Upload
brigitte-theuma
View
985
Download
0
Embed Size (px)
Citation preview
23 March 2009
Total of 5 pages
Rejuvenating BCM - Infrastructure
Business Continuity Awareness Week23 – 27 March 2009
Brigitte TheumaMBCI, CBCMMA, CBCMP, CBCITP, MIAEM
2
Table of Contents
I. ICT Service Continuity Current State
a. Identifying Requirements and Weaknesses
b. Riskc. Business Criticality
II. Multi-Year Plana. Balancing Design and Costb. Multi Year Infrastructure DR
Roadmapc. Self Funding Paradigm
III. Appendicesa. Related Papers and Informationb. Glossary of Terms
I. ICT Service Continuity Current State
3
I. ICT Service Continuity Current State
a. Identifying Requirements and Weaknesses
b. Riskc. Business Criticality
a. Identifying Requirements and Weaknesses
4Source: PAS 77: 2006
• Standards, Practices and Programme – are they working for you? Do you have in place?
• Review potential weaknesses - single points of failure, redundancy, supply chain dependence, IT processes, security, backup and restore, availability, Disaster Recovery or IT Service Continuity, BCM, location of premises, systems monitoring, power.
• Review trend reporting – availability, failure, capacity, security, downtime, Service Level reports.
• Review Service Level Agreements (SLAs) with the Business Owners of the technology or services.
• Provide GAP analysis.
• Compare information against corporate Policy, Guidelines, SLA’s, Strategy.
• Measure the costs of desired state vs. current state (downtime vs. resilience expenditure i.e., risk and impact vs. costs)
• Present the information in business terms, removing the technical complexity and terminology that could impair understanding of the issue.
5
b. Risk Heat Map
Key
Adequate mitigation in place
Semi-adequate mitigation in place
Inadequate mitigation in place
IT Security
Data CentreOutage
Supply Chain
CustomerBilling
FinancialSystems
CustomerData
IndiaCall
Centre
Failure ofIT Outsource
Extremely Remote1 * 10-100 years
Remote1 * 2-10 years
Possible in Short to Medium Term
1 * 6-24 months
Likely in Short Term1 * 0-6 months
Business Risks - IT
Critical
Significant
Minimal
Impa
ct
Likelihood
6
c. Business Criticality Heat Map
Key
Disaster Recoveryin place
RTO 24 hours
Backup and restoreprocedures in place.
RTO 36 hours
No planRTO unknown
Data Centre
Payroll
CustomerBilling
FinancialSystems
CustomerData
IndiaCall
Centre
Telecoms &LAN
Tactical Strategic Critical Mandatory
Criticality of Systems vs. Availability
ContinuousAvailability
DisasterRecovery
Backup &Restore
Arch
itect
ure
Criticality
emailInternetPresence
OnlineOrdering
SRM
Despatch
DocumentRegistry
7
II. Multi-Year Plan
II. Multi-Year Plana. Balancing Design and Costb. Multi Year Infrastructure DR
Roadmapc. Self Funding Paradigm
a. Balancing DR/HA Design and Cost
8Source: PAS77:2006
Finding the right balance
• Availability is required for each system
• Cost of failure vs. cost of resilience.
• Limitations or constraints is the company operating under. Budget, time, resource.
• Risks associated with approach.
9
Use efficiency-driven cost-savings to
subsidise next-generation or
futureprojects
b. The Self-Funding IT Paradigm and Disaster Recovery
Invest in “Breakthrough” Strategic Projects, include DR at project level.
Realise Business Productivity Gains, find alternate uses for DR equipment
Streamline IT Operations, including use of DR equipment.
Core Infrastructure and Applications
Business-Led Discretionary Projects
Multi-year Strategic Initiatives
The Self-Funding Ideal
Original concept: The CIO Executive Board
If a cost per use model is used for DR when
using SLA’s for IT Services, then the DR enablers can be self
funded
Charge out forDR to covercost of infrastructure
10
FY2011 FY2012 FY2015FY2014FY2013FY2010FY2009
Strategy 3Critical Assets
Strategy 1DR Enablers
Strategy 2 Projects &
Lifecycle
Data Centre Infrastructure
c. Multi Year Infrastructure Disaster Recovery Roadmap
SLA
DR Policy
Continuous Improvement via Self Funding DR Paradigm
Project 6
DR Strategy
DR Enabler Initiative 3
DR Enabler Initiative 4
Project 1 Project 2 Project 3
IT Lifecycle
Project 5
Project 7
BIA & RA
Multi Year DR Project for Top 5 Critical Assets
Multi Year Project Critical Assets 2
Project 4
Multi Year Project 3
d. Business Continuity Maturity
11BCMM© Virtual Corporation
12
III. Appendices
III. Appendicesa. Related Papers and Informationb. Glossary of Terms
13
a. Related Papers and Information
• AS/NZS 4360:2004 Risk Management• AS/NZS HB221:2004 Business Continuity Management• Business Continuity Institute, Good Practice Guidelines 2008 http://www.thebci.org/ • Business Continuity Maturity Model, Virtual Corporation
http://www.virtual-corp.net/html/bcmm.html • BS31100:2008 Risk Management Code of Practice• BS25999-1:2006 Business Continuity Management – Part 1: Code of Practice• BS25999-2:2007 Business Continuity Management – Part 2: Specification• BS25777:2008 Information and Communications Technology Continuity Management –
Code of Practice• BSI ISO/IEC 24762:2008 Information Technology – Security Techniques – Guidelines for
Information and Communications Disaster Recovery Services• CIO Executive Board http://www.cio.executiveboard.com• HB 293-2006 Executive Guide to Business Continuity Management• HB292-2006 A Practitioners Guide to Business Continuity Management• ITIL V3• NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity
Programs• PAS 77:2006 IT Service Continuity Management Code of Practice
b. Glossary of Terms
Business Continuity
Strategic and tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level.
BCM Business Continuity Management
BC Strategy Approach by an organisation that will ensure its recovery and continuity in the face of a disaster or other major incident or business disruption.
Disruption Event, whether anticipated or unanticipated which causes an unplanned, negative deviation from the expected delivery of products and services according to the organisations objectives.
ICT Continuity
Capability of the organisation to plan for and respond to incidents and disruptions in order to continue ICT services at an acceptable predefined level.
ICT Disaster Recovery
Activities and programmes that are invoked in response to a disruption and are intended to restore an organisation’s ICT services.
14
Impact Evaluated consequence of a particular outcome.
Incident Situation that might be, or could lead to, a business disruption, loss, emergency or crisis.
RPO Recovery Point Objective. Point in time to which data has to be recovered in order to resume ICT services.
RTO Recovery Time Objective. Target time set for resumption of product, service or activity delivery after an incident.
Resilience Ability of an ICT system to provide and maintain an acceptable level of service in the face of various disruptions and challenges to normal operation.
Risk Something that might happen and its effect on the achievement of objectives.
Testing Forced failure of all or part of an ICT system, under specific conditions, to verify that recovery is properly performed.
Vulnerability Weakness within the ICT asset or activity that might, at some point, be exploited by threats.
Source: BS 25777:2008