ORGANIZATION CONTINUITY PLANNING & MANAGEMENT AND SOCIETAL SECURITY SCENARIOS

Transcription

1 ORGANIZATION CONTINUITY PLANNING & MANAGEMENT AND SOCIETAL SECURITY SCENARIOS Jiří F. Urbánek, Jitka Raclavská, Albert Srník, Olga Šifferová and Jaroslav Vonlehmden Abstract: This article brings quite new knowledge from societal security scenarios of civil, property and infrastructure protection. It includes description, analysis, clear technical and technological schemata of pertinent standard implementation of organizaton s Continuity Planning and Management, especially ISO and ISO/DIS These and consequent standards are expected for human and social sciences and practice for a long period of time. They will be very helpful for state and municipal authorities and their organizations, as well as for the common population. They will provide a great contribution to common people s lives, similar to the ISO :2000/2008, which was very important for production organization total quality management. In this paper also, fundamental knowledge is published from special scenario methodology design. It also takes into account the possibilities of maximum use of computerised aid and assistance for modelling, using the method DYVELOP in future. It is an insight into problem clarification and implementation of process and logistic access and it corresponds with the most common contemporary trends, increasing implementing process effectiveness. This contributed paper is a result of the Faculty of Economics and Management, University of Defence, Development Project titled Security Laboratory supported by Czech Ministry of Defence. Keywords: Continuity plan and management standards & scenarios 1. Introduction The systems and processes of prosperous organizations at the beginning of 21 st century embody the characters, property and behaviour resulting from their cooperative or competitive globalization. The globalization takes place on many levels, however standardization and security levels are especially treated in this paper. Efficient global organizational systems are distinguished by high connectivity, complexity and radical demand on interoperability. The result of their mutual bindings is evocatory pertinent relations among participating players' entities of these systems. These entities are never only in cooperative relations! But there have always been numerous portfolios of participating "enemies", which are in apparent or hidden opposing roles within a prosperous organization system. They can overgrow to antagonistic dramatically irreconcilable relations, resulting in a crisis scene [5] or even to a battle theatre. The scenarios [2, 9] of such the plays are then always enacted on net integrated structure on many process environments [8]. They operate on a scene which is more or less competitive, however, always complex and influencing special interests: on commodity, informative, financial, productional, organizational, personal and other important relations for this play [8]. Together with growing complexity [9] of global organization systems there is developing & growing the system s hazard of antagonistic relations, which doesn't create greater 129

2 organizational profit, but to the contrary eliminates its effects. However, it is necessary to note old knowledge, namely that the process structure of any organization system isn't static, but it changes dynamically, innovates [3] and forms in real-time. System s dynamics is characterized by interdependence, mutual interactions, information feedbacks and circular causalities [7]. It is then possible to describe the System and its process dynamics as mutual dependence and incidence of system entities. In every system, there runs an incidence of mutual bindings and response in cyclic feedback loops. Their existence is conditioned by information diffusion, relevant definite activities which if, within pertinent system after certain time, they return back to starting point, influence the next system activities. The feedback underlies the system s structure and at the same time is determinant of its behaviour. The interconnection and influence of entity s and system s component bindings and feedbacks in the cycle, can be titled as a relation (-ship) [8]. The relation then, in real time and owing to environment, can change an entity s intensity and systemic importance. Feedback existence is natural in every system. Nevertheless during system crisis development, the feedbacks can operate in mode and impact that are not common in peace time. Such feedback is possibly titled negative, regarding its necessity of changes enforcing of system behaviour. For example in the banking sector [1]: Negative feedback of banks debts balance and subsequently pertinent decreasing of its rating causes financing costs increasing, which reduce its future ceteris paribus and this bank is more vulnerable, because its resulting rating decreasing would be able to bring "a waste of the possibilities of other financial resources obtaining" on interbanking market. However, negative feedback has the system s self-regulation character and they operate like a specific automatic stabilizer, contributing to an elimination of system s crisis. That is why the changes [3] are compensated by feedback here, inducing: for example, values growth of system s entity A lead to lower value of B entity than it would be without the changes. However, positive feedback (a growth in A leading to higher B than it would be without the changes), needn t operate just in a positive words sense, but they can evoke negative feedback even [10]: for example, price falls in a reality market evoke declining consumer's expense, that more and more weaken the reality market and spread further to the other economy sectors. Withal for example, state and influence of financial organizational system on the real economy is an excellent detector of procyclicality mechanisms, amplified natural amplitude of economic cycle. For example: excessive procyclicality [3] embodies such a fluctuation that has induced excessive expense reinforcement of real economies and it is resulting in the health damage of financial sector. A question asserts to the foreground of system s vulnerability and security during economic cycle: What is a resilience to resistance against relevant threats and hazards of relating particular entities, even of a whole complex organizational system? The answer, not only for economic, but also for other sectors of human society, is possible obtain from the planning, testing and auditing according to international standards for Business Continuity Management System - BCMS. [12] The BCSM acts as part of an organizational total management system. It sets and innovates a continuity of total management system activities and processes in business life cycles. 130

