Wong Tew Kiat - The Uncertainties
1. 31/10/2013
Prepared Always, Resilient Always
Business Continuity Management
The Uncertainties
25 October 2013
Wong Tew Kiat
CBCP, MBCI, CITBCM(S), CITPM(S), COMIT(S), Fellow SCS
Founder & Managing Director
31 October 2013
What is Business Continuity Management?
Business Continuity Management (BCM)
Is a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating
ISO22301
Business Continuity Management (BCM)
Have we planned holistically?
Business As Usual
Key Components & Activities
Staff – Sales, Marketing, Engineers, Technicians, Procurement, Finance, Delivery, Transportation
IT Technologies – Computer Systems, Emails, Internet, Sales Order Systems, Invoicing System, Procurement System, Data Centre and Network Communications
Key Products
Raw Materials – Local suppliers, overseas suppliers, mode of delivery, delivery timeline, ability to deliver, single point of failure
Plants – Machineries, electrical power, generators
Warehouse – Inventories, stocks
Transportation and Delivery
Customers
Key Components & Activities (when disrupted)
Staff – Sales, Marketing, Engineers, Technicians, Procurement, Finance, Delivery, Transportation – Disrupted!
IT Technologies – Computer Systems, Emails, Internet, Sales Order Systems, Invoicing System, Procurement System, Data Centre and Network Communications – Disrupted!
Raw Materials – Local suppliers, overseas suppliers, mode of delivery, delivery timeline, ability to deliver
Key Products
Delivery – ?
Customer Satisfaction – Disrupted!
Plants – Machineries, electrical power, generators – ?
Warehouse – Inventories, stocks – Disrupted!
Transportation and Delivery
Customers
Business Continuity Management (BCM)
Have we analysed the risks and impacts thoroughly?
Disruptive Events?
8 Sep 2013 – Another 3 die of MERS virus in Saudi Arabia
15 Aug 2013 – H7N9 bird flu may be spread through human faeces
Disruptive Events?
H5N1
H1N1
SARS
Disruptive Events?
18 Sep 2013 – Ceilings Collapsed
17 Aug 2013 – Fire twice in Shopping Mall
Disruptive Events?
16 & 18 July 2013 – Fire twice at Poly
Disruptive Events?
9 Oct 2013 – Fire. 60,000 customers affected
16 Oct 2013 – Banking services disrupted by "system connectivity issue"
16 Oct 2013 – Disruption to its 3G services was related to a scheduled network upgrade
Disruptive Events?
Technologies Risks?
Old and End-of-Life Servers?
Old Programming Languages?
Old and End-of-Life Network Cards and Equipment?
Disruptive Events?
Disruptions – Suppliers and Delivery (Supply Chains)
Iceland's disruptive volcano (2010) – The volcanic ash forced the cancellation of many flights and disrupted air traffic across northern Europe, stranding thousands of passengers.
311 Japan Earthquake (2011) – Factories, buildings, etc. destroyed.
3 Components in an Organisation's Business Continuity?
Critical Businesses + IT Systems + Data Centre / Infrastructures = Full BCM
3 Key “Push Factors” for BCM
1. Monetary Authority of Singapore (MAS)
– June 2003 | MAS BCM Guidelines
– Oct 2004 | MAS Outsourcing Guidelines
– June 2013 | Technology Risk Management Guide
3 Key "Push Factors" for BCM
2. ICT Resiliency | End 2012
– ICT Equipment Resiliency
– ICT Systems Resiliency
– Data Centre Resiliency
Components: IT Systems; Data Centre / Infrastructures
3 Key "Push Factors" for BCM
3. Singapore Business Federation (SBF)
– SS540 – 2008 | Business Continuity Management Standards
– SS ISO22301 – Dec 2012 | BCM Systems Requirements
SS540 was launched by then Deputy Prime Minister and Coordinating Minister for National Security, Prof Jayakumar, on 7 Nov 2008:
"To enhance corporate resilience in Singapore, selected Government or public agencies will consider tenderers' level of BCM-readiness as part of the procurement process. In the longer term, we will look at moving towards preferring suppliers of essential services which are BCM ready during our procurements."
