CSH5 Chapter 58
Business Continuity Planning
Michael Miora
Copyright © 2011 M. E. Kabay. All rights reserved.
Overview
- Increasing dependence on technology
- Mission-critical systems (production)
- Development
- Management
- Clients
- Business Continuity Planning (BCP): protecting organizations against consequences of unavailability of such systems
- Focus on enterprise operations, not just IT
- Must define "fast enough" in each context of the business

Enterprise Risks and Costs
- Fundamental risk is to survival of organization
- Case of La Ferme St Laurent
  - Client of Mathema in Montréal in 1980s
  - Failed in 1986 when computer error caused them to stamp milk products with wrong expiry dates
Types of Disasters (cont'd)
- The specific disaster scenario is not as important as the recovery process and recovery time
- Group disasters into types to facilitate planning
- Break BCPs into modules to activate as appropriate

Recovery Scenarios
- Recovery scenarios have 3 phases (as in Exhibit 42.4):
  1. Determine the effect of the emergency
  2. Major recovery steps
  3. Restore normal ops
Overview of Setting Goals
- Setting goals is a multi-step process
- Define minimum service levels required for acceptable performance
- Define specific goals for specific sectors
- Gain approval and support of steering committees of appropriate sector
- Gain overall approval of upper management
- Goals are defined in business terms, not in terms of means and systems
- Process may be iterative

Scope
- Define environment to be protected
- Who and what are to be included?
- Will protect specific systems, equipment, procedures, locations, and support capabilities
- Expect to refine and redefine scope during planning process
- May have to define stepwise (phased) implementation plan for BCP
Missions and Functions (cont'd)
- Distinguish between importance of a function
  - To the overall corporate goals
  - To BCP / disaster recovery goals
- Mostly a matter of timeline
- Determine how long function can be suspended (or running at minimal levels) without harming organization
- May change depending on circumstances
- E.g., corporate tax function may be a long-term goal at mid-year yet more critical at tax-filing time

Validating Goals
- Include or exclude each function
- Need top-management sign-off on fundamental goals – affects everything else
Topics
- Basic Concepts
- Defining Goals of BCP
- The BIA
- BIA Matrix Analysis
- Justifying Costs of BCP

Establishing Scope of BIA
- Inventory equipment & capabilities to be protected or recovered
  - Will change over time
  - Must be kept up-to-date
- Remember communications infrastructure
- Establish documentation
- Office equipment may also be critical
- Include security systems
Interviews (cont'd)
- Goal: develop chart showing relative importance of different functions
- Will be important in determining critical path (timeline) for recovery

Describing Functions
- Must include summary information about each function listed
  - 1 or 2 ¶
  - Reduce confusion
  - Focus discussions
- Use matrix as shown below to represent functions

BIA matrix columns:
  Department | Key Person | Key Alternate | Department Head | Functions | Key System Elements | Ops Impact | No. Users | Criticality | Category | Survival Days | Ranking Factor
Definition of Departments & Functions (cont'd)
- Convert criticality to Operational Impact
- 4 levels instead of 10
- Reduces granularity of criticality

  Criticality   Impact   Description
  10 - 9        1        Critical operational impact or fiscal loss
  8 - 7 - 6     2        Significant operational impact or fiscal loss
  5 - 4 - 3     3        Some operational impact or fiscal loss
  2 - 1         4        No short-term impacts or fiscal losses

The Ranking Factor
- Combines survival time and operational impact
- Low number is most important
- Multiply survival time (days) x operational impact
- E.g.,
  - 1 day survival x op impact critical (1) = 1
  - 10 day survival x op impact 1 = 10
  - 3 day survival x "some op impact" (3) = 9
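The criticality-to-impact conversion and the ranking factor, worked through on a small constructed BIA matrix; this is an added example, not code from the chapter or the slides, and the departments, functions and scores are assumed for illustration.

```python
# Added example (not from the slides): build a small BIA matrix and compute
# the Ranking Factor as the chapter defines it. Criticality (1-10) is first
# collapsed to the 4-level Operational Impact, then multiplied by survival
# days; the lowest ranking factor is restored first. Rows are constructed.
from dataclasses import dataclass


def operational_impact(criticality: int) -> int:
    """Map a 1-10 criticality score to the 4-level impact (1 = critical)."""
    if not 1 <= criticality <= 10:
        raise ValueError(f"criticality must be 1-10, got {criticality}")
    if criticality >= 9:
        return 1   # critical operational impact or fiscal loss
    if criticality >= 6:
        return 2   # significant operational impact or fiscal loss
    if criticality >= 3:
        return 3   # some operational impact or fiscal loss
    return 4       # no short-term impacts or fiscal losses


@dataclass
class BiaRow:
    department: str
    function: str
    criticality: int
    survival_days: int

    @property
    def ranking_factor(self) -> int:
        return self.survival_days * operational_impact(self.criticality)


def recovery_order(rows):
    """Most urgent first (lowest ranking factor); ties broken by fewer
    survival days, then by higher criticality."""
    return sorted(rows, key=lambda r: (r.ranking_factor, r.survival_days, -r.criticality))


# Constructed sample rows (hypothetical departments and functions).
SAMPLE = [
    BiaRow("Production", "Expiry-date stamping", 10, 1),   # 1 day x impact 1 = 1
    BiaRow("Finance", "Corporate tax filing", 7, 30),      # 30 days x impact 2 = 60
    BiaRow("Sales", "Order entry", 9, 10),                 # 10 days x impact 1 = 10
    BiaRow("HR", "Payroll", 4, 3),                         # 3 days x impact 3 = 9
]

if __name__ == "__main__":
    for row in recovery_order(SAMPLE):
        print(f"{row.ranking_factor:3d}  {row.department:10s} {row.function}")
```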
Topics
- Basic Concepts
- Defining Goals of BCP
- The BIA
- BIA Matrix Analysis
- Justifying Costs of BCP

BIA Matrix is Heart of BIA
- Basic information needed to
  - Establish recovery requirements
  - Timelines
  - Estimate costs of outages
- Useful in translating business objectives into BIA objectives
(… impact, ranking factor …)
- Must adapt to irreconcilable perspectives
Cross-Department Functions
...

Using the Ranking Factor
...
Critically important functions that must be restored first

Topics
- Basic Concepts
- Defining Goals of BCP
- The BIA
- BIA Matrix Analysis
- Justifying Costs of BCP
Quantitative Risk Model
- Annualized Loss Expectancies
- ALE = Σ p_i c_i
  - p_i is probability of event or strategy i
  - c_i is cost (or gain) of event or strategy i
- E.g., in roulette,
  - Probability p1 of winning $1 bet on a single number on 1 roll of wheel is 1/38 and gain c1 is 36 times the bet = $36
  - Losing: p2 = 37/38 with c2 = -$1
  - So ALE for this bet is p1c1 + p2c2 = 0.0263*$36 + 0.9737*(-$1) = $0.9468 - $0.9737 = -$0.0269 per bet

Problems of the QRM
- Costs depend on level of loss
  - E.g., costs will rise as outage lengthens
  - Complicates calculations
- Most important: exact probabilities difficult to determine
  - Some events have extensive data base
  - Actuaries keep records for insurance companies – fire, flood, etc.
  - But IT-related probabilities difficult to find
    - Huge variations in infrastructure, configuration, exposure to threats
    - Operational standards affect vulnerabilities
Generalized Cost Consequence Model (GCC)
- Estimate cost of damage for each function
  - When does the loss begin?
  - What are the monetary consequences?

GCC (cont'd)
- Evaluate total losses day-by-day
- Apply cost when appropriate
- Collect costs by category
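The day-by-day GCC evaluation as an added example (not the chapter's or the slides' own code), carried one step further to the with-DRP versus without-DRP comparison; the functions, categories, survival days, daily costs and outage lengths are all constructed for illustration.

```python
# Added example (not from the slides): a minimal Generalized Cost Consequence
# (GCC) evaluation. A function's daily loss is applied only once its survival
# days are exhausted; losses are accumulated day by day, collected by
# category, and the outage is costed with and without a DRP in place.
from dataclasses import dataclass
from collections import defaultdict


@dataclass
class FunctionLoss:
    name: str
    category: str          # e.g. "revenue", "regulatory", "productivity"
    survival_days: int     # loss begins the day after this many days
    daily_cost: float      # monetary consequence per outage day once it begins


def daily_losses(functions, outage_days):
    """Per-day total loss across all functions (index 0 = outage day 1)."""
    per_day = []
    for day in range(1, outage_days + 1):
        per_day.append(sum(f.daily_cost for f in functions if day > f.survival_days))
    return per_day


def losses_by_category(functions, outage_days):
    """Total loss of the whole outage, collected by category."""
    totals = defaultdict(float)
    for f in functions:
        chargeable_days = max(0, outage_days - f.survival_days)
        totals[f.category] += chargeable_days * f.daily_cost
    return dict(totals)


def compare_drp(functions, outage_without_drp, outage_with_drp):
    """Cost of an outage with and without a DRP that shortens it, and the
    loss avoided; this difference is what the DRP budget is weighed against."""
    without = sum(losses_by_category(functions, outage_without_drp).values())
    with_drp = sum(losses_by_category(functions, outage_with_drp).values())
    return {"without_drp": without, "with_drp": with_drp, "avoided": without - with_drp}


# Constructed sample functions (hypothetical values).
SAMPLE = [
    FunctionLoss("Order entry", "revenue", 1, 20_000.0),
    FunctionLoss("Payroll", "productivity", 3, 5_000.0),
    FunctionLoss("Tax filing", "regulatory", 10, 50_000.0),
]

if __name__ == "__main__":
    print(daily_losses(SAMPLE, 5))
    print(losses_by_category(SAMPLE, 12))
    print(compare_drp(SAMPLE, outage_without_drp=12, outage_with_drp=2))
```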
GCC (cont'd)
- Estimate costs with Disaster Recovery Plan in place and compare to costs without DRP

Review Questions (1)
1. Distinguish between BCP and DRP
2. Why is BCP important to IT today?
3. What is the advantage of grouping disasters into types in BCP?
4. What are the three phases of recovery scenarios?
5. Why do you need BCP steering committees for different sectors of the organization? Why can't a BCP expert simply define the goals of the process herself?
6. How does defining the scope of the BCP support the planning process?
7. Why does the IT sector so often get the responsibility for coordinating BCP?