absar-husain
What is Business Continuity Management (BCM)
Business Continuity Management (BCM) is the development of strategies, plans and actions that provide protection, or an alternative mode of operation, for achieving the operational and financial objectives of the business.
BCM consists of the following elements:
Crisis Management & Communication: crisis management focuses on stabilizing the situation and preparing the business for recovery operations through planning, leadership and communication.
Business Recovery Planning: involves the resumption of business-critical functions and processes to support delivery of products and services to customers.
IT Service Continuity Management: the recovery of critical IT assets, including systems, applications, storage and network assets.
Operational Objectives
Commercial Objectives
Compliance Objectives
BCM terminology is often confused with other terms!
Business Continuity Management (BCM) is often confused with the following related terms:
Disaster Recovery
Contingency Planning
Recovery Planning
Emergency Response
IT Service Continuity Management (ITSCM) is far more than just Disaster Recovery Planning. ITSCM is aligned to Business Continuity Planning. ITSCM investigates, develops and implements measures to prevent disasters from occurring in the first place. It helps define what constitutes a “Disaster”. ITSCM addresses risks that could cause impact and threaten the continuity of the business. These could be:
loss, damage or denial of access to key infrastructure
corruption of key information
sabotage or commercial espionage
deliberate infiltration
attack on critical information systems that may disrupt normal business
ITSCM is the “IT component” of BCM
Business Continuity Management (BCM) Activities
BCM Programme Manager
Understand the Business
Analyze & Determine BCM Strategy
Developing, Commitments & Supplementing BCM Response
Exercise, Test, Maintain the Programme Periodically
Define Disaster
Define Communication Plan, Roles & Responsibilities
Identify assets, functions, processes and systems
Interview business stakeholders and key users
Interview information systems & support personnel
Analyze and determine critical systems, applications, business processes and key personnel
Prepare impact analysis of critical systems
Prepare critical system ranking form
Implement BCM
Test and Maintain
Defining a Disaster
Defining the pre-conditions that constitute a disaster is part of the ITSCM process
The definitions are an integral part of any Service Level Agreement relating to the provision of services
What is an IT Disaster?
A disaster may be defined as the prolonged loss of an entire computing center
Not a component failure and its associated recovery
Worst-case scenario of a disaster
All equipment and data within the datacenter destroyed
Access to the datacenter prohibited due to datacenter damage
Staff familiar with the datacenter, equipment, and applications unavailable for the recovery
Each organization must provide its own “IT Disaster” definition
Disasters cause immense destruction
According to Swiss Re, extreme weather events in the U.S. dominated the list of the most expensive disasters of 2012, with Hurricane Sandy alone costing an estimated $70 billion in total damage and $35 billion in insured losses.
Source: http://www.climatecentral.org/news/us-dominated-global-disaster-losses-in-2012-insurer-reports-15814
Economic losses from natural catastrophes and man-made disasters reached USD 186 billion in 2012.
Insured losses amounted to USD 77 billion, making 2012 the third most costly year on record.
Source: http://www.swissre.com/media/news_releases/nr_20130327_sigma_natcat_2012.html
Some known Causes of Disasters
The Business Value of ITSCM
Regulatory requirements: the recovery capability is becoming a mandatory requirement.
Positive marketing of contingency capabilities: being able to demonstrate effective ITSCM capabilities enables an organization to provide high service levels to clients and customers and thus win business.
Organizational credibility: there is a responsibility on the directors of organizations to protect the shareholders’ interests and those of their clients.
Competitive advantage: service organizations are increasingly being asked by business partners, customers and stakeholders to demonstrate their contingency facilities and may not be invited to tender for business unless they can demonstrate appropriate recovery capabilities.
Potential lower insurance premiums: the IT organization can help the organization demonstrate to underwriters or insurers that they are proactively managing down their business risks.
Information Security Continuous Monitoring
In today’s environment where many, if not all, of an organization’s mission-critical functions
are dependent upon information technology, the ability to manage this technology and to
assure confidentiality, integrity, and availability of information is mission-critical.
Ongoing monitoring is a critical part of the organization’s risk management process. In addition, an
organization’s overall security architecture and accompanying security program are
monitored to ensure that organization-wide operations remain within an acceptable level of
risk, despite any changes that occur. Timely, relevant, and accurate information is vital,
particularly when resources are limited and organizations must prioritize their efforts.
Information security continuous monitoring (ISCM) is defined as maintaining ongoing
awareness of information security, vulnerabilities, and threats to support organizational risk
management decisions.
Source: NIST Special Publication 800-137
Information Security Continuous Monitoring Process
Define
Establish
Implement
Analyze
Respond
Review/ Update
Define (Business Impact): an ISCM strategy based on risk tolerance that maintains clear visibility into assets, awareness of vulnerabilities, up-to-date threat information, and mission/business impacts.
Establish (Risk Assessment): an ISCM program determining metrics, status monitoring frequencies, control assessment frequencies, and an ISCM technical architecture.
Implement (Risk-Based Audit Plan): collect the security-related information required for metrics, assessments, and reporting. Automate collection, analysis, and reporting of data where possible.
Analyze: the data collected, and report findings, determining the appropriate response. It may be necessary to collect additional information to clarify or supplement existing monitoring data.
Respond (Disaster Recovery Plan): to findings with technical, management, and operational mitigating activities or acceptance, transference/sharing, or avoidance/rejection.
Review/Update (Audit): the monitoring program, adjusting the ISCM strategy and maturing measurement capabilities to increase visibility into assets and awareness of vulnerabilities, further enable data-driven control of the security of an organization’s information infrastructure, and increase organizational resilience.
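The six ISCM steps above read as a cycle, and the cycle is easiest to see in code. The following Python script is an added example, not material from these slides or from NIST SP 800-137: it expresses risk tolerance as remediation and assessment age thresholds (Define/Establish), collects a constructed asset and vulnerability inventory with hypothetical hostnames (Implement), computes metrics and findings (Analyze), and maps each finding to one of the response options the Respond step names. All threshold values, hostnames, dates and decision rules are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed reference date so the example is deterministic; a real monitor uses date.today().
REFERENCE_DATE = date(2013, 6, 1)


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str      # "high" | "medium" | "low" (assumed scale)
    last_assessed: date   # when its security controls were last assessed


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    severity: str         # "critical" | "high" | "medium" | "low"
    first_seen: date      # when the scanner first reported it


# Define: risk tolerance expressed as the maximum number of days an open
# vulnerability of each severity may remain unremediated (assumed values).
REMEDIATION_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Establish: control assessment frequency per asset criticality (assumed values).
ASSESSMENT_FREQUENCY_DAYS = {"high": 30, "medium": 90, "low": 180}


def collect(today=REFERENCE_DATE):
    """Implement: gather the security-related information the metrics need.
    A real monitor would pull from a CMDB and a vulnerability scanner; this
    returns a constructed inventory (hypothetical hostnames) so it runs offline."""
    assets = [
        Asset("erp-db01", "high", today - timedelta(days=45)),
        Asset("web-frontend", "high", today - timedelta(days=10)),
        Asset("hr-portal", "medium", today - timedelta(days=20)),
        Asset("print-server", "low", today - timedelta(days=200)),
    ]
    vulns = [
        Vulnerability("erp-db01", "critical", today - timedelta(days=12)),
        Vulnerability("web-frontend", "high", today - timedelta(days=5)),
        Vulnerability("hr-portal", "medium", today - timedelta(days=100)),
        Vulnerability("print-server", "low", today - timedelta(days=30)),
    ]
    return assets, vulns


def analyze(assets, vulns, today=REFERENCE_DATE):
    """Analyze: compute the metrics and turn every threshold breach into a finding."""
    criticality_of = {a.name: a.criticality for a in assets}
    findings = []
    for a in assets:
        limit = ASSESSMENT_FREQUENCY_DAYS[a.criticality]
        age = (today - a.last_assessed).days
        if age > limit:
            findings.append({"asset": a.name, "type": "assessment_overdue",
                             "criticality": a.criticality, "severity": None,
                             "days_over": age - limit})
    for v in vulns:
        limit = REMEDIATION_SLA_DAYS[v.severity]
        age = (today - v.first_seen).days
        if age > limit:
            findings.append({"asset": v.asset, "type": "remediation_overdue",
                             "criticality": criticality_of[v.asset],
                             "severity": v.severity, "days_over": age - limit})
    metrics = {
        "assets_total": len(assets),
        "assets_assessment_overdue": sum(f["type"] == "assessment_overdue" for f in findings),
        "vulns_total": len(vulns),
        "vulns_past_sla": sum(f["type"] == "remediation_overdue" for f in findings),
    }
    return metrics, findings


def respond(finding):
    """Respond: pick one of the response options the ISCM step lists
    (mitigate, accept, transfer, avoid). The decision rules are assumptions."""
    if finding["criticality"] == "high" or finding["severity"] in ("critical", "high"):
        return "mitigate"          # technical/operational mitigating activity
    if finding["criticality"] == "low":
        return "accept"            # documented risk acceptance, re-checked next cycle
    return "mitigate"


def run_iscm_cycle(today=REFERENCE_DATE):
    """One Define/Establish/Implement/Analyze/Respond pass; Review/Update would
    adjust the threshold tables above based on the resulting report."""
    assets, vulns = collect(today)
    metrics, findings = analyze(assets, vulns, today)
    for f in findings:
        f["response"] = respond(f)
    return {"metrics": metrics, "findings": findings}


if __name__ == "__main__":
    report = run_iscm_cycle()
    print(report["metrics"])
    for f in report["findings"]:
        print(f"{f['asset']:13} {f['type']:20} {f['days_over']:>3}d over -> {f['response']}")
```

The point of keeping the thresholds in two small tables is that the Review/Update step then has something concrete to adjust: tightening a frequency or an SLA changes which records become findings on the next run, which is what "maturing measurement capabilities" means in practice.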
Risk Management Framework Process Overview
Risk Management Framework
Categorize Information System
Select Security Controls
Implement Security Controls
Assess Security Controls
Authorize Information System
Monitor Security Controls
Organizational Input: Laws, Directives, Policy Guidelines, Strategic Goals and Objectives, Priorities, Resource Availability, etc.
Architecture Description: Architecture Reference Model, Mission and Business Processes, Information System Boundaries
IT Strategy: We bring deep understanding and years of experience in developing IT capabilities into engines of business
value.
Our experienced professionals with many years of professional & management experience work with leadership and IT
teams to identify the roles of technology in a business strategy, the capabilities IT can provide and how the IT organization
needs to be managed in order to deliver its commitments. We work with our clients to understand the ROI that can be
leveraged from current and leading technologies.
Our Service Capabilities are:
Business IT Alignment:
Alignment of IT Strategy to business
IT Governance alignment
IT Portfolio Lifecycle management
IT Leadership Management: advising CIOs on how to manage the IT organization, including staff, vendors, funding, business cases, technology and other critical areas.
IT Organizational and Cost Assessments
Vendor Strategy Development
Software Selection Services
IT Transformation: we assist you through:
IT organizational redesigning projects
IT Services Continuity Management Design, implementation and management
IT Portfolio and Program Management Services
IT Service Operation IT Service Management
Our IT Infrastructure Managed Services Portfolio
Customer Service Desk Infrastructure Services (Server) Infrastructure Services (Client) Virtualisation
Collaboration
Helpdesk, Single Point of Contact
1st to 3rd Level Support
Telephone & Remote Support 7x24
Application availability and performance monitoring
7x24 on-site intervention
Server & Storage monitoring
Network monitoring
Data Centre (HVAC) monitoring
Hardware Staging, Burn-In Tests
Server Virtualisation (VMWare)
Rollouts
Exchange Migration
Windows Migration
Server monthly patching (WSUS)
Complex Hardware Configuration
Disaster Recovery Setup and Tests
Project Management, implementation and sign-off for infrastructure projects
System Management
High availability solutions
ITIL implementation (Incident, Change, Problem and Asset Management)
Server Hardening and on-line backup
Intrusion Prevention, Detection and Response
ISO 27001 Certification Support
User profiles, Group Policies
ThinApp
Data Management
Online Backup for Client
Citrix implementation
Topological Vulnerability Analysis Prevention, Detection and Response
Enterprise Information Management
Secure Sync & Share (Cloud or on-site solutions)
MS SharePoint, Open Source (Liferay) vertical platform solutions
VOIP Implementation and Management
Our Forte: Compliance-Driven to Data-Driven Risk Management
Operations Security & Service Security compliance by monitoring & reporting: monitor special privileges (e.g. operators and administrators) and manage Identity and Access Management
Monitor schedules and Backup of critical information
Anti-virus management
Malware management
Incident, Problem, Change and Configuration Management
End-point Security Updates
Handle violations, incidents, and breaches, and report where necessary
Support high availability
Implement and support patch and vulnerability management
Respond to attacks and other threats, e.g. spam, viruses, spyware, phishing
IT Security Management Services
Governance
• Information Security & Risk Management Strategy
• Information Security Governance and Information Security Frameworks
• Information Security Management System (ISMS) according to ISO/IEC 27001
Risk Management
• Risk Management & Gap Analysis
• Crisis Management
Compliance
• Compliance Checks
• Control Framework
Security Awareness Training
• Create awareness
• Emotionalize (convey a positive attitude towards IT security issues)
• Motivate (trigger a behavioral change towards the sensitivity of issue)
Project Management
• Project Portfolio Management & Steering