GLOBRIN Business Continuity Workshop TECHNOLOGY & INFORMATION 13th November 2013 Graham Jack

Dec 17, 2015


George Lloyd

GLOBRIN

Business Continuity Workshop

TECHNOLOGY & INFORMATION

13th November 2013

Graham Jack


An IT perspective on the Business Continuity Plan
• Business Continuity v Disaster Recovery
• Availability, Reliability and Recoverability

Technology
• Identifying the technology used
• Risks and impact

Information
• Types of information held within an organisation
• Threats to that information

Pulling together an integrated business continuity plan
• Plan for failure
• Preventative action
• Create resources
• Test / review / update


Business Continuity in relation to IT
• IT is only part of the overall Business Continuity Plan
• Covers the technology and information used by / generated by the business
• Involves taking proactive steps to allow the business to operate to a defined service level during incidents.
• Takes ongoing time and effort


Disaster Recovery (DR)
“The strategies and plans for recovering and restoring the organization’s infrastructure and capabilities after an interruption.”

Business Continuity (BC)
“The strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level.”

Example
A fire in your building. The DR plan will deal with the clean up, repair of the building, re-instating IT and data etc.

The BC plan deals with how you keep your business running while you implement the DR plan.


Business Continuity and IT: Core issues to consider

BUSINESS CONTINUITY PLAN

Issue: Availability | Reliability | Recoverability

Objective:
• Availability: Maintain the chosen availability level of the business’s IT infrastructure
• Reliability: Manage and control the IT infrastructure to improve overall reliability
• Recoverability: Effective plan to minimize downtime in event of disruption.

Emphasis: Technology | Process | People

Focus: Proactive and preventive | Response and recovery


Business continuity planning lifecycle
• Analysis
• Design
• Implement
• Test / Accept
• Maintain


Getting started
• Assign responsibilities / ownership.
• Understand your business and the minimum service levels the business requires in order to continue to operate.
• Review best practice (use ISO22301 Business Continuity Management as a guide)

Business Continuity Plans are business led, not IT led.


Analysis: Know what technology you need

Document what IT is required in order for your business to carry out critical activities:
• Computers and related hardware
• Software
• Networking and connectivity
• 3rd party services (cloud)
• Telephony
• Fax / photocopiers / printers
• etc


Analysis: Know what information you have

Document what information your business needs in order to carry out critical activities:
• Digital (database and file systems)
• Hard copy (paper)
• Off site / 3rd party (held in the cloud etc)
• Staff
• etc


Analysis: Determine the risks

Look at the likelihood and impact of risks that could cause business interruption.
• Fire / Flood / Storm Damage
• Key item hardware failure (Server etc)
• General hardware failure (Fax / photocopiers / printers / user PC etc)
• Physical security (hardware / hard copy documents)
• Security breach / data loss
• Inadvertent change (software update going wrong etc)
• Deprecation (obsolete software / hardware)
• Loss of 3rd party service (internet connection, hosting, cloud service etc)
• Loss of utilities (power, telephony, internet connection etc)
• Loss of Staff
• Theft / fraud
• Computer viruses / malware
• etc


Analysis: Risk / Impact analysis

• Determine the likelihood of the risk occurring
• What is the impact to the business of each event


Solution Design: Plan for the risks (options)

Treat
Put in place an action plan to reduce disruption to a minimum acceptable level:
• Implement high availability / hot standby systems
• Maintain duplicate infrastructure / information at different location
• Maintain pool of spares (desktops / monitors / mice / keyboards etc)

Tolerate
It may be decided that the cost of mitigating the risk is such that it outweighs the benefits.


Solution Design: Plan for the risks (options)

Transfer
Transfer the risk to another external party.
• Hardware support / infrastructure management to an agreed SLA
• Insurance

Terminate
Update / modify the technology used to remove the risk:
• Remove old / outdated hardware
• Unsupported software
• Old data formats


Solution Design: Technology

For critical technology, use the results of the risk / impact analysis to build and document a plan for maintaining a minimum service level.

This may involve a mix of:
• Implementing high availability systems with automatic rollover.
• Dual site
• Keeping spares
• Support contracts
• Security measures (locked server room etc)
• Change management processes to ensure software updates & patches are properly tested before going live.


Solution Design: Information

For critical information, use the results of the risk / impact analysis to build and document a plan for maintaining a minimum service level.

This may involve a mix of:
• Policy for storing critical hard copy data (clean desk policy / fire safe)
• Backup policy with offsite storage
• Security (assign minimum required permissions, data encryption, prevention of data transfer to transfer media such as CD or USB drives, etc)
• Training / documentation to remove reliance on individual staff members


Implementation: Technology and Information

• Document the plan. Include:
    • The trigger events
    • Responsibilities
    • Contact details
    • Actions to be taken for the identified risk events
    • Communication plan (internal and external)

• Create support resources (battle box). Typical resources include:
    • Copy of the Business Continuity Plan
    • Supporting technical documentation (server builds, network topology etc)
    • Software installation packs to allow rebuilds of hardware including software licence details.
    • 3rd party contacts, support agreements, contact details, reference numbers etc
    • Default communication templates (email, web pages, Twitter messages, Facebook updates)
    • 2 copies of the Battle Box – at least 1 held off site


Test and Review: Technology and Information

• Different levels of testing:
    • Discussion based testing
    • Table top exercise
    • Live exercise

• After testing, document and review results and feed these back into the plan.
• Perform a review after all incidents – learn from what worked and what didn’t.


Training: Technology and Information

• Ensure that all staff with business continuity responsibilities are appropriately trained and have the technical skills to undertake their roles.


Change Management: Technology and Information

• IT infrastructure tends to be dynamic
• New hardware / software updates can affect the resilience of infrastructure and actions to be taken to restore service in case of a given event.
• Prior to implementing change, understand the effects on the Business Continuity Plan.
• Ensure processes are in place to capture and document change.
• Undertake periodic reviews as appropriate to review any implemented changes against the Business Continuity Plan to ensure that it remains effective.


Documentation and Evidence

• As part of any tender process you need to be able to provide evidence.
• Document the Business Continuity plan testing, reviews and updates to create an audit trail.
• Consider getting a 3rd party to review / certify against ISO22301 Business Continuity Management.


Contact Details

Globrin

web www.globrin.com

e [email protected]

m 07803 147302