3 2. BCMS The BCMS is founded on Business continuity planning life cycles. Next, Figure 1 shows PDCA cycle ( Plan-Do- Check-Act ) [14] for the planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continual improvement of the effectiveness of an organization s business continuity processes. Business continuity planning (BCP) [12] "identifies an organization's exposure to internal and external threats and synthesizes hard and soft assets to provide effective prevention and recovery for the organization, while maintaining competitive advantage and value system integrity. It is also called business continuity and resiliency planning (BCRP). integrity. It is also called business continuity and resiliency planning (BCRP). Figure 1: PDCA cycle applied to BCMS processes [14] Business continuity plan is a roadmap for continuing operations under adverse conditions (i. e. interruption from natural or man-made hazards). BCP is an ongoing state or methodology governing how business is conducted. In the US, governmental entities refer to the process as continuity of operations planning (COOP). BCP is working out how to continue operations under adverse conditions that include local events like arson, theft, and vandalism, regional incidents like earthquakes and floods, and national incidents like pandemic illnesses. In fact, any event that could impact operations should be considered, such as supply chain interruption, loss of or damage to critical infrastructure (major machinery or computing/network resource). As such, risk management must be incorporated as part of BCP. BCP may be a part of an organizational learning effort that helps reduce 131

4 operational risk. A backup plan to run any business event uninterrupted is a part of business continuity plan. BCP for specified organization is to be implemented for the organizational level in large scale, however the backup plan at individual level is to be implemented at small unit scale. The organizational management team is accountable for large scale BCP for any particular firm, while the respective individual management team is accountable for their BCP at small unit scale. This process may be integrated with improving security and corporate risk management practices. In 2004, the United Kingdom enacted the Civil Contingencies Act 2004, a statute that instructs all emergency services and local authorities to actively prepare and plan for emergencies. Local authorities also have the legal obligation under this act to actively lead promotion of business continuity practices in their respective geographical areas. In December 2006, the British Standards Institution (BSI) released a new independent standard for BCP BS Prior to the introduction of BS 25999, BCP professionals relied on BSI information security standard BS 7799, which only peripherally addressed BCP to improve an organization's information security compliance. BS 25999's applicability extends to organizations of all types, sizes, and missions whether governmental or private, profit or nonprofit, large or small, or industry sector. In 2007, the BSI published the second part, BS "Specification for Business Continuity Management" [12] that specifies requirements for implementing, operating and improving a documented BCMS.Now, whilst BS and BS ISO [13] are the new standards, the subject matter is anything but new. Since time immemorial people have practiced BCM - from the wise virgins (probably earlier, but we could not find a reference for it) to the present day - the art of BCM has been practiced. BS describes the activities and 'outcomes' of establishing a BCM process. It also provides a series of recommendations for good practice. ISO defines the requirements for a management systems approach to business continuity management. It provides assistance to the person responsible for implementing BCM within an organization. It describes a framework and process for the Business Continuity Manager to use and offers a range of good practice recommendations. ISO22301 offers the basis for certification. It defines management systems requirements within a specification. These, however, can be used by internal or external bodies. BS25999 was produced through the British Standard Institution. The sponsors of the original document, which was called PAS 56, were the BCI and Insight Consulting, although a number of other organizations were consulted during the development, including EDS, Sainsbury's and the Post Office. ISO was produced by International Standard Organization, using BS as a primary input. This standard will be implemented in various environments. Special targeted environment societal has derivative ISO/DIS ISO The ISO is the Standard for Societal security BCMS [14]. This international standard issues from British BS25999 plus ISO and provides guidance for setting up and managing an effective BCMS in societal security environment, which is the most universal and for this reason recomendations from this standard will mostly be cited. A BCMS emphasizes the importance of: - Understanding the organization s needs and the necessity for 132

