Standard for Business Continuity/Disaster Recovery (BC/DR) Service Providers



Similar documents
Singapore Standard for Business Continuity/Disaster Recovery (BC/DR) Service Providers - SS507

Ohio Supercomputer Center

Business Continuity Planning (BCP) 101

KPMG Information Risk Management Business Continuity Management Peter McNally, KPMG Asia Pacific Leader for Business Continuity

BITS GUIDE TO CONCENTRATION RISK

Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD.

courtesy of F5 NETWORKS New Technologies For Disaster Recovery/Business Continuity overview f5 networks P

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

ASX SETTLEMENT OPERATING RULES Guidance Note 10

Business continuity plan

GUIDELINES FOR BUSINESS CONTINUITY IN WHOLESALE MARKETS AND SUPPORT SYSTEMS MARKET SUPERVISION OFFICE. October 2004

INFORMATION TECHNOLOGY SECURITY STANDARDS

AN APPLICATION-CENTRIC APPROACH TO DATA CENTER MIGRATION

Business Continuity Planning for Risk Reduction

NSW Government. Data Centre & Cloud Readiness Assessment Services Standard. v1.0. June 2015

ASX CLEAR (FUTURES) OPERATING RULES Guidance Note 10

CIS 523/423 Disaster Recovery Business Continuity

Business Continuity Management Planning Methodology

Information Security ISO Standards. Feb 11, Glen Bruce Director, Enterprise Risk Security & Privacy

Data Protection Act Guidance on the use of cloud computing

AUSTRACLEAR REGULATIONS Guidance Note 10

AUDIT OF INFORMATION TECHNOLOGY Management (Action Plan) Responses February 2005 # PRIORITY DESCRIPTION MANAGEMENT RESPONSE

TRENDS IN BUSINESS CONTINUITY AND CRISIS COMMUNICATIONS SURVEY

WORKDAY CONCEPT: EMPLOYEE SELF SERVICE

Anatomy of an IT Outsourcing Deal. Bruce Laco Deloitte John Pickett IT World Canada Barry Sookman McCarthy Tetrault

Mitigating and managing cyber risk: ten issues to consider

2015 CEO & Board University Taking Your Business Continuity Plan To The Next Level. Tracy L. Hall, MBCP

Beyond disaster recovery: becoming a resilient business.

Section A: Introduction, Definitions and Principles of Infrastructure Resilience

Statement of Guidance

4 Critical Risks Facing Microsoft Office 365 Implementation

National Cyber Security Policy -2013

Infocomm Security Masterplan 2

Guidance on Arrangements to Support Operational Continuity in Resolution. Consultative Document

OCCUPATIONAL GROUP: Information Technology. CLASS FAMILY: Security CLASS FAMILY DESCRIPTION:

Federal Financial Institutions Examination Council FFIEC. Business Continuity Planning BCP MARCH 2003 MARCH 2008 IT EXAMINATION

PAPER-6 PART-3 OF 5 CA A.RAFEQ, FCA

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

Why Should Companies Take a Closer Look at Business Continuity Planning?

Introduction to Business Continuity Planning

Business Continuity Overview

Disaster Recovery. Hendry Taylor Tayori Limited

NEEDS BASED PLANNING FOR IT DISASTER RECOVERY

Risks and uncertainties

Disaster Recovery Planning as a Means to Resilient Development. PDNA Course

Managing internet security

BEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT

Managing business risk

SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE ( ) ON THIRD PARTY RELATIONSHIPS

Pacnet White Paper. IT Server Hosting: How it benefits SMEs

Retail. White Paper. Driving Strategic Sourcing Effectively with Supply Market Intelligence

EMERGENCY PREPAREDNESS PLAN Business Continuity Plan

White Paper on Financial Institution Vendor Management

CYBER SECURITY Audit, Test & Compliance

Moving from BS to ISO The new international standard for business continuity management systems. Transition Guide

A GOOD PRACTICE GUIDE FOR EMPLOYERS

BT Conferencing Business Continuity Management. Planning to stay in business

Software as a Service Decision Guide and Best Practices

The Next Generation of Security Leaders

This is a preview - click here to buy the full publication

Client Study Portfolio

Service Availability Metrics

Vodafone Global Supplier Management

BUSINESS CONTINUITY MANAGEMENT REQUIREMENTS FOR SGX MEMBERS NEW RULES FOR INCLUSION IN SGX-ST RULES

Business Continuity and Disaster Recovery Planning

Information Security Management: Business Continuity Planning. Presentation by Stanislav Nurilov March 9th, 2005 CS 996: Info. Sec. Mgmt.

