CBCP业务连续性管理专家培训材料_Area8.ppt

1,Business Continuity ManagementCourse for Advanced Professionals Introduction,2,Subject Area 8:Maintaining&Exercising Business Continuity Plans,3,Lesson Overview,Elements of a testing&exercise programTypes of tests and exercisesBCM program maintenanceThe plan review and audit methodology Maintaining the plan Change factors Plan document control proceduresBCM program maintenance,4,Professional Practices forBusiness Continuity Professionals,Project Initiation and ManagementRisk Evaluation and ControlBusiness Impact AnalysisDeveloping Business Continuity StrategiesEmergency Response and OperationsDeveloping and Implementing Business Continuity PlansAwareness and Training ProgramsMaintaining&Exercising Business Continuity PlansCrisis CommunicationsCoordination with External Agencies,5,Objectives,Pre-plan and coordinate plan exercises,and evaluate and document plan exercise results.Develop processes to maintain the currency of continuity capabilities and the Plan documents in accordance with the organization.s strategic direction.Verify that the Plans will prove effective by comparison with a suitable standard,and report results in a clear and concise manner.,6,The Professionals Role(1/2),Pre-plan and Coordinate the ExercisesFacilitate the ExercisesEvaluate and Document the Exercise ResultsUpdate the Plan,7,The Professionals Role(2/2),Report Results/Evaluation to ManagementCoordinate Ongoing Plan MaintenanceAssist in Establishing Audit Program for the Business Continuity Plan,8,The Planning Process,RiskAssessment&Analysis,PlanDevelopment,ProjectPlanning,StrategyDevelopment,Business Impact Analysis,Awareness&Training,Objective Subject the plan to tests and exercises to ensure that it is operationalSome key tasks Establish objectives,scope and types of tests&exercises Conduct the tests&exercisesSome key deliverables Post-test/exercise results,evaluations,&reports Plan revisions,Testing&Exercising,9,“The safety policy and procedures were in place:the practice was deficient.”extract from Lord Cullens report into the Piper Alpha disasterhttp:/news.bbc.co.uk/1/hi/uk/127335.stm,10,Definitions,TestingEquipmentTechnologiesDurable goods Server UPS device Generator Telecommunications,ExercisingPeople Evacuation procedures Call trees Familiarity with alternate locations Interim procedures Manual processes Self Assessment,11,Testing&Exercising Goal“The goal of testing and exercising your plan is not to find out if it works,but to determine how it doesnt.”,12,Benefits of Testing&Exercising,Assesses viability of planPractice procedures before disasterSatisfies legal and internal audit requirementsIdentifies areas that need modificationEnables BCM program to remain active,up-to-date,understood,and usable Demonstrates the ability to recoverProvides a mechanism for maintaining and updating the plan,13,Benefits of Testing&Exercising I hear.I forget.I see.I rememberI do.I understandChinese Proverb,14,Commitment&Motivation,Senior management needs to understand An untested/unexercised plan is unlikely to succeed in an actual disaster situation Program maintenance and plan review,updating and exercising is an integral part of the plan development and implementation process An untested/unexercised plan could,in an actual disruption be dangerousSenior management should support program by Reading reports Providing direction Allocating resources,15,Testing&Exercising Methodology,The plans are tested to the fullest extent possibleThe costs are not prohibitiveService disruptions are minimalThe results provide a high degree of assurance in recovery capabilityEvaluation provides quality input to plan review and updates,16,Test&Exercise Program Design,Use the scenario to design emergency situations that:Promote preparedness Improve response capability Validate plans,policies,procedures,and systems Determine effectiveness of command,control,and communication functions,17,Test&Exercise Prioritization,Phased approach to exercising Start simple Build upon mastery Add complexity Target a comprehensive exercise,18,Test&Exercise Prioritization,Functional area criticality Those with roles&responsibilities in planEarly participants can serve as valuable role models&advocates to other participantsManagers who are“On the fence”,19,Testing/Exercising as part of Plan Life Cycle,Fullcapabilityexercised,Minor elements tested,Extent ofTest/Exercise,During plandesign,Plan issued,Plan beingmaintained,20,Types of Tests,Quarterly evaluations of alert and notification procedures and systemsEvaluate the ability to access current vital records,systems,and data management software and equipmentEvaluate the logical support,services,and infrastructureEvaluate communications,21,Types of Tests,Static Essential components in placeDynamic Equipment satisfies operational requirementsFunctional Procedures for operating equipment are correct,22,How would you design a test to cover the different levels and functions?,Accounts,Email,CRM,Web serverfor