SlideShare uma empresa Scribd logo

Fms India 2011 Bcm

Sumeet Sharma
Sumeet Sharma

Business Continuity for Real Estate & Facilities professional.

1 de 19
FMS India 2011 BC Management process and regulatory framework Sumeet Sharma © 2010 Colt Technology Services Group Limited. All rights reserved.
Agenda 1 Colt 2 Business Continuity Management and Regulation 3 Key elements of Risk, Response and Recovery planning 4 Identifying and evaluating asset risks for Business Continuity 5 Business Continuity Strategies 6 Questions and Answers. 2
About Colt 1 1 © 2010 Colt Technology Services Group Limited. All rights reserved.
Business Continuity Management and Regulation 2 © 2010 Colt Technology Services Group Limited. All rights reserved.
Legislation and Regulations in India •Information Technology Act as amended by Act of 2008 •The Information Technology (Amendment) Bill, 2006 •.IN Domain Name Registration Policy •Semiconductor Integrated Circuits Layout-Design Rules, 2001 •Semiconductor Integrated Circuits Layout Design Act 2000 •Rules for Information Technology Act 2000 •.IN Domain Name Dispute Resolution Policy •Gujarat Information technology Rules, 2004 •Karnataka Cyber Cafe Regulations •Information Technology Act, 2000 •India BCP (1. Reserve Bank of India (RBI); 2. Securities & Exchange Board of India (SEBI); 3. National Stock Exchange (NSE); 4. Bombay Stock Exchange (BSE)) 5
Legislation and Regulations International •European Union Data Protection Directive of 1998 •EU Internet Privacy Law of 2002 (DIRECTIVE 2002/58/EC) •MAS Business Continuity Management Guidelines (June 2003) (MAS (Monetary authority of Singapore) •Guidance Note GGN 232.1 Risk Assessment and Business Continuity Management (APRA) Australia •Sarbanes-Oxley Act of 2002 (PL 107-204 2002 HR 3763) – Section 404 (PCAOB (Public Company Accounting Oversight Board)) US •HIPAA (Health Insurance Portability and Accountability Act) Final Security Rule #7. Contingency Plan (164.308 (a) (7) (i) (GAO) US •Interagency Paper for Strengthening the Resilience of US Financial System •STO BR IBBS-1.0-2010 (Central Bank of the Russian Federation (STO BR IBBS-1.0- 2006)) •The Civil Defence & Emergency Management Act (2002 New Zealand) •Manual for the Development of Contingency Plans in Financial Institutions. Japan FSA (FISC (The Centre for Financial Industry Information System)) Japan 6
Management standards International Organization for Standardization •ISO/IEC 27001:2005 (formerly BS 7799-2:2002) ISMS •ISO/IEC 27002:2005 (remunerated ISO17999:2005) Information Security Management – Code of Practice •ISO/IEC 22399:2007 Guideline for incident preparedness and operational continuity management •ISO/IEC 24762:2008 Guidelines for information and communications technology disaster recovery services •IWA 5:2006 Emergency Preparedness British Standards Institution •BS 25999-1:2006 Business Continuity Management Part 1: Code of practice •BS 25999-2:2007 Business Continuity Management Part 2: Specification •BS 25777:2008 Information and communications technology continuity management – Code of practice 7
Key Elements of Risk Response and Recovery planning 3 © 2010 Colt Technology Services Group Limited. All rights reserved.
Risk:  is the potential that a chosen action or inaction will lead to a loss.  implies that a choice is having an influence on the outcome . Potential losses themselves may also be called "risks". Almost any human endeavour carries some risk. Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative) 9
Response and Recovery Risk assessment process: •is a step in a risk management procedure. •Risk assessment is the determination of quantitative or qualitative value of risk. •Defines relation to a concrete situation and a recognized threat. •Methods for assessment of risk may differ between industries •potential loss and probability of occurrence - can be very difficult to measure •Financial decisions, such as insurance, express risk in money values. •health and environmental decisions, loss is simply a verbal description of the outcome •IT risk assessment can be performed by a qualitative or quantitative approach •Quantitative risk assessment ( Annualised Loss Expectancy = Single Loss Expectancy X Annual Rate of Occurrence) •Qualitative risk assessment (Critical Information= Confidentiality + Integrity + Availability) 10
Identifying and evaluating asset risks for business continuity 4 112010 Colt Technology Services Group Limited. All rights reserved. ©
Identifying Assets Primary Assets • Cash and its flow •Business process and Business Activities •Information Supporting Assets •Site •Hardware •Soft ware •People •Network •Organisation 12
