A New Model for Business Contingency Operations
Ray Trygstad
Director of Information Technology; Associate Director, Information Technology and Management Degree Programs
Illinois Institute of Technology, Information Technology & Management / Information Systems Security Management
2008 Ray Trygstad
Introduction
- New model for business contingency response team structure
- Background
- Terms
- Team structures in common use
- The Contingency Response Team structure
- Contingency Response Officer
- Team structure
What is a contingency?
- An event that has a potential or proven ability to disrupt normal operations of the organization
- "Organization" could be a business, a government agency, a university, or a non-profit that carries out what can broadly be termed business activities of some kind
- Response to business contingencies often falls on IT, particularly the IT security function
- Incidents are often specifically IT-security related
Contingencies are a Business Issue!
- BUT, and this is a really big but: business contingency response is first and foremost a MANAGEMENT responsibility
- It addresses the ability of the organization to continue to operate in situations which put the organization's operations in serious jeopardy
- Although the largest area of complexity in continuity of operations is in the IT area, management cannot dump responsibility for continued operations solely on IT
When do We Need Contingency Response?
- Natural events: hurricane, tornado, flood, earthquake, fire
- Human-initiated events: operator error, sabotage, malicious code and other computer-based attacks, accidents, military actions, terrorist attacks
- Operating environment events: equipment failure, software errors, telecommunications/network outage, electric power failure
Event Sequence to Contingency (diagram, adapted from NIST Special Publication 800-34; elements shown: Risk, Risk Management, Contingency Planning, Security Control Implementation, Emergency Event, Contingency Plan Execution)
Terminology
- Many terms in use; inconsistent and imprecise
- BS 25999 and HB 292-2006 (Australia) use Business Continuity Management (BCM)
- NIST SP 800-34 uses both Business Continuity and Continuity of Operations
- NFPA 1600 uses Disaster/Emergency Management and Business Continuity, but refers to an instance as an incident
Terminology
- HB 291-2004 (Australia) provides a good definition: "Business Continuity Management provides the availability of processes and resources in order to ensure the continued achievement of critical objectives"
- I am going to use the term Business Contingency Operations because:
  - Although BCM is a de facto standard, there is really no standard
  - It's the most descriptive term for the area I am addressing
Contingency Response Teams
- Although it is prescribed only in a rudimentary fashion in most standards documents, contingency response in most organizations is done through the use of teams
- BS 25999-1:2006 discusses the Incident Management Team or Crisis Management Team
- HB 292-2006 and NFPA 1600: not at all
Contingency Response Teams
NIST 800-34 goes a little "team happy":
- Management Team
- Damage Assessment Team
- Operating System Administration Team
- Systems Software Team
- Server Recovery Team (e.g., client server, Web server)
- LAN/WAN Recovery Team
- Database Recovery Team
- Network Operations Recovery Team
- Application Recovery Team(s)
- Telecommunications Team
- Hardware Salvage Team
- Alternate Site Recovery Coordination Team
- Original Site Restoration/Salvage Coordination Team
- Test Team
- Administrative Support Team
- Transportation and Relocation Team
- Media Relations Team
- Legal Affairs Team
- Physical/Personnel Security Team
- Procurement Team (equipment and supplies)
Contingency Response Teams
WHEW! A bit much, eh?
BS 25999/BCI Approach (three-tier model; arrows labelled Escalation upward and Control downward)
Tier   | Level       | Team(s)
Gold   | Strategic   | Senior (Incident) Management
Silver | Tactical    | Business Continuity Team
Bronze | Operational | Incident Response & Business Unit Resumption Teams
Source: The Business Continuity Institute, Business Continuity Management Good Practice Guidelines 2008
Contingency Response Teams
- Regardless of how you approach it, experience has shown the team approach is the best method
- Most literature discusses 3 or 4 primary teams:
  - Incident Response Team
  - Disaster Recovery Team
  - Business Continuity Team
  - and sometimes a Crisis Management Team
Response Team Employment
- Common wisdom prescribes employment of the teams in sequential order on a handover basis
- First the Incident Response Team...responds
- If the incident cannot be brought under control or escalates, it becomes a disaster: the Disaster Recovery Team takes over
Response Team Employment
- If operations cannot be continued at the organization's primary site, the Business Continuity Team facilitates operations at an alternative site
- Crisis Management Team invoked as necessary
  - Normally deals with issues surrounding loss of life or serious injuries as well as media relations
  - They just sort of drift in and out of the picture
My Experience
- Aviation Safety Officer curriculum at the Naval Postgraduate School, created by USC's Institute for Safety and Systems Management
- M.S. in Systems Management; curriculum also created by USC's Institute for Safety and Systems Management
- I learned that contingency response is contingency response is contingency response
My Experience
- From a process perspective, responding to an aircraft crash is no different than responding to a mainframe crash
- The military has developed a finely-tuned response to incidents, and provides lessons we can all learn from
- I have drawn heavily upon this background and experience in creating this concept
Contingency Response Team
- One of the issues that I view as a serious weakness in contemporary models for contingency response teams is who manages the overall response
- The 3-team model presupposes handovers between teams, but presents serious continuity problems
- My model adds an additional team: the Contingency Response Team
  - Could also call it the Contingency Management Team
Contingency Response Team
- The Contingency Response Team folds in all responsibilities normally exercised by the Crisis Management Team, but extends this to provide:
  1. Initial response, including activation of the appropriate plan: Incident Response, Disaster Recovery, Business Continuity
  2. Ongoing administrative and facilities support of other teams as they execute their function
  3. Wrap-up functions as contingency operations draw to a close and normal operations resume
- Exactly what the name implies: the core on which all contingency response rests
Contingency Response Team (team structure diagram)
Contingency Response Officer
- Key position on this team
- Not the Contingency Response Team Leader, but the person on call: Contingency Response Officer (CRO) or Contingency Response Manager
- On duty for a 24-hour period
- Key point of contact for ANY contingency in the organization
- Organization members need to have drilled into them: if something out of the ordinary happens, CALL OR PAGE THE CRO
Contingency Response Officer
- CRO must be sufficiently senior to make snap decisions affecting the health and future of the organization
- Must have the trust of C-level management
- Does not have to be an IT person, but must have sufficient knowledge of IT to initiate response to an IT or IT security incident
- Number of CROs in the rotation: small organization, at least 3; large organization, as many as 10
- During the on-call period the CRO must be immediately available by cell phone or page
- Should be near enough to the primary physical facility to be there quickly
Contingency Response Staffing
Supporting the CRO: 2 on-call administrative personnel
- Execute a calling tree
- Keep a running record of events
- Perform any duties as directed by the CRO
- Not decision makers, but need to be on a 24-hour duty cycle
- Must be immediately available by cell phone or page
- Near enough to the primary physical facility to be there very quickly
Contingency Response Staffing
- The armed services respond very quickly to incidents because they have had a duty section structure in place since...well...forever
- This implements the same concept at a civilian level
Contingency Response Notification
- Immediate response personnel (CRO and admin support) have cell phones/pagers supplied by the organization
- Handed off at relief each day
- ONLY one number to call/page the CRO
- Detached from who is actually on duty
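As an added illustration of the duty-section model described on the CRO, staffing and notification slides (example code, not part of the original presentation), the roster below resolves who holds the watch at any moment, enforces the 3-to-10 CRO pool and the two on-call admin staff, routes the single organization-supplied CRO number to whoever is on duty, and keeps the admin staff's running record of events. Names, the phone number, the relief hour and the dates are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class DutyRoster:
    """Rotation of CROs and admin support on a 24-hour duty cycle."""
    cros: list            # CRO pool: at least 3 (small org), at most 10 (large org)
    admins: list          # admin support pool: 2 on duty per period
    cro_number: str       # the ONLY number anyone calls or pages (constant)
    epoch: datetime       # first day of the rotation (constructed)
    relief_hour: int = 8  # hour at which phones/pagers are handed off (assumed)
    log: list = field(default_factory=list)

    def __post_init__(self):
        if not 3 <= len(self.cros) <= 10:
            raise ValueError("CRO pool must have between 3 and 10 members")
        if len(self.admins) < 2:
            raise ValueError("need at least 2 admin support staff")

    def period_index(self, when):
        """Number of whole 24-hour duty periods elapsed since the first relief."""
        start = self.epoch.replace(hour=self.relief_hour, minute=0, second=0)
        if when < start:
            raise ValueError("before the first duty period")
        return (when - start) // timedelta(days=1)

    def on_duty(self, when):
        """Return (CRO, [admin, admin]) holding the watch at `when`."""
        n = self.period_index(when)
        cro = self.cros[n % len(self.cros)]
        a = len(self.admins)  # two consecutive admins per period, wrapping around
        admins = [self.admins[(2 * n) % a], self.admins[(2 * n + 1) % a]]
        return cro, admins

    def route_page(self, when):
        """The number never changes; it reaches whoever carries the phone today."""
        cro, _ = self.on_duty(when)
        return self.cro_number, cro

    def record(self, when, who, note):
        """Running record of events kept by admin support; returns entry count."""
        self.log.append((when.isoformat(timespec="minutes"), who, note))
        return len(self.log)
```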
Contingency Response Team
- Composition of the remainder of the team is much like you would find on a Crisis Management Team
  - PR to handle media relations
  - Legal to handle legal and compliance
  - Management-level facilities member to expedite facilities issues
- Team core ought to consist of executive assistants and senior administrators
  - Not necessarily managers, but the people who actually get things done
  - You all know who these people are
Contingency Response Team
- The Contingency Response Team Leader should be as senior a person in the organization as you can convince management the position ought to be!
- NOT a micromanager!
- Should relieve the CRO as soon as the situation is relatively under control and the Team Leader has been fully briefed
Expansion of Concept/Model
- I am working to expand this concept in two directions:
  - An academic paper documenting the literature and clearly delineating the concept and design (I am an academic and I do have to get published)
  - A whitepaper with a practical guide for implementation
Contact
Ray Trygstad
630.682.6032
trygstad@iit.edu
The End
Questions?