Business Continuity Planning Anjan

7/30/2019 Business Continuity Planning Anjan

1/69

1

Business Continuity Planning (BCP)

Presented by Anjan Mohapatro


2/69

2

Business Continuity Plan

Plann ing to ensu re the con t inu at ion o f op erat ion s in th e event o f a ca tas t ro ph ic event .

Business continuity planning goes beyond disaster recovery planning to include the actions to betaken, resources required, and procedures to befollowed to ensure the continued availability of essential services, programs, and operations in theevent of unexpected interruptions.


3/69

3


How to preserve critical business functionsin the face of a disaster/Crisis so that it canmanage and survive the crisis and take appropriateaction to help ensure the organizations continuedViability

A plan for emergency response, backupoperations, and post-disaster recovery maintainedby an activity as a part of its security program thatwill ensure the availability of critical resources andfacilitate the continuity of operations in anemergency situation


4/69

4


Goalto assist theorganization/business to continuefunctioning even though normaloperations are disrupted

Beforedisruption DuringDisruption After DisruptionSteps


5/69

5

Why BCP is Required

Proactive rather than Reactive

It is better toplan activitiesahead of timerather

than to reactwhen the timecomes

Maintain businessoperations

Keep the moneycoming in Short and long

term loss of business

Effect oncustomers

Public image Loss of life


6/69

6

Utility failuresIntrudersFire/SmokeWater

Natural disasters (earthquakes, snow/hail/ice,lightning, hurricanes)Heat/HumidityElectromagnetic emanationsHostile activityTechnology failur e

The Problem


7/69

7

The Problem

50%

25%

10%

10%5%

Errors & Omissions Fire,water,electrical Dishonest employees

Disgruntled employees Outside Threats


8/69

8

Utility failuresIntrudersFire/SmokeWater

Natural disasters (earthquakes, snow/hail/ice,lightning, hurricanes)Heat/HumidityElectromagnetic emanationsHostile activityTechnology failur e

The Problem


9/69

9

The Controls

Information SecurityRedundancy

Backed up data Alternate equipment Alternate communications Alternate facilities

Alternate personnel Alternate procedures


10/69

Key Elements

Disaster Recovery Business Recovery Contingency Planning Crisis Management


11/69

Create a Business ContinuityManagement Team

Lead by Top Management

Responsible for creating andMaintaining, testing andImplementing comprehensive

BCP Top down approach Awareness at all levels

Key PlayersSenior OfficialsInternal AuditRisk ManagementLegalFinance/Budget

ProcurementSafety


12/69

Corporate Policy

BCP Policy committed to undertake all reasonable andappropriate steps to protect people, property and allbusiness interests is essential.

Corporate policy should contain a definition of crisis Responsibility for systems ,resources and key business

process should be clearly identified BCP team should include top senior leaders, major

organizational functions and support groups, widespread acceptance.

Communicated throughout the organization


13/69

Business Continuity Process Assess - identify and triage all threats (BIA) Evaluate - assess likelihood and impact of

each threat Prepare plan for contingent operations

Mitigate - identify actions that may eliminaterisks in advance Respond take actions necessary to minimize

the impact of risks that materialize Recover return to normal as soon as possible


14/69

BIA

Any organizational impacts that could resultfrom an interruption of normal operationsshould be examined.

Identify critical process and document it-purchasing, manufacturing,supplychain

Process should be ranked as HML Assess Impact if crisis were to Happen

Human cost Financial cost Corporate Image cost


15/69

BIA Review Factors

All Hazards Analysis

Likelihood of Occurrence

Impact of Outage on Operations System Interdependence

Revenue Risk

Personnel and Liability Risks


16/69

LTU CISP Security 16

The Steps in a BCP - 1

Risk Assessment/Analysis Potential failure scenarios (risks) Likelihood of failure Cost of failure, quantify impact of threat

Assumed maximum downtime Annual Loss Expectancy Worst case assumptions Based on business process model? Or IT model? Identify critical functions and supporting resources