Evaluating Assets 1. Net Asset Value • Confidentiality • Integrity • Availability 2. Existing Controls 3. Risk level (Value) •Threat Level • Veurnablity Level 4. Management Decision 5. Mitigation Controls 6. Residual Risk level (Value) 7. Final Management decision and sign off. 13
Business Continuity Strategy 5 © 2010 Colt Technology Services Group Limited. All rights reserved. © 2010 Colt Technology Services Group Limited. All rights reserved.
Relation between Risk Management and BCP •Risk management process creates important inputs for the BCP. •Examples: assets, impact assessments, cost estimates etc. • Risk management also proposes applicable controls for the observed risks. • Therefore, risk management covers several areas that are vital for the BCP process. •However, the BCP process goes beyond risk management's pre-emptive approach • Assumes that the disaster will happen at some point. 15
Strategy Risk Management and BCP strategy: •Avoidance (eliminate, withdraw from or not become involved) •Reduction (optimize - mitigate) •Sharing (transfer - outsource or insure) •Retention (accept and budget) All risks can never be fully avoided or mitigated simply because of financial and practical limitations. Therefore all organizations have to accept some level of residual risks and create a business continuity plan. 16
Case study : Colt Priority 1 incident can End User Priority 3 incident can be defined as a major be defined as an disaster at the facility IT Service Desk incident, which may causing failure of Non-IT IT disrupt a single or operations for more Incident Incident multiple processes for than a week. P3 Incident a short period of Probable cause for Yes Network & Local IT No IT Incident 4hours to 1 day Incident Manager/BCP Team Management Incident Incident Team Earthquake , Environmental P3 Damage Assessment Team (Corp. Security, BCP , Probable cause for Disasters, Hurricane, , RE& Facilities , Local IT, HR Incident Flood, Terrorism etc Inciident Classification Incident Electrical power failure Incident Incident P3 Contained Contained Response Team Communications Priority 2 incident can P1/P2 services breakdown be defined as an Country Crisis Management Team / BCMS Forum P1 Incident Contained IT systems failure incident, which may disrupt some or all P2 Unavailability of Staff / Staff shortage etc. process beyond 1 day Activate BCP P2 Group Crises but less than a week. Management Team Instructions & Probable cause for Yes Updates / Status/ Incident BCP Team (BC Champ & Activate BCP & DR Prolonged Plans Outage? Business Recovery Team) IT systems failure Communications services breakdown Incident No P1 Contained P1 Incident Organised and or P2 Incident Deliberate Disruption 17
Case study : Colt Alternate Workplace: Colt’s strategy for recovery of premises is based on Split Operations, wherein the operations are split in the ratio of 70:30 e.g. 2 Geographically separated and culturally different sites in India, and a similar locally suitable setup in Barcelona. There are different recovery options which have been implemented at Colt as Backup and Recovery Strategies. Hot site: A Hot site is a recovery site that has the equipment, systems and support resources to duplicate/replicate Colt’s business functions affected by any occurrence of an event or disaster. Hot-sites at Colt are generally fully equipped and kept operationally ready. Colt has most of the Data Centres which meets the requirement of a hot site. Warm site: Colt’s alternate recovery site which is only partially equipped and can be readied for operations only as and when required and can be scaled in the same manner as a hot site as per recovery time objectives (RTO) for systems, functions and processes. Colt has identified premises which can meet the requirements of a Warm Site as it has connectivity and other basic infrastructure. They also have SLA and contracts with IT and other suppliers and vendors to meet the operational requirements. Dual Processing: Colt has dual processing facility where Business processes across two locations have been divided (50: 50 or 70: 30 ratio); with live operational infrastructure at both locations. This enables redundancy of any single (critical) business process delivery across multiple locations. This gives the effect of having a secondary site which is like a hot site having some percentage operational capability (and visa versa). If effectively done this will meet the Colt’s minimum recovery time objective to the minimum required emergency service 18
Questions & Answers Thank you for your time and patience Feedback : sumeet.sharma@colt.net 192010 Colt Telecom Group Limited. All rights reserved. ©

