CBCP Business Continuity Management Expert Training Materials_Area8.ppt

Uploaded by: 仙人指路1688 | Document ID: 2311581 | Upload date: 2023-02-10 | Format: PPT | Pages: 77 | Size: 429 KB

Slide 1: Business Continuity Management Course for Advanced Professionals
- Introduction

Slide 2: Subject Area 8: Maintaining & Exercising Business Continuity Plans

Slide 3: Lesson Overview
- Elements of a testing & exercise program
- Types of tests and exercises
- BCM program maintenance
  - The plan review and audit methodology
  - Maintaining the plan
  - Change factors
  - Plan document control procedures
- BCM program maintenance

Slide 4: Professional Practices for Business Continuity Professionals
- Project Initiation and Management
- Risk Evaluation and Control
- Business Impact Analysis
- Developing Business Continuity Strategies
- Emergency Response and Operations
- Developing and Implementing Business Continuity Plans
- Awareness and Training Programs
- Maintaining & Exercising Business Continuity Plans
- Crisis Communications
- Coordination with External Agencies

Slide 5: Objectives
- Pre-plan and coordinate plan exercises, and evaluate and document plan exercise results.
- Develop processes to maintain the currency of continuity capabilities and the Plan documents in accordance with the organization's strategic direction.
- Verify that the Plans will prove effective by comparison with a suitable standard, and report results in a clear and concise manner.

Slide 6: The Professional's Role (1/2)
- Pre-plan and Coordinate the Exercises
- Facilitate the Exercises
- Evaluate and Document the Exercise Results
- Update the Plan

Slide 7: The Professional's Role (2/2)
- Report Results/Evaluation to Management
- Coordinate Ongoing Plan Maintenance
- Assist in Establishing Audit Program for the Business Continuity Plan

Slide 8: The Planning Process
[Process diagram labels: Risk Assessment & Analysis; Plan Development; Project Planning; Strategy Development; Business Impact Analysis; Awareness & Training; Testing & Exercising]
- Objective
  - Subject the plan to tests and exercises to ensure that it is operational
- Some key tasks
  - Establish objectives, scope and types of tests & exercises
  - Conduct the tests & exercises
- Some key deliverables
  - Post-test/exercise results, evaluations, & reports
  - Plan revisions

Slide 9
“The safety policy and procedures were in place: the practice was deficient.”
Extract from Lord Cullen's report into the Piper Alpha disaster
http://news.bbc.co.uk/1/hi/uk/127335.stm

Slide 10: Definitions
- Testing
  - Equipment
  - Technologies
  - Durable goods: Server, UPS device, Generator, Telecommunications
- Exercising
  - People: Evacuation procedures, Call trees, Familiarity with alternate locations, Interim procedures, Manual processes, Self Assessment

Slide 11: Testing & Exercising Goal
“The goal of testing and exercising your plan is not to find out if it works, but to determine how it doesn't.”

Slide 12: Benefits of Testing & Exercising
- Assesses viability of plan
- Practice procedures before disaster
- Satisfies legal and internal audit requirements
- Identifies areas that need modification
- Enables BCM program to remain active, up-to-date, understood, and usable
- Demonstrates the ability to recover
- Provides a mechanism for maintaining and updating the plan

Slide 13: Benefits of Testing & Exercising
I hear. I forget.
I see. I remember.
I do. I understand.
(Chinese Proverb)

Slide 14: Commitment & Motivation
- Senior management needs to understand
  - An untested/unexercised plan is unlikely to succeed in an actual disaster situation
  - Program maintenance and plan review, updating and exercising is an integral part of the plan development and implementation process
  - An untested/unexercised plan could, in an actual disruption, be dangerous
- Senior management should support program by
  - Reading reports
  - Providing direction
  - Allocating resources

Slide 15: Testing & Exercising Methodology
- The plans are tested to the fullest extent possible
- The costs are not prohibitive
- Service disruptions are minimal
- The results provide a high degree of assurance in recovery capability
- Evaluation provides quality input to plan review and updates

