Erman Taşkın. Information security aspects of business continuity management Objective: To counteract interruptions to business activities and to protect.

Presentation transcript:

Erman Taşkın

Information security aspects of business continuity management

Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters, and to ensure their timely resumption.

A business continuity management process should be implemented to minimize the impact on the organization and recover from loss of information assets (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate actions) to an acceptable level through a combination of preventive and recovery controls. This process should identify the critical business processes and integrate the information security management requirements of business continuity with other continuity requirements relating to such aspects as operations, staffing, materials, transport and facilities.

Erman Taşkın’06

Information security aspects of business continuity management

The consequences of disasters, security failures, loss of service, and service availability should be subject to a business impact analysis. Business continuity plans should be developed and implemented to ensure timely resumption of essential operations. Information security should be an integral part of the overall business continuity process, and of other management processes within the organization. Business continuity management should include controls to identify and reduce risks, in addition to the general risk assessment process, limit the consequences of damaging incidents, and ensure that information required for business processes is readily available.

Including information security in the business continuity management process

Control: A managed process should be developed and maintained for business continuity throughout the organization that addresses the information security requirements needed for the organization’s business continuity.

Information security aspects of business continuity management

The process should bring together the following key elements of business continuity management:

a) understanding the risks the organization is facing in terms of likelihood and impact over time, including an identification and prioritisation of critical business processes;
b) identifying all the assets involved in critical business processes;
c) understanding the impact which interruptions caused by information security incidents are likely to have on the business (it is important that solutions are found that will handle incidents causing smaller impact, as well as serious incidents that could threaten the viability of the organization), and establishing the business objectives of information processing facilities;
d) considering the purchase of suitable insurance, which may form part of the overall business continuity process as well as being part of operational risk management;

Information security aspects of business continuity management

e) identifying and considering the implementation of additional preventive and mitigating controls;
f) identifying sufficient financial, organizational, technical, and environmental resources to address the identified information security requirements;
g) ensuring the safety of personnel and the protection of information processing facilities and organizational property;
h) formulating and documenting business continuity plans addressing information security requirements in line with the agreed business continuity strategy (see );
i) regular testing and updating of the plans and processes put in place (see );
j) ensuring that the management of business continuity is incorporated in the organization’s processes and structure; responsibility for the business continuity management process should be assigned at an appropriate level within the organization.

Business continuity and risk assessment

Control: Events that can cause interruptions to business processes should be identified, along with the probability and impact of such interruptions and their consequences for information security.

Business continuity and risk assessment

Information security aspects of business continuity should be based on identifying events (or sequences of events) that can cause interruptions to the organization’s business processes, e.g. equipment failure, human error, theft, fire, natural disasters and acts of terrorism. This should be followed by a risk assessment to determine the probability and impact of such interruptions, in terms of time, damage scale and recovery period.

Business continuity and risk assessment

Business continuity risk assessments should be carried out with full involvement from owners of business resources and processes. This assessment should consider all business processes and should not be limited to the information processing facilities, but should include the results specific to information security. It is important to link the different risk aspects together, to obtain a complete picture of the business continuity requirements of the organization. The assessment should identify, quantify, and prioritise risks against criteria and objectives relevant to the organization, including critical resources, impacts of disruptions, allowable outage times, and recovery priorities.
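The slide lists the inputs of the assessment (critical processes, the assets they depend on, allowable outage times, likelihood and impact, recovery priorities) without showing how they combine. The script below is an added worked example, not part of the original presentation or of any standard's text. It derives a recovery time objective for each shared asset from the most demanding process that depends on it, flags assets whose current recovery arrangements cannot meet that objective, scores each interruption event as likelihood times the worst affected impact (weighted by how far the outage overruns the tolerance), and orders processes for recovery. All process, asset and threat names, hours, ratings and likelihoods are constructed sample data.

```python
"""Worked BIA / continuity risk-assessment example (added illustration; the
process, asset and threat data below are constructed, not from the slides)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    # Allowable outage in hours before the impact becomes unacceptable.
    max_tolerable_outage_h: float
    # Impact rating 1 (minor) .. 5 (threatens the viability of the organization).
    impact: int
    # Information assets the process cannot run without.
    assets: list[str] = field(default_factory=list)


@dataclass
class Asset:
    name: str
    # Time the current recovery arrangements need to bring the asset back.
    recovery_time_h: float


@dataclass
class Threat:
    name: str
    # Annual likelihood (0..1) and the assets the event would take out.
    likelihood: float
    affected_assets: list[str]


def derive_asset_rto(processes: list[Process]) -> dict[str, float]:
    """An asset shared by several processes must be back before the most
    demanding process depending on it runs out of allowable outage time."""
    rto: dict[str, float] = {}
    for p in processes:
        for a in p.assets:
            rto[a] = min(rto.get(a, float("inf")), p.max_tolerable_outage_h)
    return rto


def recovery_gaps(processes: list[Process], assets: list[Asset]) -> dict[str, float]:
    """Assets whose recovery time exceeds the RTO derived from the processes
    depending on them; the value is the shortfall in hours."""
    rto = derive_asset_rto(processes)
    by_name = {a.name: a for a in assets}
    return {name: by_name[name].recovery_time_h - hours
            for name, hours in rto.items()
            if by_name[name].recovery_time_h > hours}


def risk_ranking(processes, assets, threats) -> list[tuple[str, float]]:
    """Score each event as likelihood x worst impact among the processes it
    interrupts, scaled up when the outage overruns the allowable time."""
    by_name = {a.name: a for a in assets}
    scored = []
    for t in threats:
        worst = 0.0
        for p in processes:
            hit = [a for a in p.assets if a in t.affected_assets]
            if not hit:
                continue
            outage = max(by_name[a].recovery_time_h for a in hit)
            overrun = max(outage / p.max_tolerable_outage_h, 1.0)
            worst = max(worst, p.impact * overrun)
        scored.append((t.name, round(t.likelihood * worst, 2)))
    return sorted(scored, key=lambda s: s[1], reverse=True)


def recovery_priorities(processes: list[Process]) -> list[str]:
    """Recovery order: shortest allowable outage first, then highest impact."""
    return [p.name for p in sorted(processes,
                                   key=lambda p: (p.max_tolerable_outage_h, -p.impact))]


# Constructed sample data for the worked example.
PROCESSES = [
    Process("order-capture", max_tolerable_outage_h=4, impact=5, assets=["erp-db", "web-frontend"]),
    Process("payroll", max_tolerable_outage_h=72, impact=3, assets=["erp-db", "hr-fileshare"]),
    Process("marketing-site", max_tolerable_outage_h=48, impact=1, assets=["web-frontend"]),
]
ASSETS = [
    Asset("erp-db", recovery_time_h=12),
    Asset("web-frontend", recovery_time_h=2),
    Asset("hr-fileshare", recovery_time_h=24),
]
THREATS = [
    Threat("datacentre fire", likelihood=0.02, affected_assets=["erp-db", "hr-fileshare", "web-frontend"]),
    Threat("ransomware on fileshare", likelihood=0.3, affected_assets=["hr-fileshare"]),
    Threat("storage controller failure", likelihood=0.1, affected_assets=["erp-db"]),
]

if __name__ == "__main__":
    print("derived asset RTOs:", derive_asset_rto(PROCESSES))
    print("recovery gaps:", recovery_gaps(PROCESSES, ASSETS))
    print("ranked events:", risk_ranking(PROCESSES, ASSETS, THREATS))
    print("recovery order:", recovery_priorities(PROCESSES))
```

In the sample data the ERP database inherits a 4-hour objective from order capture even though payroll alone would tolerate three days, and its 12-hour recovery arrangement is reported as an 8-hour gap; the storage controller failure outranks the rarer datacentre fire because it hits that same over-run asset more often. That is the kind of linkage between process tolerance and shared asset that the slide asks the assessment to surface.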

Business continuity and risk assessment

Depending on the results of the risk assessment, a business continuity strategy should be developed to determine the overall approach to business continuity. Once this strategy has been created, it should be endorsed by management, and a plan created and endorsed to implement this strategy.

Developing and implementing continuity plans including information security

Control: Plans should be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes.

Developing and implementing continuity plans including information security

The business continuity planning process should consider the following:

a) identification and agreement of all responsibilities and business continuity procedures;
b) identification of the acceptable loss of information and services;
c) implementation of the procedures to allow recovery and restoration of business operations and availability of information in the required time-scales; particular attention needs to be given to the assessment of internal and external business dependencies and the contracts in place;

Developing and implementing continuity plans including information security

d) operational procedures to follow pending completion of recovery and restoration;
e) documentation of agreed procedures and processes;
f) appropriate education of staff in the agreed procedures and processes, including crisis management;
g) testing and updating of the plans.

Developing and implementing continuity plans including information security

The planning process should focus on the required business objectives, e.g. restoring specific communication services to customers in an acceptable amount of time. The services and resources facilitating this should be identified, including staffing and non-information processing resources, as well as fallback arrangements for information processing facilities. Such fallback arrangements may include arrangements with third parties in the form of reciprocal agreements, or commercial subscription services.

Developing and implementing continuity plans including information security

Business continuity plans should address organizational vulnerabilities and therefore may contain sensitive information that needs to be appropriately protected. Copies of business continuity plans should be stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site. Management should ensure copies of the business continuity plans are up to date and protected with the same level of security as applied at the main site. Other material necessary to execute the continuity plans should also be stored at the remote location.

Developing and implementing continuity plans including information security

If alternative temporary locations are used, the level of implemented security controls at these locations should be equivalent to the main site. It should be noted that crisis management plans and activities may be different from business continuity management; i.e. a crisis may occur that can be accommodated by normal management procedures.

Business continuity planning framework

Control: A single framework of business continuity plans should be maintained to ensure all plans are consistent, to consistently address information security requirements, and to identify priorities for testing and maintenance.

Business continuity planning framework

Each business continuity plan should describe the approach for continuity, for example the approach to ensure information or information system availability and security. Each plan should also specify the escalation plan and the conditions for its activation, as well as the individuals responsible for executing each component of the plan. When new requirements are identified, any existing emergency procedures, e.g. evacuation plans or fallback arrangements, should be amended as appropriate. Procedures should be included within the organization’s change management programme to ensure that business continuity matters are always addressed appropriately.

Business continuity planning framework

Each plan should have a specific owner. Emergency procedures, manual fallback plans, and resumption plans should be within the responsibility of the owners of the appropriate business resources or processes involved. Fallback arrangements for alternative technical services, such as information processing and communications facilities, should usually be the responsibility of the service providers.

Business continuity planning framework

A business continuity planning framework should address the identified information security requirements and consider the following:

a) the conditions for activating the plans, which describe the process to be followed (e.g. how to assess the situation, who is to be involved) before each plan is activated;
b) emergency procedures, which describe the actions to be taken following an incident which jeopardizes business operations;
c) fallback procedures, which describe the actions to be taken to move essential business activities or support services to alternative temporary locations, and to bring business processes back into operation in the required time-scales;

Business continuity planning framework

d) temporary operational procedures to follow pending completion of recovery and restoration;
e) procedures which describe the actions to be taken to return to normal business operations;
f) a maintenance schedule which specifies how and when the plan will be tested, and the process for maintaining the plan;
g) awareness, education, and training activities which are designed to create understanding of the business continuity processes and ensure that the processes continue to be effective;
h) the responsibilities of the individuals, describing who is responsible for executing which component of the plan. Alternates should be nominated as required;
i) the critical assets and resources needed to be able to perform the emergency, fallback and resumption procedures.

Testing, maintaining and re-assessing business continuity plans

Control: Business continuity plans should be tested and updated regularly to ensure that they are up to date and effective.

Testing, maintaining and re-assessing business continuity plans

Business continuity plan tests should ensure that all members of the recovery team and other relevant staff are aware of the plans and their responsibility for business continuity and information security, and know their role when a plan is invoked. The test schedule for the business continuity plan(s) should indicate how and when each element of the plan should be tested. Each element of the plan(s) should be tested frequently.

Testing, maintaining and re-assessing business continuity plans

A variety of techniques should be used in order to provide assurance that the plan(s) will operate in real life. These should include:

a) table-top testing of various scenarios (discussing the business recovery arrangements using example interruptions);
b) simulations (particularly for training people in their post-incident/crisis management roles);
c) technical recovery testing (ensuring information systems can be restored effectively);

Testing, maintaining and re-assessing business continuity plans

d) testing recovery at an alternate site (running business processes in parallel with recovery operations away from the main site);
e) tests of supplier facilities and services (ensuring externally provided services and products will meet the contracted commitment);
f) complete rehearsals (testing that the organization, personnel, equipment, facilities, and processes can cope with interruptions).

Testing, maintaining and re-assessing business continuity plans

These techniques can be used by any organization. They should be applied in a way that is relevant to the specific recovery plan. The results of tests should be recorded and actions taken to improve the plans where necessary. Responsibility should be assigned for regular reviews of each business continuity plan. The identification of changes in business arrangements not yet reflected in the business continuity plans should be followed by an appropriate update of the plan. This formal change control process should ensure that the updated plans are distributed and reinforced by regular reviews of the complete plan.
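Item c) of the test techniques, technical recovery testing, and the requirement that test results be recorded are the parts of this section a practitioner can automate. The harness below is an added example, not code from the original presentation or from any standard. It backs up a directory tree, restores it to an alternate location, verifies every restored file against the SHA-256 hashes recorded at backup time, measures the restore against a recovery time objective, and appends a JSON record of the outcome for the plan review. The manifest is deliberately taken from the live tree before any exclusion pattern is applied, so a backup job that silently drops a needed file fails verification instead of being reported as a successful restore. File names, contents, paths and the 60-second RTO are constructed for the illustration.

```python
"""Technical recovery test harness (added example; sample files, paths and the
RTO are constructed, not taken from the slides)."""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
import time
from fnmatch import fnmatch
from pathlib import Path


def _digests(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {
        f.relative_to(root).as_posix(): hashlib.sha256(f.read_bytes()).hexdigest()
        for f in sorted(root.rglob("*")) if f.is_file()
    }


def backup(source: Path, archive: Path, exclude: tuple[str, ...] = ()) -> dict[str, str]:
    """Write a tar.gz of source and return the manifest of what a restore must
    reproduce. The manifest is taken before exclusions are applied, so an
    over-broad exclude pattern surfaces later as a verification failure."""
    manifest = _digests(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            if not any(fnmatch(rel, pat) for pat in exclude):
                tar.add(source / rel, arcname=rel)
    return manifest


def restore(archive: Path, target: Path) -> None:
    """Extract the archive into the alternate location."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The 'data' filter (Python 3.12+) rejects absolute paths, '..'
            # traversal and device nodes inside the archive; older interpreters
            # do not accept the argument, hence the fallback.
            tar.extractall(target, filter="data")
        except TypeError:
            tar.extractall(target)


def verify(manifest: dict[str, str], restored: Path) -> list[str]:
    """Paths missing from the restore or whose content differs from the manifest."""
    actual = _digests(restored)
    return sorted(p for p, h in manifest.items() if actual.get(p) != h)


def run_recovery_test(archive: Path, manifest: dict[str, str], target: Path,
                      rto_seconds: float, log: Path) -> dict:
    """Restore, verify, time the recovery and append one JSON line so the
    result is kept for the next plan review."""
    started = time.monotonic()
    restore(archive, target)
    mismatches = verify(manifest, target)
    elapsed = time.monotonic() - started
    result = {
        "tested_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "files_expected": len(manifest),
        "mismatches": mismatches,
        "elapsed_s": round(elapsed, 3),
        "rto_s": rto_seconds,
        "passed": not mismatches and elapsed <= rto_seconds,
    }
    with log.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(result) + "\n")
    return result


def demo(exclude: tuple[str, ...] = ()) -> dict:
    """End-to-end run over constructed sample files in a temporary directory.
    Pass exclude=("*.ini",) to reproduce a backup job that omits configuration."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "live"
        (live / "config").mkdir(parents=True)
        (live / "config" / "app.ini").write_text("[db]\nhost=erp-db\n")
        (live / "orders.csv").write_text("id,amount\n1,19.99\n2,5.00\n")
        archive = root / "nightly.tar.gz"
        manifest = backup(live, archive, exclude)
        return run_recovery_test(archive, manifest, root / "alt-site",
                                 rto_seconds=60.0, log=root / "recovery-tests.jsonl")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print(json.dumps(demo(exclude=("*.ini",)), indent=2))
```

The second run in the usage block models a recurring real-world finding: the backup completes without error, yet the restored system is missing its configuration. Comparing the restore against a manifest captured from the live system, rather than against the archive's own listing, is what turns that into a recorded test failure with a named file to fix.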

Testing, maintaining and re-assessing business continuity plans

Examples of changes where updating of business continuity plans should be considered are acquisition of new equipment, upgrading of systems, and changes in:

a) personnel;
b) addresses or telephone numbers;
c) business strategy;
d) location, facilities, and resources;
e) legislation;
f) contractors, suppliers, and key customers;
g) processes (new or withdrawn ones);
h) risk (operational and financial).