Balance impact and countermeasure cost Key -

Potential damage Likelihood


17/69


Definitions

Threat any event which could have an undesirable impact

Vulnerability absence or weakness of a risk-reducing safeguard, potential to allow a

threat to occur with greater frequency, greater impact, or both Exposure a measure of the magnitude of loss or impact on the value of the asset

Risk the potential for harm or loss, including the degree of confidence of

the estimate


18/69


Definitions

Quantitative Risk Analysis quantified estimates of impact, threat frequency, safeguard effectiveness and

cost, and probability

Powerful aid to decision making Difficult to do in time and cost

Qualitative Risk Analysis minimally quantified estimates Exposure scale ranking estimates Easier in time and money

Less compelling Risk Analysis is performed as a continuum from fully qualitative to less

than fully quantitative


19/69


Results

Loss impact analysis Recovery time frames

Essential business functions Information systems applications

Recommended recovery priorities & strategies Goals

Understand economic & operational impact Determine recovery time frame (business/DP/Network) Identify most appropriate strategy Cost/justify recovery planning Include BCP in normal decision making process


20/69


Threats

Hardware failure Utility failure Natural disasters Loss of key personnel

Human errors Neighborhood hazards Tampering Disgruntled employees Emanations Unauthorized access Safety Improper use of technology Repetition of errors Cascading of errors

Illogical processing Translation of user needs

(technical requirements) Inability to control technology Equipment failure Incorrect entry of data Concentration of data Inability to react quickly Inability to substantiate

processing Concentration of

responsibilities Erroneous/falsified data Misuse


21/69


Risk Analysis Steps

1 - Identify essential business functions Dollar losses or added expense Contract/legal/regulatory requirements Competitive advantage/market share

Interviews, questionnaires, workshops 2 - Establish recovery plan parameters Prioritize business functions

3 - Gather impact data/Threat analysis Probability of occurrence, source of help Document business functions Define support requirements Document effects of disruption Determine maximum acceptable outage period Create outage scenarios


22/69


Risk Analysis Steps

4 - Analyze and summarize Estimate potential losses

Destruction/theft of assets

Loss of data Theft of information Indirect theft of assets Delayed processing Consider periodicity

Combine potential loss & probability Magnitude of risk is the ALE (Annual Loss Expectancy) Guide to security measures and how much to spend


23/69

Prioritize Risk Factors

Personal Safety RiskServices RiskOperational Risk

Revenue RiskLiability RiskGood Will (Societal) Risk


24/69

What Are External Risks?

External Risks are risks presented byfactors outside the enterprise; theseinclude risk present in natural disaster,labor strife, the possible failures of

business partners, suppliers, publicutilities, transportation,telecommunications, and otherbusinesses.


25/69

Loss of Lifelines

What will we do if there is not power?

No phone service?

No Water?

Government services?

How will the public react?


26/69

Develop Scenarios

How bad will the big one be?

Extended Power, Water, or Telecom Outages? Supply Chain Disruptions? Civil unrest?

Develop various scenarios and pick which ones toplan for.


27/69

Evaluating Alternatives

Functionality - provides an acceptable level of

service Practicality - is reasonable in terms of the time

and resources needed to acquire, test, andimplement the plan

Cost Benefit - cost is justified by the benefit to bederived from the plan


28/69


29/69



Strategy Development (Alternative Selection) Management support Team structure Strategy selection

Cost effective Workable


30/69

Resources required for recoveryIdentify resources required for recovery and resumption.

ReSources personnel,hardware,software,specilisedequipment, facility/space and critical records

Backing up and storing critical and vital business records

in a safe and accessible location is a prerequisite.Risk assessment and BIA provide the foundation onwhich organisations BCP can rest.


31/69

Crisis Management and Response team development

Establishment of appropriate administrative structure to

deal with crisis management.Clear definition of the management structure authorityfor decisions and responsibility for implementation.

Should have crisis management team to lead incidentresponse.

