BCI ICT Resilience

BCM & ICT Continuity Standards: What are their purposes and how can they work together?
Ron Miller Principal Consultant
www.sungard.co.uk
What Ill be covering

ISO 27031 and ISO 24762 why?
ICT continuity standards key content and guidance
Principles Elements
The relationships and integration with the GPG, BS 25999
and ISO 22301 ICT recovery versus resilience, addressing common issues
2010 SunGard. | www.sungard.co.uk
It was all about IT DR
BCM growth
Medium Business
IT
Sectors
Public Sector
Big Business
1970s
1980s
TIME
1990s
2000s
BS 25999 British Standard for Business Continuity Management

Provided guidance for
organizations:
Of all sizes In all sectors
What they should do to:

Enhance resilience Provide restoration of key products and services Deliver proven capability to manage disruption (but not how they do it!)
BCM Lifecycle (BS 25999)

Widely adopted UK and beyond Used as basis for ISO 22301
and ISO 22313 Used as the basis for other continuity and resilience standards
TC223 ISO standards US BCM standard
But what about ICT?
ISO 27000
ISO 27001 5 controls (out of 133)

ISO 27002 Four and a half pages of high-level guidance (out of 130 pages)
BS 25777
How BS 25777 integrated with BS 25999
The need for ISO 27031

Increasing dependency on information and
communications technology Comprehensive guidance established for business continuity management - BS 25999 and others
Supported by ICT continuity guidance BS 25777
No detailed guidance directly related to ISO 27001 Significant gaps continue to be present between business
and supporting ICT continuity and resilience in many organisations
11
BS 25777 evolved into.

ISO 27031
Guidelines for information and communication technology readiness for business continuity
Takes the core elements of BS 25777 Links them to an information security anchor Provides guidance which expands upon ISO 27002 Helps in the implementation of controls contained within
ISO 27001
12
ISO 27031
Continues to integrate with
BC Supports the PDCA process

Planning Implementing and operating Assessing, measuring and reviewing Corrective and preventive actions
Supports ISMS
13
ISO 24762 what is it?

Guidelines for information
and communications technology disaster recovery services

provision of information and communications technology disaster recovery (ICT DR) services as part of business continuity management applicable to both in-house and outsourced ICT DR service providers of physical facilities and services.
14
ISO 24762 is it any good?
No!
Based on Singapore standard
ISO consultation process failed BCM community unaware of its existence until too late Service-providers unaware of its existence until too late.
Does not integrate with BCM
standards Does not integrate with ISO 27031 Shining example of how-notto-develop-a-standard
Now at beginning of revision process.
15
ISO 24762 who uses it?
Good question!
16
ISO 24762 - who uses it?
BSi sells it!!

Some dubious claims by
vendors Experts offering advice
17
Concepts and Principles
18
Concepts and Principles of ISO 27031

ICT Readiness for BC
IRBC
Complements and supports BCM and/or ISMS

Improving the incident detection capabilities Preventing a sudden or drastic failure Enabling an acceptable degradation of operational status should the failure be unstoppable; Further shorten recovery time; and Minimising impact upon eventual occurrence of the incident.
19
The relationship between IRBC and BCM
20
The relationship between IRBC and BCM
21
ICT Readiness Principles
22
Key principles
Incident prevention
Incident detection Response
Recovery
Improvement
23
24
Incident prevention
Iterative process ICT Readiness promotes resilience
Facilitates identification of critical components in each of the elements which make up the ICT environment Relates ICT criticality to wider business criticalities Priorities also driven by BC requirements
25
Incident prevention
Iterative process
Justifies resource and budget for appropriate resilience measures Monitors the performance of resilience measures Review and improvement following exercises, tests and incidents
26
Incident prevention
People
27
Incident prevention
People
Facilities
28
Incident prevention
People
Facilities Technology
29
Incident prevention
People
Data
30
Incident prevention
People
Data
Processes
31
Incident prevention
People
Data
Processes
Suppliers
32
Incident detection
IRBC promotes
Response BEFORE an incident occurs, upon detection of one or a series of related events that become incidents Detecting incidents at the earliest opportunity minimizes impact to services, reduces recovery effort, and preserves quality of service Investment in detection should be linked to the business continuity needs
33
Incident detection
People
Hardware failures Malfunctions in racks, servers, storage arrays, tape devices Network Data connectivity interruptions, intrusion detection etc. Software Upgrade issues, unauthorised software, malware etc.
Data
Corrupted datasets, incomplete datasets etc.
Processes
System changes, maintenance etc.
Suppliers
Power failure, telecoms outage
34
Response
IRBC promotes
existing good practice

Confirm nature and extent of incident Take control of situation Contain the incident Communicate with stakeholders (Not necessarily a chronological order.)
35
Response
Confirm nature and
extent of incident
Acquire information Assess How does it affect the elements of the ICT environment?
How might this affect service-users and the critical activities of the organisation?
36
Response
Take control of situation
Automatic or manual failover? Determine priorities for mitigating incident

People Facilities Technology Data Processes Suppliers
Determine resource requirements Communicate
37
Response
Contain the incident Auto or manual failover? Direct resources to manage situation Communicate
Is there concurrent activation of BC Incident Management? Liaise with rest of organisation
Activate relevant contingency arrangements
38
Response
Communicate Communication essential all the way through the response process Integration with overall BC incident management process
39
Recovery
Technical recovery plans
In conjunction with organisational business continuity plans Failover of immediately timecritical systems Recovery of less time-sensitive systems
Manage recovery process