More than 100 companies BCM certified in 2013
Critical Businesses / Services – 7 BCM Principles
MAS BCM Guidelines | 2003 – 7 Principles
Principle 1 – Board of Directors and Senior Management should be responsible for their Institution's Business Continuity Management
Principle 2 – Institutions should embed Business Continuity Management into their Business-as-usual operations, incorporating sound practices
Principle 3 – Institutions should test their Business Continuity Plan regularly, and meaningfully
Principle 4 – Institutions should develop Recovery Strategies and set recovery time objectives for critical business functions
Principle 5 – Institutions should understand and appropriately mitigate interdependency risk of critical business functions
Principle 6 – Institutions should plan for wide-area disruption
Principle 7 – Institutions should practise a separation policy to mitigate concentration risk of critical business functions
Component: Critical Businesses
MAS Outsourcing Guidelines | 2004
Clause 4 – Legal and Regulatory Obligations: An institution has to take steps to ensure that the service provider employs a high standard of care in performing the service as if the activity were not outsourced and conducted within the institution
Clause 5 – Material Outsourcing: An institution should undertake periodic reviews of its outsourcing arrangements to identify new material outsourcing risks as they arise
Clause 6 – Risk Management Practices:
– Role of the Board and Senior Management
– Evaluation of Risks
– Capability of Service Providers
– Outsourcing Agreement
– Confidentiality and Security
– Business Continuity Management
– Monitoring and Control of Outsourced Activities
– Audit and Inspection
– Outsourcing outside Singapore / within a Group
– Outsourcing of Internal Audit to External Auditors
Component: Critical Businesses
MAS TRM Guidelines | 2013 (Technology Risk Management)
Clause 3 – Oversight of Technology Risks by Board of Directors and Senior Management
Clause 4 – Technology Risk Management Framework
Clause 5 – Management of IT Outsourcing Risks
Clause 6 – Acquisition and Development of Information Systems
Clause 7 – IT Service Management
Clause 8 – Systems Reliability, Availability and Recoverability
Clause 9 – Operational Infrastructure Security Management
Clause 10 – Data Centres Protection and Controls
Clause 11 – Access Control
Clause 12 – Online Financial Services
Clause 13 – Payment Card Security (ATM, Credit and Debit Cards)
Clause 14 – IT Audit
Components: IT Systems; Data Centre / Infrastructures
MAS TRM Guidelines | 2013 (Technology Risk Management)
Clause 4 – Technology Risk Management Framework
Risk Identification – Risk Assessment – Risk Treatment – Risk Monitoring & Reporting
Risk identification entails the determination of the threats and vulnerabilities to the FI's IT environment which comprises the internal and external networks, hardware, software, applications, systems interfaces, operations and human elements.
Components: IT Systems; Data Centre / Infrastructures
MAS TRM Guidelines | 2013 (Technology Risk Management)
Clause 8 – Systems Reliability, Availability and Recoverability
Systems Availability:
• Adequate capacity
• Reliable performance
• Fast response time
• Scalability
• Swift recovery capability
Disaster Recovery Plan:
• Various contingency scenarios
• Major system outages
• Total incapacitation of primary DC
• Recovery priorities, RTO, RPO
Disaster Recovery Testing:
• No impromptu and untested procedures
• Test and validate annually
• Test total shutdown or incapacitation of primary DC
Data Backup Management – Data Backup Strategy:
• Direct-Attached Storage (DAS)
• NAS
• SAN
• Testing & validation
• Encrypt backup media
Component: IT Systems
MAS TRM Guidelines | 2013 (Technology Risk Management)
Clause 9 – Operational Infrastructure Security Management
Data Loss Protection:
• Internal sabotage
• Clandestine espionage
• Furtive attacks by trusted staff, contractors and vendors
• Data loss prevention strategy
Technology Refresh Management:
• Up-to-date inventory of software and hardware
• End-of-support
Networks & Security Configuration Management:
• Consistent security settings
• Regular enforcement checks
• Anti-virus on servers
• Network security devices
Vulnerability Assessment & Penetration Testing:
• Identify, assess and discover security vulnerabilities
• Conduct in-depth evaluation of the security posture of systems
Component: IT Systems
MAS TRM Guidelines | 2013 (Technology Risk Management)
Clause 10 – Data Centre Protection and Controls
Threat Vulnerability Risk Assessment:
• Security threats
• Operational weaknesses in DC
• DC's perimeter and surrounding environment
• Access controls
Physical Security:
• Control of access
• Secure and monitor
• Security systems
• Surveillance tools
Data Centre Resiliency:
• Redundancy
• Fault tolerance – electrical power, air conditioning, fire suppression and data communications
• Backup power
Component: Data Centre / Infrastructures
MAS TRM Guidelines | 2013 (Technology Risk Management)
Clause 10.0.1 – As FIs' critical systems, applications, network devices and data are concentrated and maintained in the data centre (DC), it is important that the data centre is resilient (?) and physically secured (?) from internal (?) and external threats (?).
o Resilient – Tier Classification? Which Tier?
o Physically secured – TVRA?
o Internal Threats – Human process, overload, etc?
o External Threats – Power outage, dip, lightning, flood, etc?
