CSH5 Chapter 58
Business Continuity Planning
Michael Miora

Topics
• Basic Concepts
• Defining Goals of BCP
• The BIA
• BIA Matrix Analysis
• Justifying Costs of BCP

Copyright © 2011 M. E. Kabay. All rights reserved.

Basic Concepts
• Business Continuity Planning
• BCP and DRP
• Overview
• Enterprise Risks and Costs
• Types of Disasters
• Recovery Scenarios

BCP and DRP
• Business Continuity Planning
  - Identifying critical functions
  - Developing the critical path for recovery
  - Evaluating costs
  - Gaining management approval
• Disaster Recovery Planning
  - Preparing specific strategies for recovery
  - Defining specific tasks (steps) needed to implement those strategies
  - Testing and revising
Overview
• Increasing dependence on technology
  - Mission-critical systems (production)
  - Development
  - Management
• Business Continuity Planning (BCP)
  - Protecting organizations against consequences of unavailability of such systems
  - Focus on enterprise operations, not just IT
  - Must define “fast enough” in each context of the business

Enterprise Risks and Costs
• Fundamental risk is to survival of organization
• Case of La Ferme St Laurent
  - Clients of Mathema in Montréal in 1980s
  - Failed in 1986 when computer error caused them to stamp milk products with wrong expiry dates

Enterprise Risks and Costs (cont’d)
[Exhibit]
Exhibits are from Michael Miora’s Chapter 42 in CSH4.

Types of Disasters
[Exhibit]
Types of Disasters (cont’d)
[Exhibit 42.4]

Recovery Scenarios
• Recovery scenarios have 3 phases
• The specific disaster scenario is not as important as the recovery process and recovery time
• Group disasters into types to facilitate planning
• Break BCPs into modules to activate as appropriate
[Figure: the three phases in order: Determine the effect of the emergency -> Major recovery steps -> Restore normal ops]

Defining Goals of BCP
• Overview
• Scope
• Correlating Objectives to Corporate Missions and Functions
• Validating Goals
• Mapping Goals to Recovery Phases
• Emergency Issues
Overview of Setting Goals
• Setting goals is a multi-step process
  - Define minimum service levels required for acceptable performance
  - Define specific goals for specific sectors
  - Gain approval and support of the steering committee of the appropriate sector
  - Gain overall approval of upper management
• Goals are defined in business terms, not in terms of means and systems
• Process may be iterative

Scope
• Define environment to be protected
  - Who and what are to be included?
  - Will protect specific systems, equipment, procedures, locations, and support capabilities
• Expect to refine and redefine scope during planning process
• May have to define stepwise (phased) implementation plan for BCP

Correlating Objectives to Corporate Missions and Functions
• IT often (usually) develops BCP
  - Systems engineering disciplines help
  - IT infrastructure critically important
  - May already have contacts throughout organization for functional support
• Must expand beyond IT: need business perspective
  - Much may depend on processes outside scope of IT function
  - Must not overlook non-IT-dependent systems

Corporate Missions and Functions (cont’d)
• Examples of often-overlooked functions
  - Mail room
  - Facilities support (especially important in emergencies and for recovery)
  - Security forces
• Work from 3 main documents
  - Organization chart
  - Corporate phone directory
  - List of corporate operations budget line items
Missions and Functions (cont’d)
• Distinguish between importance of a function
  - To the overall corporate goals
  - To BCP / disaster recovery goals
• Mostly a matter of timeline
  - Determine how long function can be suspended (or running at minimal levels) without harming organization
  - May change depending on circumstances
  - E.g., corporate tax function may be a long-term goal at mid-year yet far more critical at tax-filing time

Validating Goals
[Figure: Exclude / Include]
• Need top-management sign-off on fundamental goals – affects everything else

Mapping Goals to Recovery Phases
[Exhibit]

Emergency Issues
• Ensure safety of employees and others potentially affected by disaster
  - Health protection (gas masks, hazmat suits, etc. as appropriate)
  - Safety preparedness (fire extinguishers, training, CPR…)
  - Shelter & care for employees involved in disaster or in recovery
  - Search & rescue teams
• Effective public relations may keep a problem from becoming a disaster
  - Honest, timely, accurate and controlled release of information
Establishing Scope of BIA
• Inventory equipment & capabilities to be protected or recovered
• Will change over time
• Must be kept up-to-date
• Remember communications infrastructure
• Establish documentation
• Office equipment may also be critical
• Include security systems

Interviews
• People who do the work are the best sources of information about those functions
• Determine whom to interview
  - List departments
  - Select an individual in each department as the primary interviewee
  - Determine functions within each department
  - Avoid excessive detail
  - Group means into functional goals
    E.g., specific forms for the SEC = “SEC reporting”
Interviews (cont’d)
• Goal: develop chart showing relative importance of different functions
• Will be important in determining critical path (timeline) for recovery
• Use matrix as shown below to represent functions

[Matrix columns: Department | Key Person | Alternate | Department Head | Functions | Key System Elements | Survival Days | Ops Impact | No. Users | Criticality | Category | Ranking Factor]

Describing Functions
• Must include summary information about each function listed
  - 1 or 2 paragraphs
  - Reduce confusion
  - Focus discussions

Definition of Departments & Functions
[Matrix as above, highlighting the Survival Days column]
• Survival Days
  - How long can organization survive without this function before significant damage?

Definition of Departments & Functions (cont’d)
[Matrix as above, highlighting the Criticality column]
• Criticality: What happens when the damage starts?

  Range    Description
  1 to 2   “Nobody would notice.” Very minor inconvenience.
  3 to 4   Minor inconvenience, virtually no fiscal impact.
  5 to 7   Greater inconvenience, monetary impact.
  8 to 9   Major problems, significant monetary impact.
  10       “Out of business.”
Definition of Departments & Functions (cont’d)
[Matrix as above, highlighting the Ops Impact column]
• Operational Impact
  - Convert criticality to Operational Impact
  - 4 levels instead of 10
  - Reduces granularity of criticality

  Criticality   Impact   Description
  10, 9         1        Critical operational impact or fiscal loss
  8, 7, 6       2        Significant operational impact or fiscal loss
  5, 4, 3       3        Some operational impact or fiscal loss
  2, 1          4        No short-term impacts or fiscal losses

The Ranking Factor
• Combines survival time and operational impact
• Low number is most important
• Multiply survival time (days) x operational impact
  - E.g., 1 day survival x critical op impact (1) = 1
  - 10 day survival x op impact 1 = 10
  - 3 day survival x “some op impact” (3) = 9

Category
[Matrix as above, highlighting the Category column]
• Sort by Ranking Factor in ascending order

Category (cont’d)
• Category groups functions with similar recovery periods
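The derived columns of the BIA matrix (criticality to operational impact, ranking factor = survival days x operational impact, ascending sort, category), carried through in Python as an added example; this is not code from the CSH5 chapter or from any tool of Miora’s. It also flags the cross-department estimate conflicts the deck discusses later under “Finding Cross-Department Functions”. The departments, functions, survival days and criticality scores are constructed, and the category thresholds are an assumption: the slides say only that a category groups functions with similar recovery periods.

```python
"""Worked BIA-matrix example (added here; not from CSH5 or Miora's own material).

Implements the derived columns of the slide matrix: criticality (1-10) ->
operational impact (1-4), ranking factor = survival days x operational impact,
sort ascending, then assign a category. Sample rows are constructed for
illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FunctionRow:
    department: str
    function: str
    key_systems: str
    survival_days: int   # days the organization can survive without the function
    criticality: int     # 1 ("nobody would notice") .. 10 ("out of business")


def operational_impact(criticality: int) -> int:
    """Collapse the 10-point criticality score into the slide's 4 impact levels.
    1 = critical, 2 = significant, 3 = some, 4 = no short-term impact."""
    if not 1 <= criticality <= 10:
        raise ValueError(f"criticality must be 1..10, got {criticality}")
    if criticality >= 9:
        return 1
    if criticality >= 6:
        return 2
    if criticality >= 3:
        return 3
    return 4


def ranking_factor(survival_days: int, criticality: int) -> int:
    """Survival days x operational impact; the lowest number is restored first."""
    if survival_days < 1:
        raise ValueError(f"survival days must be >= 1, got {survival_days}")
    return survival_days * operational_impact(criticality)


# Assumed category bands (upper bound on ranking factor -> label). The slides say
# only that a category groups functions with similar recovery periods.
CATEGORY_BANDS: List[Tuple[int, str]] = [(2, "A"), (9, "B"), (30, "C")]


def category_for(rf: int) -> str:
    for upper, label in CATEGORY_BANDS:
        if rf <= upper:
            return label
    return "D"


def build_matrix(rows: List[FunctionRow]) -> List[Dict[str, object]]:
    """Fill in the derived columns and sort by ranking factor, ascending."""
    matrix = []
    for r in rows:
        rf = ranking_factor(r.survival_days, r.criticality)
        matrix.append({
            "department": r.department,
            "function": r.function,
            "key_systems": r.key_systems,
            "survival_days": r.survival_days,
            "criticality": r.criticality,
            "ops_impact": operational_impact(r.criticality),
            "ranking_factor": rf,
            "category": category_for(rf),
        })
    matrix.sort(key=lambda m: (m["ranking_factor"], m["department"], m["function"]))
    return matrix


def cross_department_conflicts(rows: List[FunctionRow]) -> Dict[str, List[Tuple[str, int, int]]]:
    """Same function named by several departments with different survival-day or
    criticality estimates; these must be reconciled before the matrix is final."""
    by_name: Dict[str, List[FunctionRow]] = {}
    for r in rows:
        by_name.setdefault(r.function.strip().lower(), []).append(r)
    conflicts = {}
    for name, group in by_name.items():
        estimates = {(g.survival_days, g.criticality) for g in group}
        if len(group) > 1 and len(estimates) > 1:
            conflicts[name] = sorted((g.department, g.survival_days, g.criticality) for g in group)
    return conflicts


# Constructed sample rows (not real data).
SAMPLE_ROWS = [
    FunctionRow("Production", "Order processing", "ERP, WAN link", 1, 10),
    FunctionRow("Finance", "Payroll", "HR system", 3, 6),
    FunctionRow("Finance", "SEC reporting", "General ledger, filing portal", 10, 9),
    FunctionRow("Marketing", "Newsletter", "CMS", 30, 2),
    FunctionRow("Sales", "Order processing", "CRM, ERP", 2, 8),
    FunctionRow("Facilities", "Badge access", "Door controllers", 1, 7),
]

if __name__ == "__main__":
    for row in build_matrix(SAMPLE_ROWS):
        print(f'{row["ranking_factor"]:>4} {row["category"]} {row["department"]:<12} {row["function"]}')
    print("to reconcile:", cross_department_conflicts(SAMPLE_ROWS))
```

Run stand-alone it prints the sorted matrix, with the two “Order processing” rows (Production and Sales) reported as a conflict because the departments gave different survival-day and criticality estimates; the matrix should not be signed off until those are resolved, since the ranking factor, and so the recovery order, depends on them.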
BIA Matrix is Heart of BIA
• Basic information needed to
  - Establish recovery requirements
  - Timelines
  - Estimate costs of outages
• Useful in translating business objectives into BIA objectives

Listing the Functions Organizationally
[Figure: functions listed department by department]

Finding Cross-Department Functions
• Emphasize similar functions in different departments
• Titles may differ but functions are the same or almost the same
• Especially important to resolve different estimates of parameters (survival days, criticality, impact, ranking factor….)
• Must adapt to irreconcilable perspectives
Cross-Department Functions
[Figure]

Using the Ranking Factor
[Figure]

Ranking Factor (cont’d)
[Figure: matrix sorted by ranking factor; the top rows are the critically important functions that must be restored first]
Quantitative Risk Model
• Annualized Loss Expectancies
  - ALE = Σ p_i c_i
  - p_i is probability of event or strategy i
  - c_i is cost (or gain) of event or strategy i
• E.g., in roulette
  - Probability p1 of winning a $1 bet on a single number on 1 roll of the wheel is 1/38, and gain c1 is 36 times the bet = $36
  - Losing: p2 = 37/38 with c2 = -$1
  - So ALE for this bet is p1c1 + p2c2 = (1/38)($36) + (37/38)(-$1) = $0.9474 - $0.9737 = -$0.0263 per bet
  - Note: the standard straight-up payout is 35 to 1, so the net gain on a win is $35 and the expectation is (1/38)($35) + (37/38)(-$1) = -2/38 = -$0.0526 per bet; the $36 figure counts the returned stake as gain

Problems of the QRM
• Costs depend on level of loss
  - E.g., costs will rise as outage lengthens
  - Complicates calculations
• Most important: exact probabilities difficult to determine
  - Some events have an extensive data base
    Actuaries keep records for insurance companies – fire, flood, etc.
  - But IT-related probabilities difficult to find
    Huge variations in infrastructure, configuration, exposure to threats
    Operational standards affect vulnerabilities

Generalized Cost Consequence Model (GCC)
• Estimate cost of damage for each function
  - When does the loss begin?
  - What are the monetary consequences?
• Apply cost when appropriate
• Collect costs by category

GCC (cont’d)
• Evaluate total losses day-by-day
[Figure: day-by-day loss table]
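The GCC model on these slides, carried through in Python as an added example; this is not code from the CSH5 chapter. It applies each function’s cost only from the day its loss begins, lets the daily cost rise as the outage lengthens (the complication noted under Problems of the QRM), collects totals by BIA category, and compares the outage cost with and without a recovery plan, which is the comparison the next GCC slide calls for. The function names, loss figures, onset days and recovery days are constructed, and the escalation term is an assumption about how a loss curve might grow.

```python
"""Generalized Cost Consequence (GCC) worked example (added here; not from CSH5).

Each function's loss is applied only from the day it begins, may escalate as the
outage lengthens, and is collected per day and per category. A recovery plan is
modelled as the day each function is restored. All numbers are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FunctionLoss:
    name: str
    category: str            # BIA category from the ranking-factor sort
    loss_begins_day: int     # first outage day on which a cost is incurred (1-based)
    daily_loss: float        # cost per day once the loss has begun
    escalation: float = 0.0  # assumed extra cost per additional day of outage


def daily_cost(f: FunctionLoss, day: int) -> float:
    """Cost of `f` being unavailable on outage day `day`; zero before the loss begins."""
    if day < f.loss_begins_day:
        return 0.0
    return f.daily_loss + f.escalation * (day - f.loss_begins_day)


def gcc_timeline(functions: List[FunctionLoss], outage_days: int,
                 recovery_day: Optional[Dict[str, int]] = None) -> List[float]:
    """Total loss for each outage day 1..outage_days.

    recovery_day maps a function name to the day it is back in service under the
    plan (no cost from that day on). None means no plan: everything stays down."""
    recovery_day = recovery_day or {}
    timeline = []
    for day in range(1, outage_days + 1):
        total = 0.0
        for f in functions:
            restored = recovery_day.get(f.name)
            if restored is not None and day >= restored:
                continue
            total += daily_cost(f, day)
        timeline.append(total)
    return timeline


def cumulative(timeline: List[float]) -> List[float]:
    """Running total of a day-by-day timeline."""
    out, running = [], 0.0
    for v in timeline:
        running += v
        out.append(running)
    return out


def losses_by_category(functions: List[FunctionLoss], outage_days: int,
                       recovery_day: Optional[Dict[str, int]] = None) -> Dict[str, float]:
    """Collect total loss per BIA category over the outage."""
    totals: Dict[str, float] = {}
    for f in functions:
        per_function = gcc_timeline([f], outage_days, recovery_day)
        totals[f.category] = totals.get(f.category, 0.0) + sum(per_function)
    return totals


def compare_plans(functions: List[FunctionLoss], outage_days: int,
                  recovery_day: Dict[str, int]) -> Dict[str, float]:
    """Cost of the outage with the recovery plan versus without it."""
    without = sum(gcc_timeline(functions, outage_days))
    with_plan = sum(gcc_timeline(functions, outage_days, recovery_day))
    return {"without_drp": without, "with_drp": with_plan, "avoided": without - with_plan}


# Constructed sample (not real figures).
SAMPLE_FUNCTIONS = [
    FunctionLoss("Order processing", "A", loss_begins_day=1, daily_loss=50_000, escalation=10_000),
    FunctionLoss("Payroll", "B", loss_begins_day=3, daily_loss=20_000),
    FunctionLoss("SEC reporting", "C", loss_begins_day=8, daily_loss=100_000),
]
# Assumed recovery times under the plan: day on which each function is back in service.
SAMPLE_RECOVERY = {"Order processing": 2, "Payroll": 4, "SEC reporting": 8}

if __name__ == "__main__":
    per_day = gcc_timeline(SAMPLE_FUNCTIONS, 10)
    for day, (d, c) in enumerate(zip(per_day, cumulative(per_day)), start=1):
        print(f"day {day:>2}: {d:>10,.0f}  cumulative {c:>12,.0f}")
    print("by category, no plan:", losses_by_category(SAMPLE_FUNCTIONS, 10))
    print("plan comparison:", compare_plans(SAMPLE_FUNCTIONS, 10, SAMPLE_RECOVERY))
```

The day-by-day table is what makes the comparison honest: a function whose loss does not begin until day 8 (SEC reporting here) costs nothing if the plan restores it by then, while the day-1 function dominates the total as soon as its cost escalates, so the avoided loss is driven by the top of the ranking-factor sort.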
GCC (cont’d)
• Estimate costs with Disaster Recovery Plan in place and compare to costs without DRP

Review Questions (1)
1. Distinguish between BCP and DRP.
2. Why is BCP important to IT today?
3. What is the advantage of grouping disasters into types in BCP?
4. What are the three phases of recovery scenarios?
5. Why do you need BCP steering committees for different sectors of the organization? Why can’t a BCP expert simply define the goals of the process herself?
6. How does defining the scope of the BCP support the planning process?
7. Why does the IT sector so often get the responsibility for coordinating BCP?

Review Questions (2)
8. What are the 3 main documents recommended by Prof. Miora as the basis for identifying key corporate functions?
9. In the description of functions for the functional matrix, what does the criticality score signify?
10. What is the relation between the operational impact score and the criticality score in the functional matrix?
11. In the functional matrix, how is the ranking factor calculated? What is the ranking factor used for?
12. In the functional matrix, what is the relation between the category and the ranking factor? What is the category used for?
13. What’s the benefit of listing functions organizationally in the BIA matrix?

Review Questions (3)
14. How does sorting by ranking factor in the BIA matrix serve BCP needs?
15. A fire-insurance policy costs Megahard Corp $10,000 per year for the Miora Complex on the Northfield Campus to cover the $8,000,000 cost of rebuilding it were it to burn down. Actuaries inform the risk managers at Megahard that the probability of a catastrophic fire is 0.001 per year. Calculate the ALE of the insurance policy and then calculate the ALE of total destruction of the building; compare the two numbers. Is the insurance policy cost-effective? (Hint: in the insurance contract, Megahard bets the insurance company that they will have to pay out $8,000,000 and the insurer bets that they will not pay anything.)
16. Why is it so difficult to apply the quantitative risk model to BCP?
17. How does the Generalized Cost Consequence model support BCP?