Business Continuity Workshop Final
![Page 1: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/1.jpg)
Business Continuity Planning
Presented by
Bill Lisse, CISSP, CISA, CGEIT, GPCI, GHSC, Security+ SME
Manager, Technology & Risk Management
Jack Lohbeck, CPA
Director, Business Consulting
![Page 2: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/2.jpg)
Increasing Competition & Risks
• Businesses are constantly at risk for interruptions to their operations, any of which can have devastating consequences
• Gartner reports that two out of five organizations that experience a disaster go out of business within five years
• A speedy recovery from interruption is imperative to staying solvent as a business
![Page 3: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/3.jpg)
Business Continuity
• “The process of developing advance arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions continue with planned levels of interruption or essential change.”
Disaster Recovery Institute International’s Glossary of Industry Terms
![Page 4: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/4.jpg)
Planning for Disruptions
• If an organization does not develop and implement a business continuity (BC) plan and disaster recovery (DR) procedures that can bring its business back up in as short a time as possible, the potential for lost revenue can add up to millions of dollars within several days
![Page 5: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/5.jpg)
Common Roadblocks
• Over confidence - “It can’t happen to me”
• Over extension - don’t feel you have the time, personnel or other resources to devote to comprehensive contingency planning
• Over reaching - reaching too far and wide; makes the process overwhelming and seem impossible
• Over planning - several contingency plans for specific situations or departments which become uncoordinated
![Page 6: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/6.jpg)
Business Continuity Management (BCM)
• BCM is a process that applies to any business, small or large, that helps to manage the risks that threaten its survival
• The objective is to identify the hazards that may affect critical functions or activities and to ensure that these can be reduced or responded to in an effective way
![Page 7: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/7.jpg)
Reasons for BCP
• Loss or Injury to Personnel
• Compliance
• Loss of Revenue
• Damage to Critical Resources
• Loss of Customers
• Reputation Damage
• Civil and Criminal Liabilities
![Page 8: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/8.jpg)
BCP Resource Scope
• People
• Materials
• Critical Records
• Office Work Areas
• Critical Machinery & Equipment
• Communications Infrastructure
![Page 9: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/9.jpg)
BCM Cycle
• Risk Management
• Business Impact Analysis
• Business Continuity Strategy
• Business Continuity Plan
• Business Continuity Plan Testing
• BCP Maintenance
Diagram stage labels: Stage 1, Stage 2, Stage 3, Stage 4, Stage 5
![Page 10: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/10.jpg)
Business Continuity Management
• Risk Management
• Business impact analysis (BIA)
• Classification of operations and criticality analysis
• Document the BC plan and DR procedures
• Training & Awareness
• Testing
• Ongoing Monitoring & Plan Maintenance
![Page 11: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/11.jpg)
BCM Cycle
![Page 12: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/12.jpg)
Risk Management
![Page 13: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/13.jpg)
Risks
• Threats: What can go wrong?
  - Human (Intentional or accidental)
  - Natural Events
• Probability: How likely is an adverse outcome?
• Impacts: What are the consequences of the event?
Foundation: History - Analytical Tools - Technology Maturity - Knowledge/Experience
![Page 14: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/14.jpg)
Threats - Examples
• Labor Disruptions
  - Pandemics
  - Strikes and disputes
  - Accidents
  - Workplace Violence
• Natural Disasters
  - Tornado
  - Hurricane
  - Earthquake
  - Floods
• Lack of Materials
  - Shortages
  - Delays
  - Supplier breach
• Facilities
  - Fire
  - Black/Brown Outs
• Equipment
  - IT Failures
  - Communications failures
  - Equipment Failures
![Page 15: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/15.jpg)
Threat
Opportunity Exposure
Vulnerability
![Page 16: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/16.jpg)
Risk Management

| Question | High Impact | Medium Impact | Low Impact |
| --- | --- | --- | --- |
| What is the impact of the function on revenue generation? | Direct correlation to revenue | Peripheral correlation to revenue | No correlation to revenue |
| What is the impact on other projects? | Entire company | One or more departments | Select users throughout the company |
| What is the cost to overcome disruptions? | Material to the company | Material to a departmental or project budget | Peripheral departmental or project budget |
| How will it impact customers or prospects? | Direct impact on revenue generation or end-customer support | Peripheral impact on revenue generation or end-customer support | No impact |
| Which business processes will be affected? | Any external facing processes | Critical internal processes | Non-critical internal processes |
![Page 17: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/17.jpg)
Potential Business Consequences
• Inability to maintain critical customer services
• Damage to your market share, image, reputation or brand
• Failure to protect the company assets (including intellectual property and personnel)
• Fraud
• Failure to meet legal or regulatory requirements
• Financial loss
![Page 18: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/18.jpg)
Risk Management
• Risk Responses
  - Mitigate
  - Accept
  - Avoid
  - Transfer
![Page 19: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/19.jpg)
BCM Cycle
![Page 20: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/20.jpg)
Business Impact Assessment
• The BIA is the most critical process in the development of a DR strategy
• Provides the business requirements used to develop the plan (focus resources)
• Typical Areas
  - Identify critical business processes
  - Determine the disruptions & probability
  - Impact of disruptions on business
  - Determine Loss Exposures
![Page 21: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/21.jpg)
Business Impact Analysis
• A Business Impact Analysis Helps Organizations:
  - Identify and prioritize risks
  - Identify requirements
  - Identify the extent of financial impact
  - Identify the extent of operational impact
![Page 22: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/22.jpg)
Business Impact Analysis
The process of analyzing all core business functions and establishing an optimized timetable for recovery.
