Chapter 7 Business Continuity and Risk Management

Transcription

1 Chapter 7 Business Cntinuity and Risk Management Sectin 01 Business Cntinuity Management Initiating the Business Cntinuity Plan (BCP) Purpse: T establish the apprpriate level f business cntinuity management t sustain the peratin f critical business services fllwing a disaster r adverse event. 1. Agencies must maintain a business and disaster recvery plan with respect t infrmatin technlgy. Business and disaster recvery plans shall be prvided t the Office f the State CIO. 2. Agencies, thrugh their management, must implement and supprt an apprpriate infrmatin technlgy business cntinuity prgram t ensure the timely delivery f critical autmated business services t the State s citizens. 3. A management team cmpsed f representatives frm all the agency rganizatinal areas has primary leadership respnsibility t identify infrmatin technlgy risks and t determine what impact these risks have n business peratins. 4. Management must als plan fr business cntinuity, including disaster recvery, based n these risks and dcument cntinuity and recvery strategies and prcedures in a defined business cntinuity plan that is reviewed, apprved, tested and updated n an annual basis Business cntinuity planning framewrk Assessing the BCP Risk Purpse: T require that State agencies manage infrmatin technlgy risks apprpriately as required in GS Agencies shall identify the ptential risks that may adversely impact their business in rder t develp cntinuity and recvery strategies and justify the financial and human resurces required t prvide the apprpriate level f cntinuity initiatives and prgrams. 2. Agencies shall cnduct business risk impact analysis activities that include the fllwing: Define the agency s critical functins and services. Define the resurces (technlgy, staff and facilities) that supprt each critical functin r service. Identify key relatinships and interdependencies amng the agency s critical resurces, functins and services. Estimate the maximum elapsed time that a critical functin r service can be inperable withut a catastrphic impact. (See als Statewide Glssary fr Recvery Time Objective) Estimate the maximum amunt f infrmatin r data that can be lst withut a catastrphic impact t a critical functin r service. (See als Statewide Glssary fr Recvery Pint Objective) Dcument any critical events r services that are time-sensitive r predictable and require a higherthan-nrmal pririty (fr example, tax filing dates, reprting deadlines, etc.). 111

2 Identify any critical nn-electrnic media required t supprt the agency s critical functins r services. Identify any interim r wrkarund prcedures that exist fr the agency s critical functins r services. GUIDELINES The fllwing items shuld be cnsidered: Estimate the decline in effectiveness ver time f each critical functin r service. Estimate financial lsses ver time resulting frm the inperability f each critical functin r service. Estimate tangible (nn-financial) impacts ver time resulting frm the inperability f each critical functin r service. Estimate intangible impacts ver time resulting frm the inperability f each critical functin r service Business cntinuity and risk assessment Business cntinuity planning framewrk Develping the BCP Purpse: T require that the apprpriate level f infrmatin technlgy business cntinuity management is in place t sustain the peratin f critical infrmatin technlgy services t supprt the cntinuity f vital business functins. 1. Management shall develp a business cntinuity plan (BCP) that cvers all f the agency s essential and critical business activities and that includes references t prcedures t be used fr the recvery f systems that perfrm the agency s essential and critical business activities. 2. At a minimum, an agency s business cntinuity plan must: Help prtect the health and safety f the emplyees f the State f Nrth Carlina. Prtect the assets f the State and minimize financial, legal and/r regulatry expsure. Minimize the impact and reduce the likelihd f business disruptins. Create crisis teams and respnse plans fr threats and incidents. Include cmmunicatin tls and prcesses. Require that emplyees are aware f their rles and respnsibilities in the BCP and in plan executin. Include training and awareness prgrams. Require simulatins and tabletp exercises. Have a dcumented plicy statement utlining: Framewrk and requirements fr develping, dcumenting, and maintaining the plans. Requirements fr testing and exercising. Review, sign-ff and update cycles. 112