Slide 16: Test & Exercise Program Design
- Use the scenario to design emergency situations that:
  - Promote preparedness
  - Improve response capability
  - Validate plans, policies, procedures, and systems
  - Determine effectiveness of command, control, and communication functions

Slide 17: Test & Exercise Prioritization
- Phased approach to exercising
  - Start simple
  - Build upon mastery
  - Add complexity
  - Target a comprehensive exercise

Slide 18: Test & Exercise Prioritization
- Functional area criticality
- Those with roles & responsibilities in plan
- Early participants can serve as valuable role models & advocates to other participants
- Managers who are “On the fence”

Slide 19: Testing/Exercising as part of Plan Life Cycle
[Chart labels: Full capability exercised; Minor elements tested; Extent of Test/Exercise; During plan design; Plan issued; Plan being maintained]

Slide 20: Types of Tests
- Quarterly evaluations of alert and notification procedures and systems
- Evaluate the ability to access current vital records, systems, and data management software and equipment
- Evaluate the logical support, services, and infrastructure
- Evaluate communications

Slide 21: Types of Tests
- Static: Essential components in place
- Dynamic: Equipment satisfies operational requirements
- Functional: Procedures for operating equipment are correct

Slide 22: How would you design a test to cover the different levels and functions?
[Diagram labels: Accounts; Email; CRM; Web server for sales; Application; Database; System & Network; Hardware]

Slide 23
“This has been a test. In the event of an actual emergency, I'm outta here!”

Slide 24: Types of Exercises
- Scheduled or surprise
- Plan review
- Tabletop/desktop
- Walk through/hands-on
- Modular/component
- Functional/LOB
- Simulation/mock
- Comprehensive/full-scale

Slide 25: Exercise Best Practices
- Exercise public/private partnerships
  - Emergency evacuations
  - Shelter-in-place
  - Hazardous materials drills
  - Community Emergency Response Teams (CERT)

Slide 26: Exercise Best Practices
- Use real-life situations to test emergency procedures
  - Emergency Situation

Slide 27: Testing & Exercise Program
[Diagram labels: Business Continuity Plan Testing/Exercise Program; Comprehensive; Plan Review; Tabletop; Functional; Modular; Walkthrough; Simulation; Self-Assessment]

Slide 28: Confidentiality
- Establish ground rules to address confidentiality
- Ensure that confidential test data is protected after exercise

Slide 29: Test/Exercise Frequency
- At least annually or as significant changes occur
- Should be ongoing and increase in complexity
- Document and budget BCM testing & exercising as an ongoing, multi-year program

Slide 30: Define Test & Exercise Requirements
- Objectives and levels of success
- Identify types of tests & exercises
- Establish and document scope
- Provide a schedule
- Logistics and pre-planning components
- Plan and reporting structure

Slide 31: Planning Test & Exercise Objectives
- To see if plan can be executed
- To familiarize participants with plan
- To demonstrate plan is accurate and complete
- To validate plan's assumptions
- To confirm that the plan will help to recover the organization

Slide 32: Planning & Coordinating Exercises
- Determine scope of exercise
  - What will be exercised? Elements of the worst-case scenario
  - Who will be involved? Those with plan roles and responsibilities
  - When will exercise occur and under what timeframe?
  - Why will exercise occur?
  - Where will the exercise occur?