Recomendados

Stream 2 - Don't Risk IT
Stream 2 - Don't Risk ITStream 2 - Don't Risk IT
Stream 2 - Don't Risk IT
IBM Business Insight
 
Florida Association of Community Colleges, Council of Student Affairs Present...
Florida Association of Community Colleges, Council of Student Affairs Present...Florida Association of Community Colleges, Council of Student Affairs Present...
Florida Association of Community Colleges, Council of Student Affairs Present...
Margolis Healy
 
Walter Ammann - Business Continuity Management within the Concept of Integrat...
Walter Ammann - Business Continuity Management within the Concept of Integrat...Walter Ammann - Business Continuity Management within the Concept of Integrat...
Walter Ammann - Business Continuity Management within the Concept of Integrat...
Global Risk Forum GRFDavos
 
BC Components and CM Lifecycle
BC Components and CM LifecycleBC Components and CM Lifecycle
BC Components and CM Lifecycle
Zaszou
 
David wilkie task 1 gbs7502
David wilkie task 1 gbs7502David wilkie task 1 gbs7502
David wilkie task 1 gbs7502
dawilkie
 
Apdip disaster mgmt
Apdip disaster mgmtApdip disaster mgmt
Apdip disaster mgmt
Mohammad Reza Eghtesadian
 
Valley Zoo Hazard Assessment
Valley Zoo Hazard AssessmentValley Zoo Hazard Assessment
Valley Zoo Hazard Assessment
City of Edmonton, Community Facility Services
 
Operations Foundation Business Brief 2
Operations Foundation Business Brief 2Operations Foundation Business Brief 2
Operations Foundation Business Brief 2
wdjohnson1
 

Recomendados

Stream 2 - Don't Risk IT
Stream 2 - Don't Risk ITStream 2 - Don't Risk IT
Stream 2 - Don't Risk IT
IBM Business Insight
 
Florida Association of Community Colleges, Council of Student Affairs Present...
Florida Association of Community Colleges, Council of Student Affairs Present...Florida Association of Community Colleges, Council of Student Affairs Present...
Florida Association of Community Colleges, Council of Student Affairs Present...
Margolis Healy
 
Walter Ammann - Business Continuity Management within the Concept of Integrat...
Walter Ammann - Business Continuity Management within the Concept of Integrat...Walter Ammann - Business Continuity Management within the Concept of Integrat...
Walter Ammann - Business Continuity Management within the Concept of Integrat...
Global Risk Forum GRFDavos
 
BC Components and CM Lifecycle
BC Components and CM LifecycleBC Components and CM Lifecycle
BC Components and CM Lifecycle
Zaszou
 
David wilkie task 1 gbs7502
David wilkie task 1 gbs7502David wilkie task 1 gbs7502
David wilkie task 1 gbs7502
dawilkie
 
Apdip disaster mgmt
Apdip disaster mgmtApdip disaster mgmt
Apdip disaster mgmt
Mohammad Reza Eghtesadian
 
Valley Zoo Hazard Assessment
Valley Zoo Hazard AssessmentValley Zoo Hazard Assessment
Valley Zoo Hazard Assessment
City of Edmonton, Community Facility Services
 
