Business Continuity Awareness Week 2009


Published on

Presentation given to Continuity Forum for BCAW 2009

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Discussion: I have 10 minutes to discuss with you the subject of Rejeuvenating BCM – infrastructure. Not a lot of time, but it is something I am passionate about, and have some ideas which I would like to share with you.
  • Discussion: At the highest level the following tasks should be carried out to identify the requirements and weaknesses inherent in the infrastructure and it’s associated systems. There are other ways to carry out this work, this is just one of them. I would recommend being pragmatic and letting go of some of your passion, in order to achieve a result that is at least possible in your company in the time allotted. No big bang projects in times of economic uncertainty.
  • Discussion: This risk summary grid outlines the high-level risks that IT poses to the business. The goal in presenting this is not to frighten senior executives, but to build awareness of three things: IT risk is much more than just the risk of a hacker security breach The stakes of these risks are very high. Every major risk identified has (or should have) a mitigation strategy underway. See Companion Document, page 13
  • Guidance: I made up this heat map, but you can use it, or some other way of giving information to the executive about the current state of criticality vs availability. See Companion Document, page 13
  • Discussion: This conceptual slide is meant to illustrate how IT’s strategic initiatives can be funded by IT’s own efficiency improvements. As IT-led programs improve operational and business process efficiency, and hardware constantly improves per Moore’s Law, these benefits should be reinvested into the IT Pyramid in the form of Multi-Year Strategic Initiatives. IT’s continual improvement efforts thus effectively fund its own growth. Ideas for improving the infrastructure availability include standardisation of servers, standardisation of software, effective change control,
  • Discussion: Let management know that you have thought about how the solution might be delivered, how long it might take, how you intend to look at current projects, what you do about current assets which are critical but have no DR, and how the company might want to manage this.
  • Business Continuity Awareness Week 2009