5 establishing business continuity management policy and objectives; - Implementing and operating controls and measures for managing an organization s overall business continuity risks; - Monitoring and reviewing the performance and effectiveness of the BCMS and - Continual improvement based on objective measurement. BCMS, like any other management system, includes the following key components: a) A policy; b) People with defined responsibilities; c) Management processes relating to: policy, planning; implementation and operation, performance assessment, management review and improvement; d) A set of documentation providing auditable evidence and e) Any business continuity management processes relevant to the organization. Business continuity contributes to a more resilient society. The wider community and the organization s environmental impact on any organization and therefore other organizations may need to be involved in the recovery processes. BCM is about preparing an organization to deal with disruptive incidents that might otherwise prevent it from achieving its objectives. Any incident, large or small, natural, accidental or deliberate has the potential to cause major disruption to the organization s operations and its ability to deliver products and services. However, implementing BCM now, rather than waiting for this to happen, will enable the organization to resume operations before unacceptable levels of impact arise. BCM is not complicated. It involves: a) Identifying the organization s key products and services; b) Identifying the prioritized activities and resources required to deliver them; c) Evaluating the threats to these activities and their dependencies; d) Putting arrangements in place to resume these activities following an incident; and e) Making sure that these arrangements will be effective in all circumstances. Figure 2: Mitigating impacts in certain solutions [14] 133

6 Activities may be disrupted by a wide variety of incidents, many of which are difficult to predict or analyze. By focusing on the impact of disruption, BCM identifies those activities on which the organization depends for its survival, and enables the organization to determine what is required to continue to meet its obligations. Through BCM, an organization may recognize what needs to be done to protect its people, premises, technology, information, supply chain, interested parties and reputation, before an incident occurs. With that, it can take a realistic view on the responses that are likely to be needed as and when a disruption occurs, so that it may be confident of managing the consequences and avoid unacceptable levels of impacts. An organization with appropriate business continuity management measures in place may also be able to take advantage of opportunities that might otherwise be judged to be too high risk. The diagrams on Figure 2 [14] are intended to illustrate conceptually how BCM may be effective in mitigating impacts in certain solutions. No particular timescales are implied by the relative distance between the stages depicted in either diagram. International standard ISO for business continuity provides guidance based on best international practice for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a documented management system that enables organizations to prepare for, respond to, and recover from disruption. It is not the intent of this International Standard to imply uniformity in the structure of a BCMS but for an organization to design a BCMS that is appropriate to its needs and that meets the requirements of its interested parties. These needs are shaped by legal, regulatory, organizational and industry 134 requirements, the products and services, the processes employed, the size and structure of the organization and the requirements of its interested parties. This international standard is generic and applicable to all sizes and types of organizations, including large, medium and small organizations operating in industrial, commercial, public and notfor-profit sectors that wish to: establish, implement, maintain and improve a BCMS; assure conformance with the organization s business continuity policy; or iii/ make a self-determination and self-declaration of compliance with this ISO. This standard should not be used to assess an organization s ability to meet its own business continuity needs, nor any customer, legal or regulatory needs. Organizations wishing to do so should use the ISO to demonstrate conformance to others or seek certification/registration of its BCMS by an accredited third party certification body. 4. BCM providing phase Life cycles of BCM Implementation contains the next phases: - Analysis; - Solution design; - Implementation; - Testing and organizational acceptance; - Maintenance. The Analysis phase, in the development of a BCP manual, consists of an impact analysis, threat analysis and impact scenarios with the resulting BCP plan requirement documentation. Impact analysis (business impact analysis, BIA) results in the differentiation between critical (urgent or crisis) and non-critical (non-urgent) organization functions/ activities. A function may be considered critical if the implications for stakeholders of resulting damage to the organization are regarded as unacceptable. Perceptions of the