Operations Foundation Business Brief 2
Operations Foundation Business Brief 2Operations Foundation Business Brief 2
Operations Foundation Business Brief 2
wdjohnson1
 
Muttart Hazard Assessment
Muttart Hazard AssessmentMuttart Hazard Assessment
Muttart Hazard Assessment
City of Edmonton, Community Facility Services
 
Return on Security Investment
Return on Security InvestmentReturn on Security Investment
Return on Security Investment
Conferencias FIST
 
Kinsmen Hazard Assessment
Kinsmen Hazard AssessmentKinsmen Hazard Assessment
Kinsmen Hazard Assessment
City of Edmonton, Community Facility Services
 
FEP Hazard Assesment
FEP Hazard AssesmentFEP Hazard Assesment
FEP Hazard Assesment
City of Edmonton, Community Facility Services
 
Swenson Group Vvma
Swenson Group VvmaSwenson Group Vvma
Swenson Group Vvma
mhunter22
 
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
Energy Network marcus evans
 
ACT Hazard Assessment
ACT Hazard AssessmentACT Hazard Assessment
ACT Hazard Assessment
City of Edmonton, Community Facility Services
 
Preparing For The Governance Backlash
Preparing For The Governance BacklashPreparing For The Governance Backlash
Preparing For The Governance Backlash
UNSW Canberra
 
20[1].03.Simplified Security
20[1].03.Simplified Security20[1].03.Simplified Security
20[1].03.Simplified Security
ravichar
 
Sibos innotribe 3
Sibos innotribe 3Sibos innotribe 3
Sibos innotribe 3
Pamela Cytron
 
Tpcs risk table.xls
Tpcs risk table.xlsTpcs risk table.xls
Tpcs risk table.xls
eriko51
 
eircom Managed Security
eircom Managed Securityeircom Managed Security
eircom Managed Security
eircom
 
Improving Your Information Security Program
Improving Your Information Security ProgramImproving Your Information Security Program
Improving Your Information Security Program
Seccuris Inc.
 
Is0 749 sample business plan of nesans
Is0 749 sample business plan of nesansIs0 749 sample business plan of nesans
Is0 749 sample business plan of nesans
Balan Jeevana
 
Sahana Presentation 20090827
Sahana Presentation 20090827Sahana Presentation 20090827
Sahana Presentation 20090827
GavinTreadgold
 
Hutton B Side Sf
Hutton B Side SfHutton B Side Sf
Hutton B Side Sf
Alexander Hutton
 
Safetydivnewslettersummer05
Safetydivnewslettersummer05Safetydivnewslettersummer05
Safetydivnewslettersummer05
supperman2011
 
Debs 2012 basic proactive
Debs 2012 basic proactiveDebs 2012 basic proactive
Debs 2012 basic proactive
Opher Etzion
 
Blogger
BloggerBlogger
Blogger
revistaamazonia
 
World-Class Incident Response Management
World-Class Incident Response ManagementWorld-Class Incident Response Management
World-Class Incident Response Management
Keith Smith
 
Business Meets IT presentation: Business Continuity
Business Meets IT presentation: Business ContinuityBusiness Meets IT presentation: Business Continuity
Business Meets IT presentation: Business Continuity
William Visterin
 
Risk Management - Business Continuity Planning and Management
Risk Management - Business Continuity Planning and ManagementRisk Management - Business Continuity Planning and Management
Risk Management - Business Continuity Planning and Management
Cody Shive
 

Mais conteúdo relacionado

Mais procurados

Return on Security Investment
Return on Security InvestmentReturn on Security Investment
Return on Security Investment
Conferencias FIST
 
Tpcs risk table.xls
Tpcs risk table.xlsTpcs risk table.xls
Tpcs risk table.xls
eriko51
 
Is0 749 sample business plan of nesans
Is0 749 sample business plan of nesansIs0 749 sample business plan of nesans
Is0 749 sample business plan of nesans
Balan Jeevana
 
