Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Four

Similar documents
Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Three

Virginia Commonwealth University School of Medicine Information Security Standard

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

Temple university. Auditing a business continuity management BCM. November, 2015

Business Continuity Plan

Business Continuity Management

Application / Hardware - Business Impact Analysis Template. MARC Configuration Requirements. Business Impact Analysis

Principles for BCM requirements for the Dutch financial sector and its providers.

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

Business Continuity Planning and Disaster Recovery Planning

How To Manage A Disruption Event

Unit Guide to Business Continuity/Resumption Planning

Business Continuity Management

Disaster Recovery and Unstable Furniture

Assessing Your Disaster. Andrews Hooper Pavlik PLC. Andrews Hooper Pavlik PLC

Institute for Business Continuity Training 1623 Military Road, # 377 Niagara Falls, NY

Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP).

Business Continuity Management

NEEDS BASED PLANNING FOR IT DISASTER RECOVERY

Business Continuity Planning (800)

William Rider Manager Disaster Recovery & Data Security The Johns Hopkins Health System & University

Table of contents. Maintaining Continuity of Operations with a Disaster Tolerance Strategy

Guideline - Business Continuity Plan

Information Security Policy. Chapter 11. Business Continuity

The Business Continuity Maturity Continuum

Domain 3 Business Continuity and Disaster Recovery Planning

State of South Carolina Policy Guidance and Training

With 57% of small to medium-sized businesses (SMBs) having no formal disaster

Documentation. Disclaimer

Business Continuity Planning

Why Bother With A Business Impact Analysis?

University of Michigan Disaster Recovery / Business Continuity Administrative Information Systems 4/6/2004 1

Disaster Recovery Plan The Business Imperatives

Business Continuity and Disaster Recovery Planning from an Information Technology Perspective

Company Management System. Business Continuity in SIA

Disaster Recovery and Business Continuity Plan

Success or Failure? Your Keys to Business Continuity Planning. An Ingenuity Whitepaper

Business Continuity - IT Disaster Recovery Discussion Paper - - Commercial in Confidence Version V2.0R Wednesday, 5 September 2012

KPMG Information Risk Management Business Continuity Management Peter McNally, KPMG Asia Pacific Leader for Business Continuity

Business Resiliency Business Continuity Management - January 14, 2014

ACTUALLY TEST YOUR PLAN. Disaster Recovery using Shadow Protect. March Madness Lunch & Learn. 1 AGENDA

HA / DR Jargon Buster High Availability / Disaster Recovery

Post-Class Quiz: Business Continuity & Disaster Recovery Planning Domain

Course: Information Security Management in e-governance. Day 2. Session 5: Disaster Recovery Planning

Risk Management Programme Guidelines

BUSINESS CONTINUITY PLANNING GUIDELINES

The Credit Research Foundation. Disaster Recovery and Business Continuity. Of Your , Credit & A/R System. An Occasional Paper February 2003

Preparing for the Worst: Disaster Recovery and Business Continuity Planning for Investment Firms An Eze Castle Integration ebook

Ohio Conference for Payroll Professionals Disaster Recovery

Business continuity management policy

Flinders University IT Disaster Recovery Framework

Creating a Business Continuity Plan for your Health Center

Disaster Recovery and Business Continuity What Every Executive Needs to Know

November 2007 Recommendations for Business Continuity Management (BCM)

Business Continuity Overview

Prudential Practice Guide

Why Should Companies Take a Closer Look at Business Continuity Planning?

Desktop Scenario Self Assessment Exercise Page 1

Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD.

NORTH HAMPSHIRE CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY MANAGEMENT POLICY AND PLAN (COR/017/V1.00)

Q uick Guide to Disaster Recovery Planning An ITtoolkit.com White Paper

Business Continuity Policy

EMERGENCY PREPAREDNESS PLAN Business Continuity Plan

Building a Disaster Recovery Program By: Stieven Weidner, Senior Manager

Code Subsidiary Document No. 0007: Business Continuity Management. September 2015

How to measure your business resiliency

Business Continuity Policy and Business Continuity Management System

BUSINESS CONTINUITY MANAGEMENT GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS

How to write a DISASTER RECOVERY PLAN. To print to A4, print at 75%.