Slide 33: Facilitating Tests & Exercise
- Facilitation during tests & exercises
- Personnel
- Materials
- Procedures in the test/exercise should be consistent with those required in an actual event

Slide 34: Evaluating Test/Exercise & Results
- BC planning team and audit department might work together to evaluate a test or exercise
- Observation or qualitative method
- Documentation or quantitative method
  - Use quantifiable criteria
  - Compare timelines from previous exercises
  - Benchmark comparisons
  - Measurable objectives
  - Incident logs
  - Legal, contractual, or regulatory requirements
- Provide feedback on results to participants

Slide 35: Documenting Test/Exercise Results
- Part of the permanent record of the organization
  - Demonstrate due diligence
  - Prudent business practices
  - Chronicle the organizational BCM program commitment over time.
- Materials and reports generated during test/exercise
  - Action items and issues logs
  - Plan updates and changes
  - Lessons learned
  - Next steps

Slide 36: Analyzing Results
- Use the forms provided
- Compare expected performance to actual results
- Compare exercise to prior tests/exercises
- Reference key recovery documents
  - BIA
- Analyze information gathered

Slide 37: Analyzing Results
- Analyze and compare recovery times
- Validate that procedures are documented and up to date
- Validate specific aspects of organization's BCM program
- Is key scenario still valid?
- Is overall recovery possible?
- Puzzle

Slide 38: Professional Practices for Business Continuity Professionals
- Project Initiation and Management
- Risk Evaluation and Control
- Business Impact Analysis
- Developing Business Continuity Strategies
- Emergency Response and Operations
- Developing and Implementing Business Continuity Plans
- Awareness and Training Programs
- Maintaining & Exercising Business Continuity Plans
- Crisis Communications
- Coordination with External Agencies

Slide 39: The Planning Process
[Process diagram labels: Risk Assessment & Analysis; Plan Development; Project Planning; Strategy Development; Business Impact Analysis; Awareness & Training; Testing & Exercising; BCM Plan; Maintenance & Updating]
- Objective
  - Update the Plan(s) constantly to reflect changed conditions in the organization
- Some key tasks
  - Perform periodic review and update at least annually
  - Update when there are changes to the organization
- Some key deliverables
  - A current and actionable plan
  - A change management process

Slide 40: BCM Maintenance Activities
[Diagram labels: Technology; Program; Business; Project]

Slide 41: Maintenance Objective
- To evaluate consistency within the plan, between the plan and other aspects of the overall program, and between the plans and the current characteristics of the organization

Slide 42: Why Conduct a Plan Review and Audit?
- Organize, manage, and coordinate effects of change
- Establish standards to incorporate change on routine schedule
- Reduce negotiations on Who/How/When/Why/Where maintenance is done
- Clarify effects of change on interdependent recovery functions

Slide 43: Plan Review & Audit Methodology
- Create goals & methods for conducting review
  - Specific, measurable statements that elicit conclusions about whether the plan satisfies the objective(s)
  - Should define how the team will go about collecting the necessary information

Slide 44: Plan Review & Audit Methodology
- Critique organization and plan's internal consistency to determine usability
- Does the plan incorporate RTO?
- Gain an understanding of functional requirements
  - Check internal documents
  - Review of service agreements

Slide 45: Plan Review & Audit Methodology
- Addresses consistency
  - Within plan
  - Between plan and BCM program
  - Between plan and current characteristics of the organization: Structure, Business processes, Outsourcing relationships

Slide 46: Plan Review & Audit Methodology
- Audits
  - Business continuity planner responsibilities
    - Assist auditor
  - Auditor responsibilities
    - Set audit objectives and scope
    - Assess and select audit method
    - Audit administrative aspects of the BCM program
    - Audit plan structure, content, and action sections
    - Audit plan documentation control procedures

Slide 47: Plan Review & Audit Methodology
- A plan review should involve
  - Key staff of that plan
  - Participants becoming familiar with the plan document
  - Participants validate that the plan represents strategies and objectives
  - Participants revealing gaps, oversights, and mistakes

Slide 48: Plan Review & Audit Methodology
- Should address (minimum)
  - Personnel and assigned recovery tasks
  - Personnel and contact numbers
  - Text (recovery procedure) changes
  - Back-up process and what is included
  - Periodic reviews with known deadlines
  - Where input can be made to review process

Slide 49: Goals
- Efficient or effective?
  - Is your goal to be efficient? Maintaining the plan by doing the job on time and as expected
  - Is your goal to be effective? Doing the right thing vs. doing the job right
- Be careful not to make changes that invalidate senior management and business unit approvals!

