GLOBRIN Business Continuity Workshop TECHNOLOGY & INFORMATION 13th November 2013 Graham Jack

Agenda
• An IT perspective on the Business Continuity Plan
  • Business Continuity v Disaster Recovery
  • Availability, Reliability and Recoverability
• Technology
  • Identifying the technology used
  • Risks and impact
• Information
  • Types of information held within an organisation
  • Threats to that information
• Pulling together an integrated business continuity plan
  • Plan for failure
  • Preventative action
  • Create resources
  • Test / review / update

Business Continuity in relation to IT
• IT is only part of the overall Business Continuity Plan
• Covers the technology and information used by / generated by the business
• Involves taking proactive steps to allow the business to operate to a defined service level during incidents
• Takes ongoing time and effort

Disaster Recovery (DR)
“The strategies and plans for recovering and restoring the organization's infrastructure and capabilities after an interruption.”

Business Continuity (BC)
“The strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level.”

Example
A fire in your building. The DR plan will deal with the clean-up, repair of the building, re-instating IT and data etc. The BC plan deals with how you keep your business running while you implement the DR plan.

Business Continuity and IT: Core issues to consider

Getting started
• Assign responsibilities / ownership.
• Understand your business and the minimum service levels the business requires in order to continue to operate.
• Review best practice (use ISO22301 Business Continuity Management as a guide).
Business Continuity Plans are business led, not IT led.
[Figure: Business continuity planning lifecycle, with stages Analysis, Design, Implement, Test / Accept, Maintain]

Analysis: Know what technology you need
• Document what IT is required in order for your business to carry out critical activities:
  • Computers and related hardware
  • Software
  • Networking and connectivity
  • 3rd party services (cloud)
  • Telephony
  • Fax / photocopiers / printers
  • etc

Analysis: Know what information you have
• Document what information your business needs in order to carry out critical activities:
  • Digital (database and file systems)
  • Hard copy (paper)
  • Off site / 3rd party (held in the cloud etc)
  • Staff
  • etc

Analysis: Determine the risks
• Look at the likelihood and impact of risks that could cause business interruption:
  • Fire / Flood / Storm Damage
  • Key item hardware failure (Server etc)
  • General hardware failure (Fax / photocopiers / printers / user PC etc)
  • Physical security (hardware / hard copy documents)
  • Security breach / data loss
  • Inadvertent change (software update going wrong etc)
  • Deprecation (obsolete software / hardware)
  • Loss of 3rd party service (internet connection, hosting, cloud service etc)
  • Loss of utilities (power, telephony, internet connection etc)
  • Loss of Staff
  • Theft / fraud
  • Computer viruses / malware
  • etc

Analysis: Risk / Impact analysis
• Determine the likelihood of each risk occurring
• Determine the impact to the business of each event

Solution Design: Plan for the risks (options)
• Treat
  • Put in place an action plan to reduce disruption to a minimum acceptable level:
    • Implement high availability / hot standby systems
    • Maintain duplicate infrastructure / information at a different location
    • Maintain a pool of spares (desktops / monitors / mice / keyboards etc)
• Tolerate
  • It may be decided that the cost of mitigating the risk is such that it outweighs the benefits.

Solution Design: Plan for the risks (options)
• Transfer
  • Transfer the risk to another external party:
    • Hardware support / infrastructure management to an agreed SLA
    • Insurance
• Terminate
  • Update / modify the technology used to remove the risk:
    • Remove old / outdated hardware
    • Unsupported software
    • Old data formats

Solution Design: Technology
• For critical technology, use the results of the risk / impact analysis to build and document a plan for maintaining a minimum service level.
• This may involve a mix of:
  • Implementing high availability systems with automatic rollover
  • Dual site
  • Keeping spares
  • Support contracts
  • Security measures (locked server room etc)
  • Change management processes to ensure software updates & patches are properly tested before going live

Solution Design: Information
• For critical information, use the results of the risk / impact analysis to build and document a plan for maintaining a minimum service level.
• This may involve a mix of:
  • Policy for storing critical hard copy data (clean desk policy / fire safe)
  • Backup policy with offsite storage
  • Security (assign minimum required permissions, data encryption, prevention of data transfer to transfer media such as CD or USB drives, etc)
  • Training / documentation to remove reliance on individual staff members

Implementation: Technology and Information
• Document the plan. Include:
  • The trigger events
  • Responsibilities
  • Contact details
  • Actions to be taken for the identified risk events
  • Communication plan (internal and external)
• Create support resources (battle box). Typical resources include:
  • Copy of the Business Continuity Plan
  • Supporting technical documentation (server builds, network topology etc)
  • Software installation packs to allow rebuilds of hardware, including software licence details
  • 3rd party contacts, support agreements, contact details, reference numbers etc
  • Default communication templates (email, web pages, Twitter messages, Facebook updates)
  • 2 copies of the Battle Box, at least 1 held off site

Test and Review: Technology and Information
• Different levels of testing:
  • Discussion based testing
  • Table top exercise
  • Live exercise
• After testing, document and review results and feed these back into the plan.
• Perform a review after all incidents: learn from what worked and what didn’t.

Training: Technology and Information
• Ensure that all staff with business continuity responsibilities are appropriately trained and have the technical skills to undertake their roles.

Change Management: Technology and Information
• IT infrastructure tends to be dynamic.
• New hardware / software updates can affect the resilience of infrastructure and the actions to be taken to restore service in case of a given event.
• Prior to implementing change, understand the effects on the Business Continuity Plan.
• Ensure processes are in place to capture and document change.
• Undertake periodic reviews as appropriate to review any implemented changes against the Business Continuity Plan to ensure that it remains effective.

Documentation and Evidence
• As part of any tender process you need to be able to provide evidence.
• Document the Business Continuity Plan testing, reviews and updates to create an audit trail.
• Consider getting a 3rd party to review / certify against ISO22301 Business Continuity Management.

Contact Details
Globrin
web: www.globrin.com
e: graham.jack@globrin.com
m: 07803 147302