Best Practices in Disaster Recovery Planning and Testing

PAPER-6 PART-3 OF 5 CA A.RAFEQ, FCA

Developing a Business Continuity Plan... More Than Disaster

State Data Centre Disaster Recovery Handbook Version 1.0

Justifying Business Continuity: How it Impacts Risk Management

Ohio Supercomputer Center

Birmingham CrossCity Clinical Commissioning Group. Business Continuity Management Policy

To Tier or not to Tier

Beyond Disaster Recovery: Why Your Backup Plan Won t Work

The Weill Cornell Medical College and Graduate School of Medical Sciences. Responsible Department: Information Technologies and Services (ITS)

Business Unit CONTINGENCY PLAN

Disaster Recovery Policy

BUSINESS IMPACT ANALYSIS

Exercising Your Enterprise Cyber Response Crisis Management Capabilities

Business continuity plan

By: Tracy Hall. Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level. June 9, 2015

University of Ulster Policy Cover Sheet

PROJECT RISK MANAGEMENT

NCUA LETTER TO CREDIT UNIONS

Proposal for Business Continuity Plan and Management Review 6 August 2008

BUSINESS CONTINUITY PLAN

The purpose of this white paper is to outline the 5 steps required to prepare small-to-medium businesses for these disasters.

CRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data

Business Continuity Planning and Disaster Recovery Planning. Ed Crowley IAM/IEM

Small Business Continuity Workshop. Region 1- Vermont

Information Services IT Security Policies B. Business continuity management and planning

With the large number of. How to Avoid Disaster: RIM s Crucial Role in Business Continuity Planning. Virginia A. Jones, CRM, FAI RIM FUNDAMENTALS

Business Continuity and Disaster Recovery Planning

Sound Transit Internal Audit Report - No

Information Technology Engineers Examination. Information Technology Service Manager Examination. (Level 4) Syllabus

FRAMEWORK. Approving authority. University Council. Approval date

Transcription:

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Four Data Handling in University Business Impact Analysis ( BIA )

Agenda Overview Terminologies Performing BIA Example how to do BIA Business Continuity Planning Conclusion 1

Overview the operation activities the measure of failure the evaluation process 2

Business Impact Business Impact Business impact is a measure of how an organisation might be affected by a process failure, caused by technology, premise, or human resource issues. Impact is classified as either revenue or non-revenue. Revenue impact includes the full or partial failure of any process which produces, collects, or processes business income. Non-revenue impact is caused by challenges that do not directly affect short term realisation of revenue. Although causes of non-revenue impact might not result in immediate financial losses, some could result in long term financial damage through loss of investor or customer good will. 3

Business Impact Business Impact Business impact can be calculated using either a qualitative or a quantitative approach. Qualitative Qualitative analysis depends on the experience of employees and consultants to arrive at risk scores. Quantitative The results of the quantitative approach are estimates of potential dollar losses based on known costs or revenue streams. 4

Business Impact Analysis (BIA) Business Impact Analysis definition: BIA- An impact analysis results in the differentiation between critical (urgent) and non-critical (non-urgent) organization functions/ activities. Why Critical? Financial loss Business continuity Legal requirements -Wikipedia What for? Determine criticality Allocate resources (limited) to recovery requirements 5

Business Impact Analysis (BIA) Business Impact Analysis BIA is an essential component of an organisation's business continuity plan Assumptions: Every component of the organisation is reliant upon the continued functioning of every other component, but that some are more crucial than others and require a greater allocation of funds in the wake of a disaster. 6

What is Business Impact Analysis (BIA) BIA Reveals any vulnerabilities Identifies costs linked to failures Such as loss of cash flow, replacement of equipment, salaries paid to catch up with a backlog of work, loss of profits Quantifies the importance of business components Suggests appropriate fund allocation for measures to protect them Assesses the possibilities of failures in terms of their impacts on safety, finances, marketing, legal compliance, and quality assurance. Expresses impact monetarily for purposes of comparison For example, a business may spend three times as much on marketing in the wake of a disaster to rebuild customer confidence. Develops strategies for minimising risk 7

