded by Risk Management (RM), Business Continuity (BC - work area recovery), Crisis/Emergency Management (CM/EM) and Disaster Recovery (DR - system recovery))
- Each organization is unique
- Different levels of responsibility
- Each BCM program is at a different level of maturity
- BCM is a long journey

Slide 8: Continuity Planning Cycle
BCM Planning Cycle: Assess, Prioritize, Address Changes, Implement, Approve Plan, Train Personnel, Test/Exercise, Maintain Readiness, Maintain

Slide 9: Focus of Today's Discussion
(Timeline: Dec, then Jan through Dec 2011, then Jan 2012)
BCM Governance:
- Oversight of BCM program
- Sets direction and expectations
- Buy-in and endorsement
2011 BCM Planning Cycles:
1. Pre-Cycle
2. Planning Cycle
3. Post-Cycle
- Planning processes and procedures
- Deliverables and time tables
- Planning cycles for BCM (CM, BC, DR)

Slide 10: Continuity Pre-Cycle

Slide 11: BCM Program Governance
BCM Governance / Business Continuity Steering Committee:
- Ownership
- Responsibility
- Commitment
- BCM strategic direction
- Educate
- Metrics
- Reporting structure

Slide 12: BCM Ownership and Execution
Ownership: Corporate Headquarters, IT Headquarters, Europe, Asia Pacific, Latin America
Coordination: Division Coordinators (Primary) for Finance, Marketing, Sales, Customer Services, HR, Legal and IT; Regional Coordinators (Secondary)
Facilitation: Continuity Planners, producing BC Plans, CM Plans and DR Plans

Slide 13: Continuity Pre-Cycle Timeline
(Timeline: Dec, then Jan through Dec 2011, then Jan 2012)
Continuity Oversight (BC Steering): BCM Objectives; 2011 Cycle Deliverables; 2011 Cycle Communication
Continuity Planning Cycles: Develop 2011 Cycle Definition; Cycle Kickoff (Objectives, Processes, Meetings with Coordinators); Develop Tools (Planning Strategies, Templates, Metrics)

Slide 14: Continuity Planning Cycle

Slide 15: Crisis/Emergency Management (CM/EM)
(Diagram, with Crisis at the center, from the perspective of an incident)
- Assessment of incident
- Notification & assembly
- Communications
- Decisions - activation
- Life safety - first response

Slide 16: Value of Crisis/Emergency Management
CM Organization & Plans:
- Enterprise-wide
- Assign responsibilities
- Setup command centers
- Train people
- Practice roles and procedures
- National Incident Management System (NIMS)

Slide 17: Crisis Planning Strategies
Office Type | Crisis Team Assigned*
Corporate and Core Offices | Corporate Incident Response Team (CIRT); Local Incident Response Teams (LIRT); Initial Assessment Teams (IAT)
Regional and Select Offices (offices with significant # of people/operations) | Local Incident Response Teams (LIRT); Initial Assessment Teams (IAT)
Smaller Offices | Initial Assessment Teams (IAT)
* Based on ICS structure

Slide 18: Crisis Cycle Matrix
Deliverables | Corporate/Core CIRT/LIRTs | Regional/Select LIRTs | Smaller IATs | Due Dates
CIRT/LIRT Notification Tests | 2 | 2 | 0 | During exercises
CIRT/LIRT Functional Group Training | 1 | 1 | 0 | Apr, Sept
CIRT/LIRT Scenario Based Exercise | 1 | 0 | 0 | NY 8/30, Dallas 04/15, SF 10/20
LIRT Self Exercise | 0 | 1 | 0 | May, Aug
IAT Notification Tests | 3 | 2 | 1 | Mar, Jun, Sept
IAT Training | 1 | 1 | 1 | Mar, Jul
IAT Exercises/Self Exercises | 2 | 2 | 1 | May, Sept

Slide 19: Business Continuity Planning (BC)
(Diagram of Business Continuity (BC - work area recovery): a Department (People, Processes & procedures, Information) delivers the Functions that make up a Service; the functions depend on Systems/applications, each backed by a DR System, on Technology, and on Dependencies such as Customers and 3rd parties/vendors)

Slide 20: Value of Business Continuity
(Diagram, with BC - work area recovery at the center)
- Protection of critical assets
- Access to critical information
- Customer communications
- Interdependencies
- Recovery locations
- Process analysis
- Process improvement
- Office infrastructure

Slide 21: BC Planning Strategies
Office Type | BC Planning Levels
Corporate/Core Offices | BC planning at business function level
Regional and Select Offices | BC planning at department level
Smaller Offices | BC planning at office level