Safetydivnewslettersummer05
Safetydivnewslettersummer05Safetydivnewslettersummer05
Safetydivnewslettersummer05
supperman2011
 

Mais procurados (19)

Muttart Hazard Assessment
Muttart Hazard AssessmentMuttart Hazard Assessment
Muttart Hazard Assessment
 
Return on Security Investment
Return on Security InvestmentReturn on Security Investment
Return on Security Investment
 
Kinsmen Hazard Assessment
Kinsmen Hazard AssessmentKinsmen Hazard Assessment
Kinsmen Hazard Assessment
 
FEP Hazard Assesment
FEP Hazard AssesmentFEP Hazard Assesment
FEP Hazard Assesment
 
Swenson Group Vvma
Swenson Group VvmaSwenson Group Vvma
Swenson Group Vvma
 
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
Protecting Utilities through Business Continuity - Scott Roe, Corporate Risk ...
 
ACT Hazard Assessment
ACT Hazard AssessmentACT Hazard Assessment
ACT Hazard Assessment
 
Preparing For The Governance Backlash
Preparing For The Governance BacklashPreparing For The Governance Backlash
Preparing For The Governance Backlash
 
20[1].03.Simplified Security
20[1].03.Simplified Security20[1].03.Simplified Security
20[1].03.Simplified Security
 
Sibos innotribe 3
Sibos innotribe 3Sibos innotribe 3
Sibos innotribe 3
 
Tpcs risk table.xls
Tpcs risk table.xlsTpcs risk table.xls
Tpcs risk table.xls
 
eircom Managed Security
eircom Managed Securityeircom Managed Security
eircom Managed Security
 
Improving Your Information Security Program
Improving Your Information Security ProgramImproving Your Information Security Program
Improving Your Information Security Program
 
Is0 749 sample business plan of nesans
Is0 749 sample business plan of nesansIs0 749 sample business plan of nesans
Is0 749 sample business plan of nesans
 
Sahana Presentation 20090827
Sahana Presentation 20090827Sahana Presentation 20090827
Sahana Presentation 20090827
 
Hutton B Side Sf
Hutton B Side SfHutton B Side Sf
Hutton B Side Sf
 
Safetydivnewslettersummer05
Safetydivnewslettersummer05Safetydivnewslettersummer05
Safetydivnewslettersummer05
 
Debs 2012 basic proactive
Debs 2012 basic proactiveDebs 2012 basic proactive
Debs 2012 basic proactive
 
Blogger
BloggerBlogger
Blogger
 

Semelhante a Fms India 2011 Bcm

Business Driven Security Securing the Smarter Planet pcty_020710_rev
Business Driven Security Securing the Smarter Planet pcty_020710_revBusiness Driven Security Securing the Smarter Planet pcty_020710_rev
Business Driven Security Securing the Smarter Planet pcty_020710_rev
Shanker Sareen
 
Disaster recovery
Disaster recoveryDisaster recovery
Disaster recovery
iban3x
 

Semelhante a Fms India 2011 Bcm (20)

World-Class Incident Response Management
World-Class Incident Response ManagementWorld-Class Incident Response Management
World-Class Incident Response Management
 
Business Meets IT presentation: Business Continuity
Business Meets IT presentation: Business ContinuityBusiness Meets IT presentation: Business Continuity
Business Meets IT presentation: Business Continuity
 
Risk Management - Business Continuity Planning and Management
Risk Management - Business Continuity Planning and ManagementRisk Management - Business Continuity Planning and Management
Risk Management - Business Continuity Planning and Management
 
Business Continuity Planning
Business Continuity PlanningBusiness Continuity Planning
Business Continuity Planning
 
Dubai Nov08 Erm Gs Khoo
Dubai Nov08 Erm Gs KhooDubai Nov08 Erm Gs Khoo
Dubai Nov08 Erm Gs Khoo
 
