Risk Based Approach To Recovery And Continuity Management John P Morency


Presented at 2008 ISACA-NE Annual meeting. Discusses risk management methodology for recovery and continuity management initiatives.


  1. A Risk-based Approach to Recovery & Continuity Management. John P. Morency, CISA, Research Director, (978)-901-4123, [email_address]
  2. Fact #1: "Disasters" happen more often than you think. Source: SunGard Availability Services U.S. data. Disasters by cause (count, share of total):
     - Data Center Equipment Failure: 483 (34%)
     - Weather-related disasters (e.g. hurricanes, floods, blizzards): 274 (20%)
     - Network Outage: 79 (5%)
     - Power Outage: 209 (14%)
     - Software: 27 (2%)
     - Terrorism: 176 (12%)
     - Building Damage, Gas/Water Break: 12 (1%)
     - Flood: 90 (6%)
     - Fire/Explosion: 47 (3%)
     - Bomb Threat/Evacuation: 27 (2%)
     - Earthquake: 19 (1%)
  3. Gartner Survey Findings: Last Time Continuity Plan was Exercised (N=168). Percentage of respondents by plan type, columns in chart legend order (Disaster Recovery; Work area/Workforce Continuity; Business Resumption; Contingency Planning; Emergency/Incident Mgmt.; Restoration):
     Time since last exercise   | DR  | Work area | Bus. Resumption | Contingency | Emergency/Incident | Restoration
     Within the last six months | 26% | 28%       | 29%             | 16%         | 21%                | 23%
     Within the last year       | 13% | 20%       | 17%             | 20%         | 20%                | 17%
     Within the last two years  | 19% | 25%       | 25%             | 16%         | 18%                | 17%
     Never                      | 33% | 18%       | 21%             | 35%         | 30%                | 36%
     Not sure                   |  8% | 10%       |  9%             | 13%         | 11%                |  7%
     Two-thirds of organizations have had to use their BCM/DR plans within the last two years.
  4. Fact #2: Post-9/11 Surge in Business Continuity Regulations and Standards. Timeline of regulations and standards, pre-9/11 (1991-2001) and post-9/11 (2002-2008): Consumer Credit Protection Act; OMB Circular A-130; FEMA Guidance Document; Paperwork Reduction Act; FFIEC BCP Handbook; Computer Security Act; 12 CFR Part 18; Presidential Decision Directive 67; FDA Guidance on Computerized Systems used in Clinical Trials; ANSI/NFPA Standard 1600; Sarbanes-Oxley Act of 2002; HIPAA, Final Security Rule; FFIEC BCP Handbook; Fair Credit Reporting Act; NASD Rule 3510; NERC Security Guidelines; FERC Security Standards; NAIC Standard on BCP; NIST Contingency Planning Guide; FRB-OCC-SEC Guidelines for Strengthening the Resilience of US Financial System; NYSE Rule 446; California SB 1386; Australia Standards BCM Handbook; GAO Potential Terrorist Attacks Guideline; FPC 65; NYS Circular Letter 7; ASIS; State of NY FIRM White Paper on CP; NISCC Good Practices (Telecomm); Australian Prudential Standard on BCM; HB221; HB292; BS25999; SS507; TR19; CA Z1600; Title IX – 110-53
  5. Fact #3: DR is (Very) Important (source: 2008 Gartner Research Survey)
  6. Business Context -- The IT Risk Pyramid. IT risks by pyramid layer:
     - Business Agility: opportunity capitalization; response to competitors; implementing major strategic change
     - Accuracy: data accuracy, timeliness and consistency; financial reporting; regulatory compliance
     - Accessibility: knowledge sharing; information protection; attack prevention
     - Availability & Continuity: continuous application and data availability; management communication, coordination and orchestration; employee productivity
     "Controlling continuity risk not only improves business continuity, but also starts to improve access, integrity, and strategic change risks." (Westerman)
     Source: Westerman, G. "The IT Risk Pyramid: Where to Start with Risk Management", MIT CISR Research Briefing, V (1D), Mar 2005, and Westerman, G. & Hunter, R.: IT Risk, Business Consequences, Harvard Business School Press, forthcoming. © 2006 MIT Sloan Center for Information Systems Research – Westerman
  7. Seven Risk Management Principles
     - Remember: IT risk is business risk
     - Consider IT risks in terms of the four A's — Access, Availability, Accuracy and Agility — and their consequences
     - Fix the foundation: plug the holes in the dike, consolidate the infrastructure and simplify applications, in that order
     - Create a risk governance structure and process; embed IT risk management into every business decision
     - Create a risk-aware culture — a culture that recognizes risk and can deal with it head-on
     - Look forward
     - Lead by example
  8. Recovery & Continuity Business Case: "The Balancing Act"
  9. Two Fundamental Questions
     - How to define Marginal (or Residual) Risk
     - How to Quantify Affordability
  10. Generic Risk Definition Framework
  11. Assessment Starting Point – ISACA P1. Focus on: TBS
  12. Application Risk Assessment – Part 1
  13. Application Risk Assessment – Part 2. For each application, determine:
     - What is the impact of downtime?
     - Does increased downtime = increased impact?
  14. Risk-based BIA Model. For each application, determine:
     - What is the impact of downtime?
     - Does increased downtime = increased impact?
  15. Affordability Analysis Part I: Leverage DR Spending Benchmark Data (Source: Gartner, November 2007). Chart of 2007 IT Spending Growth (%) against IT budget ($1M to $10M):
     - State & Local Government: Low End = $0.51M, High End = $1.2M, Midpoint = $0.9M; 2007 IT Budget Growth Rate = 2.6%
     - Federal Government: Low End = $3.9M, High End = $9.9M, Midpoint = $6.9M; 2007 IT Budget Growth Rate = 5.5%
  16. Gartner IT Spending Benchmark: DR Addressable Budget (Source: Gartner, November 2007)
  17. DRM Critical Success Factors (CSFs). Definition: the actions that are needed in order to improve Disaster Recovery predictability, effectiveness and efficiency (Source: Gartner, November 2007).
     - RTO/RPO requirements are defined, documented and updated for production applications
     - Recovery Data Center supports Tier 1 and Tier 2 RxO requirements
     - Emergency communications are regularly tested
     - Application Recovery management procedures support Tier 1 and Tier 2 RxO requirements
     - Data Recovery management procedures support Tier 1 and Tier 2 RxO requirements
     - Work area Recovery procedures support Tier 1 and Tier 2 RxO requirements
     - DR Plan Testing is performed at least twice a year
     - DR plans are updated to address execution deficiencies encountered during testing
     - Business Operations Restoration processes are defined and tested
     - DR Program reports are published and distributed to senior management
  18. Affordability Analysis Part II: Self Assessment (Source: Gartner, November 2007)
     - Which CSFs are supported today?
     - What is the current Maturity Level for each CSF?
     - Which additional CSFs need to be supported?
     - What is the target capability maturity level for each CSF?
     - What are the associated improvement costs?
       - By Budget Line Item
     - Which continuity risks will be mitigated? By how much?
     - How will improvement be measured?
  19. Defining Audit Ready Test Plans
  20. Example - Objective # 4 Test Plan
  21. Business Imperatives
     - Immediate
       - Ensure that the DR Plan is current and relevant
       - Plan support for less-than-24-hour RTOs and RPOs
       - Increase the frequency and diversity of testing
       - Formalize DR and BC management responsibilities
     - Next 12 months
       - Achieve a minimum of Stage 2 maturity if not already there
       - Evaluate the implementation of data replication pilots
       - Evaluate the implementation of server virtualization pilots
       - Improve recovery testing results and execution predictability
     - Beyond 12 months
       - Implement failover, recovery and restoration automation pilots
       - Align disaster recovery spending with risk management priorities
       - Evaluate the use of data center automation software to improve DR execution efficiency and predictability