Business Continuity Policy and Business Continuity Management System

Windows Server 2003 Migration: Take a Fresh Look at Your IT Infrastructure

BCP (Business Continuity Plan)

Moving to the Cloud? DIY VS. MANAGED HOSTING

Continuity of Operations Planning. A step by step guide for business

The Resilient IT Infrastructure

Q uick Guide to Disaster Recovery Planning An ITtoolkit.com White Paper

Interagency Statement on Pandemic Planning

MANAGED SERVICES IMPACT ON THE TELECOM INDUSTRY

Business Continuity Policy

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

Managing Outsourcing Arrangements

THE WHITE HOUSE. Office of the Press Secretary. For Immediate Release February 12, February 12, 2013

Creating the Resilient Corporation

DPS HOSTED SOLUTIONS

DATA CENTER COLOCATION

Disaster Recovery. 1.1 Introduction. 1.2 Reasons for Disaster Recovery. EKAM Solutions Ltd Disaster Recovery

Disaster Recovery Policy

Intel Business Continuity Practices

IBM index reveals key indicators of business continuity exposure and maturity

Business Continuity & Disaster Recovery

Transcription:

Section One Standard for Business Continuity/Disaster Recovery (BC/DR) Service Providers The awareness of BC/DR services has grown due to the threats from terrorism and geopolitical tension. There are increasing concerns over the resilience of companies' IT and telecom infrastructure worldwide. Enterprises are looking at alternative locations for recovery purposes in the event of disruptions. Possessing such attributes as being a secure and stable location, excellent infrastructure, skilled manpower and extensive vendor support, Singapore is well-positioned to be a regional business continuity and disaster recovery hub in Asia Pacific. The development of the world's first standard in Singapore for such service providers continue to focus Singapore as having a strong value chain of service providers supporting the BC/DR cluster. This paper examines the implications of establishing this standard. Goh Moh Heng & Lim Yew Ban DRI Asia Members, BC/DR Working Group of Security & Privacy Standards Technical Committee 1 INTRODUCTION The Information Technology (IT) systems in a majority of organizations form the backbone in supporting business operations. Other than issues of downtime due to upgrade and virus attacks, IT systems are taken to function in an unobtrusive manner. The IT function is another function in organizations, just like human resource and finance. However, disruption to IT operations such as momentary power or telecommunication failure highlights its vulnerability, especially for organizations whose operations depend on accurate and timely information from their IT systems. The concentration of a vital resource of the organization, information, onto a single function merits a re-appraisal of its vulnerability and roles in supporting business operations. Extending from above, scenarios which could cause disruption to the IT chain, from infrastructure to hardware and application programs, would incapacitate the IT function. Organizations need to improve the resilience of their IT operations and functions to protect against possible disruptions. Other than acquisition and duplication of IT systems and resources, which is a costly undertaking except for a minority of the organizations, a viable alternative would be to outsource this requirement to third party vendors. Section One 019

