2. Agenda
1 Colt
2 Business Continuity Management and Regulation
3 Key elements of Risk, Response and Recovery planning
4 Identifying and evaluating asset risks for Business Continuity
5 Business Continuity Strategies
6 Questions and Answers.
5. Legislation and Regulations in India
• Information Technology Act as amended by Act of 2008
• The Information Technology (Amendment) Bill, 2006
• .IN Domain Name Registration Policy
• Semiconductor Integrated Circuits Layout-Design Rules, 2001
• Semiconductor Integrated Circuits Layout Design Act 2000
• Rules for Information Technology Act 2000
• .IN Domain Name Dispute Resolution Policy
• Gujarat Information Technology Rules, 2004
• Karnataka Cyber Cafe Regulations
• Information Technology Act, 2000
• India BCP: 1. Reserve Bank of India (RBI); 2. Securities & Exchange Board of India (SEBI); 3. National Stock Exchange (NSE); 4. Bombay Stock Exchange (BSE)
6. Legislation and Regulations International
• European Union Data Protection Directive of 1998
• EU Internet Privacy Law of 2002 (DIRECTIVE 2002/58/EC)
• MAS Business Continuity Management Guidelines (June 2003) (MAS: Monetary Authority of Singapore)
• Guidance Note GGN 232.1 Risk Assessment and Business Continuity Management (APRA) Australia
• Sarbanes-Oxley Act of 2002 (PL 107-204 2002 HR 3763) – Section 404 (PCAOB: Public Company Accounting Oversight Board) US
• HIPAA (Health Insurance Portability and Accountability Act) Final Security Rule #7, Contingency Plan (164.308(a)(7)(i)) (GAO) US
• Interagency Paper for Strengthening the Resilience of US Financial System
• STO BR IBBS-1.0-2010 (Central Bank of the Russian Federation; STO BR IBBS-1.0-2006)
• The Civil Defence & Emergency Management Act (2002 New Zealand)
• Manual for the Development of Contingency Plans in Financial Institutions, Japan FSA (FISC: The Centre for Financial Industry Information System) Japan
7. Management standards
International Organization for Standardization
• ISO/IEC 27001:2005 (formerly BS 7799-2:2002) ISMS
• ISO/IEC 27002:2005 (renumbered ISO/IEC 17799:2005) Information Security Management – Code of Practice
• ISO/IEC 22399:2007 Guideline for incident preparedness and operational continuity management
• ISO/IEC 24762:2008 Guidelines for information and communications technology disaster recovery services
• IWA 5:2006 Emergency Preparedness
British Standards Institution
• BS 25999-1:2006 Business Continuity Management Part 1: Code of practice
• BS 25999-2:2007 Business Continuity Management Part 2: Specification
• BS 25777:2008 Information and communications technology continuity management – Code of practice
9. Risk:
Risk is the potential that a chosen action or inaction will lead to a loss. It implies that a choice has an influence on the outcome. Potential losses themselves may also be called "risks". Almost any human endeavour carries some risk.
Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative), followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events, or to maximize the realization of opportunities.
10. Response and Recovery
Risk assessment process:
• Risk assessment is a step in a risk management procedure.
• Risk assessment is the determination of the quantitative or qualitative value of a risk.
• It is defined in relation to a concrete situation and a recognized threat.
• Methods for assessment of risk may differ between industries.
• Potential loss and probability of occurrence can be very difficult to measure.
• Financial decisions, such as insurance, express risk in money values.
• In health and environmental decisions, loss is simply a verbal description of the outcome.
• IT risk assessment can be performed by a qualitative or quantitative approach.
• Quantitative risk assessment: Annualised Loss Expectancy = Single Loss Expectancy × Annual Rate of Occurrence
• Qualitative risk assessment: Critical Information = Confidentiality + Integrity + Availability
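The quantitative formula above, worked through in code. This is an added example, not material from the deck or from Colt: the asset figures are constructed, and the control cost/benefit rule (ALE before minus ALE after minus annual control cost, which decides between the "reduction" and "retention" strategies of slide 16) is an assumption that goes beyond what the slide states.

```python
"""Quantitative risk assessment: Annualised Loss Expectancy (ALE) = SLE x ARO."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str    # e.g. a supporting asset such as site, hardware or network
    threat: str   # e.g. a probable cause such as electrical power failure
    sle: float    # Single Loss Expectancy: money lost per single occurrence
    aro: float    # Annual Rate of Occurrence: expected occurrences per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # what the control costs per year
    sle_after: float    # residual SLE once the control is in place
    aro_after: float    # residual ARO once the control is in place


def ale(sle: float, aro: float) -> float:
    """Annualised Loss Expectancy = Single Loss Expectancy x Annual Rate of Occurrence."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def rank_by_ale(risks: list[Risk]) -> list[tuple[str, float]]:
    """Prioritise risks by ALE, highest first (the prioritisation step of risk management)."""
    scored = ((r.threat, ale(r.sle, r.aro)) for r in risks)
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def control_net_benefit(risk: Risk, control: Control) -> float:
    """Assumed cost/benefit rule (not from the deck): ALE before - ALE after - annual cost.
    Positive means the reduction control pays for itself; otherwise the residual risk
    is better retained (accepted and budgeted)."""
    before = ale(risk.sle, risk.aro)
    after = ale(control.sle_after, control.aro_after)
    return before - after - control.annual_cost


# Constructed sample figures for illustration only; they are not Colt's numbers.
POWER_FAILURE = Risk("Data centre", "Electrical power failure", sle=50_000, aro=2.0)
FLOOD = Risk("Office site", "Flood", sle=2_000_000, aro=0.02)
UPS_AND_GENERATOR = Control("UPS + standby generator", annual_cost=30_000,
                            sle_after=5_000, aro_after=2.0)

if __name__ == "__main__":
    for threat, value in rank_by_ale([POWER_FAILURE, FLOOD]):
        print(f"{threat}: ALE = {value:,.0f}")
    print(f"Net benefit of UPS: {control_net_benefit(POWER_FAILURE, UPS_AND_GENERATOR):,.0f}")
```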
12. Identifying Assets
Primary Assets
• Cash and its flow
• Business processes and business activities
• Information
Supporting Assets
• Site
• Hardware
• Software
• People
• Network
• Organisation
15. Relation between Risk Management and BCP
• The risk management process creates important inputs for the BCP.
• Examples: assets, impact assessments, cost estimates etc.
• Risk management also proposes applicable controls for the observed risks.
• Therefore, risk management covers several areas that are vital for the BCP process.
• However, the BCP process goes beyond risk management's pre-emptive approach: it assumes that the disaster will happen at some point.
16. Strategy
Risk Management and BCP strategy:
• Avoidance (eliminate, withdraw from or not become involved)
• Reduction (optimize - mitigate)
• Sharing (transfer - outsource or insure)
• Retention (accept and budget)
Not all risks can ever be fully avoided or mitigated, simply because of financial and practical limitations. Therefore all organizations have to accept some level of residual risk and create a business continuity plan.
17. Case study : Colt
[Figure: Colt incident classification and escalation flowchart; only the text below is recoverable from it.]
Incident priorities:
• Priority 1 incident can be defined as a major disaster at the facility causing failure of operations for more than a week. Probable causes: earthquake, environmental disasters, hurricane, flood, terrorism etc.
• Priority 2 incident can be defined as an incident which may disrupt some or all processes beyond 1 day but less than a week. Probable causes: IT systems failure, communications services breakdown, organised and/or deliberate disruption.
• Priority 3 incident can be defined as an incident which may disrupt a single or multiple processes for a short period of 4 hours to 1 day. Probable causes: electrical power failure, communications services breakdown, IT systems failure, unavailability of staff / staff shortage etc.
Flowchart nodes: End User; IT Service Desk; Non-IT Incident / IT Incident; Incident Classification; P3 Damage Assessment Team (Corp. Security, BCP, RE & Facilities, Local IT, HR); P3 Incident: Local IT Incident Team, Network & IT Incident Management, Incident Manager/BCP Team, P3 Contained; P1/P2 Incident: Country Crisis Management Team / BCMS Forum, Activate BCP (P2), Activate BCP & DR Plans (P1), BCP Team (BC Champ & Business Recovery Team), Group Crisis Management Team, Instructions & Updates / Status, Prolonged Outage? (Yes/No), Incident Contained.
18. Case study : Colt
Alternate Workplace: Colt's strategy for recovery of premises is based on Split Operations, wherein the operations are split in the ratio of 70:30, e.g. two geographically separated and culturally different sites in India, and a similar locally suitable setup in Barcelona. Different recovery options have been implemented at Colt as Backup and Recovery Strategies.
Hot site: A hot site is a recovery site that has the equipment, systems and support resources to duplicate/replicate Colt's business functions affected by any occurrence of an event or disaster. Hot sites at Colt are generally fully equipped and kept operationally ready. Most of Colt's data centres meet the requirements of a hot site.
Warm site: Colt's alternate recovery site which is only partially equipped, can be readied for operations as and when required, and can be scaled in the same manner as a hot site according to the recovery time objectives (RTO) for systems, functions and processes. Colt has identified premises which can meet the requirements of a warm site, as they have connectivity and other basic infrastructure. Colt also has SLAs and contracts with IT and other suppliers and vendors to meet the operational requirements.
Dual Processing: Colt has a dual processing facility where business processes have been divided across two locations (50:50 or 70:30 ratio), with live operational infrastructure at both locations. This provides redundancy for any single (critical) business process across multiple locations, so each site acts as a secondary site for the other, like a hot site with some percentage of operational capability (and vice versa). If done effectively, this meets Colt's minimum recovery time objective for the minimum required emergency service.