Illusions of Business Continuity Planning
S.C. Leung CISSP, CISA, Chairperson, PISA
1
Illusions of Business Continuity Planning
S.C. Leung CISSP, CISA, Chairperson, PISA
2
What is BCP for?
  • Business Continuity Planning
  • Advance planning and arrangements to ensure
    continuity of the critical functions of an
    organization
  • Preparations and procedures sufficient for
    responding to a disaster
  • Incident Response is the first step in responding
    to a disaster

3
What is the No.1 Priority ?
  • No.1 priority of Disaster Response Personnel:
    Life
  • In all cases, do not expose employees to risk.
    Risk is greatest during evacuation

4
BC Management Team
Typical BC Management Team
5
BC Coordinators
6
BC Management Recovery
7
Major Plan Components
8
Lessons from WTC Bomb Attack 1993
  • Out of 350 companies that operated in the WTC
    prior to the bombing in 1993,
  • 150 were out of business a year later
  • A Business Continuity Plan is vital!

9
Importance of BCP ratified
  • Where the pain had been felt
  • BCP Objectives defined
  • BCP Management Team formed
  • BCP Coordinators nominated
  • BCP Procedure developed
  • BCP Drill Tests performed
  • BCP Resources budgeted
  • Risks mitigated and contained to a large extent!

10
Lessons from WTC Attack 2001
  • By Richard Corcoran, Manager, Global Business
    Continuity, Eastman Kodak Company
  • http://www.contingencyplanning.com/article_index.cfm?article=393

Lessons Learnt from 9/11
11
Human Factors of BCP
  • Significant trauma and stress on personnel,
    progressively getting worse with each day
    (MORALE)
  • Companies are not prepared to lose critical
    recovery team personnel (a key assumption for
    BCP to work)

12
DR Planning Flaws
  • Companies seriously under-estimated how long it
    would take to recover. Some of this was
    attributed to loss of staff.
  • Few customers had workstation recovery plans for
    their end users
  • The DR budget needs to be increased from 3.5% to
    6% of the IT budget. (Financial sector: up to
    12-15% is required!)

13
DR Drill Test Insufficiencies
  • Problems in data synchronization and in links to
    feeding and dependent systems: companies did
    not thoroughly test these interfaces
  • There should have been more testing with end
    users.

14
DR Maintenance Flaws
  • It is very hard to get technical team members to
    document their sections of the recovery plan.
  • Some companies suffered significant vital record
    problems because of flaws in their backup and
    off-site storage programs
  • Companies had not updated their capacity
    requirements as their environments grew

15
Communication Issues
  • Many experienced significant network issues

16
So what had gone wrong?
  • What we have got is an Illusion of BCP
  • It is not yet a Reality BCP!

17
Re-think BCP

18
What is the Focus?
  • Many organizations treat BCP as a technical plan

[Diagram: BCP at the centre of People, Process and Technology]
19
Weakness in People
[Diagram: BCP at the centre of People, Process and Technology]
20
A BCP is a People Plan
  • It deals with people
  • People design it
  • People test and implement it
  • People make the plan work when it is needed
  • People are the determining factor of BCP success

21
Insufficient Training
  • A recent survey found that 70% of respondents did
    not get sufficient Business Continuity or
    Disaster Training
  • BCP seems to be more Good Intention than Practice

22
People in the Weak Links (1)
  • Dependencies on Business Recovery Personnel
  • Success in contacting and deploying personnel is
    vital to the execution of the BC Plan
  • Leadership must be Visible
  • Leadership must be Available
  • Is BC Management always available?
  • What if the BCM and BCC are trapped in the
    disaster site?

23
People in the Weak Links (2)
  • Release the dependencies on Business Recovery
    Personnel
  • Flexible command structure
  • Alternative recovery personnel
  • Cross-train, rotate responsibilities
  • More staff involvement
  • Off-site staff

24
Incident Command System
  • ICS: a US system for any emergency incident
  • Prime purpose: stabilize the incident and provide
    for life safety
  • A management system
  • Adaptable to any emergency or incident
  • From a single jurisdiction or agency to multiple
    jurisdictions or agencies

25
Incident Command System
  • Commander
  • The initial and highest-ranking authority
    available
  • Transfer of Command
  • When the most qualified person arrives
  • When the incident changes
  • When the incident extends over a long time frame

26
ICS Organization Chart
27
People in the Weak Links (3)
  • Be realistic about people
  • Do not assume everyone is available
  • Do not assume everyone knows what to do
  • Do not assume everyone works according to plan
  • People's morale and concerns change over time

28
People in the Weak Links (4)
  • External support is not always available
  • Can we survive until emergency agencies arrive?