In addition to supplementing the IT function in a disruption, vendors providing such outsource services for IT systems are in many ways performing a vital role of business continuity of their client's operations and business. Besides the technical recovery of disrupted IT function - disaster recovery - these vendors must ensure the recovery process stays in tandem with the business operations. For example, the sequence and manner in which application systems are recovered should support the transactions during the disruption. Besides technical considerations, issues such as interdependencies and priority of business operations should be planned and embedded into the recovery process. Vendors providing such services are better named as Business Continuity and Disaster Recovery (BC/DR) service providers, rather than the traditional term Disaster Recovery (DR) service providers. Organizations choosing its BC/DR service providers could adopt a variety of criteria in their selection process. Geographic location of potential BC/DR service providers represents a good starting point in the decision making process. Besides the absence of natural disasters, the availability of good infrastructure, for example telecommunications and power supply, in a location at a given time is not easily changed within a short time frame. The presence of other BC/DR vendors in the location, besides attesting to its suitability, has the added option of providing ready substitutes in the final short-listing of vendors. The presence of BC/DR vendors in a particular location brings along with it the confluence of skilled manpower. 2 BC/DR OUTSOURCING - A TRIPARTITE LINKAGE Outsourcing to a third party vendor can be viewed as a purely commercial agreement between the organization and its vendor, governed by negotiation and service level agreement (SLA). However, unlike other forms of outsourcing, provision of BC/DR services merits inclusion of additional considerations not generally within the SLA and which are usually not under the direct administration of the vendor. These include infrastructure and the operation environment of the recovery site. Infrastructure provision such as good transportation to the recovery site via air, land and sea, global telecommunication connectivity and consistent power supply are generally beyond the control of a single vendor. Environmental factors such as availability of space away from area of natural disaster zones to build the BC/DR facility and a safe working surrounding are also not readily dictated by the vendor. For example, the business activities of tenant organizations in nearby buildings may impact the operations of the BC/DR facility. It would be difficult for the BC/DR vendor to influence the alteration of such activities of these other organizations. While some of these provisions and factors can be circumvented through prior special arrangements, such as specially chartered transportation to fetch staff to the recovery site, these cannot be guaranteed to response timely in the stipulated manner especially during disaster. It is wise to avoid reliance on such special arrangements and provisions for planning purposes. Besides costs considerations, active support and participation by the local authority in making available infrastructure and a conducive working environment would be other essential elements for successful recovery operations. Organizations embarking on selecting a BC/DR recovery site should therefore review not only potential vendors' capabilities but also those provisions already in place due to the location of the recovery site. A number of these provisions could be fostered by the intervention and support of the local authority. 020 Section One

3 A FOCAL POINT TO GUIDE SELECTION - A STANDARD Industry practices, for example promulgated through code of conduct and guidelines drawn up by industry professional bodies, promote common understanding not only among organizations in a particular industry but also its suppliers and clients. A standard in this case for organizations seeking BC/DR services and the vendors would provide a meeting point of parties concerned. Foremost, a BC/DR standard would specify a certain baseline of what are required and provided, managing the expectations of both organizations and vendors. Secondly, it would help organizations seeking to engage their first BC/DR vendors a starting point of what are available in the market and mitigate outsourcing risks. Unlike countries such as the US and UK, which are experienced consumers of BC/DR services, a BC/DR standard would provide a basis to certify and classify the different services and capabilities offered by a host of vendors in a relatively young Asian market. A standard and certification of vendors using this standard would help to clarify the selection process for organizations. From the vendor's perspective, it would help to elevate the industry benchmark, discriminate against weak and irresolute players and promote professionalism in the industry. In addition, for organizations that are conscious of their own preparations and BC/DR capabilities, a common standard would serve as a form of yardstick for internal self assessment. 4 THE SINGAPORE BC/DR STANDARD The initiative of a Singapore BC/DR Standard was mooted by the Infocomm Development Authority of Singapore (IDA) in July 2003. With the support of IDA, an industry BC/DR Working Group was formed under the Information Technology Standards Committee (ITSC), an industry partnership supported by SPRING Singapore and IDA Singapore. For any Infocomm Singapore standard to be established, a number of committees with representation from the private and public sectors are involved. The following are the main committees directly involved in drafting and approving the standard: ITSC Council, Security and Privacy Standards Technical Committee (SPSTC), and BC/DR Working Group. The working group includes representatives from the tripartite linkage, namely: Local Authority - IDA Singapore Key BC/DR vendors, both of local and foreign origin End-user organizations Besides the committees and participant organizations, the process for developing a national standard also includes public consultation and feedback. Section One 021

4.1 The BC/DR Development Framework The standard is developed based on a multi-tier framework comprising key vendors in the BC/DR industry. The foundation layer consists of Policies, Processes, Programs, Performance Measurements, People and Products. This layer explores the supporting infrastructure from which services are derived. For example, products based on current technology would influence the extent of services that can be provided. The international best practices layer examines widely adopted practices that help to improve BC/DR activities in specific areas. These best practices represent an added level of provision above the services provided. For example, the vendor could plan for additional capacity to cater to unplanned demand by client organization during a disaster situation. The overall BC/DR standard requirements are drawn up from a composite view of these layers and with a balance between cost effectiveness and standard rigour considerations. The process of deriving the requirements of the standard is as important as the standard itself. The process ensures that standard requirements can be implemented and enforced. Key principles that guide the development process include: Multi-party contribution. Active participation and feedback by members in the working group, including vendors and end-user organizations, is integral to the coverage of the standard. Implementation independence. The standard specifies the requirements without stipulating the means of attaining the requirements. Figure 1: BC/DR development framework [1] 4.2 The Scope of Coverage Clauses in the standard can be divided into two main categories: Clauses used in certification. These are the clauses being used to certify a BC/DR service provider - clauses 3, 4 and 5. 022 Section One