3 Require senir management versight and apprval. Assess the prfessinal capability f third parties and ensure that they prvide adequate cntact with the agencies. Review dependence n third parties and take actins t mitigate risk assciated with dealing with third parties. Prvide directin n synchrnizatin between any manual wrk data and the autmated systems that ccur during a recvery perid. Set frth prcedures t be fllwed fr restring critical systems t prductin. 3. Training and awareness prgrams shall be undertaken t ensure that the entire agency is cnfident, cmpetent and capable and understands the rles each individual within the agency must perfrm in a disaster/r adverse situatin. 4. The persn(s) designated as the agency business cntinuity plan (BCP) crdinatr(s) has the respnsibility f verseeing the individual plans and files that cnstitute the BCP and ensuring that they are current, meet these standards and are cnsistent with the agency s verall plan. At the directin f the State Chief Infrmatin Officer, an agency s BCP shall be reviewed annually by the Office f Infrmatin Technlgy Services and recmmendatins shall be made fr imprvement, if necessary. 5. The agency business cntinuity plan shall be tested annually, at a minimum. All critical applicatins shall be tested annually. GUIDELINES The fllwing methds are recmmended: Tabletp testing (walk-thrugh f business recvery arrangements using example interruptins). Simulatins (especially fr pst-incident / pst-crisis management rles). Technical recvery testing. Testing recvery at an alternate site. Testing f ht-site arrangements, cmplete rehearsal (testing rganizatin, persnnel, equipment, facilities and prcesses). Updating f plan as necessary. Additinal steps that may be taken include the repetitin f the test t validate any updated prcedure(s) and the additin r remval f applicatin backup prcedures. Agency management shuld define, dcument, and apprve what type f testing methdlgy t use Develping and implementing cntinuity plans including infrmatin security Business cntinuity planning framewrk Testing, maintaining and re-assessing business cntinuity plans Disaster Recvery and/r Restratin Purpse: T restre the perability f the systems supprting critical business prcesses and return t nrmal agency peratins as sn as pssible. The agency is respnsible fr maintaining its ability t recver in the event f an utage. Agencies must ensure that business cntinuity and/r disaster recvery plans are develped, maintained, tested n a prescribed basis and subjected t a cntinual update and imprvement prcess. Agencies shall cnduct the fllwing disaster recvery and/r restratin activities: 1. Define the agency s critical perating facilities and missin essential service(s) r functin(s). 113

4 2. Define the resurces (facilities, infrastructure, and essential systems) that supprt each missin critical service r functin. 3. Define explicit test bjectives and success criteria t enable an adequate assessment f the Disaster Recvery and/r Restratin Develping and implementing cntinuity plans including infrmatin security Sectin 02 Infrmatin Technlgy Risk Management Prgram Implementing a Risk Management Prgram Purpse: T ensure that state agencies manage risks apprpriately. Risk management includes the identificatin, analysis, and management f risks assciated with an agency s business, infrmatin technlgy infrastructure, the infrmatin itself, and physical security t prtect the state s infrmatin technlgy assets and vital business functins. 1. The State f Nrth Carlina recgnizes that each agency, thrugh its management, must implement an apprpriate Infrmatin Technlgy (IT) Risk Management Prgram t ensure the timely delivery f critical autmated business services t the state s citizens. 2. The risk management prgram must identify and classify risks and implement risk mitigatin as apprpriate. 3. The prgram must include the identificatin, classificatin, priritizatin and mitigatin prcesses necessary t sustain the peratinal cntinuity f missin critical infrmatin technlgy systems and resurces. 4. In general, risk is defined as a cnditin r actin that may adversely affect the utcme f a planned activity. Sme types f risk are as fllws: Business Risk The cst and/r lst revenue assciated with an interruptin t nrmal business peratins. Organizatinal Risk The direct r indirect lss resulting frm ne r mre f the fllwing: Inadequate r failed internal prcesses Peple Systems External events Infrmatin Technlgy Risk - The lss f an autmated system, netwrk r ther critical infrmatin technlgy resurce that wuld adversely affect business prcesses. Legal Parameters established by legislative mandates, federal and state regulatins, plicy directives and executive rders that impact delivery f prgram services. Reputatin General estimatin, by the public, n hw state services are delivered (integrity, credibility, trust, custmer satisfactin, image, media relatins, plitical invlvement.) Citizen Services - Prgram services mandated by charter, legislatin, r plicy that prvides fr the delivery f the state s business (educatin, human services, highways, law enfrcement, health and safety, unemplyment benefits, vital recrds, etc.) 114