What is Business Impact Analysis (BIA) BIA- the Risk Management Perspective Impact vs Risk Risk = Probability of Occurrence (PO) x Business Impact (BI) Probability of occurrence is calculated using the threat and vulnerability analysis. It s represented as the number of occurrences expected in a single year. This is known as the Annual Rate of Occurrence (ARO). For example, if information about known threats, vulnerabilities, and actual events lead an analyst to believe a threat will cause a weakness to interrupt business operations once every four years, the probability of occurrence is.25. During a qualitative BIA, the analyst uses probability of occurrence (PO) and business impact (BI) to arrive at a risk score. The risk score is a measure of the amount of damage resulting from one or more failed critical processes. 8

The BIA Process Process Information Gathering Business Function Identification Business Impact Time Criticalness Business Impact Assessment Risk Rating = Likelihood + Consequences Resource Dependency Analysis Resource Required Assign Criticality Level 9

Terminologies Criticality/ Time-sensitivity Recovery Point Objective ("RPO") Recovery Time Objective ("RTO") Maximum Tolerable Downtime ("MTD") 10

Criticality/ Time-sensitivity Organisations do not hire staff to perform non-essential tasks. Every function has a purpose, but some are more time-sensitive than others when there is limited time or resources available to perform them. The organisation needs to look at every function. Criticality/ Time-sensitivity: How long can the entity not perform this function without causing significant financial losses, or significant penalties or fines from regulators or from lawsuits? 11

Recovery Point Objective ("RPO") Recovery Point Objective (RPO) describes the acceptable amount of data loss measured in time. The point in time for which data must be restored in order to resume transaction processing. Generally defining what the organisation s "acceptable loss" in a disaster situation. 12

Recovery Point Objective ("RPO") Example (RPO=2hrs) Backup at 11:00am System crashed at 12:59pm without new backup The loss of the data written between 11:00am and 12:59pm will be lost. Data loss is acceptable because of the 2 hour RPO. This is the case even if it takes an additional 3 hours to get the site back into production. The restored system will continue with data at the point in time of 11:00am. All data in between will have to be manually recovered through other means. 13

Recovery Time Objective ("RTO") Recovery Time Objective (RTO) is the duration of time and a service level within which a business process must be restored after a disruption in order to avoid unacceptable consequences associated with a break in business continuity. RTO includes the time for trying to fix the problem without a recovery the recovery tests and the communication to the users Decision time for users representative is not included. RTO is established during the Business Impact Analysis (BIA) by the owner of a process. The RTOs are then presented to senior management for acceptance. 14

Recovery Time Objective ("RTO") The RTO attaches to the business process and not the resources required to support the process. The RTO and the results of the BIA provide the basis for identifying and analysing viable strategies for inclusion in the business continuity plan. Viable strategy options would include any which would enable resumption of a business process in a time frame at or near the RTO. This would include alternate or manual workaround procedures and would not necessarily require computer systems to meet the RTOs The "O" in RTO stands for objective, not mandate. In reality, strategy is often selected that will not meet the RTO. In this instance the RTO will not be met but should still remain an objective of future strategy revision. 15

RPO vs RTO If RPO = 2hrs the entity cannot suffer loss of data made in 2hours time If RTO = 5hrs the entity cannot accept the data being not available for more than 2 hrs RPO=2hrs RTO=5hrs DATA LOSS Data backup Disaster Restored 16

Maximum Tolerable Downtime ("MTD") MTD (Maximum Tolerable Downtime) is the maximum time a critical process can be down, or hindered in some way, without irreparable harm to the business. It s typically calculated as part of a BIA and is used during risk calculations. At a high level, a BIA begins with identifying critical processes, describes resources necessary to maintain them, calculates the financial or reputation impact on the business if the process fails, and determines process MTD. Other processes which depend on the failed process output also suffer. So a BIA must also describe the interrelationship between all critical processes and factor this into their MTDs. A process MTD is an adjustable value. 17

Performing BIA Performing BIA 1. Business Function Identification 2. Resource Dependency Analysis 3. Business Impact Assessment 4. Mitigation Aim: to rank business processes by criticality 18

Performing BIA - Business Function Identification Determine Business Processes Obtain an understanding of business processes within the entity Identify business processes and dependencies Identify process owners (department management/ key staff) Information for assessing business impacts and identifying resources requirement can be obtained by sighting internal documentation and conducting interviews with process owners: Interviews Workshops Surveys 1 19

