Business Continuity Risk Management IT Service Continuity · 2020-01-23 · Author: Business...


Business Continuity Risk Management IT Service Continuity

The Three Musketeers

“All for one, one for all”

Athol Culpan, Isaacs George and Ray Botardo

Agenda

Introductions – Athol Culpan

Case Study Overview – Athol Culpan

Business Continuity Management (BCM) – Isaacs George

Risk Management – Ray Botardo

IT Service Continuity Management (ITSCM) – Athol Culpan

Challenges and Lessons Learned – Panel (Athol, Isaacs & Ray)

Conclusion – Questions and Answers

Copyright © Datacom New Zealand Limited 2013 Thursday, 8 May 2014

Introductions

Isaacs George – Business Continuity Manager – Datacom

• Public and Private sector experience including Consulting

• Business Continuity Institute (BCI Certified), PMP, ITIL

• Contact details: Mobile: +64274888789, Email: isaacs.george@datacom.co.nz

Ray Botardo – Process Team Manager – Datacom

• Public and Private sector experience including Consulting

• CISM, PMP, COBIT 5, ITIL, ISO 20000

• Contact details: Mobile: +64277039326, Email: ray.botardo@datacom.co.nz

Athol Culpan – IT Service Continuity Manager

• Public and Private sector experience including Consulting

• ITIL 3 Expert, Prince2 Practitioner, ISO 20000

• Contact details: Mobile: +64272677555, Email: athol.culpan@datacom.co.nz


Case Study Introduction

Datacom needed to build an internal capability in the area of BCM and ITSCM.

The benefits of doing this are as follows:

• Assisting Datacom customers with their BCM requirements where asked to do so

• The expectation from our customers that we meet our contractual obligations in the case of a disaster

Datacom subscribes to the ITIL “Good Practice” guidelines

Strong investment by Datacom in BCM and Disaster Recovery


Datacom – BCP Approach


[Diagram: Datacom Systems Limited (DSL) – New Zealand BCP Directive. Labels shown: BCP Information Dependencies – ITSCM Planning; Common Risks; Common Actions; Unit Specific Risks; Unit Specific Actions; regional units DSL WGTN, DSL AKL and DSL CHCH; business units BU 1, BU 2 and BU 3.]


High Impact, Low Probability Events – earthquakes, tsunamis, volcanoes


BC – The Big Picture


The relationship between BC, DR, Risk, Security and IT Management

[Diagram showing the overlap of: Risk Management; Information Security Management; Disaster Recovery (DR); Business Continuity Management; IT Management.]

What is Business Continuity?


What it isn’t – it’s not just Disaster Recovery (DR)!

A holistic approach to identifying potential threats/risks to an organisation and quantifying the effects of those threats/risks if they eventuate

The purpose is to build resilience into the organisation and protect its sources of value

Resilience is the ability of an organisation to absorb, respond to and recover from a disruption or unexpected event

To reiterate – BCM is holistic (it applies to the whole organisation), cross-functional and cross-enterprise

Process and Approach – Based on the Business Continuity Institute’s (BCI) Good Practice Guideline BCM Lifecycle

Terminology

Recovery Time Objective (RTO) – How long a business process can be without its IT application before significant damage to finances or reputation occurs, or the limit required by legal or regulatory requirements

Recovery Point Objective (RPO) – How much data the business process can recreate or afford to lose

Maximum Tolerable Period of Disruption (MTPD) – The maximum amount of time that the business can survive without the business process in any form (manual or automated)


Business Impact Analysis (BIA)

Dependencies – for each business function

Risks

• The possibility that a threat leads to a disruption or loss of service

• Can be specific to a business unit, or common across several business units (e.g. fire, earthquake, theft, malware attack)

• Defined by:

– Severity (impact to the business)

– Occurrence (probability)

– Level of Control (practices, processes, technology)

• RPN (Risk Priority Number) = S x O x C


Risk Analysis Cycle

• Risk scenario – threat category (Environment, Process, People, Technology)

• Threat identification

• Risk identification – specific unit or multiple groups?

• Identify current control

• Risk rating (S, O, C) – Severity, Occurrence, Level of Control; RPN = S x O x C

• Prioritize (RPN ranking)

• Risk treatment – Avoid, Accept, Transfer, Mitigate

• Risk mitigation actions

• Review risks

Risk Assessment
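The rating and prioritization steps of the cycle above are easy to get subtly wrong in a spreadsheet (an out-of-range rating, or a Level of Control rated the wrong way round so that good controls increase the RPN). The following is an added example, not code from the deck or from Datacom, of a small risk register that applies RPN = S x O x C, ranks the risks, separates common from unit-specific ones, and flags which meet a treatment threshold. The 1..5 rating scale, the convention that a higher Level of Control rating means weaker control, the treatment threshold of 40 and the sample ratings are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed rating scale: the slides do not state one, so each of S, O and C is
# rated 1..5 here. For C (Level of Control) the convention assumed is that a
# HIGHER number means WEAKER control, so that RPN = S x O x C grows with risk.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class Risk:
    name: str
    scope: str       # "common" (several business units) or the unit it is specific to
    severity: int    # S: impact to the business
    occurrence: int  # O: probability
    control: int     # C: level of control (1 = strong control, 5 = no effective control)

    def rpn(self) -> int:
        """Risk Priority Number as defined on the slide: S x O x C."""
        return self.severity * self.occurrence * self.control


def rating_errors(risk: Risk) -> List[str]:
    """Return one message per rating that falls outside the assumed scale."""
    errors = []
    for label, value in (("severity", risk.severity),
                         ("occurrence", risk.occurrence),
                         ("control", risk.control)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            errors.append(f"{risk.name}: {label}={value} outside {SCALE_MIN}..{SCALE_MAX}")
    return errors


def register_errors(risks: List[Risk]) -> List[str]:
    """All rating problems in a register, so a review can reject bad input up front."""
    return [msg for r in risks for msg in rating_errors(r)]


def rank_risks(risks: List[Risk]) -> List[Tuple[str, int]]:
    """Prioritize by RPN, highest first. Ties go to the higher severity, then
    alphabetical name, so the ranking is stable from one review to the next."""
    errors = register_errors(risks)
    if errors:
        raise ValueError("; ".join(errors))
    ordered = sorted(risks, key=lambda r: (-r.rpn(), -r.severity, r.name))
    return [(r.name, r.rpn()) for r in ordered]


def common_risks(risks: List[Risk]) -> List[Risk]:
    """Risks shared across business units: these get common actions rather
    than unit-specific ones."""
    return [r for r in risks if r.scope == "common"]


def needs_treatment(risks: List[Risk], threshold: int) -> List[str]:
    """Names of risks whose RPN meets the (assumed) treatment threshold, in
    priority order. Below the threshold a unit may choose to accept the risk."""
    return [name for name, rpn in rank_risks(risks) if rpn >= threshold]


# Constructed register for illustration: the common risks named on the slide
# plus two unit-specific ones. The ratings are made up.
REGISTER = [
    Risk("Fire", "common", severity=5, occurrence=2, control=3),
    Risk("Earthquake", "common", severity=5, occurrence=3, control=4),
    Risk("Theft", "common", severity=3, occurrence=3, control=2),
    Risk("Malware attack", "common", severity=4, occurrence=4, control=3),
    Risk("Payroll SaaS outage", "BU 1", severity=3, occurrence=3, control=4),
    Risk("Key-person dependency", "BU 2", severity=4, occurrence=2, control=5),
]

if __name__ == "__main__":
    for name, rpn in rank_risks(REGISTER):
        print(f"{rpn:4d}  {name}")
    print("Treat first:", needs_treatment(REGISTER, threshold=40))
```

Because the register validates ratings before ranking, a mistyped score surfaces as an error naming the risk and the rating rather than silently distorting the priority order; the common/unit-specific split mirrors the "Common Actions" versus "Unit Specific Actions" distinction in the BCP directive.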


ITSCM supports the overall Business Continuity Management (BCM) process by ensuring that the required IT resources can be recovered within time frames agreed with the business

Provides pre-determined levels of service under exceptional conditions

Common responsibilities and risk management

Selection of options based on business requirements

Definition of roles and responsibilities

Alignment of IT recovery plans with BCM exercising (testing)

Resources include hardware, software, staff and the physical environment

The technical and operational aspects of your total Business Continuity Plan


BCM and ITSCM

ITSCM must be aligned to the Business Continuity Lifecycle

ITSCM must be a part of the overall Business Continuity Plan and not dealt with in isolation

ITSCM is the “technical component” of BCM

IT Focus


Critical Business Process Recovery Metrics


How did ITSCM align with BCM?

ITSCM follows a similar approach to BCM, but from a technology and IT systems perspective. ITSCM was able to leverage the BIA exercise in DSL (ITSCM also participated in these exercises).

The BIA helped identify which business processes were critical and what technology and IT systems are required to support them.

The RTO and RPO were determined by the business units within DSL themselves (not by IT), and in this way could be matched to what was required in the ITSCM plans.
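The business-set RTO, RPO and MTPD from the Terminology section are only useful once they are matched against what the ITSCM plan can actually deliver, which is the point made above. The following is an added example, not from the deck or from Datacom, of the consistency check a practitioner would run over a recovery-metrics table: RTO must not exceed MTPD, IT's demonstrated recovery time must meet the RTO, and data must be captured at least as often as the RPO allows. The field names, the finding codes and the sample table are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Finding codes (assumed names, not from the slides)
RTO_EXCEEDS_MTPD = "RTO_EXCEEDS_MTPD"
IT_RECOVERY_MISSES_RTO = "IT_RECOVERY_MISSES_RTO"
BACKUP_INTERVAL_EXCEEDS_RPO = "BACKUP_INTERVAL_EXCEEDS_RPO"


@dataclass(frozen=True)
class RecoveryMetrics:
    process: str
    mtpd_hours: float              # Maximum Tolerable Period of Disruption (set by the business)
    rto_hours: float               # Recovery Time Objective (set by the business)
    rpo_hours: float               # Recovery Point Objective (set by the business)
    it_recovery_hours: float       # recovery time the ITSCM plan has demonstrated in exercises
    backup_interval_hours: float   # how often data is captured (backup or replication)


def check_alignment(m: RecoveryMetrics) -> List[Tuple[str, str]]:
    """Return (code, explanation) pairs for every way the IT plan and the
    business targets disagree. Equal values are acceptable."""
    findings = []
    if m.rto_hours > m.mtpd_hours:
        findings.append((RTO_EXCEEDS_MTPD,
                         f"RTO {m.rto_hours}h is longer than MTPD {m.mtpd_hours}h: the business "
                         f"would be without the process in any form for longer than it can survive"))
    if m.it_recovery_hours > m.rto_hours:
        findings.append((IT_RECOVERY_MISSES_RTO,
                         f"IT can recover in {m.it_recovery_hours}h but the business needs "
                         f"{m.rto_hours}h: the ITSCM plan does not meet the RTO"))
    if m.backup_interval_hours > m.rpo_hours:
        findings.append((BACKUP_INTERVAL_EXCEEDS_RPO,
                         f"data is captured every {m.backup_interval_hours}h but at most "
                         f"{m.rpo_hours}h of data may be lost: the RPO cannot be met"))
    return findings


def audit(table: List[RecoveryMetrics]) -> Dict[str, List[str]]:
    """Map each business process to the codes of its findings (empty = aligned)."""
    return {m.process: [code for code, _ in check_alignment(m)] for m in table}


def aligned_processes(table: List[RecoveryMetrics]) -> List[str]:
    """Processes whose ITSCM plan satisfies every business target."""
    return [p for p, codes in audit(table).items() if not codes]


# Constructed sample table; the processes and hours are made up for illustration.
TABLE = [
    RecoveryMetrics("Payroll", mtpd_hours=72, rto_hours=24, rpo_hours=4,
                    it_recovery_hours=12, backup_interval_hours=1),
    RecoveryMetrics("Customer portal", mtpd_hours=8, rto_hours=24, rpo_hours=1,
                    it_recovery_hours=24, backup_interval_hours=4),
    RecoveryMetrics("Email", mtpd_hours=48, rto_hours=48, rpo_hours=24,
                    it_recovery_hours=72, backup_interval_hours=24),
]

if __name__ == "__main__":
    for m in TABLE:
        findings = check_alignment(m)
        status = "OK" if not findings else "GAP"
        print(f"{status:3}  {m.process}")
        for code, explanation in findings:
            print(f"       {code}: {explanation}")
```

Running it over the sample table shows the two kinds of gap a BIA review is meant to catch: a business target that is internally inconsistent (an RTO longer than the MTPD) and an IT capability that falls short of a consistent target (a recovery exercise that took longer than the RTO, or backups taken less often than the RPO permits).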

The risk identification and management helped with determining risk mitigation and prevention from a technology perspective.


DR Planning & Testing

DR Planning

ITSCM prepares for the worst-case scenario

Not just how to recover from a disaster, but also how to return to normal

How to prevent/minimise the disaster from occurring in the first place

Investigates, develops and implements recovery options when a service interruption reaches a pre-defined point

DR Exercises (Testing)

Ensure that your processes and procedures will work in the event of a true disaster

Types – Walk-throughs, Full tests, Partial tests, Scenario tests

Involve IT and the business

Defined objectives and critical success factors

Can’t test everything


IT Service Continuity Management

Yellowpages.mpg


Challenges and Lessons Learnt

Challenges:

Obtaining the required time from each business unit to explain the purpose of Business Continuity and how it benefits them and the wider organisation. This is an additional task on top of their business-as-usual activities

Creating the strategy and approach and rolling it out to all business units takes considerable time, usually much longer than planned at the start!

Lessons Learnt:

Obtaining senior management buy-in and continued support is crucial to ensure the success of the whole BC programme of work

Requires persistence and drive to push this programme through and show business units the benefits of applying BC, e.g. their concerns/risks can be quantified and addressed by management


Challenges and Lessons Learnt

Contracts with suppliers can be worthless in a major disaster

Despite promises of rapid SLAs

Despite penalty clauses that might apply should SLAs not be met

Be Prepared – If not:

Develop systems that enable your business to be self-sufficient for at least 48 hours (industry recommendation)


Conclusion – Time for Q & A


Thank You