Over hours, days, weeks..
40
Improvement
IRBC promotes
improvement
Lessons learned from exercises Audits/self assessment Feedback from periodic BIAs and risk assessments Corrective action following incidents Preventive action
41
The ICT Resilience Gap
Why do organisations
get it wrong? The consequences of the gap
42
Managing Expectations?
ICT Teams plan for this?
Service users expect this?
Information value is the key

IT departments are
custodians of information They are NOT the owners of the information They do not know its value
Value is not always about money Value can be reputational, service-related etc.
45
Mismatch of expectations
IT Youll get what we choose to give you Business What do you mean? Dont you give us
EVERYTHING?????
Constraints
Technological Budgetary Resource
Fundamental misunderstandings about business and role
of technology Fundamental misunderstandings about the holistic nature of ICT
The example of email
The impact of ICT loss

Impacts are not always
obvious ICT requirements postdisruption can be quite different from business-asusual Criticality of the same data can vary widely across the organisation not all data is born equal! Recovery is frequently not an option
48
The consequences
Mismatch of ICT resilience implementation and
organisational requirements
Wasteful of expenditure and resource Provides the WRONG ICT environment in the WRONG timescales IT departments frequently concentrate on DR rather than resilience and continuity
We dont need to bother about uptime because we know we have good DR They dont ask users the right questions
Business departments dont know/share continuity requirements
RTOs RPOs
Each sides knowledge of information availability capabilities and requirements remains unknown to the other
49
The consequences
The organisation
implements an information security programme which fails to deliver on information availability
50
ICT Resilience
How can the costs be justified?
How can ISO 27031 help?
51
Getting value for money

Mechanism for realism in
service-user BCM requirements

Relates RTOs and RPOs to Minimum Business Continuity Objectives
Rationalises IT DR spend
Justifies cost to the business
Resilience versus
Recovery
ISO 27031 and BS 25999

Holistic view of ICT and how it fits
within the organisation

People Facilities Technology Data Processes Suppliers
..and how they fit into the
principles of:
Incident prevention Incident detection Response Recovery Improvement
Embedding ICT Readiness

Provides a framework for
ensuring ICT Readiness is aligned with business requirements Gets IT and service-users involved in validation Provides budgetary and business rationale for investment in ICT resilience
Supports and complements BS 25999 and ISO 27001

Provides the guidance which supports BCM and
information security goals ICT Readiness is driven by business/organizational requirements (not the other way round) ICT Readiness and resilience capabilities feed back into organizational goals Ensures that information availability is tackled as effectively as confidentiality and integrity.

BCI ICT Resilience

Uploaded by

Copyright:

Available Formats

BCI ICT Resilience

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BCI ICT Resilience

Uploaded by

Copyright:

Available Formats

BCM & ICT Continuity Standards: What are their purposes and how can they work together?

Ron Miller Principal Consultant

What Ill be covering

The relationships and integration with the GPG, BS 25999

2010 SunGard. | www.sungard.co.uk

It was all about IT DR

2010 SunGard. | www.sungard.co.uk

2010 SunGard. | www.sungard.co.uk

BS 25999 British Standard for Business Continuity Management

What they should do to:

2010 SunGard. | www.sungard.co.uk

BCM Lifecycle (BS 25999)

2010 SunGard. | www.sungard.co.uk

But what about ICT?

2010 SunGard. | www.sungard.co.uk

ISO 27001 5 controls (out of 133)

2010 SunGard. | www.sungard.co.uk

2010 SunGard. | www.sungard.co.uk

How BS 25777 integrated with BS 25999

2010 SunGard. | www.sungard.co.uk

The need for ISO 27031

and supporting ICT continuity and resilience in many organisations

2010 SunGard. | www.sungard.co.uk

BS 25777 evolved into.

2010 SunGard. | www.sungard.co.uk

BC Supports the PDCA process

2010 SunGard. | www.sungard.co.uk

ISO 24762 what is it?

and communications technology disaster recovery services

2010 SunGard. | www.sungard.co.uk

ISO 24762 is it any good?

Does not integrate with BCM

ISO 24762 who uses it?

2010 SunGard. | www.sungard.co.uk

ISO 24762 - who uses it?

BSi sells it!!

vendors Experts offering advice

2010 SunGard. | www.sungard.co.uk

Concepts and Principles

2010 SunGard. | www.sungard.co.uk

Concepts and Principles of ISO 27031

Complements and supports BCM and/or ISMS

2010 SunGard. | www.sungard.co.uk

The relationship between IRBC and BCM

2010 SunGard. | www.sungard.co.uk

The relationship between IRBC and BCM

2010 SunGard. | www.sungard.co.uk

ICT Readiness Principles

2010 SunGard. | www.sungard.co.uk

2010 SunGard. | www.sungard.co.uk

2010 SunGard. | www.sungard.co.uk

Iterative process ICT Readiness promotes resilience

2010 SunGard. | www.sungard.co.uk

2010 SunGard. | www.sungard.co.uk

2010 SunGard. | www.sungard.co.uk

2010 SunGard. | www.sungard.co.uk

2010 SunGard. | www.sungard.co.uk

2010 SunGard. | www.sungard.co.uk

2010 SunGard. | www.sungard.co.uk

2010 SunGard. | www.sungard.co.uk