Business Continuity Management


  • Business Continuity Management: A Practical Guide

    Stuart Hotchkiss

  • BUSINESS CONTINUITY MANAGEMENT In Practice

  • BCS, The Chartered Institute for IT

    Our mission as BCS, The Chartered Institute for IT, is to enable the information society. We promote wider social and economic progress through the advancement of information technology science and practice. We bring together industry, academics, practitioners and government to share knowledge, promote new thinking, inform the design of new curricula, shape public policy and inform the public.

    Our vision is to be a world-class organisation for IT. Our 70,000 strong membership includes practitioners, businesses, academics and students in the UK and internationally. We deliver a range of professional development tools for practitioners and employees. A leading IT qualification body, we offer a range of widely recognised qualifications.

    Further Information

    BCS, The Chartered Institute for IT
    First Floor, Block D
    North Star House, North Star Avenue
    Swindon, SN2 1FA, United Kingdom
    T +44 (0) 1793 417 424
    F +44 (0) 1793 417 444
    www.bcs.org/contactus


  • © 2010 Stuart Hotchkiss

    Stuart Hotchkiss hereby asserts to the Publishers his moral right to be identified as the Author of the Work in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.

    All rights reserved. Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted by the Copyright Designs and Patents Act 1988, no part of this publication may be reproduced, stored or transmitted in any form or by any means, except with the prior permission in writing of the publisher, or in the case of reprographic reproduction, in accordance with the terms of the licences issued by the Copyright Licensing Agency. Enquiries for permission to reproduce material outside those terms should be directed to the publisher.

    All trade marks, registered names etc acknowledged in this publication are the property of their respective owners. BCS and the BCS logo are the registered trade marks of the British Computer Society charity number 292786 (BCS).

    Published by British Informatics Society Limited (BISL), a wholly owned subsidiary of BCS The Chartered Institute for IT, First Floor, Block D, North Star House, North Star Avenue, Swindon, SN2 1FA, UK. www.bcs.org

    ISBN 978-1-906124-72-4

    British Cataloguing in Publication Data. A CIP catalogue record for this book is available at the British Library.

    Disclaimer: The views expressed in this book are of the author(s) and do not necessarily reflect the views of BCS or BISL except where explicitly stated as such. Although every care has been taken by the authors and BISL in the preparation of the publication, no warranty is given by the authors or BISL as publisher as to the accuracy or completeness of the information contained within it and neither the authors nor BISL shall be responsible or liable for any loss or damage whatsoever arising by virtue of such information or any instructions or advice contained within this publication or by any of the aforementioned.

    Typeset by The Charlesworth Group. Printed at CPI Antony Rowe, Chippenham, UK


  • CONTENTS

    About the author
    Abbreviations
    Glossary
    Preface
    Preamble

    INTRODUCTION AND PURPOSE
        Why have business continuity?
        What exactly is a continuity plan?
        Business continuity - planning or management?
        Why does continuity management fail?
        A real-life continuity plan
        Outages in practice
        The BCM lifecycle

    1 GENERAL ISSUES IN CONTINUITY MANAGEMENT
        Some terminology
        Standards
        Regulatory issues
        Availability, uptime and reliable components
        The downtime myth
        Application and asset approach
        It won't happen to us
        Disasters
        The cost of failure
        The cost of success
        Customer satisfaction
        Some industries are different

    2 IN PRACTICE - THE FOUNDATIONS
        Company strategy
        Continuity strategy
        Business continuity policy
        Planning

    3 BUSINESS IMPACT ANALYSIS
        Introduction
        The objectives of the BIA
        Level of detail and scope
        Critical success factors
        Assessing impact
        Revenue at risk
        Questionnaires
        Tools
        The process in detail

    4 THE BUSINESS IMPACT ANALYSIS REPORT

    5 THREATS, RISKS AND RISK ANALYSIS
        Introduction
        In practice
        Risk lifecycle

    6 SUPPORTING FUNCTIONS AND DEPARTMENTS
        The special cases of IT and Facilities
        General issues with IT recovery architectures
        IT considerations
        Procurement considerations
        Human Resources considerations
        Facilities considerations
        Finance considerations

    7 SCENARIOS
        Scenarios and capability

    8 PROCEDURES - THE LAST THING TO DO IS THINK
        IT procedures

    9 TESTING AND STAYING FRIENDS
        In-depth analysis
        Desk testing
        Live testing

    10 AUDIT
        Test logs
        Stakeholder management
        Auditing yourself

    11 IMPLEMENTATION AND GOVERNANCE
        A governance framework
        Job descriptions
        Incident and escalation management
        Escalation structure

