Infocomm Professional Development Forum 2011

Agenda
- Brief Introduction to CITBCM Certification
- Business & Technology Impact Analysis (BTIA) Workshop
CITBCM: an integrated, end-to-end approach to increasing the resilience of modern organisations, which are characterised by major dependencies on ICT systems. It covers:
- Business Continuity Management (BCM)
- IT/Disaster Recovery (IT/DR)
- Data Centre Infrastructure Management (DCIM)
CITBCM certification aligns with the government's initiatives such as SS507 and SS540 towards making Singapore known as a place with high business resiliency.
- SS507:2008 Singapore Standards for ICT Disaster Recovery Services
- SS540:2008 Singapore Standards for Business Continuity Management (BCM)
The certification is developed by SCS and supported by IDA for IT professionals in charge of IT service resiliency. It is aligned with NICF and given CITREP status. Formal certification and training by NUS ISS will enable organisations to identify people with the critical professional skills to overcome the potential risks of major disruptions.
BCM milestones in Singapore
- 2003 Jun - MAS issued its BCM Guidelines
- 2003 Oct - SPRING launched BCM Certification Guidelines
- 2004 Oct - MAS issued its Outsourcing Guidelines
- 2004 Dec - IDA launched SS507 Certification for DR/BC Providers
- 2005 Sep - Singapore Business Federation launched TR19 BCM
- 2006 Apr - SPRING published Flu Pandemic BC Guide for SMEs
- 2008 Feb - ITSC approved revision of SS507:2008
- 2008 Nov - SPRING released SS540 BCM Standards, revision of TR19
- 2009 Jan - SGX introduced new BCM rules for SGX member firms
- 2009 Oct - Government launched BCM Pandemic Plan
CITBCM body of knowledge
- Program Management
  - Establish need for a BCM
  - Organise & manage BCM project to completion
- Risk Management
  - Identify potential risks impacting organisation activities & facilities
  - Identify suitable risk treatment and controls to prevent or mitigate impact
- Business & Technology Impact Analysis
  - Determine impacts
  - Identify critical functions and recovery priorities
  - Identify critical IT components & vital records
  - Identify critical data centre components
- Resiliency Strategy
  - Identify and review BC alternatives
  - Identify alternative facility and offsite requirement
  - Provide cost benefit analysis to justify investment in controls
  - Recommend resilient strategy & obtain management approval
- Crisis Communications Management
  - Develop and exercise crisis communication plans
  - Establish procedures for coordinating response, continuity and restoration with External Agencies
- Developing Plans
  - Planning for Emergency Response: establish Emergency Response procedures; establish an Emergency Operations Centre (EOC); determine strategies for salvage & restoration
  - Planning for Business Continuity: establish BC and ITDR plans
- Establish Training & Awareness Program
- Planning & Testing
  - Testing & Exercising Program
- Audit, Review and Maintenance
  - Understand audit of the ITBCM program
  - Develop processes to review and update plans
  - Ensure data centre equipment is well-maintained
Business & Technology Impact Analysis: objectives
- Determine the qualitative and quantitative impacts resulting from disruptions and disaster scenarios
- Identify critical functions and their recovery priorities and inter-dependencies
- Identify critical IT applications, technology infrastructure and vital records
- Identify critical data centre electrical, Computer Room Air Conditioning (CRAC) equipment and fire protection controls
Business Impact Analysis
- The process of determining the impacts on the organisation due to interruptions to business operations or processes. The BIA should qualify and/or quantify losses as a result of such interruptions. Where possible, the loss analysis should include both business disruption (number of days) and financial impact (SS 540).
- Process of analysing business functions and the effect that a business disruption might have upon them (BS 25999).
Minimum Business Continuity Objective (MBCO)
- The minimum level of services and/or products that is acceptable to the organisation to achieve its business objectives during an incident, emergency or disaster. MBCO is set by the executive management of the organisation and can be influenced, dictated and/or changed by current regulatory requirements or industry practices (SS 540).
Critical functions / critical business functions (CBFs)
- Business activities and processes that shall not be disrupted such that they impact the ability of the organisation to achieve its minimum business continuity objective (SS540).
Vital record
- Electronic or hardcopy record that is essential to preserve, continue or reconstruct the operations of the organisation and protect the rights of the organisation as well as its employees, customers and stakeholders (SS540).
Recovery Point Objective (RPO) and Recovery Time Objective (RTO)
(Timeline: last data backup -> RPO -> Disruption!!! -> RTO -> critical business functions resumed)
- RPO: The point in time at which systems and data must be recovered after a disruption has occurred. For example, data should be restored up till the start of the day (SS540).
- RTO: The period of time within which systems, applications, or functions must be recovered after a disruption has occurred. For example, critical business functions must be restored within 4 hours of the occurrence of a disaster (SS540).
BTIA deliverables: identify and endorse the following
- Minimum Business Continuity Objective (MBCO)
- Critical Business Functions (CBFs)
- Qualitative & Quantitative Losses/Impacts
- Critical Infrastructure (CI), i.e. data centre and M&E
- Recovery Time Objective (RTO)
- Recovery Point Objective (RPO)
- Minimum Resource Requirement (MRR)
- Vital Records (VR) and Grab List (GL)
- Justify necessary funding for BCP

BTIA steps
1. Gather information
2. Analyse impact
3. Identify critical functions
4. Identify critical IT applications
5. Identify technology infrastructure
6. Identify DC equipment and controls
Step 1: Gather information
- Areas covered: Business, Technology
- Sources: organisation charts, business functions, business processes, financial, legal, facility
- Functional continuity development team: select a Subject Matter Expert (SME) to represent each major area
- Common data collection approaches: facilitated workshop; questionnaire or worksheets; interview
- Standardise the process of collecting information from corporate-wide locations and determining the importance management places on protecting each of these functions
Step 2: Analyse the impact based on a chosen scenario (e.g. H1N1, blackout)
- Financial and non-financial impact
- Loss of personnel, physical & information assets, intangibles
- Disruption to business operation
- Legal & regulatory implications
- Reputation / public perception (e.g. brand damage)
- Standard criticality criteria for non-financial impact, e.g. High, Moderate and Low
Step 3: Identify critical functions
- Recovery time requirements for each critical business function and their interdependencies should be established
- (Timeline: last data backup -> RPO -> Disruption!!! -> RTO -> critical business functions resumed, with business units A, B and C each having their own RTO)
- In this analysis of business units A, B and C, which one is the most critical function based on RTO?
- Prioritise based on: potential loss impact; parallels and interdependencies
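As an added illustration of Steps 2 and 3 (not code from the original slides or the CITBCM programme), the following script ranks constructed sample business units for recovery: it propagates RTOs through interdependencies (a function that others depend on must be recovered no later than its dependants), orders by effective RTO, then impact rating, then financial loss, and flags functions whose RPO cannot be met by a given backup interval. All function names, ratings and hour values are assumptions.

```python
"""Added example, not from the original slides: rank critical business
functions using the RTO, impact and interdependency criteria of the BTIA."""
from dataclasses import dataclass, field

IMPACT_SCORE = {"High": 3, "Moderate": 2, "Low": 1}  # criticality criteria

@dataclass
class Function:
    name: str
    rto_hours: float      # Recovery Time Objective
    rpo_hours: float      # Recovery Point Objective (tolerable data loss)
    impact: str           # qualitative non-financial impact rating
    loss_per_day: float   # quantitative (financial) impact
    depends_on: list = field(default_factory=list)  # upstream function names

def effective_rto(functions):
    """Effective RTO = min(own RTO, effective RTO of every dependant).
    Iterate to a fixed point so that dependency chains propagate."""
    by_name = {f.name: f for f in functions}
    eff = {f.name: f.rto_hours for f in functions}
    changed = True
    while changed:
        changed = False
        for f in functions:
            for dep in f.depends_on:
                if dep not in by_name:
                    raise ValueError(f"{f.name} depends on unknown {dep}")
                if eff[f.name] < eff[dep]:
                    eff[dep] = eff[f.name]
                    changed = True
    return eff

def recovery_priority(functions):
    """Shortest effective RTO first, then impact rating, then loss per day."""
    by_name = {f.name: f for f in functions}
    eff = effective_rto(functions)
    return sorted(eff.items(), key=lambda kv: (
        kv[1], -IMPACT_SCORE[by_name[kv[0]].impact], -by_name[kv[0]].loss_per_day))

def rpo_violations(functions, backup_interval_hours):
    """Functions whose RPO is shorter than the gap between data backups."""
    return [f.name for f in functions if f.rpo_hours < backup_interval_hours]

# Constructed sample business units (assumed values, not real data)
SAMPLE = [
    Function("Online trading", 4, 1, "High", 500_000, ["Core database", "Authentication"]),
    Function("Core database", 24, 4, "Moderate", 50_000),
    Function("Authentication", 8, 24, "Moderate", 0),
    Function("HR portal", 48, 24, "Low", 2_000, ["Authentication"]),
    Function("Payroll", 72, 24, "Low", 10_000),
]
```

Although "Core database" and "Authentication" have longer RTOs of their own, both inherit the 4-hour RTO of "Online trading", which is the interdependency point of the slide; `rpo_violations(SAMPLE, 6)` shows which units a 6-hourly backup cycle cannot satisfy.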
Step 4: Identify critical IT applications
- (Layered model: Business drives Information and Information Systems; Technology Infrastructure supports them)
- IT applications supporting each identified critical business function should be identified
- An inventory of technology and equipment used (computing and non-computing) should be maintained

Step 5: Identify technology infrastructure
- (Layered model: Business drives Information and Information Systems; Technology Infrastructure supports them)
- Impacts on existing infrastructure due to a disruption shall be identified and assessed
- Interrelationship between business and technology
Step 6: Identify DC equipment and controls
- Adequate power supply - reading on power utilisation
- Power redundancy - dual source power, generators, UPS, PDUs
- Cooling - hot & cold aisles, high power density equipment
- Life span of critical components - UPS, UPS batteries, UPS capacitors and Earth Fault Relay (EFR)
- Fire suppression system and water sprinkler systems
- VESDA systems (Very Early Smoke Detection Apparatus)
- Water detection system
- EMS (Environmental Monitoring System)
- What is the switching procedure in the event of a power outage/trip?
Vital records
- Critical systems, applications and vital records are those you need to recover within one to three days for your business to survive
- Types of vital records needed to support each critical business function: paper or electronic; needed during recovery
- List of processing job priorities that support day-to-day operations for each department
Minimum Resource Requirement for resumption
- Internal and external resources
- Owned versus non-owned resources
- Existing and additional resources required
- Resource requirements should be indicated with the day on which they will be required upon the occurrence of a disruption
- Minimum Resource Requirements will determine the estimated cost for strategy planning
- RTO, RPO and qualitative & quantitative impacts will determine the type of continuity option - hot, warm or cold
Document the analysis and findings, and present to the Steering Committee for approval
Business & Technology Impact Analysis Report:
- Endorsement of MBCO
- List of Critical Business Functions with their RTO, RPO, qualitative & quantitative impacts, dependencies, interdependencies and priorities for recovery
- List of Minimum Resource Requirements to support each Critical Business Function, with an indication of the day on which they are required in the event of a disruption
- List of Vital Records identified to be stored at an alternate site or offsite storage

Summary
- Step 1: Identification and ranking of business functions
- Step 2: Identification of business & technology impact
- Step 3: Ranking of business & technology impact analysis
- Step 4: Identification of Minimum Resource Requirements