Everything you want to know about Business Continuity
Tony Drewitt

Business continuity is crucial to the survival of your business. Learn how to manage it effectively.

The risks for businesses today are increasing all the time, as are the consequences of incidents and interruptions. Too many companies lose time, customers and income because of circumstances beyond their control. Companies that have a business continuity plan are able to not only minimise their losses and retain their clients, but also win new business!

Everything you want to know about Business Continuity will show you how to develop a modern response to the operational risk landscape and how to prepare your organisation for interruptions to your key activities, minimising the impact on your bottom line, reputation and credibility. You will be able to identify and assess the risks to your company and put in place a ‘fit-for-purpose’ business continuity plan which will enable you to meet the expectations of your customers and stakeholders in the event of an unforeseen incident.

This practical book will guide you through domestic and international standards relating to business continuity, with particular reference to ISO22301. Companies achieving certification under the Standard will communicate to their stakeholders their commitment to uninterrupted supply. Your company will enjoy greater customer loyalty and be more competitive, enabling you to retain and win more business!

Everything you want to know about Business Continuity is Tony’s third ITG publication and follows the successful BS25999: A Pocket Guide and A Manager’s Guide to BS25999.

Buy this book and gain the tools you need to future-proof your business!
Everything you want to know about Business Continuity
Tony Drewitt

Tony Drewitt held a number of technical, commercial and senior management positions before becoming a full-time management consultant 10 years ago. He was one of the first consultants in the UK to achieve full certification under BS25999-2. Tony has been a practising business continuity consultant, trainer and technical expert since 2001 and is a professional member of the Business Continuity Institute.

Everything You Want to Know About Business Continuity
TONY DREWITT

Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publishers and the author cannot accept responsibility for any errors or omissions, however caused. Any opinions expressed in this book are those of the author, not the publisher. Websites identified are for reference only, not endorsement, and any website visits are always at the reader’s own risk. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author.

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publishers at the following address:

IT Governance Publishing
IT Governance Limited
Unit 3, Clive Court
Bartholomew’s Walk
Cambridgeshire Business Park
Ely
Cambridgeshire
CB7 4EH
United Kingdom
www.itgovernance.co.uk

© Tony Drewitt 2012

The author has asserted the rights of the author under the Copyright, Designs and Patents Act, 1988, to be identified as the author of this work.

First published in the United Kingdom in 2012 by IT Governance Publishing.

ISBN 978-1-84928-201-7

PREFACE

Business continuity (BC) is a fairly new concept in many organisations, with the probable exception of banks and some other financial institutions that have traditionally been much more reliant on computer systems than many others and so have had ‘disaster recovery’ arrangements in place for quite some years. As attitudes to what is acceptable in business, government and even the voluntary sector change, there is simply more pressure on more of us to do something about business continuity. But many people feel that they are already doing the majority of what business continuity comprises; however, whilst they are probably doing some of it, it is unlikely that they are doing most of it.

Business continuity is still effectively a voluntary activity for most organisations and it is left to the rather general diligence requirements of the Companies Act (in the UK) and the relevant state incorporation laws in the USA, as well as the requirements for listed corporations, to provide statements of internal control and risk management. However, there is growing pressure and expectation upon organisations of all types to formalise their operational resilience by way of business continuity arrangements, though for many the term ‘resilience’ is arguably more appropriate – as we shall see later.

Of course, the ultimate in resilience would include spare everything! People, workplaces, information and communication systems, processing facilities and so on; all running and fully maintained, just waiting for you to ‘invoke’ should the need arise. Even the very few companies that could afford this don’t have it; it simply doesn’t make any economic sense. At the other end of the spectrum are the many organisations that have given no real thought to what might happen if there were some significant interruption to their daily activities; as the world changes their negligence of these risks will continue to become more and more unacceptable.

On the day I started writing this book, Japan suffered one of the most severe earthquakes in its history and the resulting tsunami wrought devastation upon Sendai and surrounding areas, dominating world news for some time. Like the World Trade Center attack in 2001 and others since then, this latest disaster will have more and more people thinking about whether they should finally do something about business continuity, or perhaps review what they already have in place.