    12 COMMUNICATIONS

    13 TRAINING

    14 ORGANISATIONAL ISSUES
        Where does BCM fit in an organisation?
        Keeping the plan up-to-date

    15 BUSINESS CONTINUITY AND THE CLOUD

    16 LESSONS TO LEARN

    17 CONCLUSION

    APPENDIX 1: REFERENCE DATA

    APPENDIX 2: TEMPLATES
        BIA questionnaire template
        Threat/risk questionnaire template

    INDEX

  • LIST OF FIGURES AND TABLES

    Figure I.1 Causes of outages
    Figure I.2 Lifecycle of business continuity capability
    Figure 4.1 Heatmap comparing frequency and impact of threats
    Figure 4.2 Heatmap comparing impact of events with preparation
    Figure 4.3 Revenue loss projection
    Figure 5.1 Lifecycle of risk analysis and management

    Table I.1 Event: Water leak
    Table I.2 Assessing a risk scenario
    Table 1.1 Strategic statements and action plans
    Table 3.1 MTOs and daily revenues for product groups
    Table 3.2 Calculating revenue losses
    Table 3.3 Supporting functions
    Table 5.1 Probabilities of threats occurring
    Table 5.2 Probabilities multiplied by impact
    Table 6.1 Failure scenarios for ATM datacentre
    Table 7.1 Examples of risk scenarios
    Table 8.1 Procedure table
    Table 8.2 Example procedure
    Table 8.3 Example of procedure contacts list
    Table 9.1 Example of desk test results
    Table 9.2 Differences between desk test and live test actions
    Table 11.1 Responsibilities of managers for business continuity
    Table 11.2 Breakdown of product manager's role in business continuity
    Table 11.3 Communications matrix for major incidents
    Table 12.1 Internal communications matrix
    Table 13.1 Training plan
    Table A1.1 Overview of typical RTOs and RPOs for different sectors
    Table A1.2 Typical timescales for continuity strategies
    Table A1.3 Typical RTOs and RPOs for IT by levels of importance
    Table A2.1 Typical BIA questionnaire template
    Table A2.2 BCM threat/risk exposure questionnaire
    Table A2.3 Table for summarising threats and countermeasures
    Table A2.4 Table for summarising outages over last three years
    Table A2.5 Summary sheet for contingency plans

  • ABOUT THE AUTHOR

    Stuart Hotchkiss is a business consultant in Hewlett Packard Technology Services EMEA. He has over 30 years of experience in IT from many domains, of which the last 16 have been in security and business continuity. This book shares some of that experience. The opinions in it are his alone.

  • ABBREVIATIONS

    AS Australian Standards

    ATM Automated Teller Machine

    BCM Business Continuity Management

    BCP Business Continuity Planning

    BIA Business Impact Analysis

    CIA Confidentiality, Integrity and Availability (of data)

    CPU Central Processing Unit

    DR Disaster Recovery

    HR Human Resources

    IEC International Electrotechnical Commission

    ISO International Organization for Standardization

    ITIL Information Technology Infrastructure Library

    ITSCM IT Service Continuity Management

    LAN Local Area Network

    LOB Line of Business

    MTO Maximum Tolerable Outage

    NZS New Zealand Standard

    P&L Profit and Loss

    RPO Recovery Point Objective

    RTC Recovery Time Capability

    RTO Recovery Time Objective

    SAN Storage Area Network

    SPOF Single Point of Failure


  • GLOSSARY

    Asset Physical items such as computer systems, vehicles and buildings. Resource has a broader definition (see below).

    Business Continuity Management (BCM) The process of developing and maintaining a complete business continuity plan which will ensure the continuity of a business when disruptions occur. BCM covers plan development based on the business impact analysis, the exercising of the plan and the regular updating of the plan to reflect new threats, risks and business circumstances.

    Business Continuity Plan (BCP) The documented procedures defining what happens when risk scenarios materialise. The plan should cover all scenarios and procedures and act as a guide when business disruption occurs. The business continuity plan is updated and maintained via the BCM process defined above.

    Business Impact Analysis (BIA) This is the process of determining which areas of a business have potential losses requiring mitigation and what controls are needed. Controls can reduce or, occasionally, eliminate risk and loss. Controls cost money and, in a BIA, the objective is also to balance the cost of these with risk appetite. (Risk appetite is simply the tolerance for risk - some companies accept high risks, others don't.)

    The output of a BIA shoul