




Slide 1. Business Continuity Management Course for Advanced Professionals: Introduction
Slide 2. Subject Area 8: Maintaining & Exercising Business Continuity Plans
Slide 3. Lesson Overview: Elements of a testing & exercise program; Types of tests and exercises; BCM program maintenance; The plan review and audit methodology; Maintaining the plan; Change factors; Plan document control procedures; BCM program maintenance
Slide 4. Professional Practices for Business Continuity Professionals: Project Initiation and Management; Risk Evaluation and Control; Business Impact Analysis; Developing Business Continuity Strategies; Emergency Response and Operations; Developing and Implementing Business Continuity Plans; Awareness and Training Programs; Maintaining & Exercising Business Continuity Plans; Crisis Communications; Coordination with External Agencies
Slide 5. Objectives: Pre-plan and coordinate plan exercises, and evaluate and document plan exercise results. Develop processes to maintain the currency of continuity capabilities and the Plan documents in accordance with the organization's strategic direction. Verify that the Plans will prove effective by comparison with a suitable standard, and report results in a clear and concise manner.
Slide 6. The Professional's Role (1/2): Pre-plan and Coordinate the Exercises; Facilitate the Exercises; Evaluate and Document the Exercise Results; Update the Plan
Slide 7. The Professional's Role (2/2): Report Results/Evaluation to Management; Coordinate Ongoing Plan Maintenance; Assist in Establishing Audit Program for the Business Continuity Plan
Slide 8. The Planning Process: Risk Assessment & Analysis; Plan Development; Project Planning; Strategy Development; Business Impact Analysis; Awareness & Training. Objective: Subject the plan to tests and exercises to ensure that it is operational. Some key tasks: Establish objectives, scope and types of tests & exercises; Conduct the tests & exercises. Some key deliverables: Post-test/exercise results, evaluations, & reports; Plan revisions. Testing & Exercising
Slide 9. “The safety policy and procedures were in place: the practice was deficient.” Extract from Lord Cullen's report into the Piper Alpha disaster, http://news.bbc.co.uk/1/hi/uk/127335.stm
Slide 10. Definitions. Testing: Equipment; Technologies; Durable goods; Server; UPS device; Generator; Telecommunications. Exercising: People; Evacuation procedures; Call trees; Familiarity with alternate locations; Interim procedures; Manual processes; Self Assessment
Slide 11. Testing & Exercising Goal: “The goal of testing and exercising your plan is not to find out if it works, but to determine how it doesn't.”
Slide 12. Benefits of Testing & Exercising: Assesses viability of plan; Practice procedures before disaster; Satisfies legal and internal audit requirements; Identifies areas that need modification; Enables BCM program to remain active, up-to-date, understood, and usable; Demonstrates the ability to recover; Provides a mechanism for maintaining and updating the plan
Slide 13. Benefits of Testing & Exercising: I hear. I forget. I see. I remember. I do. I understand. (Chinese Proverb)
Slide 14. Commitment & Motivation. Senior management needs to understand: An untested/unexercised plan is unlikely to succeed in an actual disaster situation; Program maintenance and plan review, updating and exercising is an integral part of the plan development and implementation process; An untested/unexercised plan could, in an actual disruption, be dangerous. Senior management should support program by: Reading reports; Providing direction; Allocating resources
Slide 15. Testing & Exercising Methodology: The plans are tested to the fullest extent possible; The costs are not prohibitive; Service disruptions are minimal; The results provide a high degree of assurance in recovery capability; Evaluation provides quality input to plan review and updates
Slide 16. Test & Exercise Program Design. Use the scenario to design emergency situations that: Promote preparedness; Improve response capability; Validate plans, policies, procedures, and systems; Determine effectiveness of command, control, and communication functions
Slide 17. Test & Exercise Prioritization: Phased approach to exercising; Start simple; Build upon mastery; Add complexity; Target a comprehensive exercise
Slide 18. Test & Exercise Prioritization: Functional area criticality; Those with roles & responsibilities in plan; Early participants can serve as valuable role models & advocates to other participants; Managers who are “On the fence”
Slide 19. Testing/Exercising as part of Plan Life Cycle (figure labels): Full capability exercised; Minor elements tested; Extent of Test/Exercise; During plan design; Plan issued; Plan being maintained
Slide 20. Types of Tests: Quarterly evaluations of alert and notification procedures and systems; Evaluate the ability to access current vital records, systems, and data management software and equipment; Evaluate the logical support, services, and infrastructure; Evaluate communications
Slide 21. Types of Tests. Static: Essential components in place. Dynamic: Equipment satisfies operational requirements. Functional: Procedures for operating equipment are correct
Slide 22. How would you design a test to cover the different levels and functions? Accounts; Email; CRM; Web server for sales; Application; Database; System & Network; Hardware
Slide 23. “This has been a test. In the event of an actual emergency, I'm outta here!”
