GLOBRIN Business Continuity Workshop TECHNOLOGY & INFORMATION 13 th November 2013 Graham Jack
GLOBRIN Business Continuity Workshop An IT perspective on the Business Continuity Plan Business Continuity v Disaster Recovery Availability, Reliability and Recoverability Technology Identifying the technology used Risks and impact Information Types of information held within an organisation Threats to that information Pulling together an integrated business continuity plan Plan for failure Preventative action Create resources Test / review / update
GLOBRIN Business Continuity Workshop Business Continuity in relation to IT IT is only part of the overall Business Continuity Plan Covers the technology and information used by / generated by the business Involves taking proactive steps to allow the business to operate to a defined service level during incidents. Takes ongoing time and effort
GLOBRIN Business Continuity Workshop Disaster Recover (DR) “The strategies and plans for recovering and restoring the organizations infrastructure and capabilities after an interruption.” Business Continuity (BC) “The strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level.” Example A fire in your building. The DR plan will deal with the clean up, repair of the building, re-instating IT and data etc. The BC plan deals with how you keep you business running while you implement the DR plan.
GLOBRIN Business Continuity Workshop Business Continuity and IT: Core issues to consider BUSINESS CONTINUITY PLAN IssueAvailabilityReliabilityRecoverability ObjectiveMaintain the chosen availability level of the businesses IT infrastructure Manage and control the IT infrastructure to improve overall reliability Effective plan to minimize downtime in event of disruption. EmphasisTechnologyProcessPeople FocusProactive and preventiveResponse and recovery
Business continuity planning lifecycle Analysis Design Implement Test / Accept Maintain GLOBRIN Business Continuity Workshop Getting started Assign responsibilities / ownership. Understand your business and what the minimum service levels the business requires in order to continue to operate. Review best practice (use ISO22301 Business Continuity Management as a guide) Business Continuity Plans are business lead, not IT lead.
GLOBRIN Business Continuity Workshop Analysis: Know what technology you need Document what IT is required in order for your business to carry out critical activities? Computers and related hardware Software Networking and connectivity 3 rd party services (cloud) Telephony Fax/ photocopiers / printers etc
GLOBRIN Business Continuity Workshop Analysis: Know what information you have Document what information your business needs in order to carry out critical activities? Digital (database and file systems) Hard copy (paper) Off site / 3 rd party (held in the cloud etc) Staff etc
GLOBRIN Business Continuity Workshop Analysis: Determine the risks Look at the likelihood and impact of risks that could cause business interruption. Fire / Flood / Storm Damage Key item hardware failure (Server etc) General hardware failure (Fax/ photocopiers / printers / user PC etc) Physical security (hardware / hard copy documents) Security breach / data loss Inadvertent change (software update going wrong etc) Deprecation (obsolete software / hardware) Loss of 3 rd party service (internet connection, hosting, cloud service etc) Loss of utilities (power, telephony, internet connection etc) Loss of Staff Theft / fraud Computer viruses / malware etc
GLOBRIN Business Continuity Workshop Analysis: Risk / Impact analysis Determine the likelihood of the risk occurring What is the impact to the business of each event
GLOBRIN Business Continuity Workshop Solution Design: Plan for the risks (options) Treat Put in place an action plan to reduce disruption to a minimum acceptable level: Implement high availability / hot standby systems Maintain duplicate infrastructure / information at different location Maintain pool of spares (desktops / monitors / mice / keyboards etc) Tolerate It may be decided that the cost of mitigating the risk is such that it outweighs the benefits.
GLOBRIN Business Continuity Workshop Solution Design: Plan for the risks (options) Transfer Transfer the risk to another external party. Hardware support / infrastructure management to an agreed SLA Insurance Terminate Update / modify the technology used to remove the risk: Remove old / outdated hardware Unsupported software Old data formats
GLOBRIN Business Continuity Workshop Solution Design: Technology For critical technology, use the results of the risk / impact analysis to build and document a plan for maintaining a minimum service level. This may involve a mix of: Implementing high availability systems with automatic rollover. Dual site Keeping spares Support contracts Security measures (locked server room etc) Change management processes to ensure software updates & patches are properly tested before going live.
GLOBRIN Business Continuity Workshop Solution Design: Information For critical information, use the results of the risk / impact analysis to build and document a plan for maintaining a minimum service level. This may involve a mix of: Policy for storing critical hard copy data (clean desk policy / fire safe) Backup policy with offsite storage Security (assign minimum required permissions, data encryption, prevention of data transfer to transfer media such as CD or USB drives, etc) Training / documentation to remove reliance on individual staff members
GLOBRIN Business Continuity Workshop Implementation: Technology and Information Document the plan. Include: The trigger events Responsibilities Contact details Actions to be taken for the identified risk events Communication plan (internal and external) Create support resources (battle box). Typical resources include Copy of the Business Continuity Plan Supporting technical documentation (server builds, network topology etc) Software installation packs to allow rebuilds of hardware including software licence details. 3 rd party contacts, support agreements, contact details, reference numbers etc Default communication templates ( , web pages, twitter messages, FaceBook updates) 2 copies of the Battle Box – at least 1 held off site
GLOBRIN Business Continuity Workshop Test and Review: Technology and Information Different levels of testing: Discussion based testing Table top exercise Live exercise After testing, document and review results and feed these back into the plan. Perform a review after all incidents – learn from what worked and what didn’t.
GLOBRIN Business Continuity Workshop Training: Technology and Information Ensure that all staff with business continuity responsibilities are appropriately trained and have the technical skills to undertake their roles.
GLOBRIN Business Continuity Workshop Change Management: Technology and Information IT infrastructure tends to be dynamic New hardware / software updates can affect the resilience of infrastructure and actions to be taken to restore service in case of given event. Prior to implementing change understand how the effects on the Business Continuity Plan. Ensure processes are in place to capture and document change. Undertake periodic reviews as appropriate to review any implemented changes against the Business Continuity Plan to ensure that it remains effective.
GLOBRIN Business Continuity Workshop Documentation and Evidence As part of any tender process you need to be able to provide evidence. Document the Business Continuity plan testing, reviews and updates to create and audit trail. Consider getting a 3 rd party to review / certify against ISO22301 Business Continuity Management.
GLOBRIN Contact Details Globrin webwww.globrin.com m