Infocomm Professional Development Forum 2011

Agenda
- Brief introduction to CITBCM certification
- Business & Technology Impact Analysis (BTIA) workshop

CITBCM is an integrated end-to-end approach to increasing the resilience of modern organisations, which are characterised by major dependencies on ICT systems. It covers:
- Business Continuity Management (BCM)
- IT/Disaster Recovery (IT/DR)
- Data Centre Infrastructure Management (DCIM)
(Slide diagram: CITBCM shown at the intersection of BCM, IT/DR and DCIM.)

CITBCM certification aligns with the government's initiatives, such as SS507 and SS540, towards making Singapore known as a place with high business resiliency.
- SS507:2008 - Singapore Standards for ICT Disaster Recovery Services
- SS540:2008 - Singapore Standards for Business Continuity Management (BCM)
The certification is developed by SCS and supported by IDA for IT professionals in charge of IT service resiliency. It is aligned with NICF and given CITREP status. Formal certification and training by NUS ISS will enable organisations to identify people with the critical professional skills to overcome the potential risks of major disruptions.

- 2003 Jun: MAS issued its BCM Guidelines
- 2003 Oct: SPRING launched BCM Certification Guidelines
- 2004 Oct: MAS issued its Outsourcing Guidelines
- 2004 Dec: IDA launched SS507 Certification for DR/BC Providers
- 2005 Sep: Singapore Business Federation launched TR19 BCM
- 2006 Apr: SPRING published Flu Pandemic BC Guide for SMEs
- 2008 Feb: ITSC approved revision of SS507:2008
- 2008 Nov: SPRING released SS540 BCM Standards, a revision of TR19
- 2009 Jan: SGX introduced new BCM rules for SGX member firms
- 2009 Oct: Government launched BCM Pandemic Plan

Establish need for a BCM
Program Management: organise & manage the BCM project to completion
Risk Management
- Identify potential risks impacting organisation activities & facilities
- Identify suitable risk treatment and controls to prevent or mitigate impact
Business & Technology Impact Analysis
- Determine impacts
- Identify critical functions and recovery priorities
- Identify critical IT components & vital records
- Identify critical data centre components
Resiliency Strategy
- Identify and review BC alternatives
- Identify alternative facility and offsite requirement
- Provide cost benefit analysis to justify investment in controls
- Recommend resilient strategy & obtain management approval
Crisis Communications Management
- Develop and exercise crisis communication plans
- Establish procedures for coordinating response, continuity and restoration with external agencies
Planning & Testing
- Developing Plans
  - Planning for Emergency Response: establish Emergency Response procedures; establish an Emergency Operations Centre (EOC); determine strategies for salvage & restoration
  - Planning for Business Continuity: establish BC and ITDR plans
- Testing & Exercising Program
Audit, Review and Maintenance
- Understand audit of the ITBCM program
- Develop processes to review and update plans
- Ensure data centre equipment is well-maintained
Establish Training & Awareness Program (runs alongside the phases above)

Business & Technology Impact Analysis: objectives
- Determine the qualitative and quantitative impacts resulting from disruptions and disaster scenarios
- Identify critical functions, their recovery priorities and inter-dependencies
- Identify critical IT applications, technology infrastructure and vital records
- Identify critical data centre electrical, Computer Room Air Conditioning (CRAC) equipment and fire protection controls

Business Impact Analysis (BIA)
- The process of determining the impacts on the organisation due to interruptions to business operations or processes. The BIA should qualify and/or quantify losses as a result of such interruptions. Where possible, the loss analysis should include both business disruption (number of days) and financial impact. (SS 540)
- Process of analysing business functions and the effect that a business disruption might have upon them. (BS 25999)

Minimum Business Continuity Objective (MBCO): the minimum level of services and/or products that is acceptable to the organisation to achieve its business objectives during an incident, emergency or disaster. MBCO is set by the executive management of the organisation and can be influenced, dictated and/or changed by current regulatory requirements or industry practices. (SS 540)
Critical functions / critical business functions (CBFs): business activities and processes that shall not be disrupted such that they impact the ability of the organisation to achieve its minimum business continuity objective. (SS540)
Vital record: an electronic or hardcopy record that is essential to preserve, continue or reconstruct the operations of the organisation and to protect the rights of the organisation as well as its employees, customers and stakeholders. (SS540)

(Slide diagram: a timeline running from the last data backup, through the disruption, to the point where critical business functions are resumed; RPO spans from the last backup to the disruption, RTO from the disruption to resumption.)
Recovery Point Objective (RPO): the point in time at which systems and data must be recovered after a disruption has occurred. For example, data should be restored up to the start of the day. (SS540)
Recovery Time Objective (RTO): the period of time within which systems, applications, or functions must be recovered after a disruption has occurred. For example, critical business functions must be restored within 4 hours of the occurrence of a disaster. (SS540)

Identify and endorse the following:
- Minimum Business Continuity Objective (MBCO)
- Critical Business Functions (CBFs)
- Qualitative & quantitative losses/impacts
- Critical Infrastructure (CI), i.e. data centre and M&E
- Recovery Time Objective (RTO)
- Recovery Point Objective (RPO)
- Minimum Resource Requirement (MRR)
- Vital records (VR) and Grab List (GL)
Justify necessary funding for BCP.

BTIA steps:
1. Gather information
2. Analyse impact
3. Identify critical functions
4. Identify critical IT applications
5. Identify technology infrastructure
6. Identify DC equipment and controls


Step 1: Gather information
Sources of information: business, technology, organisation charts, business functions, business processes, financial, legal, facility.
Functional continuity development team: select a Subject Matter Expert (SME) to represent each major area.

Step 1 (continued): common data collection approaches
- Facilitated workshop
- Questionnaire or worksheets
- Interview
Standardise the process of collecting information from corporate-wide locations and determining the importance management places on protecting each of these functions.

Step 2: Analyse the impact based on a chosen scenario (e.g. H1N1, blackout)
Financial and non-financial impact:
- Loss of personnel, physical & information assets, intangibles
- Disruption to business operation
- Legal & regulatory implications
- Reputation/public perception (e.g. brand damage)
Standard criticality criteria for non-financial impact, e.g. High, Moderate and Low.


Step 3: Identify critical functions
(Slide diagram: the RPO/RTO timeline from last data backup, through the disruption, to critical business functions resumed, with business units A, B and C each shown with its own RTO.)
Recovery time requirements for each critical business function, and their interdependencies, should be established.
In this analysis of business units A, B and C, which one is the most critical function based on RTO?

(Same timeline diagram, showing RTO A, RTO B and RTO C.)
Prioritise based on:
- Potential loss impact
- Parallels and interdependencies
- Recovery time requirements


Step 4: Identify critical IT applications
(Slide diagram: Business drives Information, which drives Information Systems, which drives Technology Infrastructure; each lower layer supports the one above it.)
- The IT applications supporting each identified critical business function should be identified
- An inventory of the technology and equipment used (computing and non-computing) should be maintained

Step 5: Identify technology infrastructure
(Same layered diagram: Business, Information, Information Systems, Technology Infrastructure.)
- Impacts on existing infrastructure due to a disruption shall be identified and assessed
- Interrelationship between business and technology


Step 6: Identify data centre equipment and controls
- Adequate power supply: reading on power utilisation
- Power redundancy: dual-source power, generators, UPS, PDUs
- Cooling: hot & cold aisles, high power density equipment
- Life span of critical components: UPS, UPS batteries, UPS capacitors and Earth Fault Relay (EFR)
- Fire suppression system and water sprinkler systems
- VESDA systems (Very Early Smoke Detection Apparatus)
- Water detection system
- EMS (Environmental Monitoring System)
What is the switching procedure in the event of a power outage/trip?

Vital records
- Critical systems, applications and vital records are those you need to recover within one to three days for your business to survive
- Types of vital records needed to support each critical business function: paper or electronic; needed during recovery
- List of processing job priorities that support day-to-day operations for each department

Minimum Resource Requirements (MRR) for resumption
- Internal and external resources
- Owned versus non-owned resources
- Existing and additional resources required
Each resource requirement should be indicated with the day on which it will be required following the occurrence of a disruption.
Minimum resource requirements will determine the estimated cost for strategy planning, and RTO, RPO and the qualitative & quantitative impacts will determine the type of continuity option: hot, warm or cold.

Document the analysis and findings, and present them to the Steering Committee for approval.
Business & Technology Impact Analysis Report:
- Endorsement of MBCO
- List of critical business functions with their RTO, RPO, qualitative & quantitative impacts, dependencies, interdependencies and priorities for recovery
- List of minimum resource requirements to support each critical business function, with an indication of the day they are required in the event of a disruption
- List of vital records identified to be stored at an alternate site or in offsite storage

Step 1: Identify and rank business functions
Step 2: Identify business & technology impact
Step 3: Rank the business & technology impact analysis
Step 4: Identify minimum resource requirements
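The ranking question from the step 3 slides (which of business units A, B and C is most critical based on RTO), the prioritisation by loss impact and interdependencies, and the hot/warm/cold decision from the minimum resource requirements slide, carried through in code. This is an added example written for this page; it is not material from the forum slides, SS540 or the CITBCM course. The business units, their RTO/RPO figures and daily losses, the 4h/24h hot/warm thresholds, and the rule "day required = effective RTO / 24h" are all constructed assumptions. It goes one step beyond the slides by propagating RTO through the interdependencies they mention: a supporting function (the network, say) inherits the tightest RTO of whatever depends on it, which is what usually moves a "48-hour" utility into the hot tier.

```python
"""Constructed worked example of the BTIA ranking steps (not from the slides or
SS540): propagate RTO through interdependencies, rank critical business
functions for recovery, and map each to a hot/warm/cold continuity option."""
from dataclasses import dataclass, field
from math import ceil

# Qualitative criticality scale from the slides; a lower rank sorts first.
IMPACT_RANK = {"High": 0, "Moderate": 1, "Low": 2}


@dataclass
class CriticalFunction:
    name: str
    rto_hours: float            # RTO stated by the function owner
    rpo_hours: float            # RPO stated by the function owner
    impact: str                 # "High", "Moderate" or "Low"
    loss_per_day: float         # quantitative impact, constructed currency units
    depends_on: list = field(default_factory=list)  # names of upstream functions


def effective_rto(functions):
    """A function cannot resume before everything it depends on has resumed, so
    each upstream function inherits the tightest RTO of its (transitive)
    dependents.  Iterates to a fixed point; values only ever decrease, so the
    loop terminates even if the dependency graph contains a cycle."""
    by_name = {f.name: f for f in functions}
    eff = {f.name: f.rto_hours for f in functions}
    changed = True
    while changed:
        changed = False
        for f in functions:
            for dep in f.depends_on:
                if dep not in by_name:
                    raise KeyError(f"{f.name} depends on unknown function {dep!r}")
                if eff[f.name] < eff[dep]:
                    eff[dep] = eff[f.name]
                    changed = True
    return eff


def recovery_priority(functions):
    """Recovery order: shortest effective RTO first (the slides' 'most critical
    based on RTO'), then qualitative impact, then daily loss."""
    eff = effective_rto(functions)
    return sorted(functions,
                  key=lambda f: (eff[f.name], IMPACT_RANK[f.impact], -f.loss_per_day))


def continuity_option(function, eff_rto_hours, hot_max=4.0, warm_max=24.0):
    """Map RTO and impact to a continuity option.  The 4h/24h thresholds are
    assumptions for this example, not values from the slides."""
    if eff_rto_hours <= hot_max:
        return "Hot"
    if eff_rto_hours <= warm_max or function.impact == "High":
        return "Warm"
    return "Cold"


def btia_summary(functions):
    """Rows for the BTIA report: own vs effective RTO, RPO, impact, option, and
    the day (day 1 = day of the disruption) by which the function's minimum
    resources must be in place (assumed rule: ceil(effective RTO / 24h))."""
    eff = effective_rto(functions)
    rows = []
    for rank, f in enumerate(recovery_priority(functions), start=1):
        rows.append({
            "priority": rank,
            "name": f.name,
            "own_rto_h": f.rto_hours,
            "effective_rto_h": eff[f.name],
            "rpo_h": f.rpo_hours,
            "impact": f.impact,
            "option": continuity_option(f, eff[f.name]),
            "day_required": max(1, ceil(eff[f.name] / 24)),
        })
    return rows


def sample_functions():
    """Constructed sample business units; names and figures are illustrative."""
    return [
        CriticalFunction("Payments", 4, 1, "High", 500_000,
                         depends_on=["Core banking DB", "Network"]),
        CriticalFunction("Core banking DB", 24, 4, "High", 200_000,
                         depends_on=["Network"]),
        CriticalFunction("Network", 48, 24, "Moderate", 50_000),
        CriticalFunction("Payroll", 72, 24, "Moderate", 20_000,
                         depends_on=["Network"]),
        CriticalFunction("Marketing site", 120, 48, "Low", 5_000),
    ]


if __name__ == "__main__":
    for row in btia_summary(sample_functions()):
        print(row)
```

In the constructed data the network's owner states a 48-hour RTO, but because Payments (4h) depends on it, its effective RTO becomes 4 hours and it lands in the hot tier on day 1; Payroll keeps its own 72-hour RTO and its resources are only needed by day 3. That gap between stated and effective RTO is exactly the interdependency finding the report's "dependencies, interdependencies and priorities for recovery" line is meant to capture.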