Qatar Proposal

Page 1: Qatar Proposal

What is Business Continuity Management (BCM)?

Business Continuity Management (BCM) is the development of strategies, plans and actions that provide protection, or an alternative mode of operation, for achieving the operational and financial objectives of the business.

BCM consists of the following elements:

• Crisis Management & Communication: crisis management focuses on stabilizing the situation and preparing the business for recovery operations through planning, leadership and communication.

• Business Recovery Planning: the resumption of business-critical functions and processes to support the delivery of products and services to customers.

• IT Service Continuity Management: the recovery of critical IT assets, including systems, applications, storage and network assets.

BCM objectives:

• Operational Objectives
• Commercial Objectives
• Compliance Objectives

Page 2: Qatar Proposal

BCM terminology is confused with different terms!

Business Continuity Management (BCM) is often misinterpreted as one of the following:

• Disaster Recovery
• Contingency Planning
• Recovery Planning
• Emergency Response

IT Service Continuity Management (ITSCM) is far more than just Disaster Recovery Planning. ITSCM is aligned to Business Continuity Planning. ITSCM investigates, develops and implements measures to prevent disasters from occurring in the first place, and it helps to determine what constitutes a “Disaster”. ITSCM addresses risks that could cause impact and threaten the continuity of the business. These could be:

• loss, damage or denial of access to key infrastructure
• corruption of key information
• sabotage or commercial espionage
• deliberate infiltration
• attack on critical information systems that may disrupt normal business

ITSCM is the “IT component” of BCM.

Page 3: Qatar Proposal

Business Continuity Management (BCM) Activities

The BCM Programme Manager drives the programme through four phases:

• Understand the Business
• Analyze & Determine the BCM Strategy
• Develop, Commit to & Supplement the BCM Response
• Exercise, Test and Maintain the Programme Periodically

Activities within the programme:

• Define Disaster
• Define Communication Plan, Roles & Responsibilities
• Identify assets, functions, processes and systems
• Interview business stakeholders and key users
• Interview information systems & support personnel
• Analyze and determine critical systems, applications, business processes and key personnel
• Prepare impact analysis of critical systems
• Prepare critical system ranking form
• Implement BCM
• Test and Maintain

Page 4: Qatar Proposal

Defining a Disaster

Defining the pre-conditions that constitute a disaster is part of the ITSCM process. The definitions are an integral part of any Service Level Agreement relating to the provision of services.

What is an IT Disaster?

A disaster may be defined as the prolonged loss of an entire computing center, not a component failure and its associated recovery.

Worst-case scenario of a disaster:

• All equipment and data within the datacenter destroyed
• Access to the datacenter prohibited due to datacenter damage
• Staff familiar with the datacenter, equipment and applications unavailable for the recovery

Each organization must provide its own “IT Disaster” definition.

Page 5: Qatar Proposal

Disasters cause immense destruction

According to Swiss Re, extreme weather events in the U.S. dominated the list of the most expensive disasters of 2012, with Hurricane Sandy alone costing an estimated $70 billion in total damage and $35 billion in insured losses.
Source: http://www.climatecentral.org/news/us-dominated-global-disaster-losses-in-2012-insurer-reports-15814

Economic losses from natural catastrophes and man-made disasters reached USD 186 billion in 2012. Insured losses amounted to USD 77 billion, making 2012 the third most costly year on record.
Source: http://www.swissre.com/media/news_releases/nr_20130327_sigma_natcat_2012.html

Page 6: Qatar Proposal

Some known Causes of Disasters

Page 7: Qatar Proposal

The Business Value of ITSCM

• Regulatory requirements: recovery capability is becoming a mandatory requirement.

• Positive marketing of contingency capabilities: being able to demonstrate effective ITSCM capabilities enables an organization to provide high service levels to clients and customers, and thus win business.

• Organizational credibility: the directors of an organization have a responsibility to protect the shareholders’ interests and those of their clients.

• Competitive advantage: service organizations are increasingly being asked by business partners, customers and stakeholders to demonstrate their contingency facilities, and may not be invited to tender for business unless they can demonstrate appropriate recovery capabilities.

• Potentially lower insurance premiums: the IT organization can help the organization demonstrate to underwriters or insurers that it is proactively managing down its business risks.

Page 8: Qatar Proposal

Information Security Continuous Monitoring

In today’s environment, where many, if not all, of an organization’s mission-critical functions are dependent upon information technology, the ability to manage this technology and to assure the confidentiality, integrity, and availability of information is mission-critical.

Ongoing monitoring is a critical part of the risk management process. In addition, an organization’s overall security architecture and accompanying security program are monitored to ensure that organization-wide operations remain within an acceptable level of risk, despite any changes that occur. Timely, relevant, and accurate information is vital, particularly when resources are limited and organizations must prioritize their efforts.

Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

Source: NIST Special Publication 800-137

Page 9: Qatar Proposal

Information Security Continuous Monitoring Process

The ISCM process is a cycle of six steps: Define, Establish, Implement, Analyze, Respond, Review/Update.