29
People in the Weak Links (5)
  • People interfering with your BCP execution
  • Neighbors creating turmoil
  • Customers pressing for critical production
  • Suppliers demanding cash on delivery of recovery
    services
  • Media calling in every 15 minutes

30
Weakness in Process
[Diagram: BCP at the centre of People, Process and Technology]
31
Weak Post-planning
  • Pre-planning
  • Planning
  • Post-planning
  • Awareness Program
  • Training Program, for BCM, BCC and staff
  • Plan Maintenance
  • Public Relations and Crisis Communication
  • Coordination with Public Authority

32
Awareness Training
  • Is it part of your plan? Scheduled? Budgeted?
  • Have all staff been involved? Do they have the
    awareness to report incidents?
  • Continued education for the BC Coordinator?
  • Information sharing on recent disasters and
    lessons learned
  • Disaster Recovery Journal www.drj.com
  • Disaster Recovery Institute www.drii.org
  • Federal Emergency Mgmt. Agency www.fema.gov
  • User Groups

33
Maintenance and Update Phase
  • The most difficult part of BCP
  • How do you organize, manage and coordinate the
    effects of change?
  • Do you have standards and procedures to
    incorporate changes on a routine schedule?
  • How often do you update your BCP?
  • Yearly? Half-yearly? Monthly? When there is a
    critical change?
  • Have you budgeted the required resources?

34
Best Practice
  • Make BCP part of routine practice
  • Include BCP as a key component of the Security
    Policy
  • Include BCP in the Change Management Procedure
  • Reward employee involvement and solutions

35
Public Relations / Coordination with Public
Authorities
  • Disaster Declaration Procedure
  • Have you developed one?
  • Crisis Management Team
  • Who is involved?
  • Public Relations Program
  • Do you find you need it earlier?

36
Weakness in Technology
[Diagram: BCP at the centre of People, Process and Technology]
37
Assumptions of Technical Controls for BCP
  • Control measures are built around the theme of
    avoiding Single Points of Failure
  • All controls are assumed to be working and available

38
Single Point of Failure (1)
  • Sometimes the assumption needs to be challenged
  • Case: your building is fed from a dual power
    grid

39
Single Point of Failure (2)
  • Backup site distance
  • 400m? 4km? 12km?

40
DR Site Arrangement Usable?
  • A reciprocal arrangement is not guaranteed
  • Is the DR service level guaranteed?
  • Staff not familiar with the DR site environment

41
Is the Test Drill enough?
  • Staff involvement is low
  • Do your drills involve only the Business
    Continuity Coordinators?
  • Plan not thoroughly tested
  • Something else goes wrong in reality
  • Live Test?!
  • Return Home Test

42
Communication Issues
  • Mobile and wired phones get jammed
  • Communication volume booms in the first moments of
    a disaster
  • Wrong information

43
Vulnerability of your BCP
  Vulnerability    Audit Criteria
  Network          Penetration Test
  Capacity         Stress Test
  BCP              What Test?
44
Auditing your BCP (1)
  • Risk Scenario Criteria
  • Do not assume "It won't happen to me."
  • The lesson will come one day: Fire, Flood,
    Hardware, Software, Anthrax ...

45
Broaden Scenarios to consider
http://www.contingencyplanning.com/disruption.cfm
  • Scenario: key BC personnel are dead
  • Worst Case Scenario

46
Auditing your BCP (2)
  • BCP Dependencies Criteria
  • Drill Test Criteria
  • Response Criteria
  • Mock Exam: untold scenario

47
Are you ready any time?
  • Availability of
  • Contact List
  • Grab List
  • Incident Response Plan
  • Are you 7 x 24 x forever ready to go to the
    front line?

48
Summary
  • BCP is a people's plan
  • BCP is a communication-intensive activity
  • Do question your assumptions
  • Do develop flexible teams for BC Management and
    Business Recovery
  • Do involve more staff
  • Do take Maintenance into serious consideration
  • BCP needs your intuition, creativity and response
    to succeed. Good Luck!

49
Q & A
  • Thank You

SC Leung, Chairperson, PISA, sc.leung@pisa.org.hk