Team should comprises of members of critical business

process lead by senior management.Crisis mnagement team supported by response teams.

Response plans to address various aspects of potentialcrises


32/69

Crisis Management and Response team development

Establishment of appropriate administrative structure to

deal with crisis management.Clear definition of the management structure authorityfor decisions and responsibility for implementation.

Should have crisis management team to lead incidentresponse.

Team should comprises of members of critical business

process lead by senior management.Crisis mnagement team supported by response teams.

Response plans to address various aspects of potentialcrises


33/69



Implementation (Plan Development) Specify resources needed for recovery Make necessary advance arrangements Mitigate exposures


34/69



Risk Prevention/Mitigation Security - physical and information (access) Environmental controls Redundancy - Backups/Recoverability

Journaling, Mirroring, Shadowing On-line/near-line/off-line

Insurance Emergency response plans Procedures

Training Risk management program


35/69

Mitigation StrategiesCost effective mitigation strategies should be employed

to prevent or lessen the impact of potential crises.Securing equipments and tables by strapping to the wallpreventation from earthquake ,Sprinkler systems canlessen the risk of fire ,a strong records management canmitigate the loss of key datas.

Resources required for mitigation process should beidentified.

Systems and resources should be monitored continuallyas a part of mitigation startegy


36/69

MTDEstablish an estimate of the maximum tolerable

downtime (MTD) for each business process.Determine how long process can be non functionalbefore impacts becomes unacceptable

Determine how soon process should berestored(Shortest allowable outage restored first)

Identify alternate procedures to a process

Evaluate costs of alternate procedures vs waiting forsystem to be restored

Determine the priorities and processes for recovery of

critical business processes .


37/69



Decision Making Cost effectiveness

Total cost

Human intervention requirements Manual functions are weakest

Overrides and defaults Shutdown capability Default to no access

Design openness Least Privilege

Minimum information Visible safeguards

Entrapment Selected vulnerabilities made attractive


38/69



Decision Making Universality Compartmentalization, defense in depth Isolation

Completeness Instrumentation Independence of controller and subject Acceptance Sustainability

Auditability Accountability Recovery


39/69


Remedial Measures

Alter environment Erect barriers Improve procedures

Early detection Contingency plans Risk assignment (insurance) Agreements

Stockpiling Risk acceptance


40/69


Remedial Measures

Fire Detection, suppression

Water Detection, equipment covers, positioning

Electrical UPS, generators Environmental

Backups

Good housekeeping

Backup procedures Emergency response procedures


41/69



Plan Development Specify resources needed for recovery Team-based Recovery plans Mitigation steps Testing plans

Prepared by those who will carry them out


42/69

Review External Dependencies

Suppliers

Subcontractors

Vendors

Your

Organization

Clients /Customers

Conduit

Organizations

Infrastructure Dependence (power, telecom, etc.)

System Up Time (computing, data,networks, etc.)

C I f i


43/69

Contact InformationContact information of crisis management team and

response team should be maintained.Information should be updated regularly .

Compliance audits should be conducted to enforce BCP

Policies.Policy violations should be highlighted and correctiveactions to be taken

M it i S t d R


44/69

Monitoring Systems and ResourcesResources include

Emergency equipment

Fire alarms' and suppression systems

Local resources and vendors

Alternate work sites

System backups and offsite storage.

A id d t d d t ti


45/69

Avoidance ,deterrence and detectionBCP should address the specifics of potential crisis and

include overall deterrence and any precursors andwarning signs ,detection measures.

Workplace violence

Natural disasters Protests/riots

Product or manufacture failure

Hostile takeover

Terrorism

Lawsuits

A id d t d d t ti


46/69

Avoidance ,deterrence and detectionEmployee should be appropriately motivated to feel

personally responsible for avoidance ,deterrence anddetection.

Facilities enhancing Avoidance

Architectural Natural or manmade barriersOperational: Security officers check posts, employeeawareness programmes, surveillance and counter

intelligenceTechnological: Intrusion Detection, access control, cctv,package and baggage screening.