• Provides baseline for:
  - Justification for costs associated with recovery
  - Developing recovery strategies
  - Developing Support Level Agreements
• Maps data flow
• Identify maximum tolerance for downtime
• Identify interdependencies
• Determine the recovery priorities of the organization
![Page 23: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/23.jpg)
Business Impact Analysis
End-User Questionnaire Highlights:
• Department Overview
• Workflow Interdependencies
• Computer Resources
• Application Impact Analysis
![Page 24: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/24.jpg)
Department Overview
1. Identify department, location, and at least two representatives from each department.
2. Develop a comprehensive list of applications used in the department.
3. Describe the business function(s) of the department.
4. Gather information about the department’s daily business hours, revenues generated, transaction volume, and any peak or high demand periods.
![Page 25: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/25.jpg)
Workflow Interdependencies
1. Identify the departments and organizations that send work to the department.
2. Determine what routes or channels of communication are used to send that incoming work and estimate the percentage that comes via each route or channel.
3. Gather the same information in #1 and #2 for work sent by the department.
![Page 26: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/26.jpg)
Computer Resources
1. Gather information on the computing equipment in the department and how it is used.
2. Begin exploring the reliance that the department has on the computing equipment, e.g., What data entry backlog would there be if it was unavailable for one day?
![Page 27: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/27.jpg)
Application Impact Analysis
1. Basic description of each application, including what it does, what business functions it supports, if it handles PHI, and who the department contacts are for the application.
2. Estimate the level of departmental business interruption associated with the application being unavailable through various time thresholds.
3. Estimate the associated data entry backlog that would result and how many staff hours it would take to eliminate the backlog.
![Page 28: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/28.jpg)
Application Impact Analysis
4. Evaluate the downtime procedures associated with the application, asking questions such as: Have the procedures been used before? How did they work? How long can the department function using them?
5. Evaluate any regulatory, legal, financial, customer service, and public image problems that could arise as a direct or indirect result of the application being unavailable through various time thresholds.
![Page 29: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/29.jpg)
BCM Cycle
![Page 30: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/30.jpg)
Business Continuity Strategy
• Market Structure & Budget
• Data and system backup and restore
• System & Data failover, redundancy
• System vulnerabilities & threats
• Disruptions to internal systems, telecommunications, applications, Web access
• Operation of environmental systems
• Natural disasters and other interruptions
![Page 31: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/31.jpg)
Business Continuity Strategy
• Transfer Control/Function
• Relocation of staff
• Manual or alternative
• Work from home
• Shut down
• Hot Site or dedicated
• Warm Site
• Cold or Shell Site
![Page 32: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/32.jpg)
BCM Cycle
![Page 33: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/33.jpg)
Business Continuity Plan
• Considerable effort and time are necessary to develop the initial BCP
• Effective documentation and procedures are extremely important in a BCP
• Well-written plans reduce the time required to read and understand the procedures
  - Result in a better chance of success if the plan has to be used.
  - Significantly reduce maintenance time and effort.
![Page 34: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/34.jpg)
Business Continuity Plan
• An overarching plan of the company to be able to recover from a disaster and to resume normal business processes in as little time as possible
• The BCP is made up of many “sub-plans”:
  - Emergency Response Plan
  - Disaster Recovery Plan
  - Public Affairs Plan
  - Occupant Emergency Plans
![Page 35: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/35.jpg)
Business Continuity Plan
• Within a BCP, you have some key components:
  - Assessment: A way to identify threats (BIA - more on this later)
  - Evaluation: The likelihood and impact of each threat
  - Preparation: For contingent operations
  - Mitigation: The reduction or elimination of risks
  - Response: The response to minimize the impact of an emergency
  - Recovery: The return to normalcy
![Page 36: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/36.jpg)
Business Continuity Plan
![Page 37: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/37.jpg)
Business Continuity Plan
• A document stating
  - Who and What (systems, equipment, records and facilities) are required
  - When they are required
  - Where to operate your business for an indefinite period
• A standard format for the procedures should be used for consistency, conformity, and maintenance
• Standardization is especially important if several people write the procedures
![Page 38: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/38.jpg)
Business Continuity Plan
• Two basic formats are used to write the plan: background information and instructional information.
