31/10/2013
Prepared Always, Resilient Always
Slide 2 (31 October 2013)
Business Continuity Management: The Uncertainties
25 October 2013
Wong Tew Kiat, CBCP, MBCI, CITBCM(S), CITPM(S), COMIT(S), Fellow SCS
Founder & Managing Director
Slide 3
What is Business Continuity Management?
Slide 4
Business Continuity Management (BCM)
BCM is a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating (ISO22301).
Slide 5
Business Continuity Management (BCM)
Have we planned holistically?
Slide 6
Business As Usual
Slide 7
Key Components & Activities
• Key Products
• Staff: Sales, Marketing, Engineers, Technicians, Procurement, Finance, Delivery, Transportation
• IT Technologies: Computer Systems, Emails, Internet, Sales Order Systems, Invoicing System, Procurement System, Data Centre and Network Communications
• Raw Materials: Local suppliers, Overseas suppliers, mode of delivery, delivery timeline, ability to deliver, Single Point of Failure
• Plants: Machineries, electrical power, generators
• Warehouse: Inventories, Stocks
• Transportation and Delivery
• Customers
Slide 8
Key Components & Activities
• Key Products
• Staff: Sales, Marketing, Engineers, Technicians, Procurement, Finance, Delivery, Transportation
• IT Technologies: Computer Systems, Emails, Internet, Sales Order Systems, Invoicing System, Procurement System, Data Centre and Network Communications
• Raw Materials: Local suppliers, Overseas suppliers, mode of delivery, delivery timeline, ability to deliver
• Plants: Machineries, electrical power, generators
• Warehouse: Inventories, Stocks
• Transportation and Delivery
• Customers
Disrupted! Disrupted! Disrupted! Disrupted!
Delivery? Customer Satisfaction?
Slide 9
Business Continuity Management (BCM)
Have we analysed the risks and impacts thoroughly?
Slide 10
Disruptive Events?
8 Sep 2013 – Another 3 die of MERS virus in Saudi Arabia
15 Aug 2013 – H7N9 bird flu may be spread through human faeces
Slide 11
Disruptive Events?
H5N1, H1N1, SARS
Slide 12
Disruptive Events?
17 Aug 2013 – Fire twice in Shopping Mall
18 Sep 2013 – Ceilings Collapsed
Slide 13
Disruptive Events?
16 & 18 July 2013 – Fire twice at Poly
Slide 14
Disruptive Events?
9 Oct 2013 – Fire. 60,000 customers affected
16 Oct 2013 – banking services disrupted by "system connectivity issue"
16 Oct 2013 – disruption to its 3G services was related to a scheduled network upgrade
Slide 15
Technology Risks? Disruptive Events?
Old and End-of-Life Servers? Old Programming Languages? Old and End-of-Life Network Cards and Equipment?
Slide 16
Disruptions – Suppliers and Delivery (Supply Chains)
Disruptive Events?
Iceland's disruptive volcano (2010): The volcanic ash had forced the cancellation of many flights and disrupted air traffic across northern Europe, stranding thousands of passengers.
311 Japan Earthquake (2011): Factories, buildings, etc. destroyed.
Slide 17
3 Components in an Organisation's Business Continuity
• Critical Businesses
• Data Centre / Infrastructures
• IT Systems
Together: Full BCM
Slide 18
3 Key “Push Factors” for BCM
1. Monetary Authority of Singapore (MAS)
– June 2003 | MAS BCM Guidelines
– Oct 2004 | MAS Outsourcing Guidelines
– June 2013 | Technology Risk Management Guide
Slide 19
3 Key "Push Factors" for BCM
2. ICT Resiliency | End 2012
• ICT Equipment Resiliency
• ICT Systems Resiliency
• Data Centre Resiliency
(Components: IT Systems; Data Centre / Infrastructures)
Slide 20
3 Key "Push Factors" for BCM
3. Singapore Business Federation (SBF)
– SS540 – 2008 | Business Continuity Management Standards
– SS ISO22301 – Dec 2012 | BCM Systems Requirements
• SS540 was launched by then Deputy Prime Minister and Coordinating Minister for National Security, Prof Jayakumar, on 7 Nov 2008
• To enhance corporate resilience in Singapore, selected Government or public agencies will consider tenderers' level of BCM-readiness as part of the procurement process. In the longer term, we will look at moving towards preferring suppliers of essential services which are BCM ready during our procurements
• More than 100 companies being BCM Certified in 2013
Slide 21
Critical Businesses / Services
7 BCM Principles
(Component: Critical Businesses)
Slide 22
MAS BCM Guidelines | 2003 – 7 Principles
• Principle 1 – Board of Directors and Senior Management should be responsible for their Institution's Business Continuity Management
• Principle 2 – Institutions should embed Business Continuity Management into their business-as-usual operations, incorporating sound practices
• Principle 3 – Institutions should test their Business Continuity Plan regularly, and meaningfully
• Principle 4 – Institutions should develop Recovery Strategies and set recovery time objectives for critical business functions
• Principle 5 – Institutions should understand and appropriately mitigate interdependency risk of critical business functions
• Principle 6 – Institutions should plan for wide-area disruption
• Principle 7 – Institutions should practise a separation policy to mitigate concentration risk of critical business functions
(Component: Critical Businesses)
Slide 23
MAS Outsourcing Guidelines | 2004
• Clause 4 – Legal and Regulatory Obligations
  • An institution has to take steps to ensure that the service provider employs a high standard of care in performing the service as if the activity were not outsourced and conducted within the institution
• Clause 5 – Material Outsourcing
  • An institution should undertake periodic reviews of its outsourcing arrangements to identify new material outsourcing risks as they arise
• Clause 6 – Risk Management Practices
  • Role of the Board and Senior Management
  • Evaluation of Risks
  • Capability of Service Providers
  • Outsourcing Agreement
  • Confidentiality and Security
  • Business Continuity Management
  • Monitoring and Control of Outsourced Activities
  • Audit and Inspection
  • Outsourcing outside Singapore / within a Group
  • Outsourcing of Internal Audit to External Auditors
(Component: Critical Businesses)
Slide 24
MAS TRM (Technology Risk Management) Guidelines | 2013
• Clause 3 – Oversight of Technology Risks by Board of Directors and Senior Management
• Clause 4 – Technology Risk Management Framework
• Clause 5 – Management of IT Outsourcing Risks
• Clause 6 – Acquisition and Development of Information Systems
• Clause 7 – IT Service Management
• Clause 8 – Systems Reliability, Availability and Recoverability
• Clause 9 – Operational Infrastructure Security Management
• Clause 10 – Data Centres Protection and Controls
• Clause 11 – Access Control
• Clause 12 – Online Financial Services
• Clause 13 – Payment Card Security (ATM, Credit and Debit Cards)
• Clause 14 – IT Audit
(Components: IT Systems; Data Centre / Infrastructures)
Slide 25
MAS TRM (Technology Risk Management) Guidelines | 2013
• Clause 4 – Technology Risk Management Framework
Four stages: Risk Identification, Risk Assessment, Risk Treatment, Risk Monitoring & Reporting
Risk identification entails the determination of the threats and vulnerabilities to the FI's IT environment, which comprises the internal and external networks, hardware, software, applications, systems interfaces, operations and human elements.
(Components: IT Systems; Data Centre / Infrastructures)
Slide 26
MAS TRM (Technology Risk Management) Guidelines | 2013
• Clause 8 – Systems Reliability, Availability and Recoverability
Four areas: Systems Availability, Disaster Recovery Plan, Disaster Recovery Testing, Data Backup Management
System availability requires:
• Adequate capacity
• Reliable performance
• Fast response time
• Scalability
• Swift recovery capability
DR Plan:
• Various contingency scenarios
• Major system outages
• Total incapacitation of primary DC
• Recovery priorities, RTO, RPO
DR Testing:
• No impromptu and untested procedures
• Test and validate annually
• Test total shutdown or incapacitation of primary DC
Data Backup Strategy:
• Direct-Attached Storage (DAS)
• NAS
• SAN
• Testing & validation
• Encrypt backup media
(Component: IT Systems)
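As an added illustration (not from the slides or from the MAS guidelines), the Python below turns the Clause 8 points into checks a DR coordinator could run before a review: every system in a constructed inventory carries a recovery priority, RTO and RPO; backups older than the RPO, DR tests older than a year and unencrypted backup media are flagged; and the recovery sequence is derived from priority, then RTO. All system names, timings and thresholds are constructed sample values.

```python
"""
Added example (not from the slides or MAS): a minimal check of a disaster
recovery plan's data points against the Clause 8 expectations: recovery
priorities with RTO/RPO per system, backups that are tested and validated,
DR tests run at least annually, and encrypted backup media.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed "now" so the example is deterministic when run offline.
NOW = datetime(2013, 10, 31, 9, 0)

@dataclass
class CriticalSystem:
    name: str
    recovery_priority: int          # 1 = recover first
    rto: timedelta                  # maximum tolerable downtime
    rpo: timedelta                  # maximum tolerable data loss
    last_good_backup: datetime      # newest backup that was restore-tested
    last_dr_test: datetime          # last DR exercise that covered this system
    backup_media_encrypted: bool

# Constructed inventory (names and figures are sample data)
INVENTORY = [
    CriticalSystem("core-banking", 1, timedelta(hours=2), timedelta(minutes=15),
                   NOW - timedelta(minutes=10), NOW - timedelta(days=120), True),
    CriticalSystem("payments-gw", 1, timedelta(hours=1), timedelta(minutes=5),
                   NOW - timedelta(minutes=20), NOW - timedelta(days=400), True),
    CriticalSystem("sales-orders", 3, timedelta(hours=8), timedelta(hours=4),
                   NOW - timedelta(hours=6), NOW - timedelta(days=200), False),
    CriticalSystem("email", 5, timedelta(hours=24), timedelta(hours=24),
                   NOW - timedelta(hours=12), NOW - timedelta(days=30), True),
]

DR_TEST_INTERVAL = timedelta(days=365)   # "test and validate annually"

def rpo_breaches(systems, now=NOW):
    """Systems whose newest restore-tested backup is older than their RPO.
    If the primary DC were lost now, these would lose more data than agreed."""
    return [s.name for s in systems if now - s.last_good_backup > s.rpo]

def dr_tests_overdue(systems, now=NOW, interval=DR_TEST_INTERVAL):
    """Systems whose last DR exercise is older than the test interval."""
    return [s.name for s in systems if now - s.last_dr_test > interval]

def unencrypted_backup_media(systems):
    """Systems whose backup media are not encrypted."""
    return [s.name for s in systems if not s.backup_media_encrypted]

def recovery_sequence(systems):
    """Order of restoration: priority first, then the tightest RTO, so a
    total-incapacitation scenario starts with what the business needs first."""
    ordered = sorted(systems, key=lambda s: (s.recovery_priority, s.rto))
    return [s.name for s in ordered]

def dr_readiness_report(systems, now=NOW):
    """Collect all findings in one dictionary for the review meeting."""
    return {
        "rpo_breaches": rpo_breaches(systems, now),
        "dr_tests_overdue": dr_tests_overdue(systems, now),
        "unencrypted_backup_media": unencrypted_backup_media(systems),
        "recovery_sequence": recovery_sequence(systems),
    }

if __name__ == "__main__":
    for key, value in dr_readiness_report(INVENTORY).items():
        print(f"{key}: {value}")
```

The RPO check deliberately uses the newest *restore-tested* backup rather than the newest backup taken, which is the practical meaning of "testing & validation" in the backup strategy: an untested backup gives no assurance that the RPO is actually met.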
Slide 27
MAS TRM (Technology Risk Management) Guidelines | 2013
• Clause 9 – Operational Infrastructure Security Management
Data Loss Protection:
• Internal sabotage
• Clandestine espionage
• Furtive attacks by trusted staff, contractors and vendors
• Data loss prevention strategy
Technology Refresh Mgt:
• Up-to-date inventory of software and hardware
• End-of-support
Networks & Security Config Mgt:
• Consistent security settings
• Regular enforcement checks
• Anti-virus on servers
• Network security devices
Vulnerability Assessment & Penetration Testing:
• Identify, assess and discover security vulnerabilities
• Conduct in-depth evaluation of the security posture of systems
(Component: IT Systems)
Slide 28
MAS TRM (Technology Risk Management) Guidelines | 2013
• Clause 10 – Data Centre Protection and Controls
Threat Vulnerability Risk Assessment:
• Security threats
• Operational weaknesses in DC
• DC's perimeter and surrounding environment
Physical Security:
• Access controls
• Control of access
• Secure and monitor
• Security systems
• Surveillance tools
Data Centre Resiliency:
• Redundancy
• Fault tolerance – electrical power, air conditioning, fire suppression and data communications
• Backup power
(Component: Data Centre / Infrastructures)
Slide 29
MAS TRM (Technology Risk Management) Guidelines | 2013
• Clause 10.0.1 – As FIs' critical systems, applications, network devices and data are concentrated and maintained in the data centre (DC), it is important that the data centre is resilient (?) and physically secured (?) from internal (?) and external threats (?).
Note: Information from MAS Technology Risk Management Guidelines
o Resilient – Tier Classification? Which Tier?
o Physically secured – TVRA?
o Internal Threats – Human process, overload, etc.?
o External Threats – Power outage, dip, lightning, flood, etc.?
(Component: Data Centre / Infrastructures)
Slide 30
Data Centres Protection and Controls (UPS Battery Monitoring System)
Note: Information from Eaton Battery Monitoring System
• Providing a window to the battery with continuous, accurate monitoring and alarm notification
Ensuring Resiliency
Slide 31
Fundamentals of Power Infrastructures
• Uninterruptible Power Supply (UPS), batteries and capacitors
o Batteries are always either in a state of charge or recharge
o Once a battery begins to discharge its electricity, the voltage drops and the battery will need to be charged
o Battery autonomy – normally 15-30 minutes
o Batteries may have a 5-year life span, depending on the manufacturing specification
o Capacitors – life span can be 1, 5 or 10 years depending on design
What is the impact if they are not replaced?
(Component: Data Centre / Infrastructures)
Slide 32
Fundamentals of Power Infrastructures
• Sample line diagram on power infrastructure: Transformer → Primary Power Panel → Automatic Transfer Switch (Diesel Generator as alternate source) → Non-Critical Loads, and Critical Loads → UPS System (with bypass) → PDU → IT Servers
(Component: Data Centre / Infrastructures)
Slide 33
Fundamentals of Power Infrastructures
LT → MSB1, MSB2, MSB3, MSB4 → Main Circuit Breaker → MCCB / ELR → MCB → Load (UPS, Server)
Abbreviations: MCB – Miniature Circuit Breaker; MCCB – Moulded Case Circuit Breaker; ELCB – Earth Leakage Circuit Breaker; ELR – Earth Leakage Relay; RCCB – leakage
(Component: Data Centre / Infrastructures)
Slide 34
Data Centre Risks – Risk Monitoring and Reporting
• Changes in IT environment and delivery channels: risk parameters may change
• Periodic assessment of utilization on power usage, temperature & humidity readings, End-of-Life equipment, etc.
• At least a monthly or quarterly review
(Component: Data Centre / Infrastructures)
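The following Python is an added example, not part of the presentation, that combines this slide's monitoring points with the battery and capacitor life spans from the earlier power-infrastructure slide: readings of power load, temperature and humidity are compared against an assumed operating envelope, and each UPS battery or capacitor is checked against its manufacturer life span so that the "what if they are not replaced" question gets a dated finding at each monthly or quarterly review. The readings, assets and thresholds (such as the 80% load ceiling) are constructed assumptions, not values from the slides or from any standard.

```python
"""
Added example (not from the slides): a periodic data-centre risk review that
turns monitoring readings and power-asset ages into findings.  Every number
below is a constructed sample value or an assumed threshold.
"""
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_DATE = date(2013, 10, 31)        # constructed review date

# Assumed operating envelope for the review (not from the slides)
MAX_LOAD_PCT = 80.0                     # sustained load above this risks overloading
MAX_TEMP_C = 27.0                       # inlet temperature ceiling
MIN_RH = 20.0                           # relative humidity floor
MAX_RH = 80.0                           # relative humidity ceiling
REPLACE_WARNING = timedelta(days=180)   # flag assets within 6 months of end of life

@dataclass
class Reading:
    location: str
    load_pct: float
    temp_c: float
    humidity_pct: float

@dataclass
class PowerAsset:
    asset_id: str
    kind: str            # "battery" or "capacitor"
    installed: date
    life_years: int      # life span per manufacturer specification

# Constructed readings from three power distribution units
READINGS = [
    Reading("PDU-A1", 62.0, 22.5, 45.0),
    Reading("PDU-A2", 91.0, 29.0, 40.0),   # overloaded and a hot spot
    Reading("PDU-B1", 70.0, 24.0, 15.0),   # too dry
]

# Constructed UPS battery and capacitor register
ASSETS = [
    PowerAsset("UPS1-BATT", "battery", date(2007, 3, 1), 5),     # past its 5-year life
    PowerAsset("UPS2-BATT", "battery", date(2013, 6, 1), 5),
    PowerAsset("UPS1-CAP", "capacitor", date(2004, 1, 15), 10),  # expires 2014-01-15
]

def end_of_life(asset):
    """Install date plus the manufacturer life span."""
    target_year = asset.installed.year + asset.life_years
    try:
        return asset.installed.replace(year=target_year)
    except ValueError:                   # installed on 29 February
        return asset.installed.replace(year=target_year, day=28)

def environmental_findings(readings):
    """Power overloading, hot spots and humidity excursions per location."""
    findings = []
    for r in readings:
        if r.load_pct > MAX_LOAD_PCT:
            findings.append((r.location, "power overloading"))
        if r.temp_c > MAX_TEMP_C:
            findings.append((r.location, "hot spot / high temperature"))
        if not MIN_RH <= r.humidity_pct <= MAX_RH:
            findings.append((r.location, "humidity out of range"))
    return findings

def end_of_life_findings(assets, today=REVIEW_DATE, warn=REPLACE_WARNING):
    """Assets already past end of life, or due within the warning window."""
    findings = []
    for a in assets:
        eol = end_of_life(a)
        if eol <= today:
            findings.append((a.asset_id, "past end of life; replace"))
        elif eol - today <= warn:
            findings.append((a.asset_id, f"end of life on {eol.isoformat()}; schedule replacement"))
    return findings

def review(readings, assets, today=REVIEW_DATE):
    """One combined list of findings for the monthly or quarterly review."""
    return environmental_findings(readings) + end_of_life_findings(assets, today)

if __name__ == "__main__":
    for location_or_asset, finding in review(READINGS, ASSETS):
        print(f"{location_or_asset}: {finding}")
```

Because the review is driven by recorded readings and install dates rather than by asking the facilities team, it is a small instance of the "see to assess, not ask to assess" approach the deck closes with; the thresholds should be replaced with the values in the site's own design documents.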
Slide 35
Flu Pandemic Business Continuity Guides – 2006
• Disease Outbreak Response System Condition (DORSCON)
Alert Green, Level 0: Public health threat to Singapore is low; no novel influenza virus outbreaks anywhere in the world.
Alert Green, Level 1: Global concern with isolated animal-to-human transmission.
Alert Yellow: Inefficient human-to-human transmission outside Singapore. The risk of importation into Singapore is elevated. Where there are isolated imported cases, such cases have not resulted in sustained transmission locally.
Alert Orange: Globally and/or locally, larger cluster(s), but human-to-human spread is still localised, suggesting that the virus is becoming increasingly better adapted to humans but may not yet be fully transmissible.
Alert Red: Situation where there is a pronounced risk of acquiring the disease from the community. There is an increasing trend of mortality and morbidity rates among affected cases. The healthcare system is likely to be overwhelmed.
Alert Black: Morbidity and mortality rates are exceedingly high, and emergency measures are needed to bring the situation under control. Healthcare and other social support systems are overwhelmed by the pandemic.
(Component: Critical Businesses)
Slide 36
Business Continuity Management – Framework
Business Impact Analysis + Continuity Strategy + Business Continuity Procedures + Business Continuity Test & Exercise + Programme Management = Business Continuity Management
Critical Businesses + Data Centre / Infrastructures + IT Systems = Full BCM
Slide 37
Empowering Your Organization with . . .
Slide 38
Empowering Your Organization with . . . BCM Guidelines
BCM Guidelines: MAS BCM Guidelines; MAS Outsourcing Guidelines; MAS Technology Risk Management; ISO22301 BCMS Requirements; ISO22313 BCMS Guidelines
Data Centre Standards: ICT Resiliency; TIA-942; Uptime Institute
Risk Assessments: Walk-around; Identify; Assess; Mitigate; Control and Monitor
Awareness & Trainings: Business Continuity Mgt; Data Centre; IT Technologies; Internal Auditor
Slide 39
Turn your nightmares into sweet dreams instead. (Even before it happens!)
"Seeing is Believing" – See to Assess, Not Ask to Assess
1. Walk-around
2. Identify (See)
3. Assess
4. Mitigate Risks in . . .
Data Centre Risks: Power Overloading; Hot Spots; High Temperatures; End-of-Life UPS Batteries / Capacitors
Technology Risks: End-of-Life Servers, Software and Network Equipment; Source Code Escrow
Critical Services: Process Risk; Environment Risk; Operating Risk
Uncertainties → "Certainties"
Slide 40
Peace of Mind
Resilience
Turn your nightmares into sweet dreams instead. (Even before it happens!)
Slide 41
3 Components in an Organisation's Business Continuity
• Critical Businesses
• Data Centre / Infrastructures
• IT Systems
Together: Full BCM
Slide 42
Expect the Unexpected
• Murphy's Law – "Anything that can go wrong will go wrong"
• John Wooden – 1910 – "Failure to prepare is preparing to fail."
• Chinese Proverb – 不怕一万，只怕万一 ("Fear not the ten thousand likely things; fear the one in ten thousand")
Slide 43
Coming . . . 11 – 14 Nov 2013
Slide 44
Coming . . . 19 – 20 Nov 2013
Slide 45
Thank You
Wong Tew Kiat
CBCP, MBCI, CITBCM(S), CITPM(S), COMIT(S), Fellow SCS
Founder & Managing Director, Organisation Resilience Management Pte Ltd
M: +65 98585127 | E: [email protected] | W: www.ormgt.com.sg