P t ti l C i i R g iti


47/69

Potential Crisis RecognitionIf potential crisis exists. Organization should be able to

recognize when specific dangers occur .Identification of danger signals coupled with thelikelihood of an event is indicative of an imminent crisis.

Unusual changes in sales volume Legislative changes

Corporate policy changes

Changes to competitive environment

Changes to supply based environment

Warning of natural disasters

P t ti l C i i R g iti


48/69

Potential Crisis RecognitionIdentification of danger signals coupled with the

likelihood of an event is indicative of an imminent crisis. Cash flow changes

Potential for civil or political instability

Hostile labor negotiations

Strikes

Report Potential crisis


49/69

Report Potential crisisCertain departments and functions are well placed to

observe warning signs of imminent crisis. Personnelassigned to these functions should be trainedappropriately.

Crisis should be communicated to all EMPLOYEES

A Potential crisis once recognized should be immediatelyreported.

Parameters for notification criteria should be established,documented and adhered to by all employees.

Report Potential crisis


50/69

Report Potential crisisQualified personnel should have ready access to theupdated ,confidential listings of persons andorganizations to be contacted when certain conditions orparameters of a potential crisis are met.

Types of Notification

Notifications in a crisis situation should be timely andclear and should use variety of procedures andtechnologies.

Sometimes notification systems are also impacted by thedisaster thus redundancies built into the notification

Assessment of the situation: size of the problem

potential for escalation, possible impact of the situation.

Declare a Crisis


51/69

Declare a CrisisThe point at which a situation is declared as a criisisshould be clearly defined ,documented and fit everyspecific and controlled parameters.

Activities that declaring a crisis will trigger

Evacuation,shelter and relocation

Safety protocol

Response site and alternate site activation

Team deployment

Operational Changes

Execute the Plan


52/69

Execute the PlanBCP should be developed around worst case scenario, responsecan be scaled up to match the actual crisis .

Goals should protect the following interests

Save lives and reduce chances of further injuries and deaths

Protect assets

Restore critical business processes and systems

Reduce downtime

Protect reputation damage

Control media coverage

Maintain Customer relation

Communications


53/69

CommunicationsEffective communications is one of the most importantingredients in crisis management.

Identify the Audience

Internal and external audience should be identified to conveycrisis and organizational response. It is often appropriate to

segment the audiences. Messages tailored specifically for a groupcan be released.

Internal Audience

Employees and their families

Business owners and Partners

Board of Directors

Communications


54/69

CommunicationsExternal Audience

Present and potential Customers/clients

Contractors and vendors

Media

Govt and regulatory agencies Local law enforcement

Investors and shareholders

Surrounding Communities EMERGENCY RESPONDERS

Communications With Audience


55/69

Communications With Audience Communications should be timely and honest

An audience should hear the news from the organization Should provide objective and subjective assessment

All employees should be informed at the same time

Give bad news all at once do not sugar coat it

Provide regular updates

Communications- Face to face meetings, News conference,Voice mail, Company intranet and internet sites, toll freehotline, special newsletter, local and national newspaper

Communications With Audience


56/69

Communications With AudienceOfficial Spokesman : The company should designate a singleprimary spokesperson . This person should be trained in media

relationship prior to crisis. All in formations should be funneledthrough a single source to assure that the messages beingdelivered are consistent.

Resource Management :

How Human resources are managed will decide success or failureof Crisis management

Accounting for All Individuals : A system should be devised by

which all personnel can be accounted for quickly after the onset of a crisis.

Accurate contact information should be maintained and updated

Notification of Next of Kin by a senior manager in case of injury orfatality

Resource Management


57/69

Resource ManagementFamily Representatives : Family representative programin case of injuries and fatality. Family representativeshould be some one other than the Person whoperformed the notification.

Link between the Organization and The Employees

family .Financial Support During the crisis there may befinancial implications for the organization and the

families of the employees. Implications may includefinancial support to victims family

Pay roll : Should be functional throughout the crisis.