Note: Information from MAS Technology Risk Management Guidelines
Component: Data Centre / Infrastructures
Data Centres Protection and Controls (UPS Battery Monitoring System)
Providing a window to the battery with continuous, accurate monitoring and alarm notification
Ensuring Resiliency
Note: Information from Eaton Battery Monitoring System
Fundamentals of Power Infrastructures
Uninterrupted Power Supply (UPS), batteries and capacitors
o Batteries are always either in a state of charge or recharge
o Once a battery begins to discharge its electricity, the voltage drops and the battery will need to be recharged
o Battery autonomy – normally 15-30 minutes
o Batteries may have a 5-year life span, depending on their manufacturing specification
o Capacitors – life span can be 1, 5 or 10 years depending on design
What is the impact if they are not replaced?
Component: Data Centre / Infrastructures
Fundamentals of Power Infrastructures
Sample line diagram on power infrastructure – elements shown:
Primary Power Panel, Transformer, Automatic Transfer Switch, Diesel Generator, Non-Critical Loads, Critical Loads, UPS System (with bypass), PDU, IT Servers
Component: Data Centre / Infrastructures
Fundamentals of Power Infrastructures – abbreviations used in the line diagram:
LT
MSB1, MSB2, MSB3, MSB4
UPS
Main Circuit Breaker
MCCB – Moulded Case Circuit Breaker
ELR – Earth Leakage Relay
MCB – Miniature Circuit Breaker
ELCB – Earth Leakage Circuit Breaker
RCCB
Load
Server
Component: Data Centre / Infrastructures
Data Centre Risks – Risk Monitoring and Reporting
As the IT environment and delivery channels change, risk parameters may change
Periodic assessment of utilization on power usage, temperature & humidity readings, End-of-Life equipment, etc.
At least a monthly or quarterly review
Component: Data Centre / Infrastructures
Flu Pandemic Business Continuity Guides – 2006
Disease Outbreak Response System Condition (DORSCON)
Alert Green, Level 0 – Public health threat to Singapore is low; no novel influenza virus outbreaks anywhere in the world
Alert Green, Level 1 – Global concern with isolated animal-to-human transmission
Alert Yellow – Inefficient human-to-human transmission outside Singapore. The risk of importation into Singapore is elevated. Where there are isolated imported cases, such cases have not resulted in sustained transmission locally
Alert Orange – Globally and/or locally, larger cluster(s), but human-to-human spread is still localized, suggesting that the virus is becoming increasingly better adapted to humans but may not yet be fully transmissible
Alert Red – Situation where there is a pronounced risk of acquiring the disease from the community. There is an increasing trend of mortality and morbidity rates among affected cases. The healthcare system is likely to be overwhelmed
Alert Black – Morbidity and mortality rates are exceedingly high, and emergency measures are needed to bring the situation under control. Healthcare and other social support systems are overwhelmed by the pandemic.
Component: Critical Businesses
Business Continuity Management – Framework
Business Continuity Management:
– Programme Management
– Business Impact Analysis
– Continuity Strategy
– Business Continuity Procedures
– Business Continuity Test & Exercise
Critical Businesses + IT Systems + Data Centre / Infrastructures = Full BCM
Empowering Your Organization with…
BCM Guidelines:
– MAS BCM Guidelines
– MAS Outsourcing Guidelines
– MAS Technology Risk Management
– ISO22301 BCMS Requirements
– ISO22313 BCMS Guidelines
– ICT Resiliency
Data Centre Standards:
– TIA-942
– Uptime Institute
Risk Assessments:
– Walk-around
– Identify
– Assess
– Mitigate
– Control and Monitor
Awareness & Trainings:
– Business Continuity Mgt
– Data Centre
– IT Technologies
– Internal Auditor
Uncertainties
"Seeing is Believing"… See to Assess, Not Ask to Assess
1. Walk-around
2. Identify (See)
3. Assess
4. Mitigate Risks in…
Data Centre Risks: Power overloading; Hot spots; High temperatures; End-of-Life UPS batteries / capacitors
Technology Risks: End-of-Life servers, software and network equipment; Source code escrow
Critical Services: Process risk; Environment risk; Operating risk
"Certainties"
Turn your nightmares into sweet dreams instead. (Even before it happens!)
Peace of Mind
Resilience
Turn your nightmares into sweet dreams instead.
(Even before it happens!)
3 Components in an Organisation's Business Continuity
Critical Businesses + IT Systems + Data Centre / Infrastructures = Full BCM
Expect the Unexpected
• Murphy's Law
– "Anything that can go wrong will go wrong"
• John Wooden – 1910
– "Failure to prepare is preparing to fail."
• Chinese Proverb
– 不怕一万，只怕万一 ("Fear not the ten thousand; fear only the one in ten thousand")
Coming….. 11 – 14 Nov 2013
Coming….. 19 – 20 Nov 2013
Thank You
Wong Tew Kiat
CBCP, MBCI, CITBCM(S), CITPM(S), COMIT(S), Fellow SCS
Founder & Managing Director
Organisation Resilience Management Pte Ltd
M: +65 98585127
E: wongtk@ormgt.com.sg
W: www.ormgt.com.sg