Illusions of Business Continuity Planning S.C. Leung CISSP, CISA Chairperson, PISA
What is BCP for? • Business Continuity Planning • Advanced planning and arrangements to ensure continuity of critical functions of an organization • Preparations and procedures sufficient for responding to a disaster • Incident Response as first step to respond to a disaster
What is the No. 1 Priority? • No. 1 Priority of Disaster Response: “Personnel Life” • In all cases, do not expose employees to risk. Risk is greatest in Evacuation
BC Management Team Typical BC Management Team
Lessons from WTC Bomb Attack 1993 • Out of 350 companies that operated in the WTC prior to the bombing in 1993, 150 were out of business a year later Business Continuity Plan is vital!
Importance of BCP ratified Where the pain had been felt … • BCP Objectives defined • BCP Management Team formed • BCP Coordinators nominated • BCP Procedure developed • BCP Drill Tests performed • BCP Resources budgeted Risks mitigated and contained to a large extent!
Lessons from WTC Attack 2001 By Richard Corcoran, Manager, Global Business Continuity, Eastman Kodak Company http://www.contingencyplanning.com/article_index.cfm?article=393 Lessons Learnt from 911
Human Factors of BCP • Significant trauma and stress on personnel, progressively getting worse with each day – MORALE • Companies are not prepared to lose critical recovery team personnel – Key Assumptions for BCP to work
DR Planning Flaws • Companies seriously under-estimated how long it would take to recover. Some of this was attributed to loss of staff. • Few customers had workstation recovery plans for their end users • DR budgets need to be increased from 3.5% to 6% of IT budget. (In the financial sector, up to 12%-15% is required!)
DR Drill Test Insufficiencies • Problems in Data Synchronization and links to feeding and dependent systems -- companies did not thoroughly test these interfaces • There should have been more testing with end users.
DR Maintenance Flaws • It is very hard to get technical team members to document their sections of the recovery plan. • Some companies suffered significant vital record problems because of flaws in their backup and off-site storage programs • Companies had not updated their capacity requirements as their environments grew
Communication Issues • Many experienced significant network issues
So what had gone wrong? We have got Illusions of BCP It is not yet a Reality BCP!
What is the Focus? • Many organizations treat BCP as a technical plan People BCP Process Technology
Weakness in People People BCP Process Technology
A BCP is a People Plan • It deals with people • People Design it • People Test & Implement it • People make the plan work when it is needed • People are the determining factor of BCP success
Insufficient Training • Recent Survey found that 70% of respondents did not get sufficient Business Continuity or Disaster Training • BCP seems to be more Good Intention than Practice
People in the Weak Links (1) • Dependencies in Business Recovery Personnel • Success in Contacting and Deploying Personnel is vital to the Execution of BC Plan • Leadership must be Visible • Leadership must be Available • Is BC Management always available? • What if the BCM and BCC are trapped at the disaster site?
People in the Weak Links (2) • Release the Dependencies in Business Recovery Personnel • Flexible Command Structure • Alternative Recovery Personnel • Cross-train, Rotate Responsibilities • More staff involvement • Off-site staff
Incident Command System • ICS – a US System for Any Emergency Incident • Prime Purpose: stabilize the incident and provide for life safety • A Management System • Adaptable to any emergency or incident • Single jurisdiction or agency to multiple jurisdiction or agency
Incident Command System • Commander • the Initial and Highest Ranking Authority available • Transfer of Command • When most qualified person arrives • When Incident changes • When extended time frame of incident
People in the Weak Links (3) • Be Realistic about People • Do not assume everyone is available • Do not assume everyone knows what to do • Do not assume everyone works according to plan • People’s morale and concerns change over time
People in the Weak Links (4) • External support is not always available • Can we survive before emergency agencies arrive?
People in the Weak Links (5) • People interfering with your BCP execution • Neighbors creating turmoil • Customers pressing on critical production • Suppliers demanding cash on delivery of recovery services • Media calling in every 15 minutes
Weakness in Process People BCP Process Technology
Weak Post-planning • Pre-planning • Planning • Post-planning • Awareness Program • Training Program, for BCM, BCC and staff • Plan Maintenance • Public Relations and Crisis Communication • Coordination with Public Authority
Awareness Training • Is it part of your plan? Scheduled? Budgeted? • Have all staff been involved? Do they have the awareness to report incidents? • Continued Education for the BC Coordinator? • Information sharing of recent disasters and lessons learned • Disaster Recovery Journal www.drj.com • Disaster Recovery Institute www.drii.org • Federal Emergency Mgmt. Agency www.fema.gov • User Groups
Maintenance and Update Phase • The Most Difficult Part of BCP • How do you Organize, Manage and Coordinate Effects of Change? • Do you have standards and procedures to incorporate changes on a routine schedule? • How often do you update your BCP? • Yearly? Half-yearly? Monthly? When there is a critical change? • Have you budgeted the required resources?
Best Practice • Make BCP part of the routine practice • Include BCP as key component in the Security Policy • Include in Change Management Procedure & Plan • Reward employee involvement and solution
Public Relations / Coordination with Public Authorities • Disaster Declaration Procedure • Have you developed one? • Crisis Management Team • Who is involved? • Public Relations Program • Do you find you need it earlier?
Weakness in Technology People BCP Technology Process
Assumptions of Technical Controls for BCP • Control measures are around the theme of Avoidance of Single Point of Failure • All controls are assumed working and available
Data Centre Power Exchange Single Point of Failure (1) • Sometimes the assumptions need to be challenged • Case: Your building gets its power from a dual power grid
On a Single Fault? Single Point of Failure (2) • Backup site distance • 400m? 4km? 12km?
DR Site Arrangement Usable? • Reciprocal arrangement is not guaranteed • DR service level guaranteed? • Staff not familiar with the DR site environment
Test & Drill enough? • Staff involvement is low • Do your drills involve only the Business Continuity Coordinators? • Plan not thoroughly tested • Something else goes wrong in reality • Live Test ?! • Return Home Test
Communication Issues • Mobile and wired phones get jammed • Communication booms in the first moment of disaster • Wrong information
Auditing your BCP (1) • Risk Scenario Criteria • Do not assume “It won’t happen to Me”. • The lesson will come one day: Fire, Flood, Hardware, Software, Anthrax ...
Broaden Scenarios to consider http://www.contingencyplanning.com/disruption.cfm • Scenario: key BC personnel are dead … • Worst-Case Scenario
Auditing your BCP (2) • BCP Dependencies Criteria • Drill Test Criteria • Response Criteria • Mock Exam: untold Scenario
Are you ready any time? • Availability of • Contact List • Grab List • Incident Response Plan • Are you 7 x 24 x forever ready to go to the front line?
Summary • BCP is a people’s plan • BCP is a communication-intensive activity • Do question your assumptions • Do develop flexible teams for BC Mgmt. & Business Recovery • Do involve more staff • Do take Maintenance into serious consideration • BCP needs your intuition, creation and response to succeed. Good Luck!
Q & A Thank You SC Leung Chairperson, PISA sc.leung@pisa.org.hk