www.sungard.co.uk Ron Miller – Principal Consultant BCM & ICT Continuity Standards: What are their purposes and how can they work together?

BCI ICT Resilience


  • www.sungard.co.uk

    Ron Miller, Principal Consultant

    BCM & ICT Continuity Standards: What are their purposes and how can they work together?

  • 2010 SunGard. | www.sungard.co.uk

    What I'll be covering

    ISO 27031 and ISO 24762: why?

    ICT continuity standards: key content and guidance

    Principles

    Elements

    The relationships and integration with the GPG, BS 25999 and ISO 22301

    ICT recovery versus resilience, addressing common issues

  • It was all about IT DR

  • BCM growth (chart): sectors (IT, Big Business, Medium Business, Public Sector) plotted against time (1970s, 1980s, 1990s, 2000s)

  • BS 25999: British Standard for Business Continuity Management

    Provided guidance for organizations of all sizes, in all sectors, on what they should do to:

    Enhance resilience

    Provide restoration of key products and services

    Deliver proven capability to manage disruption

    (but not how they do it!)

  • BCM Lifecycle (BS 25999)

    Widely adopted in the UK and beyond

    Used as the basis for ISO 22301 and ISO 22313

    Used as the basis for other continuity and resilience standards: TC223 ISO standards, US BCM standard

  • But what about ICT?

  • ISO 27000

    ISO 27001: 5 controls (out of 133)

    ISO 27002: four and a half pages of high-level guidance (out of 130 pages)

  • BS 25777

  • How BS 25777 integrated with BS 25999

  • The need for ISO 27031

    Increasing dependency on information and communications technology

    Comprehensive guidance established for business continuity management: BS 25999 and others

    Supported by ICT continuity guidance: BS 25777

    No detailed guidance directly related to ISO 27001

    Significant gaps continue to be present between business and supporting ICT continuity and resilience in many organisations

  • BS 25777 evolved into… ISO 27031

    Guidelines for information and communication technology readiness for business continuity

    Takes the core elements of BS 25777

    Links them to an information security anchor

    Provides guidance which expands upon ISO 27002

    Helps in the implementation of controls contained within ISO 27001

  • ISO 27031

    Continues to integrate with BC

    Supports the PDCA process:

      Planning

      Implementing and operating

      Assessing, measuring and reviewing

      Corrective and preventive actions

    Supports ISMS

  • ISO 24762: what is it?

    Guidelines for information and communications technology disaster recovery services

    Provision of information and communications technology disaster recovery (ICT DR) services as part of business continuity management

    Applicable to both in-house and outsourced ICT DR service providers of physical facilities and services.

  • ISO 24762: is it any good?

    No! Based on Singapore standard

    ISO consultation process failed

    BCM community unaware of its existence until too late

    Service providers unaware of its existence until too late

    Does not integrate with BCM standards

    Does not integrate with ISO 27031

    Shining example of how-not-to-develop-a-standard

    Now at beginning of revision process.

  • ISO 24762: who uses it?

    Good question!

  • ISO 24762: who uses it?

    BSI sells it!!

    Some dubious claims by vendors

    Experts offering advice

  • Concepts and Principles

  • Concepts and Principles of ISO 27031

    ICT Readiness for BC (IRBC)

    Complements and supports BCM and/or ISMS by:

    Improving the incident detection capabilities

    Preventing a sudden or drastic failure

    Enabling an acceptable degradation of operational status should the failure be unstoppable

    Further shortening recovery time; and

    Minimising impact upon eventual occurrence of the incident.

  • The relationship between IRBC and BCM

  • ICT Readiness Principles

  • Key principles

    Incident prevention

    Incident detection

    Response

    Recovery

    Improvement

  • Incident prevention

    Iterative process

    ICT Readiness promotes resilience

    Facilitates identification of critical components in each of the elements which make up the ICT environment

    Relates ICT criticality to wider business criticalities

    Priorities also driven by BC requirements

    Justifies resource and budget for appropriate resilience measures

    Monitors the performance of resilience measures

    Review and improvement following exercises, tests and incidents

  • Incident prevention

    People

    Facilities

    Technology

    Data

    Processes

    Suppliers

  • Incident detection

    IRBC promotes response BEFORE an incident occurs, upon detection of one or a series of related events that become incidents

    Detecting incidents at the earliest opportunity minimizes impact to services, reduces recovery effort, and preserves quality of service

    Investment in detection should be linked to the business continuity needs

  • Incident detection

    People

    Facilities

    Technology

      Hardware failures: malfunctions in racks, servers, storage arrays, tape devices

      Network: data connectivity interruptions, intrusion detection etc.

      Software: upgrade issues, unauthorised software, malware etc.

    Data: corrupted datasets, incomplete datasets etc.

    Processes: system changes, maintenance etc.

    Suppliers: power failure, telecoms outage

  • Response

    IRBC promotes existing good practice:

    Confirm nature and extent of incident

    Take control of situation

    Contain the incident

    Communicate with stakeholders

    (Not necessarily a chronological order.)

  • Response: confirm nature and extent of incident

    Acquire information

    Assess:

      How does it affect the elements of the ICT environment?

      How might this affect service-users and the critical activities of the organisation?

  • Response: take control of situation

    Automatic or manual failover?

    Determine priorities for mitigating incident: People, Facilities, Technology, Data, Processes, Suppliers

    Determine resource requirements

    Communicate

  • Response: contain the incident

    Auto or manual failover?

    Direct resources to manage situation

    Communicate:

      Is there concurrent activation of BC Incident Management?

      Liaise with rest of organisation

    Activate relevant contingency arrangements

  • Response: communicate

    Communication essential all the way through the response process

    Integration with overall BC incident management process

  • Recovery

    Technical recovery plans, in conjunction with organisational business continuity plans

    Failover of immediately time-critical systems

    Recovery of less time-sensitive systems

    Manage recovery process over hours, days, weeks…

  • Improvement

    IRBC promotes improvement:

    Lessons learned from exercises

    Audits/self-assessment

    Feedback from periodic BIAs and risk assessments

    Corrective action following incidents

    Preventive action

  • The ICT Resilience Gap

    Why do organisations get it wrong?

    The consequences of the gap

  • Managing Expectations? ICT Teams plan for this?

  • Managing Expectations? Service users expect this?

  • Information value is the key

    IT departments are custodians of information

    They are NOT the owners of the information

    They do not know its value

    Value is not always about money

    Value can be reputational, service-related etc.

  • Managing Expectations?

    Mismatch of expectations

    IT: "You'll get what we choose to give you"

    Business: "What do you mean? Don't you give us EVERYTHING?????"

    Constraints: technological, budgetary, resource

    Fundamental misunderstandings about business and role of technology

    Fundamental misunderstandings about the holistic nature of ICT

  • The example of email

  • The impact of ICT loss

    Impacts are not always obvious

    ICT requirements post-disruption can be quite different from business-as-usual

    Criticality of the same data can vary widely across the organisation: not all data is born equal!

    Recovery is frequently not an option

  • The consequences

    Mismatch of ICT resilience implementation and organisational requirements

    Wasteful of expenditure and resource

    Provides the WRONG ICT environment in the WRONG timescales

    IT departments frequently concentrate on DR rather than resilience and continuity: "We don't need to bother about uptime because we know we have good DR"

    They don't ask users the right questions

    Business departments don't know/share continuity requirements: RTOs, RPOs

    Each side's knowledge of information availability capabilities and requirements remains unknown to the other

  • The consequences

    The organisation implements an information security programme which fails to deliver on information availability

  • ICT Resilience

    How can the costs be justified?

    How can ISO 27031 help?

  • Getting value for money

    Mechanism for realism in service-user BCM requirements

    Relates RTOs and RPOs to Minimum Business Continuity Objectives

    Rationalises IT DR spend

    Justifies cost to the business

    Resilience versus Recovery
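    As an added illustration of relating RTOs and RPOs to Minimum Business Continuity Objectives, and of the mismatch described on the "consequences" slides, the following Python is not part of the presentation or of any standard: it compares the requirements stated by service users with the capability ICT has actually exercised and classifies each service as a gap, over-provisioned, aligned, or unknown to one side. The service names, the RTO/RPO/MBCO figures and the 2x "slack" threshold for over-provisioning are constructed assumptions.

```python
# Added example (not from the presentation): a small RTO/RPO/MBCO gap check that
# compares what service users require with what ICT has demonstrated in exercises.
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class BusinessRequirement:
    """What the business owner of a service states it needs."""
    service: str
    rto: timedelta           # Recovery Time Objective: maximum tolerable outage
    rpo: timedelta           # Recovery Point Objective: maximum tolerable data loss
    mbco_percent: int        # Minimum Business Continuity Objective: % of normal capacity


@dataclass(frozen=True)
class IctCapability:
    """What ICT has demonstrated in an exercise, not what the design document promises."""
    service: str
    restore_time: timedelta          # exercised failover / recovery time
    data_loss_window: timedelta      # replication or backup interval
    recovered_capacity_percent: int  # capacity available after recovery


@dataclass(frozen=True)
class GapFinding:
    service: str
    status: str      # "gap", "over-provisioned", "aligned" or "unknown"
    reasons: tuple   # human-readable justification for the status


def assess(requirements, capabilities, slack=2.0):
    """Return {service: GapFinding} for every service either side knows about.

    gap              ICT cannot meet a stated objective (wrong environment / timescale)
    over-provisioned ICT beats RTO and RPO by more than `slack`x: spend worth
                     rationalising, or a requirement worth re-validating with users
    aligned          requirement and capability match
    unknown          one side has never told the other what it needs or can deliver
    """
    reqs = {r.service: r for r in requirements}
    caps = {c.service: c for c in capabilities}
    findings = {}

    for name in sorted(reqs.keys() | caps.keys()):
        req, cap = reqs.get(name), caps.get(name)
        if req is None:
            findings[name] = GapFinding(name, "unknown", ("no business requirement stated for this ICT service",))
            continue
        if cap is None:
            findings[name] = GapFinding(name, "unknown", ("no exercised ICT capability recorded for this requirement",))
            continue

        reasons = []
        if cap.restore_time > req.rto:
            reasons.append(f"RTO: restore time {cap.restore_time} exceeds RTO {req.rto}")
        if cap.data_loss_window > req.rpo:
            reasons.append(f"RPO: data loss window {cap.data_loss_window} exceeds RPO {req.rpo}")
        if cap.recovered_capacity_percent < req.mbco_percent:
            reasons.append(f"MBCO: {cap.recovered_capacity_percent}% recovered capacity is below MBCO {req.mbco_percent}%")
        if reasons:
            findings[name] = GapFinding(name, "gap", tuple(reasons))
        elif cap.restore_time * slack < req.rto and cap.data_loss_window * slack < req.rpo:
            findings[name] = GapFinding(name, "over-provisioned", (f"capability beats RTO and RPO by more than {slack}x",))
        else:
            findings[name] = GapFinding(name, "aligned", ())
    return findings


# Constructed sample data for illustration only (hypothetical services and figures).
REQUIREMENTS = [
    BusinessRequirement("email", timedelta(hours=4), timedelta(hours=1), 50),
    BusinessRequirement("order-processing", timedelta(hours=1), timedelta(minutes=15), 80),
    BusinessRequirement("archive", timedelta(hours=72), timedelta(hours=24), 20),
    BusinessRequirement("payroll", timedelta(hours=8), timedelta(hours=4), 100),   # IT never asked
]
CAPABILITIES = [
    IctCapability("email", timedelta(hours=2), timedelta(hours=24), 100),          # nightly backup only
    IctCapability("order-processing", timedelta(minutes=30), timedelta(minutes=5), 100),
    IctCapability("archive", timedelta(hours=1), timedelta(minutes=5), 100),       # synchronous replication
    IctCapability("legacy-ftp", timedelta(hours=1), timedelta(hours=1), 100),      # no known business owner
]

if __name__ == "__main__":
    for finding in assess(REQUIREMENTS, CAPABILITIES).values():
        print(f"{finding.service:17} {finding.status:16} {'; '.join(finding.reasons)}")
```

    The "unknown" rows are the ones the slides warn about: a requirement with no exercised capability behind it, and an ICT service nobody in the business has set objectives for. Both sides only learn the answer by running the comparison together, which is what a validation exercise under ICT Readiness is for.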

  • ISO 27031 and BS 25999

    Holistic view of ICT and how it fits within the organisation: People, Facilities, Technology, Data, Processes, Suppliers

    …and how they fit into the principles of: Incident prevention, Incident detection, Response, Recovery, Improvement

  • Embedding ICT Readiness

    Provides a framework for ensuring ICT Readiness is aligned with business requirements

    Gets IT and service-users involved in validation

    Provides budgetary and business rationale for investment in ICT resilience

  • Supports and complements BS 25999 and ISO 27001

    Provides the guidance which supports BCM and information security goals

    ICT Readiness is driven by business/organizational requirements (not the other way round)

    ICT Readiness and resilience capabilities feed back into organizational goals

    Ensures that information availability is tackled as effectively as confidentiality and integrity.