Proposal for Business Continuity Plan and Management Review
6 August 2008

Contents
About Newton IT / Quality of our services
1. BCM & BS25999 Overview
2. BCM Development in line with BS25999
3. BCM Development Case Study
Appendix
About Newton IT
Newton IT Limited (Newton) is pleased to have the opportunity to propose for the Business Continuity Plan and Management Review. Since our foundation in 1998, Newton IT Limited has continually developed its business and expanded its product and service offerings. With our combined Anglo-Japanese management philosophy, Newton IT has been able to broaden its skill sets to meet the demands of today's dynamically changing IT industry and to provide solutions at every level of our customers' requirements and needs.
All Rights Reserved @ Newton IT Ltd.
Quality of Our Services
- Member of The Business Continuity Institute
- ISO17799 Associate Consultant of BSI
- BS25999 / ISO9001 / ISO27001 Registered Company (*)
- BCI Qualified Business Continuity Specialists (MBCI, ABCI)
- Other specialist skills (e.g. CISA, CEH, CISSP, MCSE, CCNA, CCNP)
- Provision of solutions in accordance with international standards (e.g. ISO27001, BS25999, COBIT, ITIL, ISO9001, ISO20000)
- Proven ability to manage projects on time and within budget
- Corporate lawyer partnership with a legal authority specialised in information systems
(*) The scope includes the provision of design, implementation and support of IT infrastructure, and consultancy on ISO27001 and security policies.
1. BCM & BS25999 Overview

BCM Overview (Terminologies)
Terminologies around BCM: BCM, Risk Assessment, RTO, RPO, MTPD, IMP, BIA (Business Impact Analysis), Response, Recovery, Business Continuity, BCP, Incident Response, Incident Management, DR, DRP, Business Recovery.
BCM Overview (Timeline)
[Figure: Incident timeline. Business As Usual: BCPs, Exercise, Assess, Internal Audit, Improvement. After the incident: Incident Management (to 8 hours), Business Continuity (to 48 hours), Business Recovery (to 3 months, back to normal). Vertical axis: operation rate 100% / 60% / 20% / 0% over TIME. RTO: 8 hours; RPO: 20% of normal operation.]
Note: RTO: Recovery time objective / RPO: Recovery point objective
Terms and Definition (1/2)
BCM: Holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.
Business Continuity Strategy: Approach by an organization that will ensure its recovery and continuity in the face of a disaster or other major incident or business interruption.
BCP: Documented collection of procedures and information that is developed, compiled and maintained in readiness for use in an incident, to enable an organization to continue to deliver its critical activities at an acceptable predefined level.
IMP: Incident management plan. Clearly defined and documented plan of action for use at the time of an incident, typically covering the key personnel, resources, services and actions needed to implement the incident management process.
Terms and Definition (2/2)
Invocation: Act of declaring that an organization's business continuity plan needs to be put into effect in order to continue delivery of key products or services.
BIA: Business impact analysis. Process of analysing business functions and the effect that a business disruption might have upon them.
RTO: Recovery time objective. Target time set for resumption of product, service or activity delivery after an incident. The recovery time objective has to be less than the maximum tolerable period of disruption.
MTPD: Maximum tolerable period of disruption. Duration after which an organization's viability will be irrevocably threatened if product and service delivery cannot be resumed.
BS25999 Structure (1/2)
BS25999 Part 1: Code of Practice
1 Scope and applicability
2 Terms and definitions
3 Overview of business continuity management (BCM)
4 The business continuity management policy
5 BCM programme management
6 Understanding the organization
7 Determining business continuity strategy
8 Developing and implementing a BCM response
9 Exercising, maintaining and reviewing BCM arrangements
10 Embedding BCM in the organization's culture
BS25999 Structure (2/2)
BS25999 Part 2: Specification
1 Scope
2 Terms and definitions
3 Planning the business continuity management system
  3.1 General
  3.2 Establishing and managing the BCMS
  3.3 Embedding BCM in the organization's culture
  3.4 BCMS documentation and records
4 Implementing and operating the BCMS
  4.1 Understanding the organization
  4.2 Determining business continuity strategy
  4.3 Developing and implementing a BCM response
  4.4 Exercising, maintaining and reviewing BCM arrangements
5 Monitoring and reviewing the BCMS
  5.1 Internal audit
  5.2 Management review of the BCMS
6 Maintaining and improving the BCMS
  6.1 Preventive and corrective actions
  6.2 Continual improvement
BCM Lifecycle (Ref: BS25999-2006)
- Understanding the business: Business Impact Analysis, Risk Assessment
- BCM strategies: organizational BCM strategy, process-level BCM strategy, resource recovery BCM strategy
- Developing / implementing BCM plans: Business Continuity Plans, resource recovery and solutions plan, Disaster Recovery Plans
- BCM exercising, maintenance and audit
- Embedding a BCM culture: awareness, training and culture
2. BCM development in line with BS25999

Target of the development
[Figure: the BCM Lifecycle (Ref: BS25999-2006). The target of the development is the BCM Lifecycle itself.]
Process to implement and operate the BCMS
I. Understand the organization
  1 Business impact analysis (BIA): identify key stakeholders and their needs and expectations; identify activities supporting key services/products; identify impacts resulting from disruption to those activities and determine how these vary over time; define MTPD and RTO, and identify critical activities.
  2 Risk Assessment (RA): assess risks to critical activities and supporting resources; choose and implement risk treatments for each critical activity.
  3 Determining choices: decide the BC strategy based on the results of BIA and RA.
II. Determining business continuity strategy: how to recover each critical activity within its RTO, taking account of the resources, suppliers and outsource partners required for resumption and recovery.
III. Developing and implementing a BCM response
  1 Incident response structure
  2 Document business continuity plans and incident management plans
IV. Exercising, maintaining, and reviewing BCM arrangements
  1 BCM exercise
  2 Assess the BCM arrangements and identify improvements to be made
Document the BCM (1/2)
[Figure: the incident timeline from BCM Overview (Timeline), repeated as the frame for the documents on the following slide: Business As Usual (BCPs, Exercise, Assess, Internal Audit, Improvement); Incident Management to 8 hours; Business Continuity to 48 hours; Business Recovery to 3 months; operation rate 100% / 60% / 20% / 0%; RTO: 8 hours; RPO: 20% of normal operation.]
Note: RTO: Recovery time objective / RPO: Recovery point objective
Document the BCM (2/2)
Phase (timeline) | Policy & plans | Procedures
Incident | Business Continuity Policy and BCPs | -
Incident Management (to 8 hours) | Incident Management Plans | Incident Management Procedures
Business Continuity (to 48 hours) | Business Continuity & Recovery Plan | Business Continuity Recovery Procedures
Business Recovery (to 3 months) | System Recovery Plan | System Recovery Procedures
Business As Usual (BCPs, Exercise, Assess, Internal Audit, Improvement) | Training material, training result, test case, lesson learnt report, internal audit plan, internal audit result, improvement plan | -
Note: RTO: Recovery time objective (8 hours) / RPO: Recovery point objective (20% of normal operation)
3. BCM Development - Case Study

Case Overview: Company A
- Industry: IT Solutions Provider
- Key services: IT system design, implementation, maintenance and support; consulting; software development
- Number of staff: 60
- Turnover: 10 Millions (2006)
- Office: London, UK
- Number of customers: 250 companies
- Number of suppliers: 30 companies
- Internal IT infrastructure: Servers: 10; Client PCs: 20
Understand the organization (Overview 1/2)
Position in the BCMS process (step I):
I. Understand the organization: 1 Business impact analysis (BIA); 2 Risk Assessment (RA); 3 Determining choices
II. Determining business continuity strategy: how to recover each critical activity within its RTO, taking account of the resources, suppliers and outsource partners required for resumption and recovery
III. Developing and implementing a BCM response: 1 Incident response structure; 2 Document business continuity plans and incident management plans
IV. Exercising, maintaining, and reviewing BCM arrangements: 1 BCM exercise; 2 Assess the BCM arrangements and identify improvements to be made
Understand the organization (Overview 2/2)
In a business continuity context, an understanding of the organization comes from (BS25999-1:2006 6.1 Understanding the organization):
BIA
- Identify the organization's objectives, stakeholder obligations and statutory duties
- Identify activities and resources supporting the service deliveries
- Assess the impact and consequences over time of disruptions of those activities and resources
Risk Assessment
- Identify and evaluate the perceived threats that could disrupt the organization's key services, and the critical activities and resources that support them
Understand the organization: BIA (Stakeholder Analysis)
BIA steps: identify the organization's objectives, stakeholder obligations and statutory duties; identify activities and resources supporting the service deliveries; assess the impact and consequences over time of disruptions of those activities and resources.
Stakeholder analysis template:
Key Stakeholders (Customers, Regulatory Bodies, etc.) | Expectations / Needs | Relevant Services
Understand the organization: BIA (Critical Activities)
BIA steps: identify the organization's objectives, stakeholder obligations and statutory duties; identify activities and resources supporting the service deliveries; assess the impact and consequences over time of disruptions of those activities and resources.
Critical activities template:
Activities | Impacts resulting from disruptions: Level 1 (likely disruption) | Level 2 (likely impact of disruption) | Details of impact (range of impact / variation over time) | MTPD
Understand the organization: Risk Assessment (1/2)
In a BCM context, the level of risk should be understood specifically in respect of the organization's critical activities and the risk of a disruption to these (BS25999-2:2007 4.1.2 Risk Assessment).
- Critical activities are underpinned by resources such as people, premises, technology, information, supplies and stakeholders
- Identify the threats to these resources
- Identify the vulnerabilities of each resource
- Determine the impact that would arise if a threat became an incident and caused a business disruption
- Define and document the risk assessment method (criteria for risk treatment, identification of acceptable levels of risk, etc.)
Understand the organization: Risk Assessment (2/2)
Reference document: Risk Assessment Results
Scales: Probability of occurrence (A) and Impact (B) each rated High 3 / Medium 2 / Low 1; Value of Risk (C) = (A) x (B).
Category | Resource | Threats | Vulnerabilities | (A) | (B) | (C) | Choices (BC Strategy)
PEOPLE | Help desk | Unavailability of key personnel / inexperienced staff | Lack of training, insufficient management of staff | 1 | 3 | 3 | Develop BCPs for Help Desk
PEOPLE | Engineers | Unavailability of key personnel / inexperienced staff | Lack of training, insufficient management of staff | 1 | 3 | 3 | Develop BCPs for Engineers
SUPPLIES | The company letterhead | Lack of the letterhead | Insufficient logistics management | 1 | 1 | 1 | Accept the risk
PREMISES | Office | No access to the office | Lack of physical security, the office location | 1 | 3 | 3 | Back-up office / Develop BCPs
PREMISES | Office area | No access to the office area | Office location | 1 | 3 | 3 | Back-up office / Develop BCPs
INFORMATION | Customer information | No access to the information | No duplicated information | 2 | 3 | 6 | Data replication at DR site / Develop BCPs and system recovery procedures
INFORMATION | Engineers' skill set | No access to the information | No duplicated information | 2 | 3 | 6 | Data replication at DR site / Develop BCPs and system recovery procedures
INFORMATION | Engineers' schedule | No access to the information | No duplicated information | 2 | 3 | 6 | Data replication at DR site / Develop BCPs and system recovery procedures
IT SYSTEMS | Email | Loss of IT system | No duplicated IT system, insufficient IT system maintenance | 1 | 3 | 3 | System recovery procedures
IT SYSTEMS | File server | Loss of IT system | No duplicated IT system, insufficient IT system maintenance | 1 | 3 | 3 | System recovery procedures
IT SYSTEMS | SAP server | Loss of IT system | No duplicated IT system, insufficient IT system maintenance | 1 | 3 | 3 | System recovery procedures
IT SYSTEMS | SAGE | Loss of IT system | No duplicated IT system, insufficient IT system maintenance | 1 | 3 | 3 | System recovery procedures
IT SYSTEMS | TTS system | Loss of IT system | No duplicated IT system, insufficient IT system maintenance | 1 | 3 | 3 | System recovery procedures
OTHERS (supporting resources) | Mobile phone | Unavailability of mobile phone | No duplicated lines | 1 | 2 | 2 | Accept the risk
OTHERS (supporting resources) | Utilities | Loss of utilities | Insufficient contracts, lack of maintenance | 2 | 3 | 6 | Review contracts / Back-up office
OTHERS (supporting resources) | Post office | Unavailability of post office | Strike, natural disaster | 1 | 2 | 2 | Accept the risk
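The scoring method behind the table above (C = A x B on a 3-point scale, with a documented acceptable level of risk) and the definition that an activity's RTO has to be less than its MTPD can be checked mechanically. The following is an added example, not part of the proposal; the acceptance threshold, the treatment strings, the sample rows and the activity names are constructed assumptions.

```python
"""Risk register scoring and BIA consistency checks.

Value of Risk (C) = Probability (A) x Impact (B), each rated
High 3 / Medium 2 / Low 1, as in the case study table. The acceptance
threshold and all sample data below are constructed for illustration.
"""
from dataclasses import dataclass

SCALE = {"Low": 1, "Medium": 2, "High": 3}
ACCEPT_THRESHOLD = 2  # assumption: C above this level must be treated, not accepted


@dataclass
class RiskRow:
    category: str
    resource: str
    threat: str
    vulnerability: str
    probability: str  # "Low" / "Medium" / "High"
    impact: str       # "Low" / "Medium" / "High"
    treatment: str    # chosen BC strategy, e.g. "Accept the risk"

    def value(self) -> int:
        """C = A x B."""
        return SCALE[self.probability] * SCALE[self.impact]


def score_register(rows):
    """Return {resource: C} for every row of the register."""
    return {r.resource: r.value() for r in rows}


def accepted_above_threshold(rows, threshold=ACCEPT_THRESHOLD):
    """Rows marked 'Accept' whose value exceeds the acceptable level:
    the documented risk assessment method says these need a treatment."""
    return [r.resource for r in rows
            if r.treatment.lower().startswith("accept") and r.value() > threshold]


@dataclass
class CriticalActivity:
    name: str
    rto_hours: float
    mtpd_hours: float


def rto_violations(activities):
    """BS25999: the RTO has to be less than the MTPD; list the offenders."""
    return [a.name for a in activities if not a.rto_hours < a.mtpd_hours]


# Constructed sample rows, loosely modelled on the case study categories.
REGISTER = [
    RiskRow("INFORMATION", "Customer information", "No access to the information",
            "No duplicated information", "Medium", "High",
            "Data replication at DR site / Develop BCPs"),
    RiskRow("IT SYSTEMS", "Email", "Loss of IT system",
            "No duplicated IT system", "Low", "High", "System recovery procedures"),
    RiskRow("OTHERS", "Utilities", "Loss of utilities",
            "Insufficient contracts", "Medium", "High", "Accept the risk"),  # inconsistent
    RiskRow("OTHERS", "Post office", "Unavailability of post office",
            "Strike, natural disaster", "Low", "Medium", "Accept the risk"),
]
ACTIVITIES = [  # constructed RTO/MTPD pairs, not figures from the proposal
    CriticalActivity("Help desk", rto_hours=8, mtpd_hours=48),
    CriticalActivity("Invoicing", rto_hours=72, mtpd_hours=48),  # RTO exceeds MTPD
]

if __name__ == "__main__":
    print("Risk values:", score_register(REGISTER))
    print("Accepted above threshold:", accepted_above_threshold(REGISTER))
    print("RTO not below MTPD:", rto_violations(ACTIVITIES))
```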
Determining business continuity strategy (1/3)
Position in the BCMS process (step II):
I. Understand the organization: 1 Business impact analysis (BIA); 2 Risk Assessment (RA); 3 Determining choices
II. Determining business continuity strategy: how to recover each critical activity within its RTO, taking account of the resources, suppliers and outsource partners required for resumption and recovery
III. Developing and implementing a BCM response: 1 Incident response structure; 2 Document business continuity plans and incident management plans
IV. Exercising, maintaining, and reviewing BCM arrangements: 1 BCM exercise; 2 Assess the BCM arrangements and identify improvements to be made
Determining business continuity strategy (2/3)
Strategy options (BS25999-1:2006 7.2 Strategy options): the organization should consider strategic options for its critical activities and the resources that each activity will require on its resumption.
Strategies might be required for the following organizational resources: People, Premises, IT Systems, Information, Supplies, Stakeholders.
Decide BC Strategy: Premises strategy; IT system strategy; Supply management strategy.
Determining business continuity strategy (3/3)
Reference document: Business Continuity Strategic Options
Resources required | Option 1: Restore data from back-up tape | Option 2: Data replication at DR site | Option 3: System and data replication at DR site
People | The existing staff | Train the existing staff | Train the existing staff
Premises | Back-up office | DR site / Back-up office | DR site / Back-up office
IT | The existing back-up tape | Server for data duplication | Servers for system and data replication
Supplies | Data restore manuals | Transportation to/from DR site, data recovery manual | Transportation to/from DR site, system and data recovery manual
Others | Purchasing a new server to restore data from back-up tape | Contract with DR site | Contract with DR site
Adequacy | Option 1 | Option 2 | Option 3
Feasibility | High | High | High
Effectiveness (MTPD) | Low | High | High
Cost | Low | Medium | High
Developing and implementing a BCM response (1/2)
Position in the BCMS process (step III):
I. Understand the organization: 1 Business impact analysis (BIA); 2 Risk Assessment (RA); 3 Determining choices
II. Determining business continuity strategy: how to recover each critical activity within its RTO, taking account of the resources, suppliers and outsource partners required for resumption and recovery
III. Developing and implementing a BCM response: 1 Incident response structure; 2 Document business continuity plans and incident management plans
IV. Exercising, maintaining, and reviewing BCM arrangements: 1 BCM exercise; 2 Assess the BCM arrangements and identify improvements to be made
Developing and implementing a BCM response (2/2)
Developing a BCM response
BS25999-2:2007 4.3.2 Incident management structure: the organization shall nominate incident response personnel (e.g. an incident management team consisting of the management) with the necessary responsibility, authority and competence to manage an incident.
BS25999-2:2007 4.3.3 Business continuity plans and incident management plans: the organization shall have documented plans (e.g. incident management plans, business continuity plans) that detail how the organization will manage an incident and how it will recover or maintain its activities to a predetermined level in the event of a disruption.
Developing and implementing a BCM response (Invocation of plans)
Timeline (Incident Management Team, working from the IMPs and DRPs):
1. INCIDENT: What has gone wrong?
2. IMPACT ANALYSIS: Which critical processes will be stopped?
3. DURATION ANALYSIS: How long can the disruption be expected to last?
4. INFORMATION GAP ANALYSIS: Do we have enough information to assess the incident? If we wait to get more information, will we still be able to invoke safely?
5. START BUSINESS CONTINUITY & RECOVERY: Implement the Business Continuity Plans (BCPs)
6. INVOKE DR SITE: Send the recovery staff to the DR site and start system recovery
7. SEND EVERYONE ELSE TO THE BACK-UP OFFICE: All staff other than recovery staff go to the back-up office (or home)
Developing and implementing a BCM response (Contents of plans)
The Company-level BCP
1. BC Policy
2. Objectives and scope
3. Roles and responsibilities
4. Plans invocation
5. Document management
6. Contact list
Incident Management Plans
1. Task and action lists
2. Emergency contact lists
3. Activities: site evaluation procedure; safety and first aid; safety briefing; staff/customer communications; access to the sites; communications with insurance companies; secure facilities and premises
4. Media response
5. Response to key stakeholders
6. Incident management team
7. Appendix (sample)
Team's BCPs
1. Task and action lists: plans invocation; available services; transportation; manual operation and system recovery operation procedures
2. Required resources: people, premises, IT systems, information and supplies, etc.
3. Owner of the BCP
4. Check sheet
Exercising, maintaining, and reviewing BCM arrangements (1/2)
Position in the BCMS process (step IV):
I. Understand the organization: 1 Business impact analysis (BIA); 2 Risk Assessment (RA); 3 Determining choices
II. Determining business continuity strategy: how to recover each critical activity within its RTO, taking account of the resources, suppliers and outsource partners required for resumption and recovery
III. Developing and implementing a BCM response: 1 Incident response structure; 2 Document business continuity plans and incident management plans
IV. Exercising, maintaining, and reviewing BCM arrangements: 1 BCM exercise; 2 Assess the BCM arrangements and identify improvements to be made
Exercising, maintaining, and reviewing BCM arrangements (2/2)
BCP Test Plans
1. Test policy
2. Objective
3. Scope
4. Success criteria
5. Roles and responsibilities
6. Test method
7. Test schedule
Lesson learnt report
1. Objective
2. Scope
3. Test scenario, success criteria, test result, recommended improvement action, improvement action target date
Internal Audit Plans (numbered contents to be defined)
Internal Audit Report (numbered contents to be defined)
Improvement Action Plans (numbered contents to be defined)
Appendix

Introduction of Key Staff
Aki Sudo (Senior Consultant)
Aki Sudo is an experienced Business and IT Governance consultant with more than 10 years' experience, including audit and risk management for organizations in a variety of sectors. Aki is a Certified Information Systems Auditor (CISA), BCI Business Continuity Professional member (MBCI), ISO27001 specialist and BS25999 specialist.
Kieran McDonagh (Senior Consultant)
Kieran McDonagh is an experienced Operational and IT risk consultant with more than fifteen years' experience in reviewing and managing risks for organizations in a variety of sectors. Kieran is a Certified Information Systems Auditor (CISA) and BCI member.