ILLINOIS INSTITUTE OF TECHNOLOGY
information technology & management
INFORMATION SYSTEMS MANAGEMENT
security

A New Model for Business Contingency Operations

Ray Trygstad
Director of Information Technology, Center for Professional Development
Associate Director, Information Technology and Management Degree Programs
ILLINOIS INSTITUTE OF TECHNOLOGY

©2008 Ray Trygstad


Introduction

New model for business contingency response team structure

• Background
• Terms
• Team Structures in common use
• The Contingency Response Team structure
• Contingency Response Officer
• Team structure


What is a “contingency”?

An event that has a potential or proven ability to disrupt normal operations of the organization

The organization could be a business, a government agency, a university, or a non-profit that carries out what can broadly be termed “business activities” of some kind

Response to business contingencies often falls on IT

• Particularly the IT Security function
• Incidents often are specifically IT-security related


Contingencies are a Business Issue!

BUT, and this is a really big but: business contingency response is first and foremost a MANAGEMENT responsibility

It addresses the ability of the organization to continue to operate in situations which put the organization's operations in serious jeopardy

Although the largest area of complexity in continuity of operations is in the IT area, management cannot “dump” responsibility for continued operations solely on IT


When do We Need Contingency Response?

Natural events: hurricane, tornado, flood, earthquake, fire

Human initiated events: operator error, sabotage, malicious code and other computer-based attacks, accidents, military actions, terrorist attacks

Operating Environment events: equipment failure, software errors, telecommunications/network outage, electric power failure


Event Sequence to Contingency

[Figure labels: RISK MANAGEMENT (Security Control Implementation, Contingency Planning); Emergency Event; CONTINGENCY PLAN EXECUTION. Source: NIST Special Publication 800-34]


Terminology

Many terms in use

Inconsistent and imprecise

• BS 25999 and HB292-2006 (Australia) use “Business Continuity Management” (BCM)
• NIST SP 800-34 uses both “Business Continuity” and “Continuity of Operations”
• NFPA 1600 uses “Disaster/Emergency Management and Business Continuity” but refers to an instance as an “incident”


Terminology

HB291-2004 (Australia) provides a good definition:

“Business Continuity Management provides the availability of processes and resources in order to ensure the continued achievement of critical objectives”

I am going to use the term “Business Contingency Operations” because

• Although “BCM” is a de facto standard, there is really no “standard”
• It’s the most descriptive term for the area I am addressing


Contingency Response Teams

• Although it is prescribed only in a rudimentary fashion in most standards documents, contingency response in most organizations is done through the use of teams
• BS 25999-1:2006 discusses the Incident Management Team or Crisis Management Team
• HB292-2006 & NFPA 1600 not at all


Contingency Response Teams

NIST 800-34 goes a little “team happy”:

• Management Team
• Damage Assessment Team
• Operating System Administration Team
• Systems Software Team
• Server Recovery Team (e.g., client server, Web server)
• LAN/WAN Recovery Team
• Database Recovery Team
• Network Operations Recovery Team
• Application Recovery Team(s)
• Telecommunications Team
• Hardware Salvage Team
• Alternate Site Recovery Coordination Team
• Original Site Restoration/Salvage Coordination Team
• Test Team
• Administrative Support Team
• Transportation and Relocation Team
• Media Relations Team
• Legal Affairs Team
• Physical/Personnel Security Team
• Procurement Team (equipment and supplies)


Contingency Response Teams

WHEW!

A bit much, eh?