Performing BIA - Business Function Identification Identify Business Impact Business impacts include Financial impact (actual & potential); Operational impact; Impact of regulatory, legislative non-compliance; and Any other negative impacts to the business in the event of disaster. 1 20

Performing BIA - Business Function Identification Financial Impact The direct and indirect results may be lost sales, lost revenue, loss of business opportunities, impaired cash flow, contractual fines or other penalties, etc. Operational Impact Operational impacts are the result of disruption to daily operations. Impacts may include: Negative public image (reputation) Client satisfaction and loyalty Employee morale Health & safety Regulatory/ Legislative/ Non-compliance Potential regulatory penalties Breach of regulatory requirement Litigation 1 21

Performing BIA - Business Function Identification Time Criticalness Time criticalness is ranked by the following two criteria: Recovery Time Objective (RTO) Recovery Point Objective (RPO) Business Function 001 Process Owner: xxxxxx Dependency: BF008/BF009 Potential Impact on Disruption:.. Time Criticalness: RTO=xx RPO=xx 1 22

Performing BIA - Resource Dependency Analysis Summarize the minimum set of recovery facilities, resources and services that would be required by each business unit at different times during disaster recovery. Identify the resource required to accomplish the process Classify the resources required (e.g. facility, capital, manpower, services ) 2 23

Performing BIA - Business Impact Assessment Potential risk events (e.g. power outage, virus infection ) impacting the critical business functions processes. For each risk identified, rate the Likelihood Criticality (RTO) Consequence of occurrence. 3 24

Performing BIA - Mitigate Risks Once identified failure exceeds acceptable risk threshold: Identify resource availability for mitigation Design and implement mitigating measures Recalculate residual risk Re-evaluate risk acceptability (if still exceeds acceptable risk threshold, repeat steps above) 4 25

Example - How to do a BIA Example: Student record maintenance by Registry No Dept Key Business Functions Consequences of disruption RTO RPO Service level Commitment Notes Critical processes or services that are business unit s responsibility. Impact of loss of function e.g. financial loss, loss of business, operational impact, regulatory, legislative non-compliance, etc Maximum time the business can tolerate without this function Maximum amount of data the business can afford to lose Internal or external Service Level Agreements (SLAs) in place for this function. Other comments 1 Registry Student record maintenance Unable to provide student data for faculties and administrative departments when requested 1 week 12 hrs N/A 26

Example - How to do a BIA HOW LONG BEFORE THE ABSENCE OR SERVICE DEGRADATION OF THE PROCESS/DEPARTMENT BECOMES CRITICAL? (MARK ONE BOX NOTING THE NUMBER OF HOURS, DAYS OR WEEKS) 1 (0-3 days) 2 (3-5 days) Criticality Level 3 (5-7 days) 4 (1-2 weeks) 5 >2 weeks (REGISTRY- STUDENT RECORD MAINTENANCE) X 27

Example - How to do a BIA (Resource Dependency Analysis) Process: Student Record Maintenance Department: Registry Number of resources required Critical level Information Technology Dependencies Hardware PC 1 4 Printer 1 5 Desktop Microsoft Word 1 4 Microsoft Excel 0 Intranet access 1 3 Internet access 0 Local Applications N/A N/A Communications Telephones - Landline 1 3 Telephones - Mobiles N/A Key internal suppliers / interface (i.e.: number of staff temporary borrowed from other Departments during disaster) Clerical staff (for manual record processing) 2 2 Key external suppliers / vendors (i.e. IT system not supported by IT Department) N/A N/A 28

Example - How to do a BIA (Business Impact Assessment) Risk Rating Contingency / Mitigation Action Process Reference & Risk Description Likelihood Consequences Likelihood + Consequences (e.g. Manual alternatives, escalation procedures) 1. Student Record Maintenance 1.1 Student Record System Unavailable due to server outage 1 3 4 User paper records for student record queries 29

Business Continuity Planning (BCP) The BCP Process Analysis Design Implementation Testing Maintenance BIA 30

Conclusion BIA 31

Q&A? 32

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information