• Background information should be written using indicative sentences
• Instructions should use an imperative style (issue directions)
![Page 39: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/39.jpg)
Business Continuity Plan
• Helpful tips in writing the BCP:
• Be specific. Write the plan with the assumption it may be implemented by personnel unfamiliar with the function and operation.
• Use short, direct sentences, and keep it simple. Long sentences can overwhelm or confuse the reader.
• Use short paragraphs. Long paragraphs can be detrimental to reader comprehension.
• Use active voice verbs in present tense. Passive voice sentences can be lengthy and may be misinterpreted.
• Use descriptive verbs. Non-descriptive verbs such as “make” and “take” can cause procedures to be wordy.
• Avoid jargon.
• Use position titles (rather than personal names of individuals) to reduce maintenance and revision requirements.
• Develop uniformity in procedures to simplify the training process and minimize exceptions to conditions and actions.
• Identify events that can occur in parallel, and events that must occur sequentially.
![Page 40: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/40.jpg)
BCM Cycle
![Page 41: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/41.jpg)
BCP Testing
• Plan Audit
• Passive Walk Through
• Scenario Workshop
• Physical Test
• Live Simulation Test
![Page 42: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/42.jpg)
BCP Testing
• Dependencies
• Frequency
• Test Plan Development
• Test Procedures
• Test Results
• Management and Staff Awareness
![Page 43: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/43.jpg)
BCM Cycle
![Page 44: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/44.jpg)
BCP Maintenance
• It is important that the plan be continually maintained and updated. Business continuity plans should include specific maintenance responsibilities and procedures. The major considerations in this process include:
  - Maintenance frequency
  - Change factors
  - Maintenance responsibilities
  - Distribution considerations
![Page 45: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/45.jpg)
BCP Maintenance
• The recovery procedures for each team should be updated at minimum on a yearly basis and should also be updated following major organizational changes
• Telephone lists and other inventories should be updated at least quarterly
• The plan should also be reviewed and updated when there are major changes in technology
• A plan maintenance form can be used to record and control all maintenance changes, additions or modifications to the plan
![Page 46: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/46.jpg)
BCP Maintenance
• It is important to recognize factors that may change the business continuity plan:
  - Procedural changes
  - Organizational structure changes
  - Personnel changes/turnover
  - Physical changes (e.g., facilities)
  - Technology changes
  - Recovery requirements changes testing issues
![Page 47: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/47.jpg)
BCM Cycle - Summary
• Risk Management
• Business Impact Analysis
• Business Continuity Strategy
• Business Continuity Plan
• Business Continuity Plan Testing
• BCP Maintenance
Diagram stage labels: Stage 1, Stage 2, Stage 3, Stage 4, Stage 5
![Page 48: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/48.jpg)
Keys to Success
• Link Business and IT Processes
• Develop a comprehensive DR plan based on realistic threats
• Keep DR procedures current
• Test the DR plan – don’t view it as an exam; it is a quality improvement exercise
• BC goals should be realistic
• Clearly define DR roles, responsibilities and ownership
• Have a clear data backup strategy
• Communicate!
![Page 49: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/49.jpg)
Resources
• Disaster Response Institute International (DRII) – http://www.drii.org
• Business Continuity Institute (BCI) - http://www.thebci.org/
• Disaster Response Journal – http://www.drj.com
• NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs http://www.nfpa.org/assets/files/PDF/NFPA1600.pdf
• Continuity Central http://www.continuitycentral.com/info.htm
• Federal Financial Institutions Examination Council Business Continuity Handbook http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf
![Page 50: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/50.jpg)
Conclusion
• Don’t wait till a disaster occurs
• Even with a small budget, prudent steps can be taken
  - ensuring good backups
  - establishing roles and responsibilities
  - effective planning
  - new technologies may also be leveraged to make recovery more affordable
![Page 51: Business Continuity Workshop Final](https://reader033.fdocuments.us/reader033/viewer/2022061111/5454243eb1af9f95228b493b/html5/thumbnails/51.jpg)
Questions?
• Bill Lisse - (937) 853-1490
• Email - [email protected]
• Jack Lohbeck - (937) 853-1423
• Email – [email protected]