Slide 24. Types of Exercises: Scheduled or surprise; Plan review; Tabletop/desktop; Walk through/hands-on; Modular/component; Functional/LOB; Simulation/mock; Comprehensive/full-scale
Slide 25. Exercise Best Practices: Exercise public/private partnerships; Emergency evacuations; Shelter-in-place; Hazardous materials drills; Community Emergency Response Teams (CERT)
Slide 26. Exercise Best Practices: Use real-life situations to test emergency procedures; Emergency Situation
Slide 27. Testing & Exercise Program. Business Continuity Plan Testing/Exercise Program: Comprehensive; Plan Review; Tabletop; Functional; Modular; Walkthrough; Simulation; Self-Assessment
Slide 28. Confidentiality: Establish ground rules to address confidentiality; Ensure that confidential test data is protected after exercise
Slide 29. Test/Exercise Frequency: At least annually or as significant changes occur; Should be ongoing and increase in complexity; Document and budget BCM testing & exercising as an ongoing, multi-year program
Slide 30. Define Test & Exercise Requirements: Objectives and levels of success; Identify types of tests & exercises; Establish and document scope; Provide a schedule; Logistics and pre-planning components; Plan and reporting structure
Slide 31. Planning Test & Exercise Objectives: To see if plan can be executed; To familiarize participants with plan; To demonstrate plan is accurate and complete; To validate plan's assumptions; To confirm that the plan will help to recover the organization
Slide 32. Planning & Coordinating Exercises: Determine scope of exercise. What will be exercised? Elements of the worst-case scenario. Who will be involved? Those with plan roles and responsibilities. When will exercise occur and under what timeframe? Why will exercise occur? Where will the exercise occur?
Slide 33. Facilitating Tests & Exercise: Facilitation during tests & exercises; Personnel; Materials; Procedures in the test/exercise should be consistent with those required in an actual event
Slide 34. Evaluating Test/Exercise & Results: BC planning team and audit department might work together to evaluate a test or exercise; Observation or qualitative method; Documentation or quantitative method; Use quantifiable criteria; Compare timelines from previous exercises; Benchmark comparisons; Measurable objectives; Incident logs; Legal, contractual, or regulatory requirements; Provide feedback on results to participants
Slide 35. Documenting Test/Exercise Results: Part of the permanent record of the organization; Demonstrate due diligence; Prudent business practices; Chronicle the organizational BCM program commitment over time; Materials and reports generated during test/exercise; Action items and issues logs; Plan updates and changes; Lessons learned; Next steps
Slide 36. Analyzing Results: Use the forms provided; Compare expected performance to actual results; Compare exercise to prior tests/exercises; Reference key recovery documents; BIA; Analyze information gathered
Slide 37. Analyzing Results: Analyze and compare recovery times; Validate that procedures are documented and up to date; Validate specific aspects of organization's BCM program. Is key scenario still valid? Is overall recovery possible? Puzzle
Slide 38. Professional Practices for Business Continuity Professionals: Project Initiation and Management; Risk Evaluation and Control; Business Impact Analysis; Developing Business Continuity Strategies; Emergency Response and Operations; Developing and Implementing Business Continuity Plans; Awareness and Training Programs; Maintaining & Exercising Business Continuity Plans; Crisis Communications; Coordination with External Agencies
Slide 39. The Planning Process: Risk Assessment & Analysis; Plan Development; Project Planning; Strategy Development; Business Impact Analysis; Awareness & Training. Objective: Update the Plan(s) constantly to reflect changed conditions in the organization. Some key tasks: Perform periodic review and update at least annually; Update when there are changes to the organization. Some key deliverables: A current and actionable plan; A change management process. Testing & Exercising; BCM Plan; Maintenance & Updating
Slide 40. BCM Maintenance Activities: Technology; Program; Business; Project
Slide 41. Maintenance Objective: To evaluate consistency within the plan, between the plan and other aspects of the overall program, and between the plans and the current characteristics of the organization
Slide 42. Why Conduct a Plan Review and Audit? Organize, manage, and coordinate effects of change; Establish standards to incorporate change on routine schedule; Reduce negotiations on Who/How/When/Why/Where maintenance is done; Clarify effects of change on interdependent recovery functions
Slide 43. Plan Review & Audit Methodology: Create goals & methods for conducting review; Specific, measurable statements that elicit conclusions about whether the plan satisfies the objective(s); Should define how the team will go about collecting the necessary information
Slide 44. Plan Review & Audit Methodology: Critique organization and plan's internal consistency to determine usability. Does the plan incorporate RTO? Gain an understanding of functional requirements; Check internal documents; Review of service agreements
Slide 45. Plan Review & Audit Methodology. Addresses consistency: Within plan; Between plan and BCM program; Between plan and current characteristics of the organization; Structure; Business processes; Outsourcing relationships
Slide 46. Plan Review & Audit Methodology. Audits. Business continuity planner responsibilities: Assist auditor. Auditor responsibilities: Set audit objectives and scope; Assess and select audit method; Audit administrative aspects of the BCM program; Audit plan structure, content, and action sections; Audit plan documentation control procedures
Slide 47. Plan Review & Audit Methodology. A plan review should involve: Key staff of that plan; Participants becoming familiar with the plan document; Participants validate that the plan represents strategies and objectives; Participants revealing gaps, oversights, and mistakes
Slide 48. Plan Review & Audit Methodology. Should address (minimum): Personnel and assigned recovery tasks; Personnel and contact numbers; Text (recovery procedure) changes; Back-up process and what is included; Periodic reviews with known deadlines; Where input can be made to review process
Slide 49. Goals: Efficient or effective? Is your goal to be efficient? Maintaining the plan by doing the job on time and as expected. Is your goal to be effective? Doing the right thing vs. doing the job right. Be careful not to make changes that invalidate senior management and business unit approvals!