sales,Application,Database,System&Network,Hardware,23,“This has been a test.In the eventof an actual emergency,Im outta here!”,24,Types of Exercises,Scheduled or surprisePlan reviewTabletop/desktopWalk through/hands-onModular/component,Functional/LOBSimulation/mockComprehensive/full-scale,25,Exercise Best Practices,Exercise public/private partnerships Emergency evacuations Shelter-in-place Hazardous materials drills Community Emergency Response Teams(CERT),26,Exercise Best Practices,Use real-life situations to test emergency procedures Emergency Situation,27,Testing&Exercise Program,Business Continuity PlanTesting/Exercise Program,Comprehensive,Plan Review,Tabletop,Functional,Modular,Walkthrough,Simulation,Self-Assessment,28,Confidentiality,Establish ground rules to address confidentialityEnsure that confidential test data is protected after exercise,29,Test/Exercise Frequency,At least annually or as significant changes occurShould be ongoing and increase in complexityDocument and budget BCM testing&exercising as an ongoing,multi-year program,30,Define Test&Exercise Requirements,Objectives and levels of successIdentify types of tests&exercisesEstablish and document scopeProvide a schedule Logistics and pre-planning componentsPlan and reporting structure,31,Planning Test&Exercise Objectives,To see if plan can be executedTo familiarize participants with plan To demonstrate plan is accurate and completeTo validate plans assumptionsTo confirm that the plan will help to recover the organization,32,Planning&Coordinating Exercises,Determine scope of exercise What will be exercise?Elements of the worst-case scenario Who will be involved?Those with plan roles and responsibilities When will exercise occur and under what timeframe?Why will exercise occur?Where will the exercise occur?,33,Facilitating Tests&Exercise,Facilitation during tests&exercisesPersonnelMaterialsProcedures in the test/exercise should be consistent with those required in an actual event,34,Evaluating Test/Exercise&Results,BC planning team and audit department might work together to evaluate a test or exerciseObservation or qualitative methodDocumentation or quantitative method Use quantifiable criteria Compare timelines from previous exercises Benchmark comparisons Measurable objectives Incident logs Legal,contractual,or regulatory requirementsProvide feedback on results to participants,35,Documenting Test/Exercise Results,Part of the permanent record of the organization Demonstrate due diligence Prudent business practices Chronicle the organizational BCM program commitment over time.Materials and reports generated during test/exercise Action items and issues logs Plan updates and changes Lessons learned Next steps,36,Analyzing Results,Use the forms provided Compare expected performance to actual resultsCompare exercise to prior tests/exercisesReference key recovery documents BIAAnalyze information gathered,37,Analyzing Results,Analyze and compare recovery timesValidate that procedures are documented and up to dateValidate specific aspects of organizations BCM programIs key scenario still valid?Is overall recovery possible?Puzzle,38,Professional Practices forBusiness Continuity Professionals,Project Initiation and ManagementRisk Evaluation and ControlBusiness Impact AnalysisDeveloping Business Continuity StrategiesEmergency Response and OperationsDeveloping and Implementing Business Continuity Plans Awareness and Training ProgramsMaintaining&Exercising Business Continuity PlansCrisis CommunicationsCoordination with External Agencies,39,The Planning Process,RiskAssessment&Analysis,PlanDevelopment,ProjectPlanning,StrategyDevelopment,Business ImpactAnalysis,Awareness&Training,Objective Update the Plan(s)constantly to reflect changed conditions in the organizationSome key tasks Perform periodic review and update at least annually Update when there are changes to the organizationSome key deliverables A current and actionable plan A change management process,Testing&Exercising,BCM Plan,Maintenance&Updating,40,BCM Maintenance Activities,Technology,Program,Business,Project,41,Maintenance Objective,To evaluate consistency within the plan,between the plan and other aspects of the overall program,and between the plans and the current characteristics of the organization,42,Why Conduct a Plan Review and Audit?,Organize,manage,and coordinate effects of changeEstablish standards to incorporate change on routine scheduleReduce negotiations on Who/How/When/Why/Where maintenance is doneClarify effects of change on interdependent recovery functions,43,Plan Review&Audit Methodology,Create goals&methods for conducting review Specific,measurable statements that elicit conclusions about whether the plan satisfies the objective(s)Should define how the team will go about collecting the necessary information,44,Plan Review&Audit Methodology,Critique organization and plans internal consistency to determine usabilityDoes the plan incorporate RTO?Gain an understanding of functional requirements