7 acceptability of disruption may be modified by the cost of establishing and maintaining appropriate business or technical recovery solutions. A function may also be considered critical if dictated by law. For each critical (in scope) function, two values are then assigned: Recovery Point Objective (RPO) the acceptable latency of data that will not be recovered; Recovery Time Objective (RTO) the acceptable amount of time to restore the fiction. The RPO must ensure that the maximum tolerable data loss for each activity is not exceeded. The RTO must ensure that the Maximum Tolerable Period of Disruption (MTPD) for each activity is not exceeded. Next, the impact analysis results in the recovery requirements for each critical function. Recovery requirements consist of the following information: The business requirements for recovery of the critical function, and/or The technical requirements for recovery of the critical fiction. Threat analysis comes after defining recovery requirements, documenting potential threats is recommended to detail a specific disaster s unique recovery steps. Some common threats include the following: Disease; Earthquake; Fire; Flood; Cyber attack; Sabotage (insider or external threat); Hurricane or other major storm; Utility outage; Terrorism; Theft (insider/ external theft, vital information or material); Random failure of mission-critical systems. All threats share a common impact: the potential of damage to organizational infrastructure except one (disease). The impact of diseases can be regarded as purely human, and may be alleviated with technical and business solutions. However, if the humans behind these recovery plans are also affected by the disease, then the process can fall down. The organizations also banned face-toface contact between opposing team members during business and nonbusiness hours. With such a split, organizations increased their resiliency against the threat of government-ordered quarantine measures if one person in a team contracted or was exposed to the disease. Damage from flooding also has a unique characteristic; if an office environment is flooded with nonsalinated and contamination-free water. Definition of impact scenarios comes after defining potential threats, documenting the impact scenarios that form the basis of the business recovery plan is recommended. In general, planning for the most wide-reaching disaster or disturbance is preferable to planning for a smaller scale problem, as almost all smaller scale problems are partial elements of larger disasters. A typical impact scenario like 'building loss' will most likely encompass all critical business functions, and the worst potential outcome from any potential threat. A business continuity plan may also document additional impact scenarios if an organization has more than one building. Other more specific impact scenarios for example a scenario for the temporary or permanent loss of a specific floor in a building may also be documented. Organizations sometimes underestimate the space necessary to make a move from one venue to another. Recovery requirement documentation comes after the completion of the analysis phase, the business and technical plan requirements are documented in order to commence the Solutions design phase. A good asset management program can be of great assistance here and allow for quick identification of available and reallocatable resources. For an officebased, IT intensive business, the plan s 135