Plan Criticality | Recovery Times and Facilities
Essential Plans | Critical business functions, RTO < 7 days; recovery facilities pre-established
Deferred Plans | Less critical business functions (RTO > 7 days); no recovery facilities established

Slide 22: Continuity Planning Cycle Deliverables
Deliverables | Core | Key | Small | Start Date | End Date
Business Impact Analysis (BIA) Review (Ess/Def) | Y | Y | Y | 1-Mar | 31-Mar
BIA Sign-off by Senior Leader | Y | Y | Y | 1-Mar | 31-Mar
Plan Review/Update (Ess/Def) | Y | Y | N/A | 1-Apr | 30-Jun
Continuity Manual Review/Update | N/A | Y | Y | 1-Apr | 30-Sep
Plan Roster Review/Update (Ess/Def - Qrtly) | Y | Y | Y | Jan, Apr, Jul, Oct
Work From Home Validation (Ess/Def) | Y | Y | Y | 15-Mar | 31-Jul
Team Activation Exercise (Ess/Def) | Y | Y | Y | 1-Apr | 30-Sep
Plan Walkthrough Exercise (Ess/Def) | Y | Y | N/A | 1-Apr | 30-Sep
Recovery Site Exercise (Ess only) | Y | N/A | N/A | Office-1: Jun 21/Sep 13; Office-2: May 17/Aug 7; Office-3: Jun 1/Nov 22

Slide 23: Continuity Planning Cycle
(Timeline, Mar through Oct)
- BIA Reviews
- BIA Sign-offs
- Plan Review/Updates
- BC Manual Review/Updates
- W-F-H Validation
- Alternate Site Functional Exercise
- Team Notification Tests
- Plan Walkthrough Exercises
- Alternate Site Functional Exercise
- Roster Updates (Quarterly)
- End-user Training

Slide 24: Disaster Recovery (DR) Planning
(Diagram of Disaster Recovery (DR - system recovery): Primary Site and Alternate Site, each with Shared Disk, linked by Networks, with Data Backup; labels for DR Strategy, DR Testing and Cost Reductions)

Slide 25: Value of Disaster Recovery
(Diagram: Primary Site DB and Alternate Site DB, with Live Switches, Co-processing, Virtualization and Cloud Computing)
- Reduce recovery objectives
- Reduce loss of data
- Less planned outages
- Improve DR system design
- Utilize resources
- Enhance operating flexibility

Slide 26: DR Planning Strategies
Data Centers | Planning & Exercises
Primary Data Center (Internal Control) | Full DR plans for Tier 1 & 2 systems; full functional exercises for Tier 1 systems
Co-location Data Center | DR plans for Tier 1 & 2 systems; coordinated DR exercises with provider
Outsourced Processing | DR plans oversight and evaluation

DR Plan Criticality | Recovery Times and Facilities
Tier 1 Systems | Critical systems, RTO = 0-3 days; hot recovery site established
Tier 2 Systems | Critical systems, RTO = 4-14 days; DR plans developed, warm recovery site
Tier 3 Systems | Critical systems, RTO > 14 days; no recovery site established

Slide 27: Disaster Recovery Planning Cycle Deliverables
Deliverables | Tier 1 | Tier 2-3 | Start Date | End Date
System Impact Analysis (BIA) Review (Tier 1, 2 & 3) | Y | Y | 1-Mar | 31-Jul
BIA Sign-off by Tech Owner and Business Owner | Y | Y | 1-Mar | 31-Jul
Recovery Plan Reviews | Y | Y | 1-Apr | 31-Oct
Technical Recovery Manual Review/Update | Y | Y | 1-Sept | 31-Oct
Plan Roster Review/Update (Quarterly) | Y | Y | Jan, Apr, Jul, Oct
Team Activation Exercise | Y | Y | 1-Apr | 30-Sep
Plan Walkthrough Exercise | Y | Y | 1-Apr | 30-Sep
Disaster Recovery Exercise (Tier 1) | Y | N/A | Primary DC: Jun/Sep; Secondary DC: May/Aug; Secondary DC: Jul/Oct; Remote DC: Aug; Remote DC: July

Slide 28: Continuity Cycle Timeline
(Timeline: Dec, then Jan through Dec 2011, then Jan 2012)
Continuity Oversight (BC Steering): New requirements; Escalations to BC Steering
Continuity Planning Cycles: Manage CM, BC, DR Planning Cycles; 2012 Budgets and Plans; Crisis Planning Cycle; Continuity Planning Cycle; Technical Recovery "DR" Planning Cycle