Check internal documents Review of service agreements,45,Plan Review&Audit Methodology,Addresses consistency Within plan Between plan and BCM program Between plan and current characteristics of the organization Structure Business processes Outsourcing relationships,46,Plan Review&Audit Methodology,Audits Business continuity planner responsibilities Assist auditor Auditor responsibilities Set audit objectives and scope Assess and select audit method Audit administrative aspects of the BCM program Audit plan structure,content,and action sections Audit plan documentation control procedures,47,Plan Review&Audit Methodology,A plan review should involve Key staff of that plan Participants becoming familiar with the plan document Participants validate that the plan represents strategies and objectives Participants revealing gaps,oversights,and mistakes,48,Plan Review&Audit Methodology,Should address(minimum)Personnel and assigned recovery tasks Personnel and contact numbers Text(recovery procedure)changes Back-up process and what is included Periodic reviews with known deadlines Where input can be made to review process,49,Goals,Efficient or effective?Is your goal to be efficient?Maintaining the plan by doing the job on time and as expected Is your goal to be effective?Doing the right thing vs.doing the job rightBe careful not to make changes that invalidate senior management and business unit approvals!,50,Objectives,Does your plan measure up?Is it accurate,thorough,and complete?Is it logical and make suitable assumptions?Does it support the resumption of necessary information systems and business processes within appropriate timeframes?Are management,personnel,and other stakeholders capable of executing plan?,51,Audit Objectives,Is the structure of plan correct?Is plan and supporting documentation valid?Do the assumptions and scope match the contents?Is the team structure and members current?Are the roles,responsibilities,and tasks current and executable?Is the plan integrated and does it support any dependent plans and the overall organizational objectives?,52,Maintenance Responsibilities,Who should review plan?Business continuity staff Auditors Plan owners/dept.chair Teams Senior management Other,53,Maintenance Responsibilities,Examples BCM planner directs and controls plan maintenance Team members are responsible for team sections Department heads are responsible for detail relating to their department BoD and senior management review and approve plan Internal audit examines plan to determine if it satisfies recovery objectives of organization,is accurate,and up-to-date Self Assessment,54,Maintenance Schedule,Develop plan maintenance schedule Scheduled Time-driven Scheduled at decided time intervals at last annually Unscheduled Event-driven Result of major changes to organization Personnel Changes to team member responsibilities Equipment,55,Maintaining Plans,Maintain the plan Select tools Monitor activities Establish update process Audit and control,56,Sources of change Information,Exercise resultsOrganization directives,announcements,internal messages,strategic business meetingsRegularly scheduled meetings with recovery team leaders Change management meetings,57,Change Factors,Change in Procedure Organizational structure Personnel Physical Technology Recovery requirements Testing issues,58,Change Factors,Tracking changes helps to Carry out more effective reviews Hold more effective exercises Point to areas of plan that need closer attention Develop scenarios for exercises,59,Documenting Review,Document how review is carried out What issues are encounteredConclusions reachedReview after plan is revisedEvaluate all versions of the plan Participation of individuals not on testing team,60,61,62,63,Program Change&Impact,Executive sponsor Recognize and communicate organizational changesSteering Committee Communicate between teams and senior managementBCM team(s)Identify,assign,and map change to interdependentPlan owner Puzzle Changes in functional parts of plan,64,Updating Plans,Areas of responsibility Plan owners update their plans Updates are mapped to related plans Establish validation process Next exercise is scheduled,65,Updating Plans,Generate change management items from incident logsAssign updating task to accountable individualSet due date for update Validate that update is completedEnsure changes required by exercise results are implementedEnsure next exercise includes issues indicated by previous results,66,Plan Document Control Procedure,Establish procedures for plan document control Version control of all documents Assign document ownership Assign numbers to each recovery document Assign each numbered document to specific team member,67,Plan Document Control Procedures,Page replacementChapter replacementPlan replacementOld materials should be returned and destroyed,68,Need to shareknow edge to meet plan goals,Need to protect Plan from com-petitors,terrorists,69,Plan Document Control Procedures,Confidential