GLOBRIN
Business Continuity Workshop
TECHNOLOGY & INFORMATION
13th November 2013
Graham Jack

An IT perspective on the Business Continuity Plan
• Business Continuity v Disaster Recovery
• Availability, Reliability and Recoverability
Technology
• Identifying the technology used
• Risks and impact
Information
• Types of information held within an organisation
• Threats to that information
Pulling together an integrated business continuity plan
• Plan for failure
• Preventative action
• Create resources
• Test / review / update

Business Continuity in relation to IT
• IT is only part of the overall Business Continuity Plan
• Covers the technology and information used by / generated by the business
• Involves taking proactive steps to allow the business to operate to a defined service level during incidents.
• Takes ongoing time and effort

Disaster Recovery (DR)
“The strategies and plans for recovering and restoring the organization's infrastructure and capabilities after an interruption.”
Business Continuity (BC)
“The strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level.”
Example
A fire in your building. The DR plan will deal with the clean up, repair of the building, re-instating IT and data etc.
The BC plan deals with how you keep your business running while you implement the DR plan.

Business Continuity and IT: Core issues to consider
BUSINESS CONTINUITY PLAN
Issue | Availability | Reliability | Recoverability
Objective | Maintain the chosen availability level of the business's IT infrastructure | Manage and control the IT infrastructure to improve overall reliability | Effective plan to minimize downtime in event of disruption.
Emphasis | Technology | Process | People
Focus | Proactive and preventive | Response and recovery
Business continuity planning lifecycle
• Analysis
• Design
• Implement
• Test / Accept
• Maintain

Getting started
• Assign responsibilities / ownership.
• Understand your business and the minimum service levels the business requires in order to continue to operate.
• Review best practice (use ISO22301 Business Continuity Management as a guide)
Business Continuity Plans are business led, not IT led.

Analysis: Know what technology you need
Document what IT is required in order for your business to carry out critical activities:
• Computers and related hardware
• Software
• Networking and connectivity
• 3rd party services (cloud)
• Telephony
• Fax / photocopiers / printers
• etc

Analysis: Know what information you have
Document what information your business needs in order to carry out critical activities:
• Digital (database and file systems)
• Hard copy (paper)
• Off site / 3rd party (held in the cloud etc)
• Staff
• etc

Analysis: Determine the risks
Look at the likelihood and impact of risks that could cause business interruption.
• Fire / Flood / Storm Damage
• Key item hardware failure (Server etc)
• General hardware failure (Fax / photocopiers / printers / user PC etc)
• Physical security (hardware / hard copy documents)
• Security breach / data loss
• Inadvertent change (software update going wrong etc)
• Deprecation (obsolete software / hardware)
• Loss of 3rd party service (internet connection, hosting, cloud service etc)
• Loss of utilities (power, telephony, internet connection etc)
• Loss of Staff
• Theft / fraud
• Computer viruses / malware
• etc

Analysis: Risk / Impact analysis
• Determine the likelihood of the risk occurring
• What is the impact to the business of each event?

Solution Design: Plan for the risks (options)
Treat
Put in place an action plan to reduce disruption to a minimum acceptable level:
• Implement high availability / hot standby systems
• Maintain duplicate infrastructure / information at different location
• Maintain pool of spares (desktops / monitors / mice / keyboards etc)
Tolerate
It may be decided that the cost of mitigating the risk is such that it outweighs the benefits.

Solution Design: Plan for the risks (options)
Transfer
Transfer the risk to another external party.
• Hardware support / infrastructure management to an agreed SLA
• Insurance
Terminate
Update / modify the technology used to remove the risk:
• Remove old / outdated hardware
• Unsupported software
• Old data formats

Solution Design: Technology
For critical technology, use the results of the risk / impact analysis to build and document a plan for maintaining a minimum service level.
This may involve a mix of:
• Implementing high availability systems with automatic failover.
• Dual site
• Keeping spares
• Support contracts
• Security measures (locked server room etc)
• Change management processes to ensure software updates & patches are properly tested before going live.

Solution Design: Information
For critical information, use the results of the risk / impact analysis to build and document a plan for maintaining a minimum service level.
This may involve a mix of:
• Policy for storing critical hard copy data (clean desk policy / fire safe)
• Backup policy with offsite storage
• Security (assign minimum required permissions, data encryption, prevention of data transfer to removable media such as CD or USB drives, etc)
• Training / documentation to remove reliance on individual staff members

Implementation: Technology and Information
• Document the plan. Include:
  • The trigger events
  • Responsibilities
  • Contact details
  • Actions to be taken for the identified risk events
  • Communication plan (internal and external)
• Create support resources (battle box). Typical resources include:
  • Copy of the Business Continuity Plan
  • Supporting technical documentation (server builds, network topology etc)
  • Software installation packs to allow rebuilds of hardware including software licence details.
  • 3rd party contacts, support agreements, contact details, reference numbers etc
  • Default communication templates (email, web pages, Twitter messages, Facebook updates)
  • 2 copies of the Battle Box – at least 1 held off site

Test and Review: Technology and Information
• Different levels of testing:
  • Discussion based testing
  • Table top exercise
  • Live exercise
• After testing, document and review results and feed these back into the plan.
• Perform a review after all incidents – learn from what worked and what didn’t.

Training: Technology and Information
• Ensure that all staff with business continuity responsibilities are appropriately trained and have the technical skills to undertake their roles.

Change Management: Technology and Information
• IT infrastructure tends to be dynamic
• New hardware / software updates can affect the resilience of infrastructure and the actions to be taken to restore service in case of a given event.
• Prior to implementing change, understand how it affects the Business Continuity Plan.
• Ensure processes are in place to capture and document change.
• Undertake periodic reviews as appropriate to review any implemented changes against the Business Continuity Plan to ensure that it remains effective.

Documentation and Evidence
• As part of any tender process you need to be able to provide evidence.
• Document the Business Continuity plan testing, reviews and updates to create an audit trail.
• Consider getting a 3rd party to review / certify against ISO22301 Business Continuity Management.