Slide 50. Objectives: Does your plan measure up? Is it accurate, thorough, and complete? Is it logical and does it make suitable assumptions? Does it support the resumption of necessary information systems and business processes within appropriate timeframes? Are management, personnel, and other stakeholders capable of executing plan?
Slide 51. Audit Objectives: Is the structure of plan correct? Are plan and supporting documentation valid? Do the assumptions and scope match the contents? Are the team structure and members current? Are the roles, responsibilities, and tasks current and executable? Is the plan integrated and does it support any dependent plans and the overall organizational objectives?
Slide 52. Maintenance Responsibilities. Who should review plan? Business continuity staff; Auditors; Plan owners/dept. chair; Teams; Senior management; Other
Slide 53. Maintenance Responsibilities. Examples: BCM planner directs and controls plan maintenance; Team members are responsible for team sections; Department heads are responsible for detail relating to their department; BoD and senior management review and approve plan; Internal audit examines plan to determine if it satisfies recovery objectives of organization, is accurate, and up-to-date; Self Assessment
Slide 54. Maintenance Schedule: Develop plan maintenance schedule. Scheduled: Time-driven; Scheduled at decided time intervals at least annually. Unscheduled: Event-driven; Result of major changes to organization; Personnel; Changes to team member responsibilities; Equipment
Slide 55. Maintaining Plans: Maintain the plan; Select tools; Monitor activities; Establish update process; Audit and control
Slide 56. Sources of Change Information: Exercise results; Organization directives, announcements, internal messages, strategic business meetings; Regularly scheduled meetings with recovery team leaders; Change management meetings
Slide 57. Change Factors. Change in: Procedure; Organizational structure; Personnel; Physical; Technology; Recovery requirements; Testing issues
Slide 58. Change Factors. Tracking changes helps to: Carry out more effective reviews; Hold more effective exercises; Point to areas of plan that need closer attention; Develop scenarios for exercises
Slide 59. Documenting Review: Document how review is carried out; What issues are encountered; Conclusions reached; Review after plan is revised; Evaluate all versions of the plan; Participation of individuals not on testing team
Slides 60 to 62. (no text)
Slide 63. Program Change & Impact. Executive sponsor: Recognize and communicate organizational changes. Steering Committee: Communicate between teams and senior management. BCM team(s): Identify, assign, and map change to interdependent. Plan owner: Puzzle; Changes in functional parts of plan
Slide 64. Updating Plans: Areas of responsibility; Plan owners update their plans; Updates are mapped to related plans; Establish validation process; Next exercise is scheduled
Slide 65. Updating Plans: Generate change management items from incident logs; Assign updating task to accountable individual; Set due date for update; Validate that update is completed; Ensure changes required by exercise results are implemented; Ensure next exercise includes issues indicated by previous results
Slide 66. Plan Document Control Procedure: Establish procedures for plan document control; Version control of all documents; Assign document ownership; Assign numbers to each recovery document; Assign each numbered document to specific team member
Slide 67. Plan Document Control Procedures: Page replacement; Chapter replacement; Plan replacement; Old materials should be returned and destroyed
Slide 68. Need to share knowledge to meet plan goals; Need to protect Plan from competitors, terrorists
Slide 69. Plan Document Control Procedures: Confidential information; Security and control; Master distribution list; Version identification number; Record recipient on distribution list; Full copies to all team managers; Partial copies to others
Slide 70. (no text)
Slide 71. Continuous Process: Review. Implement. Repeat; Include Activities in the Genera