But whatever the reason for addressing business continuity now, readers of this book will want to know that there isn’t anything else out there; that they haven’t missed something important to do with business continuity that isn’t covered in this book. Business continuity isn’t like, for example, financial accounting. There are no statutory, or even standard, methods for doing it. And whilst there are guidelines and now even a few national standards, it is still largely up to each organisation to decide how it is going to implement its resilience arrangements. So there are a number of approaches to the various parts of a ‘reasonable’ business continuity programme; there is the intuitive approach and the analytical approach, both of which are covered. But there are few very fundamental differences between any of the approaches that I have ever come across, so I am confident that there isn’t anything else out there, of real value, that this book doesn’t cover.

I have been to numerous conferences and presentations from people who call themselves ‘thought leaders’, and have not come across any thinking, ideas or philosophy regarding business continuity that is fundamentally at odds with what is covered in this book. If you act on everything in this book and get the Board’s cognisant approval for those actions, your organisation should have an entirely reasonable and fit-for-purpose set of BC arrangements that sit well with today’s corporate governance and corporate social responsibility requirements, codes and expectations.

ABOUT THE AUTHOR

Tony Drewitt is a business continuity practitioner and a professional member of the Business Continuity Institute (BCI). He has been a practising consultant, trainer and technical expert in the field of operational risk management and business continuity management (BCM) since 2001, working with a diverse range of organisations of all sizes to put in place effective and sustainable business resilience arrangements and crisis management capabilities. Tony started his career as a mechanical engineer in manufacturing industry and has since held a range of technical, commercial and senior management positions before becoming a full-time management consultant 10 years ago. He was one of the first consultants in the UK to achieve full certification under BS25999-2, and delivers a range of business continuity foundation courses and masterclasses for a wide variety of organisations throughout the UK. Tony is the author of the already successful ITG publications BS25999: A Pocket Guide and A Manager’s Guide to BS25999.

ACKNOWLEDGEMENTS

My thanks to Lita Cuen of LCRisq, San Diego, California for helping me with the US corporate governance aspects of this book. We would like to thank John Kyriazoglou, CICA, M.S., B.A. (Honours), International IT and Management Consultant, for his helpful feedback when
reviewing the manuscript.

CONTENTS

Introduction
  Does it really matter?
  Corporate governance and CSR
  DR, BC, BCP or BCM?
Chapter 1: The Operational Risk Landscape for Business and Other Organisations
  Weather
  Energy
  Operational risk management
  The risk management process
Chapter 2: What Does BCM Actually Achieve?
  Tangible benefits
Chapter 3: An Incredibly Short History: Early DR to 2011 BCM
  Continuity and resilience
Chapter 4: The Role of Standards and Independent Validation
  Business continuity standards
  Other standards
  Compliance
  Supply chain
  Corporate governance
Chapter 5: The Management System Approach versus a Simple BC Plan
Chapter 6: Planning the BCMS
  What is a BCMS?
Chapter 7: Identifying the Organisation’s Requirements
  Risk assessment
  Business impact analysis

APPENDIX 13

• your name and company name and address,
• the security code that appears on your invocation card,
• telephone number where you can be called back and
• the reason for the call.

The IT Manager’s first responsibility is to contact members of his/her team to inform them that DR has been invoked.

Obtain DR plan

This IT DR plan is held in several locations, as DR can be invoked at any time. The plan can also be obtained from:

• the safe in head office (hard copy and on CD),
• the DR facility in [location 1, location 2],
• IT team members (on CD) or
• the intranet.

Travel and hotels

Members of the IT team will travel independently to their designated site by the safest route and method. Hotel accommodation will be arranged by the response team.

Recovery point

All data will be recovered from the most recent available back-up tapes; usually at close of business on the working day before the interruption/incident, but in certain cases this may be two days prior. Replicated data will failover automatically to the last log ship point.