8 requirements may cover the following elements which may be classed as ICE (In Case of Emergency) Data: The numbers and types of desks, whether dedicated or shared, required outside of the primary business location in the secondary location; The individuals involved in the recovery effort along with their contact and technical details; The applications and application data required from the secondary location desks for critical business functions; The manual workaround solutions; The maximum outage allowed for the applications; The peripheral requirements like printers, copiers, fax machines, calculators, paper, pens etc. Other business environments, such as production, distribution, warehousing etc. will need to cover these elements, but are likely to have additional issues to manage following a disruptive event. Solution design goal is to identify the most cost effective disaster recovery solution that meets two main requirements from the impact analysis stage. For IT applications, this is commonly expressed as: The minimum application and application data requirements; the time frame in which the minimum application and application data must be available. Disaster recovery plans may also be required outside the IT applications domain, for example in preservation of information in hard copy format, loss of skill staff management, or restoration of embedded technology in process plant. This BCP phase overlaps with disaster recovery planning methodology. The solution phase determines: the crisis management command structure; the location of a secondary work site (where necessary); telecommunication architecture between primary and secondary work sites; data replication methodology between primary and secondary work sites; the application and software required at the secondary work site, and the type of physical data requirements at the secondary work site. Implementation phase, quite simply, is the execution of the design elements identified in the solution design phase. Work package testing may take place during the implementation of the solution, however; work package testing does not take the place of organizational testing. Testing and organizational acceptance purpose is to achieve organizational acceptance that the business continuity solution satisfies the organization's recovery requirements. Plans may fail to meet expectations due to insufficient or inaccurate recovery requirements, solution design flaws, or solution implementation errors. Testing may include: Crisis command team call-out testing; Technical swing test from primary to secondary work locations; Technical swing test from secondary to primary work locations; Application test; and Business process test. At minimum, testing is generally conducted on a biannual or annual schedule. Problems identified in the initial testing phase may be rolled up into the maintenance phase and retested during the next test cycle. The Maintenance of a BCP manual is broken down into three periodic activities. The first activity is the confirmation of information in the manual; roll out to ALL staff for awareness and specific training for individuals whose roles are identified as critical in response and recovery. The second activity is the testing and verification of technical solutions established for recovery operations. The third activity is the testing and verification of documented organization recovery procedures. A biannual or annual maintenance cycle is typical. 136

9 5. Conclusion to scenario design Three types of exercise scenarios can be employed when testing business continuity plans. Simple exercises are often called a desktop or workshop. Medium exercises will invariably be conducted within a Virtual World and will usually bring together several departments, teams or disciplines. Complex exercises are perhaps the hardest to define as they aim to have as many boundaries as possible. Rules for Exercise Scenarios design will be the object of our next research activities. References [1] AIKMAN, D. et al Funding liquidity risk in a quantitative model of systemic stability, Bank of England working paper No [2] ARLOW, J. NEUSTADT, I. Enterprise Patterns and MDA, Addison-Wesley, 2006, ISBN X. [3] DRUCKER, P. Innovation and entrepreneurial spirit, Management press, Prague, [4] GERLACH, S. GRUNEWALD,P. Procyclicality of Financial Systems in Asia, Hong Kong Institute of Monetary research: [5] HAMMER, M. CHAMPY, J. Reengineering, Management press, [6] MACH, O. Příprava, provedení a vyhodnocení cvičení k ověření připravenosti na jaderné, nebo na radiologické mimořádné události, (Czech) International Atomic Energy Agency: [7] RICHARDSON,G.P. System dynamics, In Encyclopedia of Operations Research and Information Science, Saul Gass and Carl Harris, eds., Kluwer Academic Publishers, [8] URBÁNEK, J. F.: Teorie procesů management environmentů, CERM Brno, 2003, ISBN [9] URBÁNEK, J. F. a kol. Scénáře adaptivní kamufláže. Brno: Tribun EU s.r.o., 2012, ISBN [10] KUBICOVÁ, I. Et al. Analýza mikrofinančních rizik a jejich přenosů v kontextu zranitelnosti české ekonomiky, Hlávkovo nadání, Praha, 2012, ISBN [11] EPR EXERCISE. Preparation, Conduct and Evaluation of Exercises to Test Preparedness for a Nuclear or Radiological Emergency, International Atomic Energy Agency: [12] BS [13] ISO 22301:2011. [14] ISO/DIS 22313: