Risk Based Planning for Mission Continuity
Daniel D. Houser, CISSP, CISM, MBA
May 16, 2006
2©Copyright 2006, Dan Houser
Agenda
• Discuss Disaster Recovery, Business Continuity & Emergency Planning
• Effective Business Impact Assessment
• Risk Management approach to continuity risk mitigation
• Implementation
• Q&A

Obligatory Dilbert Slide
This image used in compliance with United Feature Syndicate copyright restrictions.

Continuity Management
• Disaster Recovery
• Business Continuity
• Emergency Response

Causes of Disasters
Boston Molasses Disaster of January 15, 1919
Warehouse Fire
Earthquake
Columbus School for the Blind – Jan 15, 2001
Pontifical College Josephinum – 12/15/99

Causes of Disasters
• Natural
  • Floods
  • Hurricanes
  • Tornadoes
  • Earthquakes
  • Volcano Eruptions
  • Wildland fires
  • Thunderstorms and lightning
• Man Made
  • Hazardous Materials
  • House/Building Fires
  • Nuclear Power Plant Emergencies
  • Terrorism
  • Criminal Hacking
  • Civil Unrest
  • Strikes
  • Political Unrest
All affect essential elements – such as people, buildings, applications, data, and equipment – all required to sustain critical business operations. Disasters create downtime for computer systems. Statistics can be found at www.fema.org and www.storagetek.com

Continuity Management
Business Continuity
1) Ensures continuity of the critical business functions,
2) Captures vital transactions, and
3) Facilitates the rapid recovery of business operations to reduce the overall impact of the disaster.
Focus = no interruption of vital business functions

Continuity Management
Disaster Recovery
Procedures for when the computer installation suffers loss of computer resources and physical facilities.
1. Emergency response,
2. Extended backup operations and
3. Post-disaster recovery
Focus = restoring normal automated operations for critical functions.

Crisis vs. Emergency vs. Disaster
• Events occur, which may lead to an incident or crisis
• An emergency is a crisis that may also cause injury, loss of life or destruction of property.
• A Disaster is declared, in accordance with the DRP, following a sudden unplanned catastrophic event
• Typically, disasters are not declared following an incident (your mileage may vary)

BCP is a Business Process
• Disaster Recovery is system focused, BCP is focused on the continuity of the business.
• Business drives business needs
• Fundamental issue: what VITAL business functions must survive?
The Bottom Line: Continuity planning is a business process requiring business management attention and guidance.

Disaster Lifecycle
[Chart: phases Event, Crisis, Disaster, Recovery, Restoration; axis scale 0 to 120]

Disaster Lifecycle
[Chart: Disaster, Business Continuity; axis scale 0 to 120]

Business Continuity Process
The Business Continuity Institute’s BCM process (also known as the BC Life Cycle) combines 6 key elements
1. Understanding Your Business
2. Continuity Strategies
3. Developing a BCM Response
4. Establishing a Continuity Culture
5. Exercising, Rehearsal & Testing
6. The BCM Management Process

Risk Management & BIA
• Business Impact Analysis (BIA) is the starting point for determination of risk.
• Sets the stage for shaping a business-oriented judgment concerning the appropriation of resources for recovery planning efforts*
* Jackson

Business Impact Analysis
• What drives your organization?
• What vital functions can you not live without?
  • Revenue generation
  • Asset management
  • Access to capital
  • Operations execution
  • Customer/account servicing
• Which of these are most time critical?

Risk Management
[Diagram layers: Human Life & Vital Business Processes; Information; Software; Facilities]

Business Impact Analysis
• What’s a vital function?
• What is your mission?
• Vital Functions execute the mission statement
• Preservation of mission integrity
• Maintaining core values of the organization

Additional Vital Functions
• Overhead functions necessary to weather the storm:
  • Public Relations / Corporate Communications
  • Human Resources
  • Communications
  • Legally required operations
  • Facility Management (?)
• Supporting functions
  • Compliance-mandated record keeping
  • Abnormal record keeping required to permit recovery following the disaster

Quantitative Loss Impact
Consider financial costs of potential disruption
• Lost revenue
• Lost trade discounts
• Interest lost on float
• Interest paid on borrowed funds
• Contractual Fines & Penalties
• Increase in extraordinary expense
• Emergency Purchases
• Outside Services / Temporary Staff
• Cancelled orders
• Unavailability of capital
• Prioritize [0-5], [Critical, High, Medium, Low]

Qualitative Loss Impact
• Loss impact in terms of intangibles, emotions and understanding
• Lost confidence: customers, shareholders, regulators, investors
• Loss of customer services capability
• Drop in staff morale
• Drop in staff productivity
• Customer inconvenience

Risk Analysis Process
[Diagram layers: Human Life & Vital Business Processes; Information; Software; Facilities]

BIA Worksheet
Function                   Financial    Qualitative   RTO   RPO
Human Resources            $100,000     Medium
Public Relations           Minimal      Critical
Asset Environ'tl Controls  $1,250,000   High
Soup Kitchen               $34,000      Critical
Operations Center          $55,000      High

Analysis of Loss Estimates
• Threshold analysis:
  • Interview senior management for a better understanding of loss threshold.
  • At what threshold do losses become unbearable?
  • $1 million? $10 million? $100 million?
• Stability of Threat Environment
  • Unstable environments get higher priority
  • Example: Processing center near fault line

Time Sensitivity of Vital Functions
• Conduct interviews to determine time criticality of vital functions.
• What is the maximum downtime that can be absorbed without a significant impact to the mission?
• What are the costs associated with ½ that duration? 1/3? (linear, exponential, logarithmic, bursty)
• Determination of vital time functions…

BCP Recovery Time Parameters
• MTD: Maximum Tolerable Downtime
  Maximum outage duration, by business function. (a.k.a. – RTO)
• RPO: Recovery Point Objective
  Maximum outage duration before normal operations are resumed
• Note that the RPO doesn’t start when the disaster starts, but starts at the first prior viable restart point (e.g. previous night backup tape).

BIA Worksheet
Function                   Financial    Qualitative   RTO     RPO
Human Resources            $100,000     Medium        1 day   2 wks
Public Relations           Minimal      Critical      1 hr    4 wks
Asset Environ'tl Controls  $1,250,000   High          1 hr    3 days
Soup Kitchen               $34,000      Critical      4 hr    2 wks
Operations Center          $55,000      High          1 hr    5 days

Continuity Strategies
• Facility Plans
  • Minor – shelter in place
  • Major – relocate
  • Disaster – execute disaster relocation plan
• Business Plans
  • Manual processing
  • Co-processing / Reciprocal agreements
  • Queue and hold
  • Outside services

Business Continuity ROI
For each vital function covered by BCP, calculate the qualitative and quantitative costs.
• Catastrophic loss of the business function = ____
• Qualitative loss of the function means ______ & ______.
• Planning, exercising and maintaining the BCP will cost _______.
• Executing the BCP will cost ____ per day, forecasted maximum cost of _____.

BCP ROI Example: Operations Center
Predicted Losses
                             1 Day     3 Day     7 Day      21 Day
Loss of Facility             14000     51800    191660     1341620
Business Function Offline        0     10000     67000      603000
Contractual Penalties            0         0     25000       45000
Parallel Operations           1500     12000     44400      164280
Extraordinary Expenses         100      5000     15000       72000
Recovery Costs                 500      1850      6845       25327
Likelihood                       2       0.2       0.1        0.01
ALE                        $29,200   $13,730   $28,291     $16,482
                                                           $87,703
Business Continuity Planning & Testing
BIA                            $11,000
Continuity Plan Development    $16,000
BCP Exercises & Refinement     $49,500
BCP Mgmt - Year 2-4             $6,000
BCP Exercises - Year 2-4       $10,500
Amortized cost                 $23,250
Net Risk:                      $64,453
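
The arithmetic behind the Operations Center slide, reproduced as an added example (not part of the original deck). Two things are inferred from the slide's figures rather than stated on it: each ALE charges only the cheaper of "Business Function Offline" and "Parallel Operations", and the $23,250 amortized cost is the $93,000 planning total spread over four years. All function and variable names are this example's own.

```python
from decimal import Decimal, ROUND_HALF_UP

HORIZONS = ("1 Day", "3 Day", "7 Day", "21 Day")

# Predicted losses per outage duration, copied from the slide's table.
LOSSES = {
    "Loss of Facility":          (14000, 51800, 191660, 1341620),
    "Business Function Offline": (0, 10000, 67000, 603000),
    "Contractual Penalties":     (0, 0, 25000, 45000),
    "Parallel Operations":       (1500, 12000, 44400, 164280),
    "Extraordinary Expenses":    (100, 5000, 15000, 72000),
    "Recovery Costs":            (500, 1850, 6845, 25327),
}
# Expected occurrences per year for each duration (the "Likelihood" row).
LIKELIHOOD = tuple(Decimal(x) for x in ("2", "0.2", "0.1", "0.01"))

# Planning and testing costs from the slide.
PROGRAM_COSTS = {
    "BIA": 11000,
    "Continuity Plan Development": 16000,
    "BCP Exercises & Refinement": 49500,
    "BCP Mgmt - Year 2-4": 6000,
    "BCP Exercises - Year 2-4": 10500,
}
# Assumption: $93,000 total / 4 years = the slide's $23,250.
AMORTIZATION_YEARS = 4
# Assumption: going offline and running in parallel are alternatives, and
# only the cheaper one is charged. This reproduces all four ALE figures.
ALTERNATIVES = ("Business Function Offline", "Parallel Operations")


def dollars(amount):
    """Round to whole dollars, half up (Python's round() is half-even)."""
    return int(Decimal(amount).quantize(Decimal("1"), rounding=ROUND_HALF_UP))


def single_loss(i):
    """Loss from one outage of duration HORIZONS[i]."""
    fixed = sum(v[i] for k, v in LOSSES.items() if k not in ALTERNATIVES)
    return fixed + min(LOSSES[k][i] for k in ALTERNATIVES)


def ale(i, scale=Decimal(1)):
    """Annualized loss expectancy: single loss x yearly likelihood."""
    return dollars(single_loss(i) * LIKELIHOOD[i] * scale)


def total_ale(scale=Decimal(1)):
    return sum(ale(i, scale) for i in range(len(HORIZONS)))


def amortized_cost():
    return dollars(Decimal(sum(PROGRAM_COSTS.values())) / AMORTIZATION_YEARS)


def net_risk(scale=Decimal(1)):
    """The slide's "Net Risk": total ALE minus amortized BCP cost."""
    return total_ale(scale) - amortized_cost()


def breakeven_scale():
    """Factor by which every likelihood must shrink before the total ALE
    falls to the yearly cost of the plan (sensitivity to the estimates)."""
    exact = sum(single_loss(i) * LIKELIHOOD[i] for i in range(len(HORIZONS)))
    return Decimal(amortized_cost()) / exact


if __name__ == "__main__":
    for i, name in enumerate(HORIZONS):
        print(f"{name:>7}: single loss {single_loss(i):>9,}  ALE ${ale(i):,}")
    print(f"Total ALE      ${total_ale():,}")
    print(f"Amortized cost ${amortized_cost():,}")
    print(f"Net risk       ${net_risk():,}")
    print(f"Break-even likelihood scale {breakeven_scale():.3f}")
```

The break-even figure shows how far the likelihood estimates can be overstated before the expected annual loss no longer exceeds the yearly cost of the plan.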

Risk Analysis Process
[Chart: qualitative impact (Critical, High, Medium, Low) against Net Cost ($100,000, $1 million, $10 million, $100 million)]

Risk Analysis Process
[Chart: qualitative impact (Critical, High, Medium, Low) against Net Cost ($100,000, $1 million, $10 million, $100 million), with plotted items A, C, B, D, E, F, J, G, H]

Continuity Procedure Development
• Objectives:
  • Document a detailed business continuity procedure
  • Establish testing and training methods
  • Establish a maintenance approach for the Continuity Plan
• Major Activities:
  • Develop service function plans, including data processing, telecommunications, etc.
  • Develop business function plans
  • Develop facility plans
  • Test selected continuity procedures
  • Define ongoing support processes
• Deliverables:
  • Business and service recovery plans
  • Plan maintenance programs
  • Employee awareness program
  • Test / Exercise documentation
  • Restoration plan

Recovery Testing / Exercise
Structured Walk-Through Exercise
Occurs when the functional representatives meet to review the plan in detail. This involves a thorough look at each of the plan steps, and the procedures that are invoked at that point in the plan. This ensures that the actual planned activities are accurately described in the plan.
Checklist Exercise
Method of testing the plan by distributing copies to each of the functional areas. Each area reviews the plan and checks off the points that are listed. This process ensures that the plan addresses all concerns and activities.
Tabletop Exercise
Participants review and discuss the actions they would take per their plans, but do not perform any of these actions. The exercise is typically under the guidance of exercise facilitators.

Recovery Testing / Exercise
Standalone Test
A test conducted on a specific component of a plan, in isolation from other components, typically under simulated operating conditions.
Integrated Test
A test conducted on multiple components of a plan, in conjunction with each other, typically under simulated operating conditions.

Recovery Testing / Exercise
Simulation Exercise
Where all operational and support functions meet to practice execution of the plan based on a scenario that is played out to test the reaction of all functions to various situations. Only those materials and information available in a real disaster are allowed to be used during the simulation, and the simulation continues up to the point of actual relocation to the alternate site and shipment of replacement equipment. (a.k.a. Scenario Testing)
Parallel Exercise
Essentially an operational test. In this test, the critical systems are placed into operation at the alternative site to see if things run as expected. The results can be compared with the real operational output and differences noted.

Recovery Testing
Full Interruption Test
When full normal operations are completely shut down, and the processing is conducted at the alternate site using the materials that are available in the offsite storage location and personnel that are assigned to the recovery teams.

BCM Process Lifecycle
Source: wikipedia

Summary
• While interlocked, ensure that Business Continuity is a different exercise from DRP.
• Use a blend of quantitative and qualitative determinants for risk
• Keep in mind the pyramid: People, Process, Data, Software, Hardware
• Ensure continuous assessment of BCP – address with any significant business change

Q&A
Contact Info:
Dan Houser
Dan.houser@gmail.com

Sources
Jackson, Carl B. The Business Impact Assessment Process, The Handbook of Information Security Management, 3rd Ed. 1999. Accessed 4/26/2006, http://tinyurl.com/zgq7f
Stacey, Timothy R. Best Practice in Contingency Planning or Contingency Planning Program Maturity, The Handbook of Information Security Management, 5th Ed. Vol 2, Auerbach Publishers, 2005.
Texas Department of Information Resources, Information Resources Asset Protection Council. Business Continuity Planning Guidelines, 2nd ed, 2004. Accessed 4/26/2006, http://tinyurl.com/l4pyv

Cracking the Cultural Competence Code.pptxCracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptx
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSM
 
John Halpern sued for sexual assault.pdf
John Halpern sued for sexual assault.pdfJohn Halpern sued for sexual assault.pdf
John Halpern sued for sexual assault.pdf
 
VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
 
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
Yaroslav Rozhankivskyy: Три складові і три передумови максимальної продуктивн...
 
Regression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis:  Simple Linear Regression Multiple Linear RegressionRegression analysis:  Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear Regression
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 
It will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayIt will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 May
 

Risk Based Planning for Mission Continuity

  • 1. Risk Based Planning for Mission Continuity. Daniel D. Houser, CISSP, CISM, MBA. May 16, 2006
  • 2. Agenda [©Copyright 2006, Dan Houser]
      ◦ Discuss Disaster Recovery, Business Continuity & Emergency Planning
      ◦ Effective Business Impact Assessment
      ◦ Risk Management approach to continuity risk mitigation
      ◦ Implementation
      ◦ Q&A
  • 3. Obligatory Dilbert Slide. This image used in compliance with United Feature Syndicate copyright restrictions.
  • 4. Continuity Management
      ◦ Disaster Recovery
      ◦ Business Continuity
      ◦ Emergency Response
  • 5. Causes of Disasters [image captions: Boston Molasses Disaster of January 15, 1919; Warehouse Fire; Earthquake; Columbus School for the Blind – Jan 15, 2001; Pontifical College Josephinum – 12/15/99]
  • 6. Causes of Disasters
      ◦ Natural
          ▪ Floods
          ▪ Hurricanes
          ▪ Tornadoes
          ▪ Earthquakes
          ▪ Volcano Eruptions
          ▪ Wildland fires
          ▪ Thunderstorms and lightning
      ◦ Man Made
          ▪ Hazardous Materials
          ▪ House/Building Fires
          ▪ Nuclear Power Plant Emergencies
          ▪ Terrorism
          ▪ Criminal Hacking
          ▪ Civil Unrest
          ▪ Strikes
          ▪ Political Unrest
      All affect essential elements – such as people, buildings, applications, data, and equipment – all required to sustain critical business operations. Disasters create downtime for computer systems. Statistics can be found at www.fema.org and www.storagetek.com
  • 7. Continuity Management: Business Continuity
      1) Ensures continuity of the critical business functions,
      2) Captures vital transactions, and
      3) Facilitates the rapid recovery of business operations to reduce the overall impact of the disaster.
      Focus = no interruption of vital business functions
  • 8. Continuity Management: Disaster Recovery. Procedures for when the computer installation suffers loss of computer resources and physical facilities.
      1. Emergency response,
      2. Extended backup operations and
      3. Post-disaster recovery
      Focus = restoring normal automated operations for critical functions.
  • 9. Crisis vs. Emergency vs. Disaster
      ◦ Events occur, which may lead to an incident or crisis
      ◦ An emergency is a crisis that may also cause injury, loss of life or destruction of property.
      ◦ A Disaster is declared, in accordance with the DRP, following a sudden unplanned catastrophic event
      ◦ Typically, disasters are not declared following an incident (your mileage may vary)
  • 10. BCP is a Business Process
      ◦ Disaster Recovery is system focused, BCP is focused on the continuity of the business.
      ◦ Business drives business needs
      ◦ Fundamental issue: what VITAL business functions must survive?
      The Bottom Line: Continuity planning is a business process requiring business management attention and guidance.
  • 11. Disaster Lifecycle [chart; labels: Event Crisis Disaster Recovery Restoration]
  • 12. Disaster Lifecycle [chart; labels: Disaster Business Continuity]
  • 13. Business Continuity Process. The Business Continuity Institute’s BCM process (also known as the BC Life Cycle) combines 6 key elements:
      1. Understanding Your Business
      2. Continuity Strategies
      3. Developing a BCM Response
      4. Establishing a Continuity Culture
      5. Exercising, Rehearsal & Testing
      6. The BCM Management Process
  • 14. Risk Management & BIA
      ◦ Business Impact Analysis (BIA) is the starting point for determination of risk.
      ◦ Sets the stage for shaping a business-oriented judgment concerning the appropriation of resources for recovery planning efforts*
      * Jackson
  • 15. Business Impact Analysis
      ◦ What drives your organization?
      ◦ What vital functions can you not live without?
          ▪ Revenue generation
          ▪ Asset management
          ▪ Access to capital
          ▪ Operations execution
          ▪ Customer/account servicing
      ◦ Which of these are most time critical?
  • 16. Risk Management [diagram labels: Human Life & Vital Business Processes, Information, Software, Facilities]
  • 17. Business Impact Analysis
      ◦ What’s a vital function?
      ◦ What is your mission?
      ◦ Vital Functions execute the mission statement
      ◦ Preservation of mission integrity
      ◦ Maintaining core values of the organization
  • 18. Additional Vital Functions
      ◦ Overhead functions necessary to weather the storm:
          ▪ Public Relations / Corporate Communications
          ▪ Human Resources
          ▪ Communications
          ▪ Legally required operations
          ▪ Facility Management (?)
      ◦ Supporting functions
          ▪ Compliance-mandated record keeping
          ▪ Abnormal record keeping required to permit recovery following the disaster
  • 19. Quantitative Loss Impact. Consider financial costs of potential disruption:
      ◦ Lost revenue
      ◦ Lost trade discounts
      ◦ Interest lost on float
      ◦ Interest paid on borrowed funds
      ◦ Contractual Fines & Penalties
      ◦ Increase in extraordinary expense
      ◦ Emergency Purchases
      ◦ Outside Services / Temporary Staff
      ◦ Cancelled orders
      ◦ Unavailability of capital
      ◦ Prioritize [0-5], [Critical, High, Medium, Low]
  • 20. Qualitative Loss Impact
      ◦ Loss impact in terms of intangibles, emotions and understanding
      ◦ Lost confidence: customers, shareholders, regulators, investors
      ◦ Loss of customer services capability
      ◦ Drop in staff morale
      ◦ Drop in staff productivity
      ◦ Customer inconvenience
  • 21. Risk Analysis Process [diagram labels: Human Life & Vital Business Processes, Information, Software, Facilities]
  • 22. BIA Worksheet
      Function                    Financial     Qualitative   RTO     RPO
      Human Resources             $100,000      Medium
      Public Relations            Minimal       Critical
      Asset Environ'tl Controls   $1,250,000    High
      Soup Kitchen                $34,000       Critical
      Operations Center           $55,000       High
  • 23. Analysis of Loss Estimates
      ◦ Threshold analysis:
          ▪ Interview senior management for a better understanding of loss threshold.
          ▪ At what threshold do losses become unbearable?
          ▪ $1 million? $10 million? $100 million?
      ◦ Stability of Threat Environment
          ▪ Unstable environments get higher priority
          ▪ Example: Processing center near fault line
  • 24. Time Sensitivity of Vital Functions
      ◦ Conduct interviews to determine time criticality of vital functions.
      ◦ What is the maximum downtime that can be absorbed without a significant impact to the mission?
      ◦ What are the costs associated with ½ that duration? 1/3? (linear, exponential, logarithmic, bursty)
      ◦ Determination of vital time functions…
  • 25. BCP Recovery Time Parameters
      ◦ MTD: Maximum Tolerable Downtime. Maximum outage duration, by business function. (a.k.a. – RTO)
      ◦ RPO: Recovery Point Objective. Maximum outage duration before normal operations are resumed
      ◦ Note that the RPO doesn’t start when the disaster starts, but starts at the first prior viable restart point (e.g. previous night backup tape).
  • 26. BIA Worksheet
      Function                    Financial     Qualitative   RTO     RPO
      Human Resources             $100,000      Medium        1 day   2 wks
      Public Relations            Minimal       Critical      1 hr    4 wks
      Asset Environ'tl Controls   $1,250,000    High          1 hr    3 days
      Soup Kitchen                $34,000       Critical      4 hr    2 wks
      Operations Center           $55,000       High          1 hr    5 days
  • 27. Continuity Strategies
      ◦ Facility Plans
          ▪ Minor – shelter in place
          ▪ Major – relocate
          ▪ Disaster – execute disaster relocation plan
      ◦ Business Plans
          ▪ Manual processing
          ▪ Co-processing / Reciprocal agreements
          ▪ Queue and hold
          ▪ Outside services
  • 28. Business Continuity ROI. For each vital function covered by BCP, calculate the qualitative and quantitative costs.
      ◦ Catastrophic loss of the business function = ____
      ◦ Qualitative loss of the function means ______ & ______.
      ◦ Planning, exercising and maintaining the BCP will cost _______.
      ◦ Executing the BCP will cost ____ per day, forecasted maximum cost of _____.
  • 29. BCP ROI Example: Operations Center
      Predicted Losses               1 Day     3 Day     7 Day     21 Day
      Loss of Facility               14000     51800    191660    1341620
      Business Function Offline          0     10000     67000     603000
      Contractual Penalties              0         0     25000      45000
      Parallel Operations             1500     12000     44400     164280
      Extraordinary Expenses           100      5000     15000      72000
      Recovery Costs                   500      1850      6845      25327
      Likelihood                         2       0.2       0.1       0.01
      ALE                          $29,200   $13,730   $28,291    $16,482
      Total ALE                    $87,703

      Business Continuity Planning & Testing
      BIA                            $11,000
      Continuity Plan Development    $16,000
      BCP Exercises & Refinement     $49,500
      BCP Mgmt - Year 2-4             $6,000
      BCP Exercises - Year 2-4       $10,500
      Amortized cost                 $23,250
      Net Risk:                      $64,453
  • 30. Risk Analysis Process [chart; axis labels: Critical, High, Medium, Low; $100,000, $1 million, $10 million, $100 million; Net Cost]
  • 31. Risk Analysis Process [chart; axis labels: Critical, High, Medium, Low; $100,000, $1 million, $10 million, $100 million; Net Cost; plotted points: A, C, B, D, E, F, J, G, H]
  • 32. Continuity Procedure Development
      ◦ Objectives:
          ▪ Document a detailed business continuity procedure
          ▪ Establish testing and training methods
          ▪ Establish a maintenance approach for the Continuity Plan
      ◦ Major Activities:
          ▪ Develop service function plans, including data processing, telecommunications, etc.
          ▪ Develop business function plans
          ▪ Develop facility plans
          ▪ Test selected continuity procedures
          ▪ Define ongoing support processes
      ◦ Deliverables:
          ▪ Business and service recovery plans
          ▪ Plan maintenance programs
          ▪ Employee awareness program
          ▪ Test / Exercise documentation
          ▪ Restoration plan
  • 33. Recovery Testing / Exercise
      ◦ Structured Walk-Through Exercise: Occurs when the functional representatives meet to review the plan in detail. This involves a thorough look at each of the plan steps, and the procedures that are invoked at that point in the plan. This ensures that the actual planned activities are accurately described in the plan.
      ◦ Checklist Exercise: Method of testing the plan by distributing copies to each of the functional areas. Each area reviews the plan and checks off the points that are listed. This process ensures that the plan addresses all concerns and activities.
      ◦ Tabletop Exercise: Participants review and discuss the actions they would take per their plans, but do not perform any of these actions. The exercise is typically under the guidance of exercise facilitators.
  • 34. Recovery Testing / Exercise
      ◦ Standalone Test: A test conducted on a specific component of a plan, in isolation from other components, typically under simulated operating conditions.
      ◦ Integrated Test: A test conducted on multiple components of a plan, in conjunction with each other, typically under simulated operating conditions.
  • 35. Recovery Testing / Exercise
      ◦ Simulation: Exercise where all operational and support functions meet to practice execution of the plan based on a scenario that is played out to test the reaction of all functions to various situations. Only those materials and information available in a real disaster are allowed to be used during the simulation, and the simulation continues up to the point of actual relocation to the alternate site and shipment of replacement equipment. (a.k.a. Scenario Testing)
      ◦ Parallel Exercise: Essentially an operational test. In this test, the critical systems are placed into operation at the alternative site to see if things run as expected. The results can be compared with the real operational output and differences noted.
  • 36. Recovery Testing
      ◦ Full Interruption Test: When full normal operations are completely shut down, and the processing is conducted at the alternate site using the materials that are available in the offsite storage location and personnel that are assigned to the recovery teams.
  • 37. BCM Process Lifecycle. Source: wikipedia
  • 38. Summary
      ◦ While interlocked, ensure that Business Continuity is a different exercise from DRP.
      ◦ Use a blend of quantitative and qualitative determinants for risk
      ◦ Keep in mind the pyramid: People, Process, Data, Software, Hardware
      ◦ Ensure continuous assessment of BCP – address with any significant business change
  • 39. Q&A. Contact Info: Dan Houser, Dan.houser@gmail.com
  • 40. Sources
      ◦ Jackson, Carl B. The Business Impact Assessment Process, The Handbook of Information Security Management, 3rd Ed. 1999. Accessed 4/26/2006, http://tinyurl.com/zgq7f
      ◦ Stacey, Timothy R. Best Practice in Contingency Planning or Contingency Planning Program Maturity, The Handbook of Information Security Management, 5th Ed. Vol 2, Auerbach Publishers, 2005.
      ◦ Texas Department of Information Resources, Information Resources Asset Protection Council. Business Continuity Planning Guidelines, 2nd ed, 2004. Accessed 4/26/2006, http://tinyurl.com/l4pyv
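
The slide 29 calculation as an added example (not part of the original deck): it recomputes ALE from the loss rows, flags columns that do not reconcile with the printed ALE row, and derives the amortized cost and net risk. Assumptions: the Parallel Operations row is left out of ALE (this reproduces the 1 Day and 3 Day figures; the 7 Day and 21 Day columns do not reconcile with the rows as transcribed), and the program cost is amortized over 4 years.

```python
# Added example: re-derives the slide 29 (Operations Center) figures.
COLUMNS = ["1 Day", "3 Day", "7 Day", "21 Day"]

# Predicted losses in dollars, as transcribed from the slide.
LOSS_ROWS = {
    "Loss of Facility":          [14000, 51800, 191660, 1341620],
    "Business Function Offline": [0, 10000, 67000, 603000],
    "Contractual Penalties":     [0, 0, 25000, 45000],
    "Parallel Operations":       [1500, 12000, 44400, 164280],
    "Extraordinary Expenses":    [100, 5000, 15000, 72000],
    "Recovery Costs":            [500, 1850, 6845, 25327],
}
LIKELIHOOD = [2, 0.2, 0.1, 0.01]            # expected events per year
SLIDE_ALE = [29200, 13730, 28291, 16482]    # ALE row as printed on the slide

# Assumption: the slide does not say which rows feed ALE. Leaving this row
# out is what reproduces the printed ALE for the 1 Day and 3 Day columns.
EXCLUDED = frozenset({"Parallel Operations"})

# BCP program line items from the slide, in dollars.
PLAN_COSTS = {
    "BIA": 11000,
    "Continuity Plan Development": 16000,
    "BCP Exercises & Refinement": 49500,
    "BCP Mgmt - Year 2-4": 6000,
    "BCP Exercises - Year 2-4": 10500,
}
YEARS = 4  # assumption: inferred from the "Year 2-4" rows; yields $23,250

def recomputed_ale(excluded=EXCLUDED):
    """ALE per column = sum of included loss rows x events per year."""
    result = {}
    for i, col in enumerate(COLUMNS):
        single_loss = sum(v[i] for k, v in LOSS_ROWS.items() if k not in excluded)
        result[col] = round(single_loss * LIKELIHOOD[i])
    return result

def unreconciled(excluded=EXCLUDED):
    """Columns whose recomputed ALE differs from the slide: {col: (calc, slide)}."""
    calc = recomputed_ale(excluded)
    return {c: (calc[c], SLIDE_ALE[i])
            for i, c in enumerate(COLUMNS) if calc[c] != SLIDE_ALE[i]}

def net_risk(ale_values=SLIDE_ALE, plan_costs=PLAN_COSTS, years=YEARS):
    """Return (total ALE, amortized program cost, net risk) as on the slide."""
    total = sum(ale_values)
    amortized = sum(plan_costs.values()) / years
    return total, amortized, total - amortized

def ale_share(ale_values=SLIDE_ALE):
    """Percentage of total ALE contributed by each outage length."""
    total = sum(ale_values)
    return {c: round(100 * v / total, 1) for c, v in zip(COLUMNS, ale_values)}

if __name__ == "__main__":
    print("net risk:", net_risk())
    print("unreconciled columns:", unreconciled())
    print("share of ALE (%):", ale_share())
```

The share calculation shows the frequent 1 Day outage contributing the largest part of the total ALE, about a third, ahead of the rare 21 Day outage.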