BCP

The document discusses business continuity and disaster recovery standards and frameworks. Specifically, it mentions ISO 22301, ISO 27031, BS 25999-1, BS 25999-2 which are standards for business continuity management and planning. It also discusses IT governance and CEN 667. The document provides an overview of topics related to business continuity including the business continuity management process, creating business continuity plans, risk management, and testing and maintaining plans. It emphasizes the importance of business continuity and having plans in place to ensure critical operations can continue during a disruption.


ISO 22301, ISO 27031 (BS 25999-1 and BS 25999-2)
Business Continuity Management & Planning
IT Governance
CEN 667

Project proposal

The goal of the projects is to find applicable measurement and metric methods to improve processes:
For the 27000 series of standards (27001 and 27004)
For ITIL
For Business Continuity and BS 25999
For Disaster Recovery
For Penetration testing
For Operational and Security Incident management
For Risk Management
Secure method for visual authentication
Mobile security access with speech recognition
Other, agreed with the lecturer

Literature review on the selected topic: between 500 and 1000 words
Proposal for improvements of the chosen method, approach or technique: up to 2000 words
List of references
Document prepared in two columns, as it should be prepared for the conference paper
Weekly report on updates

Project proposal (week 5)

Candidate | Topic | Literature review draft | Paper
Azizah Ibrahim | Mobile IPv6 handover packet loss avoidance | NO |
Emina Aalikovi | | NO | NO
Jasmin Kevri | Algorithm improvement for network anomaly detection using improved KDD 2009 | |
Adnan Miljkovi | Implementation of two factor authentication for web application | YES (463 words) |
Fatih Ozturk | | NO | NO
Tarik Kralji | | NO | NO
Adnan Kralji | | NO | NO

Business Continuity and BS 25999-1 and BS 25999-2
Business Continuity Management & Planning
IT Governance
CEN 667

Lectures Schedule

Week | Topic
Week 1 | Introduction to IT governance
Week 2 | Overview of Information Security standards - ISO 27000 series of standards (27001, 27002, 27003, 27004, 27005)
Week 3 | Information Technology Service Management ISO 20000-1 and ISO 20000-2
Week 4 | ITIL
Week 5 | Business Continuity and Standards
Week 6 | Disaster Recovery
Week 7 | COBIT
Week 8 | Project implementation (ISO 10006 and ISO 27003)
Week 9 | Midterm
Week 10 | Risk Management (ISO 27005)
Week 11 | Application and Network Security and security testing
Week 12 | Specific Requirements and Controls Implementation (ISO 27002)
Week 13 | Operational and Security Incident management
Week 14 | Performance Measurement and Metrics (ISO 27004)
Week 15 | Audit (ISO 19011) and Plan-Do-Check-Act improvement cycle

Objectives
Approach for building and embedding a Business Continuity management culture
Understanding legal and policy requirements
Overview of the Business Continuity Management (BCM) process model
Creating the Business Continuity Plan (BCP)
Overview of the BCM life cycle
Introduction to the Risk Management Guide and Questionnaire
BS 25999-1 Business continuity management Part 1, Code of Practice
BS 25999-2 Business continuity management Part 2, Specification
References: BCI Institute, DRI International

BCP is part of an implemented ISMS
(ISO 27001:2005 Annex A, with details in ISO 27002:2005 / 17799:2005)

14 Business continuity management
14.1 Information security aspects of business continuity management
14.1.1 Including information security in the business continuity management process
14.1.2 Business continuity and risk assessment
14.1.3 Developing and implementing continuity plans including information security
14.1.4 Business continuity planning framework
14.1.5 Testing, maintaining and re-assessing business continuity plans

British standards for BC

BS 25999-1 Business continuity management Part 1, Code of Practice
BS 25999-2 Business continuity management Part 2, Specification

Buncefield fuel depot (Hemel Hempstead), London, December 2005

10

Northgate Information Solutions, Buncefield fuel depot

11

Next case...

12

Emergency Response Team / Center for the Port Authority

Responsible for 3 airports, tunnels, bridges, buses and trains; the team meets at the Marriott Hotel.

13

14

Major data loss causes

Hardware or System Malfunctions 44%
Human Error 32%
Software Corruption 14%
Computer Viruses 7%
Natural Disasters 3%

Source: Gartner
15

Business Continuity Management

The advance planning and preparations which are necessary to identify the impact of potential technology losses, develop and test recovery plan(s) which ensure continuity of business services in the event of an emergency or disaster, and administer a comprehensive training, testing, and maintenance program.
16

Other BC definition
What is a Business Continuity Plan? (BS 25999-1 and 2, and ISO 27001:2005 section 14)
A Business Continuity Plan (BCP) represents the overall plan of activities necessary to preserve the operations / functions of a company in case those activities are disrupted by any kind of incident or disaster.

17

Business Continuity Management
(figure: Pre-planning, Planning, Post planning; used by permission of DRI International)

18

19

Problem definition
Policy statement
Project sponsor

20

Problem Definition
Disaster Recovery vs. Business Continuity

Timeline: Late 1960s, 1970s, 1980s, 1990s, 2000s

First DR plan, IT only, US
IT - dependence on centralized processing
I/S batch mode (not interactive), mainly DR
Online interactive processing emerges
Specialized software started appearing
Recover the business, not just IS
Online real-time processing
Increased number of disasters
Reduced recovery time objectives
Increased number of disasters
Character and integrity of organizations are more in question

21

Problem Definition
Technology Implications
Business units have fewer resources, increased liabilities, technology upgrades and training demands
Business leaders are faced with mandatory planning, scrutiny and accountability; implementation must be affordable and consider strategic vs. fiscal
IT recovery managers have shorter recovery time objectives and lower-cost solutions to meet business requirements
22

Policy Statement
Builds and embeds a business continuity management culture. This is where it becomes an integral part of the organization's strategic day-to-day management.
Addresses:

program scope
goals
roles & responsibilities
reporting
testing
23

Project Sponsor
Industry best practice: senior management sponsorship is essential to successfully drive the BCM project, by publicizing a clearly defined BCM policy and appointing a BCM champion to implement the policy across all operational units.

24

Understanding Business needs

Business Impact Analysis (BIA)
Risk Assessment (RA)

25

Understanding Business
Analysis of the operational aspects of an organization, on which BCM is based, to establish what is critical for its continuance.
The analysis should consider the following:

What are your key business objectives
What are the deliverables of the business service
When are the business objectives to be achieved
Who is involved (both internally and externally)
How are they to be achieved

26

Mission Critical Activities (MCA)

Time-sensitive critical business activities and processes required for normal daily delivery of goods and services

27

MCAs
Determining MCAs involves two complementary processes:
Business Impact Analysis (BIA)
Risk Assessment (RA)

28

BIA
Establish critical MCAs, their recovery priorities and interdependencies, so that recovery time objectives and recovery point objectives can be set
29

BIA
Purpose
Supports the whole BCM process
Linear process used to identify, quantify and qualify the impacts on an organization of a loss, interruption or disruption of an MCA and its dependencies
Identifies the minimum level of resources required to achieve the RTO and RPO for each MCA
The BIA establishes the organization's risk appetite
Conducted every 12 months
30
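The BIA output described above (MCAs, their interdependencies, and the RTO/RPO set for each) can be checked for consistency before sign-off. The following is an added example, not part of the lecture slides: it flags an MCA whose RTO is shorter than that of something it depends on, flags a backup interval that cannot meet the RPO, and derives a recovery order from the dependencies. All MCA names, hours and dependencies are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class MCA:
    """One mission critical activity as recorded in the BIA (constructed fields)."""
    name: str
    rto_hours: float              # target recovery time objective
    rpo_hours: float              # target recovery point objective
    backup_interval_hours: float  # how often its data is actually backed up
    depends_on: List[str] = field(default_factory=list)

def effective_rto(mcas: Dict[str, MCA], name: str, _stack: Tuple[str, ...] = ()) -> float:
    """Achievable RTO: the MCA's own RTO or its slowest dependency, whichever is larger."""
    if name in _stack:
        raise ValueError(f"circular dependency via {name!r}")
    mca = mcas[name]
    deps = [effective_rto(mcas, d, _stack + (name,)) for d in mca.depends_on]
    return max([mca.rto_hours] + deps)

def bia_gaps(mcas: Dict[str, MCA]) -> List[str]:
    """Gaps the BIA must resolve before the RTO/RPO values are signed off."""
    gaps = []
    for mca in mcas.values():
        eff = effective_rto(mcas, mca.name)
        if eff > mca.rto_hours:
            gaps.append(f"{mca.name}: RTO {mca.rto_hours}h unachievable, dependencies give {eff}h")
        if mca.backup_interval_hours > mca.rpo_hours:
            gaps.append(f"{mca.name}: backups every {mca.backup_interval_hours}h exceed RPO {mca.rpo_hours}h")
    return gaps

def recovery_order(mcas: Dict[str, MCA]) -> List[str]:
    """Recovery priority: dependencies first, otherwise shortest RTO first."""
    order: List[str] = []
    seen = set()
    def visit(n: str) -> None:
        if n in seen:
            return
        seen.add(n)
        for d in mcas[n].depends_on:
            visit(d)
        order.append(n)
    for n in sorted(mcas, key=lambda k: mcas[k].rto_hours):
        visit(n)
    return order

# Constructed sample BIA register (not real data).
SAMPLE = {m.name: m for m in [
    MCA("payroll", 24, 24, 24, ["directory", "database"]),
    MCA("customer-portal", 4, 1, 4, ["database", "network"]),
    MCA("database", 8, 1, 1, ["network"]),
    MCA("directory", 4, 24, 24, ["network"]),
    MCA("network", 2, 24, 24),
]}

if __name__ == "__main__":
    for g in bia_gaps(SAMPLE):
        print("GAP:", g)
    print("recovery order:", recovery_order(SAMPLE))
```

On the sample register the customer portal is flagged twice: its 4h RTO cannot be met while the database it depends on has an 8h RTO, and 4-hourly backups cannot satisfy a 1h RPO.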

BCM Lifecycle
(figure: Full Continuity; Fundamental Requirements; Change Management; "Focus")

Start: Project Initiation
BIA: MCA, Recovery Time Obj, Recovery Point Obj
RA: Identify, Analyze, Manage
BCP
Testing & Exercising
Maintenance & Update
Execution: Reduction, Response, Recovery & Restart

Continuous Analysis, Recurring Process
Incorporate as part of your daily business strategy

Organizational Placement, Vision & Policy Statement
Cost Analysis to close gaps
Design & Development
Implementation

31

Risk
The potential exposure of a
mission critical activity to damage

32

Risk Management Guide

Presents an approach for risk management to assist state agencies in assessing risks that could impair their ability to deliver critical services to state citizens

33

Scope

The approach explains how to assess the risk that is associated with a particular line of business (MCA) that relies on IT systems

34

Assumptions
The line of business has been identified
The line of business relies on identified automated system(s)
The automated system has been identified as critical to support the line of business
The business owner(s) have been identified
Staff has been identified to facilitate the risk assessment process
The line of business is exposed to risks other than IT
Legal parameters that control delivery of program services are understood
35

Risk Types
Business Risk: the cost and/or lost revenue or funding associated with an interruption to normal business operations.
Organizational Risk: the direct or indirect loss resulting from one or more of the following:
Inadequate or failed internal processes
People
Systems
External events
Information Technology Risk: the loss of an automated system, network or other critical information technology resource that would adversely affect business processes.

36

Risk Impact Categories

Operations: functions that support delivery of agency business services (facilities and space allocation, personnel, purchasing, financial, communications, etc.)

Technology: information assets that support the IT infrastructure (security, hardware, software, middleware, network and communication systems, etc.)

Legal: parameters established by legislative mandates, federal and state regulations, policy directives and executive orders that impact delivery of program services.

Citizen Services: program services mandated by charter, legislation, or policy that provide for the delivery of the state's business (education, human services, highways, law enforcement, health and safety, unemployment benefits, vital records, etc.)

Reputation: general estimation, by the public, of how state services are delivered (integrity, credibility, trust, customer satisfaction, image, media relations, political involvement.)
37

Rating Scale
Low: an event could be expected to have a limited adverse effect on agency operations (including mission, functions, image or reputation), agency assets, or individuals, and cause a negative outcome or result in limited damage to operations or assets, requiring minor corrective actions or repairs.

Moderate: an event could be expected to have a serious adverse effect on agency operations, agency assets or individuals, and cause significant degradation in mission capability, place the agency at a significant disadvantage, or result in major damage to assets, requiring extensive corrective actions or repairs.

High: an event could be expected to have a severe or catastrophic adverse effect on agency operations, agency assets, or individuals, and cause a loss of mission capability for a period that poses a threat to human life, or results in a loss of major assets.
38

Risk Assessment Approach

Phase I: Identify risks
Phase II: Analyze risks
Phase III: Manage risks

39

Phase I
Identify the Risks
Business leaders / Owners complete
Determine areas of risk that result in
additional analysis in Phase II

40

Phase II
Risk Analysis
Evaluate results identified in phase I
Service delivery owners complete
Determine significance of risk
Utilize reference sources to complete analysis
such as facilities, people, inter-dependencies,
equipment / software inventories
Determine risks that require a gap analysis

41

Phase III
Manage risks
Business leaders / service delivery owners complete
Review risk management control strategies
Where the risk level remains unacceptable, design new controls or consider other options
Provide a cost-benefit analysis for the business sponsor based on the defined risk appetite
Consider risk strategies such as:

Transfer the risk
Accept the risk
Reduce the risk
Avoid the risk

Obtain management review & signoff of the risk analysis

42

Definition
Consideration
Plan elements
Plan framework structure

43

Business Continuity Planning (BCP)

The process of developing advance arrangements and procedures that enable an agency to respond to an event in such a manner that mission critical activities supported by information technology (IT) continue with planned levels of interruption or essential change.

44

BCP Considerations
Structure must be tailored to the needs and
requirements of the organization
Flexible to allow addition, modification &
maintenance
Minimize dependencies on individuals or outside
entities
Complete, current & tested
Includes a clearly defined & documented change
management process

45

BCP Considerations
Includes a method to establish a clearly
defined & documented BCP that is agreed
to & signed off by the accountable business
owners of the MCA and their dependencies
Includes resource recovery solutions that
are prioritized & tiered dependent upon
their criticality to the organization as
defined by the BIA
46

BCP Considerations
BCM solutions supported by a contractual agreement should include an option for renewal and conditions that enable verification of the agreed level of service (upsizing or downsizing)
A full continuity plan that includes:

Reduction
Response
Recovery & resumption
Restoration & return

47

BCP Plan Elements

Systems Overview
Dependencies (business partners, vendors)
Critical staff & emergency contact information
Critical equipment & asset inventory (hardware, etc.)
Critical application inventory & data backups
Plan activation & notification procedures, call trees
Alternate work sites identified, off-site storage
Staff succession plan, business recovery teams
Security requirements
Recovery strategies, work around procedures, resumption
Test schedule
Procedures for plan distribution & executive signoff
48

BUSINESS CONTINUITY PLANNING FRAMEWORK STRUCTURE
(organization chart)

Department Head
Project Sponsor
BCM Facilitator

Support Activities:
Human Resources (People)
Procurement (Contracts)
Technology (IT Infrastructure, Middleware, Software, Systems, Network)
Financial (Direct Pay)
Communication (Media)
Facilities
Emergency Response

Operational Units (Service Delivery): six Division / Section units, each with its own BCP
49

Emergency Response (evacuation)

Delegation / designation of authority
Command, control & management operations center
Vendor contracts
Escalation, notification, plan activities
Training & awareness programs
Scenario to execute the plan
Declare disaster
Execute recovery operations
50

Definition
Why testing is important
Types of tests
Establishing a testing plan

51

Testing
Generic phrase used to describe the critical BCM process of exercising strategies and BCP plans, rehearsing team members and staff, and testing systems (technology infrastructure and administrative) to demonstrate BCM competence and capability.
52

Why Testing Is Important

Evaluate and enable the continuous improvement of the organization's BCM capability to recover mission critical activities and their dependencies within the designated timeframe
Evaluate and enable the continuous improvement of the organization's crisis management plan execution
53

Test Methodologies

54

Test Plan
Begin simple, escalate gradually
Resources planned for availability during an actual event should participate during the test
Adopt a structured and systematic approach to promote a greater understanding of the process
Obtain the professional commitment and active participation of the managers on whom success depends
Ensure testing is performed on a defined timeline so that lessons learned can be incorporated into BCM
Ensure the test plan remains current and viable in line with organizational change and current risk practice
55

A BCM maintenance process that requires interaction with a wide range of managerial and operational roles, from a business and technical perspective
A process that maintains the whole of the organization's BCM capability
Identifies and includes changes to the organization's processes and systems and validates effective change control procedures
Date of last and next review is clearly identified and documented, together with the role responsible for completing the task

56

BCM Lifecycle
(figure repeated from slide 31)

57

58

Questions & Answers

59

Thank You!

60