DR facility

The IT team are required to sign in at the DR facility and will require some form of photo identity, such as passport or photo driving license. The supplier’s staff are available to show the IT team where all relevant facilities are. These include showers and a rest room, although there are no sleeping facilities – hotel accommodation is arranged by the response team at invocation.

Base system builds

Immediately following invocation, [DR provider] will commence the build of servers, including a base operating system, name and IP on each of the servers. We can either choose to accept the pre-built servers or build from scratch ourselves during a disaster.

Workplace recovery – desktops/telephony/printing/faxing

[Provider] will image the 50 currently contracted number of desktop PCs with the standard ghost images. The telephony provision is as follows: four inbound dedicated DDI numbers for inbound and outbound calls and 20 telephones. These numbers are allocated following invocation and will then be provided to the IT team to arrange redirection as per procedure P3.02.

Domain controller and AD restoration

Follow procedure in Appendix G. The DC will be rebuilt from scratch as per the procedure.

Exchange server restoration

Follow procedure in Appendix H.

File server restoration

Follow procedure in Appendix I.

System A application restoration

Follow procedure in Appendix J.

System B application restoration

Follow procedure in Appendix K.

Blackberry system

Follow procedure in Appendix Q.

Opera payroll system

Follow procedure in Appendix R.

Reporting and communication

Reporting and communication are essential to ensure that we can recover from a major incident. The IT Manager must report to the response team technology member at regular intervals (specified in the Response Team document) and when any milestone is met. Milestones are listed in the checklist in Appendix B. A detailed IT action log must be kept by the IT Manager during the incident. A template can be seen in Appendix D.

IT DR team

The team is made up as follows:

Role                      Responsible    Deputy
Team Leader
Systems
Systems
Desktop support
Business support staff
Division A
Division B
Customer liaison

Initial testing

IT is responsible for the provision of the technical components, and for testing that these function effectively. It is essential that the business get involved with the testing, to prove capability and to aid mutual understanding of the activities and resources needed to achieve the common goal of business recovery. User acceptance testing will be conducted at the recovery/DR site by the following:

Function/application    Test duration    Tested by
IT link tests           0.67 h           IT 1, IT 2, IT 3
Office and e-mail       15 m             Business
System A                1 h              Business
System B                1 h              Business
System C                1 h              Business
System D                15 m             Business
System E                15 m             Business
System F                15 m             Business
System G                15 m             Business
BlackBerry              10 m             Business

IT DR Gantt chart

The IT DR Gantt chart should be used as the primary sequence and timescale guide for the restoration process. A hard copy of the project plan is attached to this plan and a soft copy is in P3.03. Achievement of milestones is to be reported to the response team technology member.

IT DR plan checklist

Task                                                        Resources                    Milestone    Start    Finish

Invocation
  Senior management make decision to invoke
  Cascade to IT Manager
  Obtain IT DR plan from offsite location                   IT Manager
  Invoke with [DR provider]                                 IT Manager
  Cascade to IT team                                        IT Manager

Logistics and travel
  Arrange travel to [DR provider] DR site                   IT Manager
  Arrange hotels for IT team                                BC Manager (response team)
  Travel to [DR provider] DR site                           IT Manager, IT 1, IT (DR Team)
  Travel to [DR provider] DR workplace site                 IT
  Delivery of tapes to [DR provider]                        [Storage provider]
  Report arrival of tapes at [DR provider]                  IT Manager
  Sign in at [DR provider] DR site and locate recovery suite  IT Manager, IT 1, IT
  Report IT DR team in recovery site                        IT Manager                   Y

Storage Manager build
  SM server base build – Windows 2003 + SP2                 IT
  SM installation and configuration                         IT
  Install SM client onto servers                            IT
  SM test restore                                           IT
  Report SM test restore                                    IT Manager                   Y

System base builds
  Domain controller build                                   [DR provider]
  File server base build – Windows 2003 + SP2               [DR provider]
  Exchange server base build – Windows 2003 + SP2           [DR provider]
  System A server base build                                [DR provider]
  System B server base build                                [DR provider]
  System C server base build                                [DR provider]
  App server base build                                     [DR provider]
  BlackBerry server base build                              [DR provider]

