Business Continuity Management (BCM) is a process which embraces all aspects of the organization, which identifies threats and contingencies and which provides a framework to provide capabilities and responses to assure continuous business operation and to protect the interests of stakeholders.
Information Assurance (IA) is a comprehensive approach to protect information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation.
Comment. IAAC describes IA to board directors as ‘the certainty that the information within an organization is reliable, secure and private. IA encompasses both the accuracy of the information and its protection, and includes disciplines such as information security management, risk management and business continuity planning.’
Definition proposed by the Information Assurance Advisory Council (IAAC), UK.
Disaster Recovery is the process for bringing back systems, processes and data to the original position which prevailed before an accident/calamity/catastrophe/disaster occurred.
Comment. It is reactive to an event occurring, although procedures should be tested and rehearsed frequently.
Security is the protection, guard or defence against threat.
Comment. It can be active or passive. In organizational terms the threat is measured in terms of potential damage to the organization. The security classifications afforded relate to the potential damage to the organization if security is breached. The level of protection increases with the degree of classification. Government security generally conforms very closely to this model. The term personal security is traditionally taken to mean protection from physical attack, but with the advent of increased ICT use, viruses and other electronic attacks the use of personal firewalls and back-ups bring personal electronic security more into line with the organizational definition. In government, security is generally regarded as an organizational issue and this is how the term is used in this presentation.
• Privacy - two relevant definitions: (1) absence or avoidance of publicity or display, being withdrawn from public interest, seclusion; (2) private or personal matters or relations.
Comment. The key feature is that privacy is about the choice of the individual, social group and occasionally organization to keep things from the knowledge of others; this could be for reasons which might not prevent damage, as in the sense of security. In some states, certain rights and levels of privacy have been made rights (individual and sometimes also organizational depending on the state). For BCM, several sorts of private information may be involved, such as client/customer records.
PRINCIPLES OF GOVERNMENT BCM (Adapted from Business Continuity Management: Good Practice Guidelines, The Business Continuity Institute, 2002)
• Business Continuity Management (BCM) and Crisis Management are an integral part of government Corporate Governance.
• BCM activities must match, focus upon and directly support government goals and business strategy.
• BCM must provide organisational resilience to optimise government product and service availability and as a value-based management process, BCM must optimise resource efficiencies.
• BCM is a business management process that must add value.
• The component parts of government own their business risk and their management of business risk should be based on risk levels appropriate for all government stakeholders.
• The government must recognise and acknowledge that reputation, brand image, stakeholder value and risk cannot be transferred or removed by intra-governmental sourcing and/or outsourcing.
• All BCM strategies, plans and solutions must be government main-line business owned and driven. They should not be viewed as a specialised, separate category.
• BCM must be considered at all stages of the development of new government business operations, products, services and internal infrastructure projects.
• BCM must be considered as an essential part of the business change management process.
• The relevant legal and regulatory requirements for BCM must be clearly defined and understood before undertaking a government BCM programme.
• There must be agreed, published and distributed organisation policy, strategy, framework and exercising guidelines for government BCM and Crisis Management.
• All BCM strategies, plans and solutions must be based upon: the identified government business Mission Critical Activities (MCA); their dependencies; the single points of failure identified by a Business Impact Analysis (BIA).
• The competency of government BCM practitioners should be based on and benchmarked against standards, such as the ten professional competency standards of the Business Continuity Institute.
• The government and its component parts must implement and maintain a robust exercising, rehearsal and testing programme to ensure its BCM and Crisis Management capabilities are effective, efficient and economic.
• All third parties, including joint venture companies and service providers, upon which the government is critically dependent for the provision of products, services, support or data, must be required to demonstrate an effective, proven and fit-for-purpose BCM capability.
• The government's BCM and Crisis Management capabilities should reflect these good practice guidelines.
• All BIA must be conducted in respect of government products and services in an end-to-end context.
• The government and its component parts are accountable and responsible for maintaining an effective, up-to-date and fit-for-purpose BCM competence and capability.
BCM & IA
• ‘IA encompasses both the accuracy of the information and its protection, and includes disciplines such as information security management, risk management and business continuity planning.’
• The Turnbull Report in the UK advocates and provides a basis for a risk-based approach to corporate governance, which has to be interpreted to cater for levels of risk acceptable to government functions. However, the continually increasing dependence on ever more complex information systems means that more emphasis needs to be given to the information risk management element of government corporate governance. (The Turnbull Report on Corporate Governance - Internal Control: Guidance for Directors on the Combined Code, 1999, London)
Some More Metrics 1 (Source: Performance Concepts quoted in Business Continuity, Director Publications Ltd, London, 2000)
• 38% of those interviewed couldn’t distinguish between Business Continuity Management and Disaster Relief
• 88% suffered serious events not covered by plans
• Up to 90% reduction in total loss can be achieved by having good, tested plans
• 94% do not seek managerial approval of plans prior to implementation
• 92% upgrade BCM capability significantly after a disaster
• 70% do not view DR/BCM as an integral part of business planning
• 22% consider integrated company-wide planning important
• 20% do not consider protection of data & systems
Some More Metrics 2 (Source: Performance Concepts quoted in Business Continuity, Director Publications Ltd, London, 2000)
• 88% of e-business is not included in organizational Business Continuity Management and Disaster Relief plans
• 57% of disasters are IT-related
• 61% do not publish BCM plans to all employees
• Only 11% of organisations had active board-level involvement in BCM
• 92% fail to update BCM plans after new system introduction
• 84% do not identify risks in Supply Chain Management (SCM)
• 10% of disasters are in SCM
• 29% of those involved had no formal training
• 38% confident in their skills