Security and Business Continuity Working Together
Security and Business Continuity Working TogetherSecurity and Business Continuity Working Together
Security and Business Continuity Working Together
 
Industrial Control Systems and Incident Response
Industrial Control Systems and Incident Response Industrial Control Systems and Incident Response
Industrial Control Systems and Incident Response
 
An Introduction To ICT Continuity Based On BS 25777
An Introduction To ICT Continuity Based On BS 25777An Introduction To ICT Continuity Based On BS 25777
An Introduction To ICT Continuity Based On BS 25777
 
IT Disaster Recovery & Business Continuity
IT Disaster Recovery & Business ContinuityIT Disaster Recovery & Business Continuity
IT Disaster Recovery & Business Continuity
 
Barqa Edinburgh Final
Barqa Edinburgh FinalBarqa Edinburgh Final
Barqa Edinburgh Final
 
Security Patterns How To Make Security Arch Easy To Consume
Security Patterns How To Make Security Arch Easy To ConsumeSecurity Patterns How To Make Security Arch Easy To Consume
Security Patterns How To Make Security Arch Easy To Consume
 
Business Driven Security Securing the Smarter Planet pcty_020710_rev
Business Driven Security Securing the Smarter Planet pcty_020710_revBusiness Driven Security Securing the Smarter Planet pcty_020710_rev
Business Driven Security Securing the Smarter Planet pcty_020710_rev
 
DS Crisis Management Foundation Introduction
DS Crisis Management Foundation IntroductionDS Crisis Management Foundation Introduction
DS Crisis Management Foundation Introduction
 
ITSM Academy Webinar - Incident Management
ITSM Academy Webinar - Incident ManagementITSM Academy Webinar - Incident Management
ITSM Academy Webinar - Incident Management
 
Cyber Security and Business Continuity an Integrated Discipline
Cyber Security and Business Continuity an Integrated DisciplineCyber Security and Business Continuity an Integrated Discipline
Cyber Security and Business Continuity an Integrated Discipline
 
Disaster recovery
Disaster recoveryDisaster recovery
Disaster recovery
 
Business continuity overview
Business continuity overviewBusiness continuity overview
Business continuity overview
 
Hawaii Pacific GIS Conference 2012: Disaster Management and Emergency Respons...
Hawaii Pacific GIS Conference 2012: Disaster Management and Emergency Respons...Hawaii Pacific GIS Conference 2012: Disaster Management and Emergency Respons...
Hawaii Pacific GIS Conference 2012: Disaster Management and Emergency Respons...
 
Bronack Skills - Risk Management and SRE v1.0 12-10-2023.pdf
Bronack Skills - Risk Management and SRE v1.0 12-10-2023.pdfBronack Skills - Risk Management and SRE v1.0 12-10-2023.pdf
Bronack Skills - Risk Management and SRE v1.0 12-10-2023.pdf
 
Journey to the Center of Security Operations
Journey to the Center of Security OperationsJourney to the Center of Security Operations
Journey to the Center of Security Operations
 

