Title: Illusions of Business Continuity Planning
Slide 1: Illusions of Business Continuity Planning
S.C. Leung, CISSP, CISA, Chairperson, PISA
Slide 2: What is BCP for?
- Business Continuity Planning: advance planning and arrangements to ensure the continuity of an organization's critical functions
- Preparations and procedures sufficient for responding to a disaster
- Incident response is the first step in responding to a disaster
Slide 3: What is the No. 1 Priority?
- The No. 1 priority of disaster response personnel is life. In all cases, do not expose employees to risk.
- Risk is greatest during evacuation.
Slide 4: BC Management Team
Typical BC Management Team
Slide 5: BC Coordinators
Slide 6: BC Management Recovery
Slide 7: Major Plan Components
Slide 8: Lessons from WTC Bomb Attack 1993
- Of the 350 companies that operated in the WTC prior to the 1993 bombing, 150 were out of business a year later.
- A Business Continuity Plan is vital!
Slide 9: Importance of BCP ratified
- Where the pain had been felt:
- BCP objectives defined
- BCP management team formed
- BCP coordinators nominated
- BCP procedures developed
- BCP drill tests performed
- BCP resources budgeted
- Risks mitigated and contained to a large extent!
Slide 10: Lessons from WTC Attack 2001
- By Richard Corcoran, Manager, Global Business Continuity, Eastman Kodak Company
- http://www.contingencyplanning.com/article_index.cfm?article393
- Lessons Learnt from 9/11
Slide 11: Human Factors of BCP
- MORALE: significant trauma and stress on personnel, progressively getting worse with each day
- Key assumption for the BCP to work: companies are not prepared to lose critical recovery team personnel
Slide 12: DR Planning Flaws
- Companies seriously under-estimated how long it would take to recover. Some of this was attributed to loss of staff.
- Few customers had workstation recovery plans for their end users.
- The DR budget needs to be increased from 3.5% to 6% of the IT budget (financial sector: up to 12-15% is required!).
Slide 13: DR Drill Test Insufficiencies
- Problems in data synchronization and in links to feeding and dependent systems: companies did not thoroughly test these interfaces.
- There should have been more testing with end users.
Slide 14: DR Maintenance Flaws
- It is very hard to get technical team members to document their sections of the recovery plan.
- Some companies suffered significant vital-record problems because of flaws in their backup and off-site storage programs.
- Companies had not updated their capacity requirements as their environments grew.
Slide 15: Communication Issues
- Many experienced significant network issues.
Slide 16: So what had gone wrong?
- We have illusions of BCP.
- It is not yet a BCP in reality!
Slide 17: Re-think BCP
Slide 18: What is the Focus?
- Many organizations treat BCP as a technical plan.
[Diagram: BCP at the centre of a People / Process / Technology triangle]
Slide 19: Weakness in People
[Diagram: BCP at the centre of a People / Process / Technology triangle]
Slide 20: A BCP is a People Plan
- It deals with people
- People design it
- People test and implement it
- People make the plan work when it is needed
- People are the determining factor of BCP success
Slide 21: Insufficient Training
- A recent survey found that 70% of respondents did not get sufficient business continuity or disaster training.
- BCP seems to be more good intention than practice.
Slide 22: People in the Weak Links (1)
- Dependencies on business recovery personnel
- Success in contacting and deploying personnel is vital to the execution of the BC plan
- Leadership must be visible
- Leadership must be available
- Is BC management always available?
- What if the BCM and BCC are trapped at the disaster site?
Slide 23: People in the Weak Links (2)
- Release the dependencies on business recovery personnel
- Flexible command structure
- Alternative recovery personnel
- Cross-train, rotate responsibilities
- More staff involvement
- Off-site staff
Slide 24: Incident Command System
- ICS: a US system for any emergency incident
- Prime purpose: stabilize the incident and provide for life safety
- A management system
- Adaptable to any emergency or incident
- Scales from a single jurisdiction or agency to multiple jurisdictions or agencies
Slide 25: Incident Command System
- Commander: the initial and highest-ranking authority available
- Transfer of command:
  - when the most qualified person arrives
  - when the incident changes
  - when the incident runs over an extended time frame
Slide 26: ICS Organization Chart
Slide 27: People in the Weak Links (3)
- Be realistic about people
- Do not assume everyone is available
- Do not assume everyone knows what to do
- Do not assume everyone works according to plan
- People's morale and concerns change over time
Slide 28: People in the Weak Links (4)
- External support is not always available
- Can we survive until the emergency agencies arrive?