Non-certification clauses. These clauses highlight certain salient aspects of BC/DR pertinent to the location of recovery sites and industry best practices - clauses 6 and 7. BC/DR service providers may be certified under two categories: Facility Provider and Service Provider. Certification of the former examines the physical infrastructure while certification of the latter examines its service capability. Service providers may also opt to be certified under both categories simultaneously. Figure 2: Structure of the main clauses in standard For organizations seeking to provide BC/DR services, they should comply with the requirements in the following clauses in the standard. These requirements include stipulations for operating, monitoring, maintaining and up keeping BC/DR services offered to clients. They specify what BC/DR service providers must possess so as to provide a basic secure operating environment to enable clients to implement and execute their BC/DR plans. Clause 3 - General Requirements. This consists of requirements which must be fulfilled by all service providers seeking certification. For example, it includes third-party vendor management. Clause 4 - Disaster Recovery Facility Certification. This lays down the requirements of the physical infrastructure and facility used in providing BC/DR services. It includes all non computing equipment used. For example, physical access control and security of recovery premises, air-conditioning environmental control and constant supply of electrical power. Clause 5 - Service Provider Capability Certification. This stipulates the service capability of the BC/DR vendors besides its physical facility. It includes computing equipment used. For example, staff BC/DR expertise and training, operational readiness and change management. Depending on their business objectives, the BC/DR service providers can choose to be certified as Facility Providers - complying with Clause 4, and/or Service Providers - complying with Clause 5. Section One 023

5 CHALLENGES OF THE STANDARD The product offerings by existing BC/DR service providers shape the landscape of this industry in this part of the world. These service providers must continue to upgrade their assets and resources to further enhance their product offerings if they wish to remain competitive and attract major foreign end-user organizations to relocate their BC/DR facility to this part of the world. While threats from terrorism and geopolitical tension may prod these foreign organizations to seek for alternate providers and locations, the BC/DR providers located here must constantly introduce new and innovative solutions to preempt and response to changing customer business needs. From an end-user organization's perspective, a standard provides a means to identify and narrow down on committed and capable service providers that could meet their needs. For foreign organizations without a presence in Singapore, a national standard for BC/DR also serves to provide a certain measure of assurance in mitigating outsourcing risks. People represent an essential portion of the BC/DR program. A pool of skilled and knowledgeable workers would help to operate, uphold and maintain the relevance of BC/DR requirements. Awareness and training courses in the BC/DR arena would also help to keep professionals in the industry abreast in the latest trends and developments. In this respect, the professional BC/DR courses run by institutions in Singapore help to improve this professional pool. Funding and rebate grants for some of these courses by the relevant local authority further help to promote BC/DR importance and raise the level of competency. The Singapore Standard for BC/DR Service Providers provides a basis for committed BC/DR service providers to differentiate and distinguish themselves from other lesser players. The availability of such a standard also helps end-user organizations to lower BC/DR outsourcing risks. Coupled with a good geographical location and infrastructure, service providers located in Singapore enjoy these advantages jointly present a unique standard-location-infrastructure option for end-user organizations in their BC/DR deliberation for a suitable location and service provider. 6 CONCLUSION Singapore represents a unique location for foreign based organizations to locate their BC/DR recovery and services requirements. Its major international air and sea links facilitate transportation of staff and equipment during recovery. Environment stability and absence of threats due to natural hazards and sudden climate changes, for example earthquakes and typhoons, coupled with a trained pool of professionals and dedicated service provider vendors make relocation here a viable option. The standard, developed with participation from end-user organizations and key BC/DR service providers, serves to further consolidate these existing advantages into a formal, objective and measurable manner. 7 REFERENCE 024 Section One [1] SS 507: 2004 - Singapore Standard for Business Continuity/Disaster Recovery (BC/DR) Service Providers

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information