Fms India 2011 Bcm

  • 1. FMS India 2011 BC Management process and regulatory framework Sumeet Sharma © 2010 Colt Technology Services Group Limited. All rights reserved.
  • 2. Agenda 1 Colt 2 Business Continuity Management and Regulation 3 Key elements of Risk, Response and Recovery planning 4 Identifying and evaluating asset risks for Business Continuity 5 Business Continuity Strategies 6 Questions and Answers. 2
  • 3. About Colt 1 1 © 2010 Colt Technology Services Group Limited. All rights reserved.
  • 4. Business Continuity Management and Regulation 2 © 2010 Colt Technology Services Group Limited. All rights reserved.
  • 5. Legislation and Regulations in India •Information Technology Act as amended by Act of 2008 •The Information Technology (Amendment) Bill, 2006 •.IN Domain Name Registration Policy •Semiconductor Integrated Circuits Layout-Design Rules, 2001 •Semiconductor Integrated Circuits Layout Design Act 2000 •Rules for Information Technology Act 2000 •.IN Domain Name Dispute Resolution Policy •Gujarat Information technology Rules, 2004 •Karnataka Cyber Cafe Regulations •Information Technology Act, 2000 •India BCP (1. Reserve Bank of India (RBI); 2. Securities & Exchange Board of India (SEBI); 3. National Stock Exchange (NSE); 4. Bombay Stock Exchange (BSE)) 5
  • 6. Legislation and Regulations International •European Union Data Protection Directive of 1998 •EU Internet Privacy Law of 2002 (DIRECTIVE 2002/58/EC) •MAS Business Continuity Management Guidelines (June 2003) (MAS (Monetary authority of Singapore) •Guidance Note GGN 232.1 Risk Assessment and Business Continuity Management (APRA) Australia •Sarbanes-Oxley Act of 2002 (PL 107-204 2002 HR 3763) – Section 404 (PCAOB (Public Company Accounting Oversight Board)) US •HIPAA (Health Insurance Portability and Accountability Act) Final Security Rule #7. Contingency Plan (164.308 (a) (7) (i) (GAO) US •Interagency Paper for Strengthening the Resilience of US Financial System •STO BR IBBS-1.0-2010 (Central Bank of the Russian Federation (STO BR IBBS-1.0- 2006)) •The Civil Defence & Emergency Management Act (2002 New Zealand) •Manual for the Development of Contingency Plans in Financial Institutions. Japan FSA (FISC (The Centre for Financial Industry Information System)) Japan 6
  • 7. Management standards International Organization for Standardization •ISO/IEC 27001:2005 (formerly BS 7799-2:2002) ISMS •ISO/IEC 27002:2005 (remunerated ISO17999:2005) Information Security Management – Code of Practice •ISO/IEC 22399:2007 Guideline for incident preparedness and operational continuity management •ISO/IEC 24762:2008 Guidelines for information and communications technology disaster recovery services •IWA 5:2006 Emergency Preparedness British Standards Institution •BS 25999-1:2006 Business Continuity Management Part 1: Code of practice •BS 25999-2:2007 Business Continuity Management Part 2: Specification •BS 25777:2008 Information and communications technology continuity management – Code of practice 7
  • 8. Key Elements of Risk Response and Recovery planning 3 © 2010 Colt Technology Services Group Limited. All rights reserved.
  • 9. Risk:  is the potential that a chosen action or inaction will lead to a loss.  implies that a choice is having an influence on the outcome . Potential losses themselves may also be called "risks". Almost any human endeavour carries some risk. Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative) 9
  • 10. Response and Recovery Risk assessment process: •is a step in a risk management procedure. •Risk assessment is the determination of quantitative or qualitative value of risk. •Defines relation to a concrete situation and a recognized threat. •Methods for assessment of risk may differ between industries •potential loss and probability of occurrence - can be very difficult to measure •Financial decisions, such as insurance, express risk in money values. •health and environmental decisions, loss is simply a verbal description of the outcome •IT risk assessment can be performed by a qualitative or quantitative approach •Quantitative risk assessment ( Annualised Loss Expectancy = Single Loss Expectancy X Annual Rate of Occurrence) •Qualitative risk assessment (Critical Information= Confidentiality + Integrity + Availability) 10
  • 11. Identifying and evaluating asset risks for business continuity 4 112010 Colt Technology Services Group Limited. All rights reserved. ©
  • 12. Identifying Assets Primary Assets • Cash and its flow •Business process and Business Activities •Information Supporting Assets •Site •Hardware •Soft ware •People •Network •Organisation 12