Logistics


58/69

LogisticsLogistical decisions made in advance will impact the success orfailure of a good BCP

Crisis Management Centre Should be identified in advance. Thisis the initial site used by the crisis management team andresponse team for directing and overseeing crisis managementactivities.

It should have uninterruptible power supply, computercommunication, heating and ventilating conditions system andother support systems. Emergency supplies should be identifiedand kept in the centre.

Access control system should be implemented with the membersof team given 24x7 access.

A secondary Crisis management centre should be identified in the

event that the primary centre is impacted due to the crisis

Logistics


59/69

LogisticsAlternate Worksite Organization should have alternate worksiteidentified for business recovery and resumption.

Offsite storage Allows rapid crisis response and businessrecovery. Critical documents and information are stored. Sufficientdistance form the primary facility

Financial and Insurance issue : Existing funding and Insurancepolicies should be examined ,additional funding and insurancecoverage should be identified and obtained

Amount of fund required for continuity of operations should beidentified

Some cash and credit should be available for weekend and afteroffice hours .

Insurance providers should be contacted as soon as possible.

Logistics


60/69

LogisticsTransportation at the time of Crisis may be a challenge

Evacuation of personnel Transportation to an alternate site

Supplies to an alternate site

Transportation of critical data to alternate site

Transportation of staff with special needs .

Suppliers/Service Providers Critical vendor or serviceprovider agreements should be established and contactinformation maintained. Evaluate their ability to providenecessary supplies and services in the case of far

reaching crisis.

Mutual Aid Agreements


61/69

Mutual Aid Agreements Identify resources that may be borrowed from other

organizations during a crisis as well as mutual supportthat may be shared with other organization.

Damage and Impact assessment : Once the CrisisManagement team is activated damage should be

assessed . All incidents should be recorded anddocumented including the response actions.

Crisis Involving Physical Damage Crisis Management

team should be mobilized at site .Entry approval by Public safety authority. Make a

preliminary assessment of the extent of damage and thelikely length of time that the facility will be unusable .

Recovery


62/69

Recovery Once the extent of damage is known process recovery

should be prioritized and a schedule for resumptionsdetermined and documented.

Resumptiions of critical process

Resumptions of other processes

Return to Normal operations - Return to pre crisisnormal /New normal

Organization springs back to productive work Crisis may be officially declared over

Recovery


63/69







Implementing plan


64/69

Implementing plan BCP is a living document ,evolutionary that grows and

changes with the organization and remains relevant andactionable.

Educate and train only as valuable as others have theknowledge of it. Time commitment from all stakeholders

Crisis management team and response teams are to betrained at least annually , new members when they joinResponsibilities and accountabilities authority should be

clearly defined. Educate and train all personnel.


65/69


Test the BCP

Plan Testing Proves feasibility of recovery process Verifies compatibility of backup facilities

Ensures adequacy of team procedures Identifies deficiencies in procedures

Trains team members

Provides mechanism for maintaining/updating theplan

Upper management comfort


66/69


The Steps in a BCP - Finally

Plan Testing Checklist Structured Walkthroughs

Life exercises/Simulations Periodic off-site recovery tests/Parallel Full interruption drills


67/69


Test MonitoringTest Monitoring Assign observers to take notesduring the test. Video tape/Audio recording can bedone .Assign to document events chronologically

Testing scenarios should be designed using the

events identified in the risk assessmentParticipants should understand their individual rolesand should be allowed to interact freely

After completion of exercise/test it should becritically evaluated, effectiveness of the test, desiredlevel of goals attended.

Develop BCP Review Schedule


68/69

Develop BCP Review Schedule BCP should be reviewed and evaluated according to the

predetermined schedule.

Reviewed every time a risk assessment is carried out.

Major trends in the sector or industry or any initiativetaken should initiate a review.

New regulatory requirement

Test and exercise results.

Recovery


69/69







Documents

Business Continuity Planning Anjan