Domain
  System state restore of DC and rebuild AD                 IT
  Test domain authentication                                IT

File restore
  File server files – departmental                          IT
  File server files – user                                  IT
  Report departmental and user files restore                IT Manager                   Y

Contact information

[DR provider]
Other
Taxi firms
National rail enquiries 08457 484950 http://www.nationalrail.co.uk

Hotel lists will require updating subject to confirmation of changes to [DR provider] technology and recovery sites.

Hotels near [DR provider]
Hotels near [DR provider]
Hotels near [DR provider]

IT team action log

Date    Time    Action    Who    Planned Y/N

[DR provider] DR site location

Software required – held at [DR provider]

Software media pack required for DR [list]

SYSTEM RESTORE PROCEDURES

ITG RESOURCES

IT Governance Ltd sources, creates and delivers products and services to meet the real-world, evolving IT governance needs of today’s organisations, directors, managers and practitioners. The ITG website (www.itgovernance.co.uk) is the international one-stop-shop for corporate and IT governance information, advice, guidance, books, tools, training and consultancy. http://www.itgovernance.co.uk/bc_dr.aspx is the information page on our website for our disaster recovery and business continuity resources.

Other Websites

Books and tools published by IT Governance Publishing (ITGP) are available from all business booksellers and are also immediately available from the
following websites:

www.itgovernance.co.uk/catalog/355 provides information and online purchasing facilities for every currently available book published by ITGP.

www.itgovernance.eu is our euro-denominated website which ships from Benelux and has a growing range of books in European languages other than English.

www.itgovernanceusa.com is a US$-based website that delivers the full range of IT Governance products to North America, and ships from within the continental US.

www.itgovernanceasia.com provides a selected range of ITGP products specifically for customers in South Asia.

www.27001.com is the IT Governance Ltd website that deals specifically with information security management, and ships from within the continental US.

Pocket Guides

For full details of the entire range of pocket guides, simply follow the links at www.itgovernance.co.uk/publishing.aspx.

Toolkits

ITG’s unique range of toolkits includes the IT Governance Framework Toolkit, which contains all the tools and guidance that you will need in order to develop and implement an appropriate IT governance framework for your organisation. Full details can be found at www.itgovernance.co.uk/products/519.

For a free paper on how to use the proprietary Calder-Moir IT Governance Framework, and for a free trial version of the toolkit, see www.itgovernance.co.uk/calder_moir.aspx.

There is also a wide range of toolkits to simplify implementation of management systems, such as an ISO/IEC 27001 ISMS or a BS25999 BCMS, and these can all be viewed and purchased online at: http://www.itgovernance.co.uk/catalog/1

Best Practice Reports

ITG’s range of Best Practice Reports is now at www.itgovernance.co.uk/best-practice-reports.aspx. These offer you essential, pertinent, expertly researched information on a number of key issues including Web 2.0 and Green IT.

Training and Consultancy

IT Governance also offers training and consultancy services across the entire spectrum of disciplines in the information governance arena. Details of training courses can be accessed at www.itgovernance.co.uk/training.aspx and descriptions of our consultancy services can be found at http://www.itgovernance.co.uk/consulting.aspx. Why not contact us to see how we could help you and your organisation?

Newsletter

IT governance is one of the hottest topics in business today, not least because it is also the fastest moving, so what better way to keep up than by subscribing to ITG’s free monthly newsletter Sentinel? It provides monthly updates and resources across the whole spectrum of IT governance subject matter, including risk management, information security, ITIL and IT service management, project governance, compliance and so much more. Subscribe for your free copy at: www.itgovernance.co.uk/newsletter.aspx

• HB 221-2004 – Business Continuity Management Handbook,
• HB 292-2006 – A Practitioner’s Guide to Business Continuity Management, and
• HB 293-2006 – Executive Guide to Business Continuity Management.