BS 25999/BCI Approach

• GOLD (Strategic): Senior (Incident) Management
• SILVER (Tactical): Business Continuity Team
• BRONZE (Operational): Incident Response & Business Unit Resumption Teams

[Diagram labels: Escalation, Control]

Source: The Business Continuity Institute, Business Continuity Management GOOD PRACTICE GUIDELINES 2008


Contingency Response Teams

Regardless of how you approach it, experience has shown a team approach is the best method

Most literature discusses 3 or 4 primary teams:

• Incident Response Team
• Disaster Recovery Team
• Business Continuity Team
• and sometimes Crisis Management Team


Response Team Employment

• Common wisdom prescribes employment of the teams in sequential order on a handover basis
• First the Incident Response Team ... responds
• If the incident cannot be brought under control or escalates, it becomes a disaster
• Disaster Recovery Team takes over


Response Team Employment

• If operations cannot be continued at the organization’s primary site, Business Continuity Team facilitates operations at an alternative site
• Crisis Management Team invoked as necessary
  • Normally deals with issues surrounding loss of life or serious injuries as well as media relations
  • They just sort of “drift in and out” of the picture


My Experience

• Aviation Safety Officer curriculum at the Naval Postgraduate School, created by USC’s Institute for Safety and Systems Management
• M.S. in Systems Management; curriculum also created by USC Institute for Safety and Systems Management
• I learned that contingency response is contingency response is contingency response


My Experience

• From a process perspective, responding to an aircraft crash is no different than responding to a mainframe crash
• The military has developed a finely-tuned response to incidents & provides lessons we can all learn from
• Drawn heavily upon this background & experience in creating this concept


Contingency Response Team

• One of the issues that I view as a serious weakness in contemporary models for contingency response teams is who manages the overall response
• 3-team model presupposes handovers between teams but presents serious continuity problems
• My model adds an additional “team”: the Contingency Response Team
  • Could also call it the Contingency Management Team


Contingency Response Team

Contingency Response Team folds in all responsibilities normally exercised by the Crisis Management Team but extends this to provide:

1. Initial response including activation of the appropriate Plan: Incident Response, Disaster Recovery, Business Continuity
2. Ongoing administrative and facilities support of other teams as they execute their function
3. Wrap up functions as contingency operations draw to a close and normal operations resume

Exactly what the name implies: the core on which all contingency response rests


Contingency Response Team


Contingency Response Officer

• Key position on this team
• Not the Contingency Response Team Leader but is the person “on call”
• “Contingency Response Officer” (CRO) or “Contingency Response Manager”
• On duty for a 24 hour period
• Key point of contact for ANY contingency in the organization
• Organization members need to have drilled into them: if something out of the ordinary happens, CALL OR PAGE THE CRO


Contingency Response Officer

CRO must be sufficiently senior to make “snap” decisions affecting the health and future of the organization

• Must have the trust of C-level management
• Does not have to be an IT person but must have sufficient knowledge of IT to initiate response to an IT or IT security incident
• Small organization: at least 3
• Large organization: as many as 10
• During on-call period CRO must be immediately available by cell phone or page
• Should be near enough to the primary physical facility to be there quickly


Contingency Response Staffing

Supporting the CRO: 2 on-call administrative personnel

• Execute a calling tree
• Keep a running record of events
• Perform any duties as directed by the CRO
• Not decision makers but need to be on a 24 hour duty cycle
• Must be immediately available by cell phone or page
• Near enough to the primary physical facility to be there very quickly


Contingency Response Staffing

• The armed services respond very quickly to incidents because they have had a “duty section” structure in place since... well... forever
• This implements the same concept at a civilian level


Contingency Response Notification

Immediate response personnel (CRO and admin support) have cell phones/pagers supplied by the organization

• Handed off at relief each day
• ONLY one number to call/page CRO
  • Detached from who is actually on duty


Contingency Response Team

Composition of remainder of the team is much like you would find on a Crisis Management Team

• PR to handle media relations
• Legal to handle legal & compliance
• Management-level facilities member to expedite facilities issues

Team core ought to consist of executive assistants and senior administrators

• Not necessarily managers but the people who actually get things done
• You all know who these people are…


Contingency Response Team

Contingency Response Team Leader should be as senior a person in the organization as you can convince management the position ought to be!

• NOT a micromanager!
• Should relieve the CRO as soon as the situation is relatively under control and the Team Leader has been fully briefed


Expansion of Concept/Model

I am working to expand this concept in two directions

• An academic paper documenting the literature and clearly delineating the concept and design (I am an academic and I do have to get published)
• A whitepaper with a practical guide for implementation


Contact

Ray Trygstad


The End…

Questions?