Slide 29: Continuity Planning Post-Cycle

Slide 30: BCM Metrics
- Gain commitment
- Show readiness
- Meet compliance
Scoring bands: Below Expectations < 6.0; Partially Meets Expectations 6.0 to < 8.0; Meets Expectations 8.0 and above

Slide 31: Build Measurements into Cycle
Action plan underway:
- Establish BRP ownership
- Build management relationships
- Enhance Continuity Plans
- Practice & test plans
Scoring bands: Below Expectations < 6.0; Partially Meets Expectations 6.0 to < 8.0; Meets Expectations 8.0 and above

Slide 32: Measurements Based on BCM Cycles
(Three cycle matrices shown side by side: the Crisis Cycle Matrix below, the Continuity Cycle Matrix of slide 22 and the Disaster Recovery Cycle Matrix of slide 27)
Crisis Cycle Matrix
Deliverables | Corporate/Core CIRT/LIRTs | Regional/Select LIRTs | Smaller IATs | Due Dates
CIRT/LIRT Notification Tests | 2 | 2 | 0 | During exercises
CIRT/LIRT Functional Group Training | 1 | 1 | 0 | Apr, Sept
CIRT/LIRT Scenario Based Exercise | 1 | 0 | 0 | May & Oct
LIRT Self Exercise | 0 | 1 | 0 | May, Aug
IAT Notification Tests | 3 | 2 | 1 | Mar, Jun, Sept
IAT Training | 1 | 1 | 1 | Mar, Jul
IAT Exercises/Self Exercises | 2 | 2 | 1 | May, Sept

Slide 33: BCM Inculcation
System project track: Define Requirements; Design and Develop System; Perform System and Integration Testing; Implement Production System; Continue to Maintain the Recovery System & Environment
Recovery track, aligned to each project step: Perform BIA; Update Recovery Matrix; Design and Develop Recovery Capabilities; Test Recovery Capabilities and Develop Plans; Implement Recovery Capabilities; Integrate into Contingency Exercises; Contingency Exercise Suite; Perform Exercise Assessment
Result: Assimilation; Repeatability; Reduces politics

Slide 34: Redesign Testing & Exercise Requirements
Redesign Testing Requirements: the system release cycle (Requirements, Design, Development, Testing, Production) is matched by Recovery System Analysis, Plan Update and Recovery Test, with the System Update Process feeding a Recovery System Update Process
Recovery System Update Process:
- Recovery system analysis meetings
- Recovery plan updates
- Procedure validation
- Owner sign-off on recovery status
Modify Exercise Program:
- Modify exercise approach to focus on core services
- Conduct ad-hoc DR exercises (limit size and scope)
- Test DR plans for deferred systems

Slide 35: Maintenance Processes and Cycles
Reliable information:
- Establish schedule
- Define responsibilities
Dynamic, significant volume of data:
- Automate
- Reuse data - single source
- Develop/streamline processes

Slide 36: Continuity Post-Cycle Timeline
(Timeline: Dec, then Jan through Dec 2011, then Jan 2012)
Continuity Oversight (BC Steering): BOD Endorsement
Continuity Planning Cycles: Develop 2011 Reports; Develop 2012 Objectives; Emergency Planning Cycle; Recovery Planning Cycle; Technical Recovery "DR" Planning Cycle; Maintenance Cycles; Plan and Exercise Evaluations

Slide 37: Value of BCM Planning Cycle
Continuity Program:
- Defines measurable BCM requirements
- Inculcates BCM practices into business culture
- Provides mechanism to educate BCM
- Sets BCM deliverables into business cycles
- Makes BCM processes consistent & repeatable
- Leads to BCM Program Maturity

Slide 38: Continuity Cycle - Full Timeline
(Timeline: Dec, then Jan through Dec 2011, then Jan 2012)
Continuity Oversight (BC Steering meetings through the year): 2011 Objectives; 2011 Cycle Deliverables; 2011 Cycle Communication; New Requirements; Escalations to BC Steering; BOD Endorsement
Continuity Planning Cycles: Develop 2011 Cycle Definition; Cycle Kickoff (Objectives, Processes); Develop Tools (Planning Strategies, Templates, Metrics); Manage CM, BC, DR Planning Cycles; 2012 Budgets & Plans; Emergency Planning Cycle; Recovery Planning Cycle; Technical Recovery "DR" Planning Cycle; Maintenance Cycles; Develop 2011 Reports; Develop 2012 Objectives; Plan and Exercise Evaluations

Slide 39: Contact
Randall J. Till, MBCP
Till Continuity Group
314-608-7672
randall@tillcontinuity.com