    1. 1. 23 March 2009 Rejuvenating BCM - Infrastructure Total of 5 pages Business Continuity Awareness Week 23 – 27 March 2009 Brigitte Theuma MBCI, CBCMMA, CBCMP, CBCITP, MIAEM
    2. 2. Table of Contents <ul><li>ICT Service Continuity Current State </li></ul><ul><ul><li>Identifying Requirements and Weaknesses </li></ul></ul><ul><ul><li>Risk </li></ul></ul><ul><ul><li>Business Criticality </li></ul></ul><ul><li>Multi-Year Plan </li></ul><ul><ul><li>Balancing Design and Cost </li></ul></ul><ul><ul><li>Multi Year Infrastructure DR Roadmap </li></ul></ul><ul><ul><li>Self Funding Paradigm </li></ul></ul><ul><li>Appendices </li></ul><ul><ul><li>Related Papers and Information </li></ul></ul><ul><ul><li>Glossary of Terms </li></ul></ul>
    3. 3. I. ICT Service Continuity Current State <ul><li>ICT Service Continuity Current State </li></ul><ul><ul><li>Identifying Requirements and Weaknesses </li></ul></ul><ul><ul><li>Risk </li></ul></ul><ul><ul><li>Business Criticality </li></ul></ul>
    4. 4. a. Identifying Requirements and Weaknesses <ul><li>Standards, Practices and Programme – are they working for you? Do you have in place? </li></ul><ul><li>Review potential weaknesses - single points of failure, redundancy, supply chain dependence, IT processes, security, backup and restore, availability, Disaster Recovery or IT Service Continuity, BCM, location of premises, systems monitoring, power. </li></ul><ul><li>Review trend reporting – availability, failure, capacity, security, downtime, Service Level reports. </li></ul><ul><li>Review Service Level Agreements (SLAs) with the Business Owners of the technology or services. </li></ul><ul><li>Provide GAP analysis. </li></ul><ul><li>Compare information against corporate Policy, Guidelines, SLA’s, Strategy. </li></ul><ul><li>Measure the costs of desired state vs. current state (downtime vs. resilience expenditure i.e., risk and impact vs. costs) </li></ul><ul><li>Present the information in business terms, removing the technical complexity and terminology that could impair understanding of the issue. </li></ul>Source: PAS 77: 2006
    5. 5. b. Risk Heat Map Key Adequate mitigation in place Semi-adequate mitigation in place Inadequate mitigation in place IT Security Data Centre Outage Supply Chain Customer Billing Financial Systems Customer Data India Call Centre Failure of IT Outsource Extremely Remote 1 * 10-100 years Remote 1 * 2-10 years Possible in Short to Medium Term 1 * 6-24 months Likely in Short Term 1 * 0-6 months Business Risks - IT Critical Significant Minimal Impact Likelihood
    6. 6. c. Business Criticality Heat Map Key Disaster Recovery in place RTO 24 hours Backup and restore procedures in place. RTO 36 hours No plan RTO unknown Data Centre Payroll Customer Billing Financial Systems Customer Data India Call Centre Telecoms & LAN Tactical Strategic Critical Mandatory Criticality of Systems vs. Availability Continuous Availability Disaster Recovery Backup & Restore Architecture Criticality email Internet Presence Online Ordering SRM Despatch Document Registry
    7. 7. II. Multi-Year Plan <ul><li>Multi-Year Plan </li></ul><ul><ul><li>Balancing Design and Cost </li></ul></ul><ul><ul><li>Multi Year Infrastructure DR Roadmap </li></ul></ul><ul><ul><li>Self Funding Paradigm </li></ul></ul>
    8. 8. a. Balancing DR/HA Design and Cost <ul><li>Finding the right balance </li></ul><ul><li>Availability is required for each system </li></ul><ul><li>Cost of failure vs. cost of resilience. </li></ul><ul><li>Limitations or constraints is the company operating under. Budget, time, resource. </li></ul><ul><li>Risks associated with approach. </li></ul>Source: PAS77:2006
    9. 9. b. The Self-Funding IT Paradigm and Disaster Recovery <ul><li>Use efficiency-driven cost-savings to subsidise next-generation or future projects </li></ul> Invest in “Breakthrough” Strategic Projects, include DR at project level.  Realise Business Productivity Gains, find alternate uses for DR equipment <ul><li>Streamline IT Operations, including use of DR equipment. </li></ul>Core Infrastructure and Applications Business-Led Discretionary Projects Multi-year Strategic Initiatives The Self-Funding Ideal Original concept: The CIO Executive Board If a cost per use model is used for DR when using SLA’s for IT Services, then the DR enablers can be self funded Charge out for DR to cover cost of infrastructure
    10. 10. FY2011 FY2012 FY2015 FY2014 FY2013 FY2010 FY2009 Strategy 3 Critical Assets Strategy 1 DR Enablers Strategy 2 Projects & Lifecycle Data Centre Infrastructure c. Multi Year Infrastructure Disaster Recovery Roadmap SLA DR Policy Continuous Improvement via Self Funding DR Paradigm Project 6 DR Strategy DR Enabler Initiative 3 DR Enabler Initiative 4 Project 1 Project 2 Project 3 IT Lifecycle Project 5 Project 7 BIA & RA Multi Year DR Project for Top 5 Critical Assets Multi Year Project Critical Assets 2 Project 4 Multi Year Project 3
    11. 11. d. Business Continuity Maturity BCMM© Virtual Corporation
    12. 12. III. Appendices <ul><li>Appendices </li></ul><ul><ul><li>Related Papers and Information </li></ul></ul><ul><ul><li>Glossary of Terms </li></ul></ul>
    13. 13. a. Related Papers and Information <ul><li>AS/NZS 4360:2004 Risk Management </li></ul><ul><li>AS/NZS HB221:2004 Business Continuity Management </li></ul><ul><li>Business Continuity Institute, Good Practice Guidelines 2008 </li></ul><ul><li>Business Continuity Maturity Model, Virtual Corporation </li></ul><ul><li>BS31100:2008 Risk Management Code of Practice </li></ul><ul><li>BS25999-1:2006 Business Continuity Management – Part 1: Code of Practice </li></ul><ul><li>BS25999-2:2007 Business Continuity Management – Part 2: Specification </li></ul><ul><li>BS25777:2008 Information and Communications Technology Continuity Management – Code of Practice </li></ul><ul><li>BSI ISO/IEC 24762:2008 Information Technology – Security Techniques – Guidelines for Information and Communications Disaster Recovery Services </li></ul><ul><li>CIO Executive Board </li></ul><ul><li>HB 293-2006 Executive Guide to Business Continuity Management </li></ul><ul><li>HB292-2006 A Practitioners Guide to Business Continuity Management </li></ul><ul><li>ITIL V3 </li></ul><ul><li>NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs </li></ul><ul><li>PAS 77:2006 IT Service Continuity Management Code of Practice </li></ul>
    14. 14. b. Glossary of Terms Source: BS 25777:2008 Business Continuity Strategic and tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level. BCM Business Continuity Management BC Strategy Approach by an organisation that will ensure its recovery and continuity in the face of a disaster or other major incident or business disruption. Disruption Event, whether anticipated or unanticipated which causes an unplanned, negative deviation from the expected delivery of products and services according to the organisations objectives. ICT Continuity Capability of the organisation to plan for and respond to incidents and disruptions in order to continue ICT services at an acceptable predefined level. ICT Disaster Recovery Activities and programmes that are invoked in response to a disruption and are intended to restore an organisation’s ICT services. Impact Evaluated consequence of a particular outcome. Incident Situation that might be, or could lead to, a business disruption, loss, emergency or crisis. RPO Recovery Point Objective. Point in time to which data has to be recovered in order to resume ICT services. RTO Recovery Time Objective. Target time set for resumption of product, service or activity delivery after an incident. Resilience Ability of an ICT system to provide and maintain an acceptable level of service in the face of various disruptions and challenges to normal operation. Risk Something that might happen and its effect on the achievement of objectives. Testing Forced failure of all or part of an ICT system, under specific conditions, to verify that recovery is properly performed. Vulnerability Weakness within the ICT asset or activity that might, at some point, be exploited by threats.