Slide 29: People in the Weak Links (5)
- People interfering with your BCP execution:
- Neighbors creating turmoil
- Customers pressing for critical production
- Suppliers demanding cash on delivery of recovery services
- Media calling in every 15 minutes
Slide 30: Weakness in Process
[Diagram: BCP at the centre of a People / Process / Technology triangle]
Slide 31: Weak Post-planning
- Pre-planning
- Planning
- Post-planning:
  - Awareness program
  - Training program for BCM, BCC and staff
  - Plan maintenance
  - Public relations and crisis communication
  - Coordination with public authorities
Slide 32: Awareness Training
- Is it part of your plan? Scheduled? Budgeted?
- Have all staff been involved? Do they have the awareness to report incidents?
- Continued education for the BC Coordinator?
- Information sharing on recent disasters and lessons learned:
  - Disaster Recovery Journal, www.drj.com
  - Disaster Recovery Institute, www.drii.org
  - Federal Emergency Management Agency, www.fema.gov
  - User groups
Slide 33: Maintenance and Update Phase
- The most difficult part of BCP
- How do you organize, manage and coordinate the effects of change?
- Do you have standards and procedures to incorporate changes on a routine schedule?
- How often do you update your BCP? Yearly? Half-yearly? Monthly? When there is a critical change?
- Have you budgeted the required resources?
Slide 34: Best Practice
- Make BCP part of routine practice
- Include BCP as a key component of the security policy
- Include BCP in the change management procedure
- Reward employee involvement and solutions
Slide 35: Public Relations / Coordination with Public Authorities
- Disaster declaration procedure: have you developed one?
- Crisis management team: who is involved?
- Public relations program: do you find you need it earlier?
Slide 36: Weakness in Technology
[Diagram: BCP at the centre of a People / Process / Technology triangle]
Slide 37: Assumptions of Technical Controls for BCP
- Control measures are built around the theme of avoiding single points of failure
- All controls are assumed to be working and available
Slide 38: Single Point of Failure (1)
- Sometimes the assumption needs to be challenged
- Case: your building is fed from a dual power grid
Slide 39: Single Point of Failure (2)
- Backup site distance: 400 m? 4 km? 12 km?
Slide 40: DR Site Arrangement Usable?
- A reciprocal arrangement is not guaranteed
- Is the DR service level guaranteed?
- Staff are not familiar with the DR site environment
Slide 41: Test Drill enough?
- Staff involvement is low: do your drills involve only the Business Continuity Coordinators?
- Plan not thoroughly tested: something else goes wrong in reality
- Live test?!
- Return-home test
Slide 42: Communication Issues
- Mobile and wired phones get jammed
- Communication volume booms in the first moments of a disaster
- Wrong information
Slide 43: Vulnerability of your BCP
Vulnerability: Audit criteria
- Network: penetration test
- Capacity: stress test
- BCP: what test?
Slide 44: Auditing your BCP (1)
- Risk scenario criteria
- Do not assume "It won't happen to me."
- The lesson will come one day: fire, flood, hardware, software, anthrax ...
Slide 45: Broaden Scenarios to consider
- http://www.contingencyplanning.com/disruption.cfm
- Scenario: key BC personnel are dead
- Worst-case scenario
Slide 46: Auditing your BCP (2)
- BCP dependencies criteria
- Drill test criteria
- Response criteria
- Mock exam: untold scenario
Slide 47: Are you ready any time?
- Availability of:
  - Contact list
  - Grab list
  - Incident response plan
- Are you 7 x 24 x forever ready to go to the front line?
Slide 48: Summary
- BCP is a people's plan
- BCP is a communication-intensive activity
- Do question your assumptions
- Do develop flexible teams for BC management and business recovery
- Do involve more staff
- Do take maintenance into serious consideration
- BCP needs your intuition, creativity and response to succeed. Good luck!
Slide 49: Q &amp; A
SC Leung, Chairperson, PISA, sc.leung_at_pisa.org.hk