1 / 22

Planning for Disaster

Planning for Disaster. Ramesh Ramani CISM CGEIT Paramount-Dubai 07 June 2011. Agenda. Disaster Management-Introduction Examples BCP and IT Continuity Process of Disaster Management-PDCA Disaster Management Framework Project Execution Typical Plan Testing the Plan. Disaster Management.

bisa
Télécharger la présentation

Planning for Disaster

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Planning for Disaster Ramesh Ramani CISM CGEIT Paramount-Dubai 07 June 2011

  2. Agenda Disaster Management-Introduction Examples BCP and IT Continuity Process of Disaster Management-PDCA Disaster Management Framework Project Execution Typical Plan Testing the Plan

  3. Disaster Management • Discipline of dealing with and avoiding risks • Discipline that involves preparing for disaster BEFORE it occurs, • Sometimes referred to as Business Continuity Planning (BCP)

  4. Definitions-Disaster “situation or event which overwhelms local capacity, necessitating a request to a national or international level for external assistance.” “An overwhelming ecological disruption occurring on a scale sufficient to require outside assistance” “exceptional events that kill or injure a large number of people” “Strategic and Tactical capability of an organisation to plan for and respond to incidents and business disruptions in order to continue business operations to an acceptable pre defined level”-BS 25999

  5. Examples-Disaster-Black Swan • Japan-March 2011-Reactions-Germany • Middle East Uprising • DHL Express, recently moved its air operations for the Middle East from Bahrain to Sharjah for one week • Egypt to Dubai • Bahrain to Dubai • Tsunami-December 2006 • Haiti Earthquake • Oil Spill-Gulf of Mexico • 9-11 • Flooding Mumbai-2005 • Power Outage Dubai-2005 • Flooding Sharjah-2009 • Volcano Ash-Europe

  6. Middle East • People-Expat Dependency • Volatility • Absence of Laws/Regulations • Monopolistic-Telco/Power etc • BCP-Not generally available in SME • False Sense of Security • ‘In my tent syndrome’ • 37 per cent of CFOs in the region believe financial risk has increased over the past 12 months-Deloitte

  7. IT and BCP • Industry age to information age • Information itself is becoming business • International Standards • ISO 27001:2005-Information Security • BS 25999-Business Continuity Managment • BS 25777-ICT Continuity Management • NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs • ASIS/BSI BCM.01:2010 Business Continuity Management Systems: Developed jointly between ASIS and BSI for North America • AS 5050:2010- Standards Australia

  8. Disaster Management

  9. PM Framework-DR Value Vulnerability Threat BS 25999 BS 25777 Existing setup / Redundancy / New Technologies

  10. Risk Management

  11. Project Execution and Deliverables Aim-Perform BIA/ Risk Assessment on the identified critical /IT assets and develop BCP/Risk Treatment Plan. Develop mandatory policies and controls Aim-Continual Improvement of BCMS/ISMS • Aim • to collect all relevant data pertaining to the scope • develop BIA/Risk Assessment methodology • perform asset enumeration/valuation Aim-Implement BCP/Risk Mitigation Controls based on the BCP/control implementation road map Aim-Provide initial planning and preparation for the assignment. Aim - To Test the BCP/DRP -To audit the ISMS Prepare for ISO 27001/BS 25999 Certification Acquire/ Analyze Data Initial Plan Develop BCMS/ISMS Test BCM/S/ISMS Implement BCMS/ISMS Continual Improvement Certification against BS 25999/ISO 27001 • BC/DR Test Results • ISO 27001 Audit Reports • Vulnerability Assessment-C • Threat Assessment-C • Risk Assessment Report (IS) • BIA (RTO/RPO) • BCP/DRP • Risk Mitigation & Treatment Plan C • Statement of Applicability (ISO 27001) • BCP/DR Policies and Procedures C? • IS Policies and Procedures C ? • SOA (ISO 27001) • BS 25999 Mandatory Controls • Control Implementation Roadmap • Implement controls identified • People (Training/Duties) C • Implementing products C? • Implementing Processes • BIA/Risk Assessment Methodology • Information Asset Valuation/Critical Asset Valuation-C,I,A-C • Critical/ information assets register-C • Scope and Service Acceptance Document C • ISMS/BCMS Scope definition • BC/IS Policy Statement C • BCM/Information Security Steering Committee Charter C

  12. Typical BC Plan • Introduction • Definitions • Abbreviations • Mission, objectives and intent • Key plan assumptions • Business impact analysis • Disaster recovery strategy • Disaster recovery organization • Disaster recovery management team responsibilities • Disaster recovery emergency procedures • Plan administration • Change management • Maintenance of the disaster recovery plan • Testing of the disaster recovery plan

  13. Typical Disaster Recovery Organisation

  14. Basic Principles-DR • Minimize injury to personnel • Minimize damage to equipment and facilities • Achieve a report of injury to personnel and damage assessment within XX hours of the interruption • Recover IT capabilities and functionality within the Critical Time Frames specified • In an emergency situation where life is threatened or you are in danger of physical harm, immediately leave the facility. Never place yourself in a dangerous situation or take unnecessary risks.

  15. Senior Recovery Manager Responsibilities • Pre-Disaster • Approves the final Disaster Recovery Plan • Ensures the Disaster Recovery Plan is maintained • Ensures Disaster Recovery training is conducted • Authorizes periodic Disaster Recovery Plan testing • Post-Disaster • Declares that a disaster has occurred and the Disaster Recovery Plan is activated • Determines the plan strategy to be implemented • Determines alternate team members (if any) and other support members of the recovery process • Authorizes travel and housing arrangements for team members • Authorizes expenditures • Manages and monitors the overall recovery process • Advises Senior Business Managers and user management on the status of the disaster recovery efforts • Coordinates media and press releases

  16. Check Off List-Network Assistant Mission: To restore networking the capabilities required within the Critical Time Frames specified • Upon notification of a disaster by the Management Team assemble at the designated site for a briefing on the extent of damages, escalation plan implemented and support required. • Contact Telco for connecting up DR Site • Indicate to DRT as to resumption details of network • Work closely with software, hardware and restoration team to restore services • Provide internal communication to team members as required • (Network Assistant should be provided with three additional mobile phones as an emergency measure) Under no circumstances should the Network Assistant make any public statements regarding the disaster, its cause or its effect on the operations

  17. Information Technology Checklist-Plan Administration • Change in LAN server(s), terminals, or personal computer workstations • Change in operating system and utility software programs • Change in the design of production systems or files • Addition of deletion of a production system • Change in the scheme of backing up data or equipment • Change in the communications network design • Change in personnel assignments or the Information Technology organization • Change in off-site storage facilities, location or methods of cycling items • Improvements or physical change to the current LAN data center • Review of time frames for availability and delivery of replacement computer components

  18. Corporate Checklist-Plan Administration • Is the Disaster Recovery Plan in conformance with the corporate by laws? • Are Executive Management and the Board of Directors aware of the state and status of the Disaster Recovery Plan and Processes? • Has a new division or department been formed? • Has a new system been developed for computer processing? • Has a system for computer processing been discontinued? • Have individuals within the Recovery Team been transferred, promoted or terminated? • Has an internal system been significantly modified to change the basic functions, data flow requirements or accounting requirements? • Has a sales office been opened, moved or closed?

  19. Testing-Principles

  20. Testing Check List

  21. Testing Check List (Contd)

  22. Planning for Disaster Questions? Comments? Ramesh Ramani CISM CGEIT ramani@pcsuae.com

More Related