5 GUIDELINES Agencies are encuraged t select and use guidelines that supprt industry best practices fr risk management relative t business cntinuity planning and security as apprpriate. Sme suggested guidelines are listed belw. Risk Management Prgram Activities: Agency risk management prgrams at a minimum shuld fcus n the fllwing fur types f activities: Identificatin f Risks: A cntinuus effrt t identify which risks are likely t affect business cntinuity and security functins and dcumenting their characteristics. Analysis f Risks: An estimatin f the prbability, impact, and timeframe f the risks, classificatin int sets f related risks, and priritizatin f risks relative t each ther. Mitigatin Planning: Decisins and actins that will reduce the impact f risks, limit the prbability f their ccurrence, r imprve the respnse t a risk ccurrence. Fr mderate r high rated risks, mitigatin plans shuld be develped, dcumented and assigned t managers. Plans shuld include assigned manager s signatures. Tracking and Cntrlling Risks: Cllectin and reprting f status infrmatin abut risks and their mitigatin plans, respnse t changes in risks ver time, and management versight f crrective measures taken in accrdance with the mitigatin plan. Business Cntinuity Risk Management Prcesses: Fr business cntinuity risk management, the fcus f risk management is an impact analysis fr thse risk utcmes that disrupt agency business. Agencies shuld identify the ptential impacts in rder t develp the strategies and justify the resurces required t prvide the apprpriate level f cntinuity initiatives and prgrams. Agencies shuld cnduct business risk impact analysis activities that include the fllwing: Define the agency s critical functins and services. Define the resurces (technlgy, staff, and facilities) that supprt each critical functin r service. Identify key relatinships and interdependencies amng the agency s critical resurces, functins, and services. Estimate the decline in effectiveness ver time f each critical functin r service. Estimate the maximum elapsed time that a critical functin r service can be inperable withut a catastrphic impact. Estimate the maximum amunt f infrmatin r data that can be lst withut a catastrphic impact t a critical functin r service. Estimate financial lsses ver time f each critical functin r service. Estimate tangible (nn-financial) impacts ver time f each critical functin r service. Estimate intangible impacts ver time f each critical functin r service. Dcument any critical events r services that are time-sensitive r predictable and require a higherthan-nrmal pririty. (Fr example - tax filing dates, reprting deadlines, etc.) Identify any critical nn-electrnic media required t supprt the agency s critical functins r services. Identify any interim r wrkarund prcedures that exist fr the agency s critical functins r services. 115

6 Security Risk Prcess: The fcus f security risk management is an assessment f thse security risk utcmes that may jepardize agency assets and vital business functins r services. Agencies shuld identify thse impacts in rder t develp the strategies and justify the resurces required t prvide the apprpriate level f preventin and respnse. It is imprtant t use the results f risk assessment t prtect critical agency functins and services in the event f a security incident. The lack f apprpriate security measures wuld jepardize agency critical functins and services. Security risk impact analysis activities include the fllwing: Identificatin f the Federal, State, and Lcal regulatry r legal requirements that address the security, cnfidentiality, and privacy requirements fr agency functins r services. Identificatin f cnfidential infrmatin stred in the agency s files and the ptential fr fraud, misuse, r ther illegal activity. Identificatin f essential access cntrl mechanisms used fr requests, authrizatin, and access apprval in supprt f critical agency functins and services. Identificatin f the prcesses used t mnitr and reprt t management n whatever applicatins, tls and technlgies the agency has implemented t adequately manage the risk as defined by the agency (i.e., baseline security reviews, review f lgs, use f IDs, lgging events fr frensics, etc.). Identificatin f the agency s IT Change Management and Vulnerability Assessment prcesses. Identificatin f what security mechanisms are in place t cnceal agency data (Encryptin, PKI, etc.). Fr mre infrmatin n implementing a risk management prgram, including the Risk Management Guide and the Risk Assessment Questinnaire, please refer t the Risk Management Services page fund n the Enterprise Security and Risk Management Office (ESRMO) web site: Assessing security risks 4.2 Treating security risks 116