Slide 50: Objectives
- Does your plan measure up?
  - Is it accurate, thorough, and complete?
  - Is it logical and make suitable assumptions?
  - Does it support the resumption of necessary information systems and business processes within appropriate timeframes?
  - Are management, personnel, and other stakeholders capable of executing plan?

Slide 51: Audit Objectives
- Is the structure of plan correct?
- Is plan and supporting documentation valid?
- Do the assumptions and scope match the contents?
- Is the team structure and members current?
- Are the roles, responsibilities, and tasks current and executable?
- Is the plan integrated and does it support any dependent plans and the overall organizational objectives?

Slide 52: Maintenance Responsibilities
- Who should review plan?
  - Business continuity staff
  - Auditors
  - Plan owners/dept. chair
  - Teams
  - Senior management
  - Other

Slide 53: Maintenance Responsibilities
- Examples
  - BCM planner directs and controls plan maintenance
  - Team members are responsible for team sections
  - Department heads are responsible for detail relating to their department
  - BoD and senior management review and approve plan
  - Internal audit examines plan to determine if it satisfies recovery objectives of organization, is accurate, and up-to-date
  - Self Assessment

Slide 54: Maintenance Schedule
- Develop plan maintenance schedule
  - Scheduled
    - Time-driven
    - Scheduled at decided time intervals at least annually
  - Unscheduled
    - Event-driven
    - Result of major changes to organization
    - Personnel
    - Changes to team member responsibilities
    - Equipment

Slide 55: Maintaining Plans
- Maintain the plan
  - Select tools
  - Monitor activities
  - Establish update process
  - Audit and control

Slide 56: Sources of Change Information
- Exercise results
- Organization directives, announcements, internal messages, strategic business meetings
- Regularly scheduled meetings with recovery team leaders
- Change management meetings

Slide 57: Change Factors
- Change in
  - Procedure
  - Organizational structure
  - Personnel
  - Physical
  - Technology
  - Recovery requirements
  - Testing issues

Slide 58: Change Factors
- Tracking changes helps to
  - Carry out more effective reviews
  - Hold more effective exercises
  - Point to areas of plan that need closer attention
  - Develop scenarios for exercises

Slide 59: Documenting Review
- Document how review is carried out
- What issues are encountered
- Conclusions reached
- Review after plan is revised
- Evaluate all versions of the plan
- Participation of individuals not on testing team

Slides 60-62: [no text extracted]

Slide 63: Program Change & Impact
- Executive sponsor
  - Recognize and communicate organizational changes
- Steering Committee
  - Communicate between teams and senior management
- BCM team(s)
  - Identify, assign, and map change to interdependent
- Plan owner
  - Puzzle
  - Changes in functional parts of plan

Slide 64: Updating Plans
- Areas of responsibility
  - Plan owners update their plans
  - Updates are mapped to related plans
  - Establish validation process
  - Next exercise is scheduled

Slide 65: Updating Plans
- Generate change management items from incident logs
- Assign updating task to accountable individual
- Set due date for update
- Validate that update is completed
- Ensure changes required by exercise results are implemented
- Ensure next exercise includes issues indicated by previous results

Slide 66: Plan Document Control Procedure
- Establish procedures for plan document control
  - Version control of all documents
  - Assign document ownership
  - Assign numbers to each recovery document
  - Assign each numbered document to specific team member

Slide 67: Plan Document Control Procedures
- Page replacement
- Chapter replacement
- Plan replacement
- Old materials should be returned and destroyed

Slide 68
- Need to share knowledge to meet plan goals
- Need to protect Plan from competitors, terrorists

Slide 69: Plan Document Control Procedures
- Confidential
