Presented at 2008 ISACA-NE Annual meeting. Discusses risk management methodology for recovery and continuity management initiatives.
Notes accompany this presentation. Please select Notes Page view. These materials can be reproduced only with written approval from Gartner. Such approvals must be requested via e-mail: [email protected]. Gartner is a registered trademark of Gartner, Inc. or its affiliates.
A Risk-based Approach to Recovery & Continuity Management
John P. Morency, CISA
Research Director
(978)-901-4123
Fact #1: "Disasters" happen more often than you think
Source: SunGard Availability Services U.S. data (number of events, share of total)
- Data Center Equipment Failure: 483 (34%)
- Weather-related disasters (e.g. hurricanes, floods, blizzards): 274 (20%)
- Power Outage: 209 (14%)
- Terrorism: 176 (12%)
- Flood: 90 (6%)
- Network Outage: 79 (5%)
- Fire/Explosion: 47 (3%)
- Software: 27 (2%)
- Bomb Threat/Evacuation: 27 (2%)
- Earthquake: 19 (1%)
- Building Damage, Gas/Water Break: 12 (1%)
Gartner Survey Findings: Last Time Continuity Plan was Exercised (N=168)

Plan types: DR = Disaster Recovery; WA = Work area/Workforce Continuity; BR = Business Resumption; CP = Contingency Planning; EM = Emergency/Incident Mgmt.; RS = Restoration

Last exercised                DR    WA    BR    CP    EM    RS
Within the last six months   26%   28%   29%   16%   21%   23%
Within the last year         13%   20%   17%   20%   20%   17%
Within the last two years    19%   25%   25%   16%   18%   17%
Never                        33%   18%   21%   35%   30%   36%
Not sure                      8%   10%    9%   13%   11%    7%

Two-thirds of organizations have had to use their BCM/DR plans within the last two years.
Fact #2: Post-9/11 Surge in Business Continuity Regulations and Standards
Timeline: Pre-9/11 (1991 - 2001) and Post-9/11 (2002 - 2008)
Regulations and standards shown on the timeline:
- Consumer Credit Protection Act
- OMB Circular A-130
- FEMA Guidance Document
- Paperwork Reduction Act
- FFIEC BCP Handbook
- Computer Security Act
- 12 CFR Part 18
- Presidential Decision Directive 67
- FDA Guidance on Computerized Systems used in Clinical Trials
- ANSI/NFPA Standard 1600
- Sarbanes-Oxley Act of 2002
- HIPAA, Final Security Rule
- FFIEC BCP Handbook
- Fair Credit Reporting Act
- NASD Rule 3510
- NERC Security Guidelines
- FERC Security Standards
- NAIC Standard on BCP
- NIST Contingency Planning Guide
- FRB-OCC-SEC Guidelines for Strengthening the Resilience of US Financial System
- NYSE Rule 446
- California SB 1386
- Australia Standards BCM Handbook
- GAO Potential Terrorist Attacks Guideline
- FPC 65
- NYS Circular Letter 7
- ASIS
- State of NY FIRM White Paper on CP
- NISCC Good Practices (Telecomm)
- Australian Prudential Standard on BCM
- HB221
- HB292
- BS25999
- SS507
- TR19
- CA Z1600
- Title IX – 110-53
Fact #3: DR is (Very) Important (source: 2008 Gartner Research Survey)
Business Context -- The IT Risk Pyramid
• Data accuracy, timeliness and consistency
• Financial reporting
• Regulatory compliance
• Opportunity capitalization
• Response to competitors
• Implementing major strategic change
• Knowledge sharing
• Information protection
• Attack prevention
• Continuous application and data availability
• Management communication, coordination and orchestration
• Employee productivity
Source: Westerman, G. "The IT Risk Pyramid: Where to Start with Risk Management", MIT CISR Research Briefing, V (1D), Mar 2005; and Westerman, G. & Hunter, R., IT Risk, Business Consequences, Harvard Business School Press, forthcoming. © 2006 MIT Sloan Center for Information Systems Research – Westerman
"Controlling continuity risk not only improves business continuity, but also starts to improve access, integrity, and strategic change risks."
IT Risks (the four A's): Business Agility; Availability & Continuity; Accessibility; Accuracy
Seven Risk Management Principles
1. Remember: IT risk is business risk
2. Consider IT risks in terms of the four A's — Access, Availability, Accuracy and Agility — and their consequences
3. Fix the foundation: Plug the holes in the dike, consolidate the infrastructure and simplify applications, in that order
4. Create risk governance structure and process; embed IT risk management into every business decision
5. Create a risk-aware culture — a culture that recognizes risk and can deal with it head-on
6. Look forward
7. Lead by example
Recovery & Continuity Business Case
“The Balancing Act”
Two Fundamental Questions
• How to define Marginal (or Residual) Risk
• How to Quantify Affordability
Generic Risk Definition Framework
Assessment Starting Point – ISACA P1
Focus on:
TBS
Application Risk Assessment – Part 1
Application Risk Assessment – Part 2
For each application, determine:
• What is the impact of downtime?
• Does increased downtime = increased impact?
Risk-based BIA Model
For each application, determine:
• What is the impact of downtime?
• Does increased downtime = increased impact?
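The two BIA questions above (impact of downtime, and whether impact keeps growing as downtime grows) can be made concrete per application. The following is an added example, not part of the presentation: each application carries a constructed schedule of cumulative business impact at downtime checkpoints, and the functions answer the two questions, derive the longest RTO the business can tolerate for a given loss budget, and rank applications by impact at a chosen outage length. The tier limits (Tier 1 = RTO within 24 hours, Tier 2 = within 72 hours) and all dollar figures are assumptions made for the example, not Gartner's definitions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Application:
    """One application in the BIA. impact_by_hour maps a downtime
    checkpoint (hours) to the cumulative business impact (dollars)
    the business expects to have suffered by that point."""
    name: str
    impact_by_hour: Dict[int, float]

    def checkpoints(self) -> List[int]:
        return sorted(self.impact_by_hour)


# Constructed sample data for the example (not survey or client figures).
APPS = [
    Application("order-entry",   {1: 50_000, 4: 250_000, 24: 2_000_000}),
    Application("payroll",       {1: 0, 24: 0, 72: 500_000}),   # batch job, tolerates days
    Application("intranet-wiki", {1: 1_000, 24: 5_000, 72: 5_000}),
]

# Assumed tier limits in hours; Tier 3 is anything slower than Tier 2.
TIER_LIMITS_HOURS = {1: 24, 2: 72}


def impact_at(app: Application, hours: float) -> float:
    """Question 1: impact after `hours` of downtime. The schedule is a step
    function, so we hold the impact recorded at the last checkpoint reached
    (zero before the first checkpoint)."""
    reached = [h for h in app.checkpoints() if h <= hours]
    return app.impact_by_hour[reached[-1]] if reached else 0.0


def impact_escalates(app: Application) -> bool:
    """Question 2: does increased downtime still mean increased impact at the
    end of the assessed horizon? True when impact grows between the last two
    checkpoints; False when it has plateaued (or only one checkpoint exists)."""
    cps = app.checkpoints()
    if len(cps) < 2:
        return False
    return app.impact_by_hour[cps[-1]] > app.impact_by_hour[cps[-2]]


def rto_ceiling(app: Application, tolerable_loss: float) -> Optional[int]:
    """First checkpoint at which cumulative impact exceeds the loss the
    business will accept; recovery must complete before this many hours.
    None means the loss budget is never exceeded within the horizon."""
    for h in app.checkpoints():
        if app.impact_by_hour[h] > tolerable_loss:
            return h
    return None


def recovery_tier(app: Application, tolerable_loss: float) -> int:
    """Map the RTO ceiling onto the assumed recovery tiers."""
    ceiling = rto_ceiling(app, tolerable_loss)
    if ceiling is None:
        return 3
    for tier, limit in sorted(TIER_LIMITS_HOURS.items()):
        if ceiling <= limit:
            return tier
    return 3


def rank_by_impact(apps: List[Application], hours: float) -> List[str]:
    """Applications ordered by impact at a given outage length, worst first,
    which is the priority order for recovery planning at that outage length."""
    return [a.name for a in sorted(apps, key=lambda a: impact_at(a, hours), reverse=True)]


if __name__ == "__main__":
    budget = 100_000.0  # assumed tolerable loss per application
    for app in APPS:
        print(f"{app.name:14s} impact@24h={impact_at(app, 24):>12,.0f} "
              f"escalates={impact_escalates(app)!s:5s} "
              f"rto_ceiling={rto_ceiling(app, budget)} tier={recovery_tier(app, budget)}")
    print("priority at 24h:", rank_by_impact(APPS, 24))
```

The step-function schedule is deliberate: BIA interviews yield impact estimates at a few discrete downtime points, not a continuous curve, and holding the last value avoids inventing impact between checkpoints. An application whose impact has plateaued is a candidate for a longer RTO; one whose impact is still escalating at the horizon needs a shorter RTO and a higher tier.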
Affordability Analysis Part I: Leverage DR Spending Benchmark Data
Source: Gartner November 2007
[Chart: 2007 IT spending growth (%) versus DR addressable budget ($1M, $5M, $10M), for two sectors]
State & Local Government
- Low End = $0.51M
- High End = $1.2M
- Midpoint = $0.9M
- 2007 IT Budget Growth Rate = 2.6%
Federal Government
- Low End = $3.9M
- High End = $9.9M
- Midpoint = $6.9M
- 2007 IT Budget Growth Rate = 5.5%
Gartner IT Spending Benchmark DR Addressable Budget
Source: Gartner November 2007
DRM Critical Success Factors (CSFs)
1. RTO/RPO requirements are defined, documented and updated for production applications
2. Recovery Data Center supports Tier 1 and Tier 2 RxO requirements
3. Emergency communications are regularly tested
4. Application Recovery management procedures support Tier 1 and Tier 2 RxO requirements
5. Data Recovery management procedures support Tier 1 and Tier 2 RxO requirements
6. Workarea Recovery procedures support Tier 1 and Tier 2 RxO requirements
7. DR Plan Testing is performed at least twice a year
8. DR plans are updated to address execution deficiencies encountered during testing
9. Business Operations Restoration processes are defined and tested
10. DR Program reports are published and distributed to senior management
Definition: The actions that are needed in order to improve Disaster Recovery Predictability, Effectiveness and Efficiency
Source: Gartner November 2007
Affordability Analysis Part II: Self Assessment
• Which CSFs are supported today?
• What is the current Maturity Level for each CSF?
• Which additional CSFs need to be supported?
• What is the target capability maturity level for each CSF?
• What are the associated improvement costs?
- By Budget Line Item
• Which continuity risks will be mitigated? By how much?
• How will improvement be measured?
Source: Gartner November 2007
Defining Audit-Ready Test Plans
Example - Objective #4 Test Plan
Business Imperatives
• Immediate
- Ensure that the DR Plan is current and relevant
- Plan support for less-than-24-hour RTOs and RPOs
- Increase the frequency and diversity of testing
- Formalize DR and BC management responsibilities
• Next 12 months
- Achieve a minimum of Stage 2 maturity if not already there
- Evaluate the implementation of data replication pilots
- Evaluate the implementation of server virtualization pilots
- Improve recovery testing results and execution predictability
• Beyond 12 months
- Implement failover, recovery and restoration automation pilots
- Align disaster recovery spending with risk management priorities
- Evaluate the use of data center automation software to improve DR execution efficiency and predictability