  • 13. Evaluating Assets 1. Net Asset Value • Confidentiality • Integrity • Availability 2. Existing Controls 3. Risk level (Value) •Threat Level • Veurnablity Level 4. Management Decision 5. Mitigation Controls 6. Residual Risk level (Value) 7. Final Management decision and sign off. 13
  • 14. Business Continuity Strategy 5 © 2010 Colt Technology Services Group Limited. All rights reserved. © 2010 Colt Technology Services Group Limited. All rights reserved.
  • 15. Relation between Risk Management and BCP •Risk management process creates important inputs for the BCP. •Examples: assets, impact assessments, cost estimates etc. • Risk management also proposes applicable controls for the observed risks. • Therefore, risk management covers several areas that are vital for the BCP process. •However, the BCP process goes beyond risk management's pre-emptive approach • Assumes that the disaster will happen at some point. 15
  • 16. Strategy Risk Management and BCP strategy: •Avoidance (eliminate, withdraw from or not become involved) •Reduction (optimize - mitigate) •Sharing (transfer - outsource or insure) •Retention (accept and budget) All risks can never be fully avoided or mitigated simply because of financial and practical limitations. Therefore all organizations have to accept some level of residual risks and create a business continuity plan. 16
  • 17. Case study : Colt Priority 1 incident can End User Priority 3 incident can be defined as a major be defined as an disaster at the facility IT Service Desk incident, which may causing failure of Non-IT IT disrupt a single or operations for more Incident Incident multiple processes for than a week. P3 Incident a short period of Probable cause for Yes Network & Local IT No IT Incident 4hours to 1 day Incident Manager/BCP Team Management Incident Incident Team Earthquake , Environmental P3 Damage Assessment Team (Corp. Security, BCP , Probable cause for Disasters, Hurricane, , RE& Facilities , Local IT, HR Incident Flood, Terrorism etc Inciident Classification Incident Electrical power failure Incident Incident P3 Contained Contained Response Team Communications Priority 2 incident can P1/P2 services breakdown be defined as an Country Crisis Management Team / BCMS Forum P1 Incident Contained IT systems failure incident, which may disrupt some or all P2 Unavailability of Staff / Staff shortage etc. process beyond 1 day Activate BCP P2 Group Crises but less than a week. Management Team Instructions & Probable cause for Yes Updates / Status/ Incident BCP Team (BC Champ & Activate BCP & DR Prolonged Plans Outage? Business Recovery Team) IT systems failure Communications services breakdown Incident No P1 Contained P1 Incident Organised and or P2 Incident Deliberate Disruption 17
  • 18. Case study : Colt Alternate Workplace: Colt’s strategy for recovery of premises is based on Split Operations, wherein the operations are split in the ratio of 70:30 e.g. 2 Geographically separated and culturally different sites in India, and a similar locally suitable setup in Barcelona. There are different recovery options which have been implemented at Colt as Backup and Recovery Strategies. Hot site: A Hot site is a recovery site that has the equipment, systems and support resources to duplicate/replicate Colt’s business functions affected by any occurrence of an event or disaster. Hot-sites at Colt are generally fully equipped and kept operationally ready. Colt has most of the Data Centres which meets the requirement of a hot site. Warm site: Colt’s alternate recovery site which is only partially equipped and can be readied for operations only as and when required and can be scaled in the same manner as a hot site as per recovery time objectives (RTO) for systems, functions and processes. Colt has identified premises which can meet the requirements of a Warm Site as it has connectivity and other basic infrastructure. They also have SLA and contracts with IT and other suppliers and vendors to meet the operational requirements. Dual Processing: Colt has dual processing facility where Business processes across two locations have been divided (50: 50 or 70: 30 ratio); with live operational infrastructure at both locations. This enables redundancy of any single (critical) business process delivery across multiple locations. This gives the effect of having a secondary site which is like a hot site having some percentage operational capability (and visa versa). If effectively done this will meet the Colt’s minimum recovery time objective to the minimum required emergency service 18
  • 19. Questions & Answers Thank you for your time and patience Feedback : sumeet.sharma@colt.net 192010 Colt Telecom Group Limited. All rights reserved. ©