• Define (Business Impact): define an ISCM strategy based on risk tolerance that maintains clear visibility into assets, awareness of vulnerabilities, up-to-date threat information, and mission/business impacts.

• Establish (Risk Assessment): establish an ISCM program, determining metrics, status monitoring frequencies, control assessment frequencies, and an ISCM technical architecture.

• Implement (Risk Based Audit Plan): collect the security-related information required for metrics, assessments, and reporting. Automate collection, analysis, and reporting of data where possible.

• Analyze: analyze the data collected and report findings, determining the appropriate response. It may be necessary to collect additional information to clarify or supplement existing monitoring data.

• Respond (Disaster Recovery Plan): respond to findings with technical, management, and operational mitigating activities, or with acceptance, transference/sharing, or avoidance/rejection.

• Review/Update (Audit): review and update the monitoring program, adjusting the ISCM strategy and maturing measurement capabilities to increase visibility into assets and awareness of vulnerabilities, further enable data-driven control of the security of an organization’s information infrastructure, and increase organizational resilience.

Page 10: Qatar Proposal

Risk Management Framework Process Overview

The Risk Management Framework is a cycle of six steps:

• Categorize Information System
• Select Security Controls
• Implement Security Controls
• Assess Security Controls
• Authorize Information System
• Monitor Security Controls

Inputs to the framework:

• Organizational Input: laws, directives, policy guidelines, strategic goals and objectives, priorities, resource availability, etc.
• Architecture Description: architecture reference model, mission and business processes, information system boundaries.

Page 11: Qatar Proposal

IT Strategy and IT Roadmap Portfolio

IT Strategy: we bring deep understanding and years of experience in developing IT capabilities into engines of business value.

Our experienced professionals, with many years of professional and management experience, work with leadership and IT teams to identify the roles of technology in a business strategy, the capabilities IT can provide, and how the IT organization needs to be managed in order to deliver its commitments. We work with our clients to understand the ROI that can be leveraged from current and leading technologies.

Our Service Capabilities are:

• Business IT Alignment: alignment of IT Strategy to the business; IT Governance alignment; IT Portfolio Lifecycle management
• IT Leadership Management: advising CIOs on how to manage the IT organization, including staff, vendors, funding, business cases, technology and other critical areas
• IT Organizational and Cost Assessments
• Vendor Strategy Development
• Software Selection Services
• IT Transformation: we assist you through IT organizational redesign projects; IT Service Continuity Management design, implementation and management; IT Portfolio and Program Management Services
• IT Service Operation
• IT Service Management

Page 12: Qatar Proposal

Our IT Infrastructure Managed Services Portfolio

Service areas: Customer Service Desk; Infrastructure Services (Server); Infrastructure Services (Client); Virtualisation; Collaboration.

Services offered:

• Helpdesk, Single Point of Contact
• 1st to 3rd Level Support
• Telephone & Remote Support 7x24
• Application availability and performance monitoring
• 7x24 on-site intervention
• Server & Storage monitoring
• Network monitoring
• Data Centre (HVAC) monitoring
• Hardware staging, burn-in tests
• Server Virtualisation (VMware)
• Rollouts
• Exchange Migration
• Windows Migration
• Server monthly patching (WSUS)
• Complex Hardware Configuration
• Disaster Recovery Setup and Tests
• Project Management, implementation and sign-off for infrastructure projects
• System Management
• High availability solutions
• ITIL implementation (Incident, Change, Problem and Asset Management)
• Server Hardening and on-line backup
• Intrusion Prevention, Detection and Response
• ISO 27001 Certification Support
• User profiles, Group Policies
• ThinApp
• Data Management
• Online Backup for Client
• Citrix implementation
• Topological Vulnerability Analysis: Prevention, Detection and Response
• Enterprise Information Management
• Secure Sync & Share (Cloud or on-site solutions)
• MS SharePoint, Open Source (Liferay) vertical platform solutions
• VoIP Implementation and Management

Page 13: Qatar Proposal

Our Forte: Compliance Driven to Data Driven Risk Management

Operations Security & Services Security compliance by monitoring & reporting:

• Monitor special privileges, e.g. operations and administrator accounts, and manage Identity and Access Management
• Monitor schedules and backups of critical information
• Anti-virus management
• Malware management
• Incident, Problem, Change and Configuration Management
• End-point security updates
• Handle violations, incidents and breaches, and report where necessary
• Support high availability
• Implement and support patch and vulnerability management
• Respond to attacks and other threats, e.g. spam, viruses, spyware, phishing

Page 14: Qatar Proposal

IT Security Management Services

Governance

• Information Security & Risk Management Strategy

• Information Security Governance and Information Security Frameworks

• Information Security Management System (ISMS) according to ISO/IEC 27001

Risk Management

• Risk Management & Gap Analysis

• Crisis Management

Compliance

• Compliance Checks

• Control Framework

Security Awareness Training

• Create awareness

• Emotionalize (convey a positive attitude towards IT security issues)

• Motivate (trigger a behavioral change towards sensitivity to the issue)

Project Management

• Project Portfolio Management & Steering