Transcript of ADFINGO
ADFINGO Professional Development Centre Copyright © 2005 by Veitch Moir Ltd, all rights reserved, no portion of these materials may be used, nor reproduced, without the written permission of Veitch Moir Ltd.
Business Continuity Management
Within a government context
Dewar Donnithorne-Tait, Adfingo
AFCEA Europe TechNet 2006, Sofia, Bulgaria
Thursday 19th October 2006
Background
• Formerly:
  – Defence Systems
  – Sun Microsystems lead on UK Government BCM panel (Office of Government Commerce) right after 9/11
• Latterly:
  – eGovernment Minister’s personal strategic adviser, FEDICT, Belgium (this presentation is mainly based on this experience)
• Business Continuity Institute
BCM
Business Continuity Management (BCM) is a process which embraces all aspects of the organization, which identifies threats and contingencies and which provides a framework to provide capabilities and responses to assure continuous business operation and to protect the interests of stakeholders.
IA
Information Assurance (IA) is a comprehensive approach to protect information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation.
Definition proposed by the Information Assurance Advisory Council (IAAC), UK.
Comment. IAAC describes IA to board directors as ‘the certainty that the information within an organization is reliable, secure and private. IA encompasses both the accuracy of the information and its protection, and includes disciplines such as information security management, risk management and business continuity planning.’
Disaster Recovery
Disaster Recovery is the process for bringing back systems, processes and data to the original position which prevailed before an accident/calamity/catastrophe/disaster occurred.
Comment. It is reactive to an event occurring, although procedures should be tested and rehearsed frequently
Security
Security is the protection, guard or defence against threat.
Comment. It can be active or passive. In organizational terms the threat is measured in terms of potential damage to the organization. The security classifications afforded relate to the potential damage to the organization if security is breached. The level of protection increases with the degree of classification. Government security generally conforms very closely to this model. The term personal security is traditionally taken to mean protection from physical attack, but with the advent of increased ICT use, viruses and other electronic attacks the use of personal firewalls and back-ups bring personal electronic security more into line with the organizational definition. In government, security is generally regarded as an organizational issue and this is how the term is used in this presentation.
Privacy
• Privacy - two relevant definitions:
  – Absence or avoidance of publicity or display, being withdrawn from public interest, seclusion
  – Private or personal matters or relations
Comment. The key feature is that privacy is about the choice of the individual, social group and occasionally organization to keep things from the knowledge of others; this can be for reasons other than preventing damage, which is the sense in which security is defined. In some states, certain levels of privacy have been made legal rights (individual and sometimes also organizational, depending on the state). For BCM, several sorts of private information may be involved, such as client/customer records.
A Governance Model
(Diagram) Purpose and Core Values → Long-Term Goal(s) → Short-Term Goals → Objectives → Strategies → Capabilities → Resources → Activities: People, Processes, Systems, Policies
Implementing BCM
Adapted from ‘Business Continuity Management: Good Practice Guidelines’, The Business Continuity Institute, 2002
Stage 1: Understanding the Business
• Organizational Purpose, Core Values, Strategy, Objectives, Capabilities, Resources
• Critical Business Factors (eg people, processes, systems)
• Business Outputs and Deliverables
• Business Impact Analysis
• Risk Assessment and Control
Stage 2: Business Continuity Management Strategies
• Organisation (Corporate) BCM Strategy
• Process Level BCM Strategy
• Resource Recovery BCM Strategy (including people)
Stage 3: Develop and Implement a BCM Capability
• Plans and Planning
• External Bodies and Organisations
• Crisis and/or BC event/incident Management
• Sourcing (intra-organisation and/or outsourcing providers)
• Emergency Response, Recovery Solutions and Operations
• Communications
• Public Relations and the Media
Stage 4: Building and Embedding a BCM Culture
An on-going programme of:
• Awareness
• Education and Culture Building
• Training
Stage 5: Exercising, Maintenance and Audit
• Exercising of BCM plans
• Rehearsal of staff and BCM teams
• Testing of technology and BCM systems
• BCM Maintenance
• BCM Audit
Stage 6: BCM Programme Management, Policy, Assurance
• Senior Commitment and proactive participation
• Organisation (Corporate) BCM Strategy
• BCM Policies
• BCM Framework
• Roles, Accountability, Responsibility and Authority
• Finance, Resources
• Assurance
• Audit
• Management Information System: Metrics/Benchmark
• Compliance: Legal/Regulatory issues
• Change Management
RESPONSIBILITIES
• Ever-increasing trend to reliance on knowledge, automation, mass-customisation
• Technical burden tends to fall on ICT staffs
• But BCM is a pan-organisation activity, which needs to be led from the highest levels
• In government, this is typically ‘Prime Minister’s Office’ or ‘Ministry of Interior’
• Other government departments, including ICT functions, play their part within the overall approach
PRINCIPLES OF GOVERNMENT BCM
(Adapted from Business Continuity Management: Good Practice Guidelines, The Business Continuity Institute, 2002)
• Business Continuity Management (BCM) and Crisis Management are an integral part of government Corporate Governance.
• BCM activities must match, focus upon and directly support government goals and business strategy.
• BCM must provide organisational resilience to optimise government product and service availability and as a value-based management process, BCM must optimise resource efficiencies.
• BCM is a business management process that must add value.
• The component parts of government own their business risk and their management of business risk should be based on risk levels appropriate for all government stakeholders.
PRINCIPLES 2
• The government must recognise and acknowledge that reputation, brand image, stakeholder value and risk cannot be transferred or removed by intra-governmental sourcing and/or outsourcing.
• All BCM strategies, plans and solutions must be government main-line business owned and driven. They should not be viewed as a specialised, separate category.
• BCM must be considered at all stages of the development of new government business operations, products, services and internal infrastructure projects.
• BCM must be considered as an essential part of the business change management process.
• The relevant legal and regulatory requirements for BCM must be clearly defined and understood before undertaking a government BCM programme.
PRINCIPLES 3
• There must be agreed, published and distributed organisation policy, strategy, framework and exercising guidelines for government BCM and Crisis Management.
• All BCM strategies, plans and solutions must be based upon: the identified government business Mission Critical Activities (MCA); their dependencies; the single points of failure identified by a Business Impact Analysis (BIA).
• The competency of government BCM practitioners should be based on and benchmarked against standards, such as the ten professional competency standards of the Business Continuity Institute.
• The government and its component parts must implement and maintain a robust exercising, rehearsal and testing programme to ensure its BCM and Crisis Management capabilities are effective, efficient and economic.
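The principle above that plans must rest on the Mission Critical Activities, their dependencies and the single points of failure found by the BIA (and the Business Impact Analysis step of Stage 1) is mechanical enough to be worth showing in code. The following is an added example, not material from the presentation or from the Business Continuity Institute guidelines: a small dependency model where each activity, system or site lists alternative sets of things it needs (any one alternative set suffices; everything inside a set is required), and a check that fails each node in turn to see which MCAs stop working. Every activity, system, site and HSM name in the model is constructed, hypothetical data.

```python
# Added example (not from the presentation): single-point-of-failure analysis
# over a Business Impact Analysis dependency model. All activities, systems and
# sites below are constructed, hypothetical data.
from typing import Dict, FrozenSet, List, Set

# node -> list of alternative dependency sets. A node is available when every
# member of at least ONE alternative set is available (OR across alternatives,
# AND within one). An empty list marks a leaf resource, available unless failed.
DependencyModel = Dict[str, List[Set[str]]]

SAMPLE_MODEL: DependencyModel = {
    # Mission Critical Activities (MCAs), hypothetical
    "MCA:eid_issuance": [{"app:registration_portal", "svc:pki", "people:registry_staff"}],
    "MCA:tax_filing": [{"app:tax_portal", "db:citizen_registry"}],
    # Supporting systems and people
    "app:registration_portal": [{"net:datacentre_a", "db:citizen_registry"}],
    "app:tax_portal": [{"net:datacentre_b"}],
    "svc:pki": [{"hsm:primary"}, {"hsm:secondary"}],                      # either HSM suffices
    "db:citizen_registry": [{"net:datacentre_a"}, {"net:datacentre_b"}],  # replicated
    "people:registry_staff": [{"site:head_office"}, {"site:remote_access"}],
    "hsm:primary": [{"net:datacentre_a"}],
    "hsm:secondary": [{"net:datacentre_b"}],
    "site:remote_access": [{"net:datacentre_a"}],
    # Leaf resources
    "net:datacentre_a": [],
    "net:datacentre_b": [],
    "site:head_office": [],
}


def is_available(node: str, failed: Set[str], model: DependencyModel,
                 _path: FrozenSet[str] = frozenset()) -> bool:
    """Return True if `node` still functions when the nodes in `failed` are down."""
    if node in failed:
        return False
    if node in _path:
        # A BIA model with a cycle is a data error; refuse rather than recurse forever.
        raise ValueError(f"dependency cycle through {node}")
    alternatives = model.get(node, [])   # undeclared nodes are treated as leaves
    if not alternatives:
        return True
    path = _path | {node}
    return any(all(is_available(dep, failed, model, path) for dep in alt)
               for alt in alternatives)


def single_points_of_failure(mca: str, model: DependencyModel) -> Set[str]:
    """Nodes whose individual failure takes the given MCA down."""
    return {node for node in model
            if node != mca and not is_available(mca, {node}, model)}


def spof_report(model: DependencyModel) -> Dict[str, Set[str]]:
    """Map each non-MCA node to the MCAs for which it is a single point of failure."""
    mcas = [n for n in model if n.startswith("MCA:")]
    report: Dict[str, Set[str]] = {}
    for node in model:
        if node in mcas:
            continue
        broken = {mca for mca in mcas if not is_available(mca, {node}, model)}
        if broken:
            report[node] = broken
    return report


if __name__ == "__main__":
    # Nodes that break the most MCAs come first: these are the BIA's priority list.
    for node, broken in sorted(spof_report(SAMPLE_MODEL).items(),
                               key=lambda kv: (-len(kv[1]), kv[0])):
        print(f"{node:26s} breaks {', '.join(sorted(broken))}")
```

In the sample model the duplicated HSMs, the replicated registry and the remote-access fallback for staff are not single points of failure, but the registration portal still depends directly on datacentre A and the citizen registry, so both remain single points of failure for e-ID issuance, and the registry alone breaks both MCAs. That is the end-to-end view the principles ask for: redundancy bought at one layer is worthless if an unreplicated dependency sits on the same path.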
PRINCIPLES 4
• All third parties, including joint venture companies and service providers, upon which the government is critically dependent for the provision of products, services, support or data, must be required to demonstrate an effective, proven and fit-for-purpose BCM capability.
• The government's BCM and Crisis Management capabilities should reflect these good practice guidelines.
• All BIA must be conducted in respect of government products and services in an end-to-end context.
• The government and its component parts are accountable and responsible for maintaining an effective, up-to-date and fit-for-purpose BCM competence and capability.
BCM & IA
• ‘IA encompasses both the accuracy of the information and its protection, and includes disciplines such as information security management, risk management and business continuity planning.’
• The Turnbull Report in the UK advocates and provides a basis for a risk-based approach to corporate governance, which has to be interpreted to cater for levels of risk acceptable to government functions. However, the continually increasing dependence on ever more complex information systems means that more emphasis needs to be given to the information risk management element of government corporate governance. (The Turnbull Report on Corporate Governance - Internal Control: Guidance for Directors on the Combined Code, 1999, London)
• IA can be viewed as a major subset of BCM
IAAC Deliberations
• An IAAC discussion paper recommended:
  – The incorporation of IA into guidelines for corporate governance
  – The development of further metrics and IA maturity models to assist in the creation of appropriate risk management tools
  – Compliance with a management standard, with the minimum standard being ISO 17799
  – Development of theory and tools for the measuring and monitoring of dependency risks
  – Development of the insurance markets to provide more efficient tailored services
  – Senior management awareness, communicated in business language, of the risks and dependencies faced by organisations
Some Metrics
Source: Performance Concepts quoted in Business Continuity, Director Publications Ltd, London, 2000
Organisations in possession of a BCM plan (% of respondents)

Sector                   Yes   No   No Comment
Finance                   32   56   12
Computing, Technology     31   60    9
Telecom                   31   65    4
Public Sector             26   44   30
Manufacturing             23   48   19
Retail                    16   70   10
Entertainment, Media      16   76    8
Transport, Logistics      12   64   24
Some More Metrics 1
Source: Performance Concepts quoted in Business Continuity, Director Publications Ltd, London, 2000
• 38% of those interviewed couldn’t distinguish between Business Continuity Management and Disaster Relief
• 88% suffered serious events not covered by plans
• Up to 90% reduction in total loss can be achieved by having good, tested plans
• 94% do not seek managerial approval of plans prior to implementation
• 92% upgrade BCM capability significantly after a disaster
• 70% do not view DR/BCM as an integral part of business planning
• 22% consider integrated company-wide planning important
• 20% do not consider protection of data & systems important
Some More Metrics 2
Source: Performance Concepts quoted in Business Continuity, Director Publications Ltd, London, 2000
• 88% of e-business is not included in organizational Business Continuity Management and Disaster Relief plans
• 57% of disasters are IT-related
• 61% do not publish BCM plans to all employees
• Only 11% of organisations had active board-level involvement in BCM
• 92% fail to update BCM plans after new system introduction
• 84% do not identify risks in Supply Chain Management (SCM)
• 10% of disasters are in SCM
• 29% of those involved had no formal training
• 38% are confident in their skills
Discussion
Dewar Donnithorne-Tait MA MBA FIoD
www.adfingo.net
m: +44-7703-105006
e: