Tag Archives: business continuity

Incident Management – an explanation and example

Advent IM Security Consultant, Del Brazil, offers some guidance on best practice in Incident Management.

Incident Management is defined by the Information Technology Infrastructure Library (ITIL) as ‘to restore normal service operation as quickly as possible and minimise the impact on business operations, thus ensuring that agreed levels of service are maintained.’ Although this definition is closely aligned to the service-delivery element of IT, organisations should translate it to all areas of the organisation to form the basis of any incident management strategy.

Any Incident Management process should include:

Incident detection and recording – Ensuring that sufficient and appropriate means of both detecting and reporting incidents exist is critical, as failure to report incidents can have a serious impact upon an organisation. There may be a legal requirement for incidents to be reported, such as those involving the loss of personal data or security breaches related to protectively marked information, although this does not apply to every organisation. Ensuring that an incident is correctly reported will facilitate the correct actions being taken in line with the incident management plan and thus ensure the correct allocation of resources.

An example may be that an individual receives an email from an untrusted source and, without realising the inherent risk, opens an attachment, which in turn causes their terminal to become unresponsive. The individual contacts the IT department in the first instance in order to initiate some form of containment measures, whilst also documenting how the incident occurred.

Classification and initial support – There are various levels of severity associated with different types of incident, and ensuring that they are correctly classified will mean that the appropriate resources or emergency services are tasked accordingly. These levels of severity range from a low-impact/minor incident requiring a limited number and type of resources, through to a major incident, which has the potential to impact the whole organisation and requires a substantial amount of resources to manage or recover from. In the early stages of any incident the support provided by a designated incident response team is vital, as their initial actions can have potentially massive implications for the organisation’s ability to resume normal operations.

Following on from the previous example, the incident may be classified as low priority at this stage, as only one terminal/user has been affected. The IT department may have tasked a limited number of resources with tracking down the suspicious email on the mail server and then carried out the appropriate quarantining and/or deletion procedures.

Investigation and diagnosis – Further and ongoing investigation into the incident may identify trends or patterns that could further impact the organisation once normal operations have been resumed.

Keeping in mind the example previously discussed, should the initial findings of the IT department reveal that the email has been received by a large number of users, then further impact analysis should be undertaken to establish the impact on services before any additional resources are dedicated to resolving the issue. This further investigation requires an organisation-wide broadcast highlighting the incident and what actions should be taken if users receive suspicious emails or attachments.

Resolution and recovery – Ensuring that the correct rectification method is deployed is paramount, as no two incidents are the same; any incident management plan should therefore have a degree of flexibility to accommodate potential variations.

Using our example scenario, the correct rectification solution in this instance would be to purge the mail server of any copies of the suspicious email and then scan the mail server with an anti-virus and/or anti-spam product. Consideration should be given to whether to take the mail server offline to perform the relevant scans; however, any potential downtime may impact the output of the organisation. In the event that the mail server is taken offline, it is imperative that communication is maintained with all staff, contractors, customers, third-party suppliers and so on.

Incident closure – The closure of an incident should be clearly communicated to all parties involved in managing or effecting rectification processes, as should a statement that ‘Business has resumed to normal’, to clearly indicate to all concerned that normal operations can continue.

In our example, it’s essential that all persons involved in or impacted by the incident are informed accordingly, which formally closes the incident. This also reassures any interested parties that normal service has been resumed, thus preventing any additional business continuity plan being invoked.

Incident ownership, monitoring, tracking and communication – An Incident Manager/Controller should take clear ownership of any incident so that all relevant information is communicated effectively, enabling informed decisions to be made along with the correct allocation of resources.

As always, good communication is vital not only with staff, emergency services and the press but also with key suppliers and customers, as these may have to invoke their own business continuity plans as a result of the incident. Business continuity plans ensure critical outputs are maintained, but invoking a plan comes at a cost, whether financial or an impact on operational outputs. It is therefore imperative that once an incident has been deemed formally closed, key suppliers and customers are informed accordingly; this will enable them to also return to normal operations. Post-incident analysis or ‘lessons learnt’ meetings should be held after any incident to highlight any weaknesses or failings so that rectification measures can be introduced accordingly. Likewise, should any good practices or solutions be highlighted during the incident, these should also be captured, as they may be used in other areas of the organisation.

Now that our example has been correctly identified and treated and business has returned to normal, it is imperative that an incident ‘wash up’ meeting takes place to clearly identify those areas for improvement and those that performed well. The correct allocation of resources during the initial stages of the incident, to address what was initially deemed a minor incident, resulted in minimal impact not only to business outputs but also to customers and third-party suppliers. The findings of the ‘wash up’ meeting should be correctly recorded and analysed for any trends or patterns that may indicate a weakness in security. In this instance the mail server’s spam filters may have been incorrectly configured or not updated, resulting in a vulnerability being exploited.
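The following is an added worked example, not code from the original article or from Advent IM, that walks the email scenario above through the lifecycle just described. It parses constructed mail-gateway log lines (the line format is an assumption made for this example), establishes which users received the reported message (the investigation step), reclassifies severity by how far the message reached (the severity bands are assumptions), and keeps an incident record whose state can only move forward in lifecycle order, so that closure cannot be recorded before resolution. The addresses and the Incident class are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Constructed mail-gateway log lines for the scenario in the article: one
# untrusted sender, one attachment, several recipients. The line format is
# an assumption made for this example, not any real product's log format.
SAMPLE_LOG = """\
2012-06-04T08:12:03 from=<invoice@untrusted.example> to=<alice@corp.example> subject="Invoice attached" attachment=invoice.zip
2012-06-04T08:12:05 from=<invoice@untrusted.example> to=<bob@corp.example> subject="Invoice attached" attachment=invoice.zip
2012-06-04T08:12:09 from=<newsletter@vendor.example> to=<carol@corp.example> subject="June newsletter" attachment=none
2012-06-04T08:13:41 from=<invoice@untrusted.example> to=<dave@corp.example> subject="Invoice attached" attachment=invoice.zip
2012-06-04T08:15:00 from=<invoice@untrusted.example> to=<alice@corp.example> subject="Invoice attached" attachment=invoice.zip
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> '
    r'subject="(?P<subject>[^"]*)" attachment=(?P<attachment>\S+)$'
)

# Lifecycle states in the order the article presents them.
LIFECYCLE = ["detected", "classified", "investigated", "resolved", "closed"]


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def affected_recipients(events, sender, subject):
    """Distinct recipients of the reported message: the scope the investigation step needs."""
    return sorted({e["rcpt"] for e in events
                   if e["sender"] == sender and e["subject"] == subject})


def classify(affected_count, user_count):
    """Map how far the message reached to a severity band.

    The bands (one user = low, under a quarter of users = medium, otherwise
    major) are an assumption for this example; a real plan sets its own.
    """
    if user_count <= 0:
        raise ValueError("user_count must be positive")
    if affected_count == 0:
        return "none"
    if affected_count == 1:
        return "low"
    if affected_count / user_count < 0.25:
        return "medium"
    return "major"


@dataclass
class Incident:
    """Minimal incident record: reporter, owner, state, severity, scope and a timeline."""
    reporter: str
    owner: str
    severity: str = "unclassified"
    state: str = LIFECYCLE[0]
    affected: list = field(default_factory=list)
    timeline: list = field(default_factory=list)

    def advance(self, new_state, note):
        """Move to the next lifecycle state only; skipping a step (e.g. closing
        before resolution) is rejected so the record stays trustworthy."""
        if self.state == LIFECYCLE[-1]:
            raise ValueError("incident is already closed")
        expected = LIFECYCLE[LIFECYCLE.index(self.state) + 1]
        if new_state != expected:
            raise ValueError(f"cannot move from {self.state} to {new_state}; next is {expected}")
        self.state = new_state
        self.timeline.append((new_state, note))


def run_example(user_count=20):
    """Walk the article's scenario through the lifecycle. user_count is assumed."""
    events = parse_log(SAMPLE_LOG)
    inc = Incident(reporter="alice@corp.example", owner="incident-manager@corp.example")

    # Classification: at first only one terminal is known to be affected.
    inc.severity = classify(1, user_count)
    inc.advance("classified", f"single terminal affected; severity {inc.severity}")

    # Investigation: the mail log shows how many users actually received the message.
    inc.affected = affected_recipients(events, "invoice@untrusted.example", "Invoice attached")
    inc.severity = classify(len(inc.affected), user_count)
    inc.advance("investigated",
                f"{len(inc.affected)} of {user_count} users received it; severity now {inc.severity}")

    # Resolution, then closure with the statement the article calls for.
    inc.advance("resolved", "copies purged from the mail server and the server scanned")
    inc.advance("closed", "Business has resumed to normal; all parties informed")
    return inc


if __name__ == "__main__":
    incident = run_example()
    for state, note in incident.timeline:
        print(f"{state:12} {note}")
```

The point of the ordered lifecycle check is the article’s closure step: a record that can jump from ‘detected’ to ‘closed’ lets a premature ‘business has resumed’ message go out before the mail server has actually been purged and scanned, which is exactly what would cause suppliers and customers to stand down their own plans too early.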

Any incident management plan should be suitably tested and its effectiveness evaluated, with any updates/amendments implemented accordingly. It would be prudent to exercise any incident management plan annually or when there is a change in the key functions of the organisation. It is also recommended that all users are reminded of how to report incidents during any annual security awareness education or training.

As organisations become ever more reliant on internet and IT services, it is imperative that an effective, appropriate and fully tested Incident Management Procedure is embedded within the organisation. Failure to ensure this may result in an organisation struggling to deal with or recover from any kind of security incident.


Business Continuity: International Standard Excellence

How resilient is your supply chain?

Warning (again): contains percentages that you may find rather unnerving.

Business Continuity saw the beginning of change in May this year, when the new International Standard was published. Moving from a British standard (BS 25999) to an international one (ISO 22301) will offer benefits and reassurance to organisations with international supply chains, for instance. It also offers the opportunity to leverage accreditation to potentially lower insurance premiums. Indeed, insurers are increasingly seeking assurance that organisations are compliant with the BC standard before issuing certificates or agreeing premiums. It’s hard to talk about Business Continuity without talking benefits. The move to an international standard should create an even greater interest in this increasingly pertinent standard. According to the CMI Business Continuity Survey, the last three years have seen an increased number of managers in organisations implementing BC plans, from 49% to 58% and now 61%. Most encouragingly, 81% of those implementing an effective plan currently report an effective reduction in business disruption, and 77% felt it had improved business resilience. If that is not a clear benefit I don’t know what is!

At the other end of the scale, however, we have the organisations that have not yet fully grasped the importance of planning how to continue business in the event of a BAU threat or disaster. Research done by Norwich Union reported that businesses without an effective BC plan which experienced a disaster have a greatly reduced chance of ever fully recovering. In fact only 8% make it to the five-years-plus mark. It gets worse: 40% never re-open and another 40% re-open but fail within 18 months. Never underestimate reputational damage. How then can an organisation fail to include Business Continuity Planning in the very fabric of its being? Referring again to the CMI survey, 15% of managers cited a perceived lack of business benefit as a reason for not having a Business Continuity Plan. (I do hope none of these businesses are in the supply chain of any readers…)

However, a staggering naiveté emerges when we read in the same survey that 54% of businesses that do not have a plan say it is because they “rarely get significant levels of disruption in their business”. Given that almost half of the businesses surveyed reported disruption from extreme weather, this cannot only have affected those who had already included it in the scope of their BC plan, surely?

There are a number of factors at work here apart from the unwillingness to acknowledge that sometimes events out of one’s control can impact a business. Also, some organisations have a knowledge gap between what they think they can survive and what they can actually survive. Don’t forget that reputational damage will be a key indicator of how your talented staff, your clients and your supply chain partners respond to you after a disaster. Another consideration is the best of intentions being poorly researched and implemented: another knowledge gap, but this time in where the REAL threats and risks lie, planning for things that may be inappropriate whilst real threats go unconsidered. Add to that a good, or a less than good, plan being poorly implemented, tested and taught throughout an organisation and you have what is known among youngsters as an epic fail.

As Business Continuity becomes an international standard, the opportunity for UK businesses to benefit increases. The ability to plan the continuance of business in exceptional circumstances should not be considered exceptional. Supply chain partners, clients, insurers and employees will come to demand this as standard, making the ISO 22301 standard all the more attractive and necessary.

Advent IM – The UK’s Leading Independent Holistic Security Consultancy

ARE YOUR BUSINESS CONTINUITY PLANS MORE FAWLTY TOWERS THAN BURJ AL ARAB?

We all know hotels are good in a crisis.

Thanks to uktv.co.uk for the splendid picture of customer service excellence in action or is that inaction...?

Over-booked?  Syndicate out guests to other hotels.

Guest unhappy with room?  Move them.

Laundry, catering, or other supplier lets you down at short notice?  Mmmmmmm……

Hotel is unavailable during a period of peak national occupancy (e.g. the Olympics)?  Let me see……

OK.  So a ‘can do’ attitude and tried and tested crisis arrangements can only do so much.  But what can we do?

The Olympics and other major events are a fantastic opportunity for additional and much-needed revenue for hotels.  However with a little bit of effort – and very little expense – we can protect your business from the potential devastating reputational and financial effects of unforeseen disruptions.

Here are our top 5 tips for business continuity planning for hotels in 2012:

1.  If you don’t have one, get a business continuity plan now.  And if you do have one, make sure it is still fit for purpose.  If you are not sure how to do this, see our FUN 100 day Olympics Business Continuity Project Plan here.

2.  Make sure your plans factor in key suppliers that your business depends on.  And don’t assume that they have planned for the travel restrictions in place around Olympic venues – I can tell you now, a lot won’t have!

3.  Have a strategy for what to do with your guests if a hotel becomes unavailable for any reason.  Normally you would probably syndicate these out to other hotels, but what if there are no other hotels available and you have umpteen guests on the street and nowhere to put them?

  • Where are you going to move them to?  Are there unoccupied offices that you can access on a short-term lease that you can put day beds or similar in to?
  • How are you going to move them?  Taxi and coach companies will also be enjoying a bumper time, so why not set up some strategic partnerships ‘just in case’?
  • What are you going to tell the rest of the world?  A well-managed incident can put column inches on your reputation.  A badly managed incident can have precisely the reverse effect.

4.  Don’t assume the impact of major events is localised.  Your business might not be in the vicinity of an Olympic venue but your suppliers might be – or their suppliers – or even their suppliers’ suppliers.  The impact on supply chain management was brought home to all of us in the tragic aftermath of the tsunami that struck Japan a year ago.

5.  Ensure your extant reporting processes (crime, utility failure and so on) feed into your business continuity risk management framework to help identify priority actions for mitigating the impact or likelihood of disruptive events occurring.

Mark Goddard – Advent IM Security Consultant

If you want assistance with your Business Continuity Plan, we can help.

We can also help with all aspects of hotel security, from information to physical, including secure card payments through PCI-DSS.

Visit our dedicated Hotel & conferencing webpage www.advent-im.co.uk/hotels.aspx

Is Your Business For The (Olympic) High Jump?

[Image: cat athlete]

Terrible pun, I know. But if you saw something called ‘Business continuity planning for the Olympics’ you might stop reading.  But please don’t!  I am going to try something that no-one else has ever done before: make business continuity FUN!  I did think about trying to do something else that no one had ever done before and beat the Cuban Javier Sotomayor’s 1993 high jump world record of 2.45 metres (8 foot and half an inch in old money) but I have a gammy knee.  You can watch the amazing Señor Sotomayor strut his stuff here in a 10 second video (no sound):

It is fair to say that good, earnest BC professionals like myself have, to date, largely failed to capture the imagination of the man in the street, the man on the Clapham omnibus, or in fact any man, woman, child, dog, cat (apart from the one pictured) or mammal of any description.  And it is unlikely that any careers advisor has ever had their door beaten down by eager Year 11s desperate to know the best career path into BC management.  Which is a shame really, because as Dara O’Briain (think ‘Mock The Week’) observed, “Business continuity is brilliant.” (Google it.  I can’t link you to it.  Too many naughty words I am afraid).  But as Mr O’Briain no doubt appreciates, BC is more than worrying about killer bees in the pick and mix and teaching HR how to dig latrines in the car park.

By the middle of April it will be less than 100 days until the Olympics start.  Think you don’t need a business continuity plan?  Think it is too late to get one in place before the Summer?  Think again!  This is your free, FUN 100 day Olympics Business Continuity Project Plan.

Day 1: Get management buy-in

Like our friend Javier, you’ll need some support.  He had Fidel Castro and you need your management.

As we know management have lots of people and projects vying for their attention so make your ‘pitch’ stand out to ensure it is successful:

– Identify the right management sponsor(s).  They should have an interest in the continuity of the company from a reputational, financial, or just practical point of view

– Sell, sell, sell!  What are your business’s BC ‘drivers’?  Is it financial?  BC planning can cost almost nothing, but can save you a lot of money in the event of disruption to your income.  Is it cultural?  If you have a strong welfare culture the first tenet of BC planning is always the preservation of life.  Is it practical?  Do your customers expect you to have BC plans in place and are you sure that your key suppliers will continue to be there for you during a disruption?  In a recent exercise one of our clients asked over 30 of their major suppliers to provide them with copies of their BC plans.  Only two could!

– Publicise the fact that you are doing this and why you are doing it to the rest of the organisation (or that part of the organisation your BC project covers)

FACT: In a 2011 survey 85% of respondent organisations had experienced supply chain disruption in the past year and you might not be in the South East, but your suppliers, or even their suppliers, might be (http://www.bcifiles.com/SupplyChainResilience2011PublicVersion.pdf)

Day 20: The groundwork

Javier had a team.  Dietitians, trainers, conditioning coaches and doctors.  And you’ll need a team as well.

This is where your BC project really starts getting ‘out there’ (scary).  Before day 20 you should identify representatives from key business functions (IT, HR, Finance, Facilities Management, Operations and so on) to talk to.  Ideally you will get them together all at the same time, but you could speak to them individually (or as a hybrid of the two).  You may choose to prepare a pro-forma for them to complete and this information will form the bedrock of your BC plans.  Generally the sorts of things you would ask for are:

– their key business activities (e.g. for HR this might be Recruitment, reward and employee engagement)

– the resources (people, technology, information, premises and so on) that these activities depend on

– the impact on the business of not doing these activities

– how soon we would want these activities restored in a period of disruption; and

– how much electronic information they can tolerate losing in a disruption

Day 40: Bringing it all together

Most sportsmen and women have a strategy.  For Javier it would have been which heights to Pass or Attempt.  And you will need a strategy as well.

Obviously you can’t just stick all the information gathered into a folder, photocopy it umpteen times, and present it to the business as their BC Plan.  They would rightly think this a bit crummy.  The information gathered needs some kind of rationalisation and this is where you start to develop your embryonic Plan.  You should be able to categorise the information from your representatives into thematic areas, e.g. Systems, People, Premises and Accommodation [some extra info for Hotels coming very soon], Suppliers and so on.  This can be rough bullet points or something more substantial.  You then need to find people to turn these thematic areas into chapters for your Plan.  This could be the same or different people who provided you with the information in the first place.  You shouldn’t write the Plan.  This is a BUSINESS Continuity Plan and the Business needs to take ownership of it.

Day 60: The Plan

Javier had plans for training, meals and competitions and all sorts of other things and now you have yours as well.

There is no set format for a BC Plan.  It could be electronic, hardcopy, or a combination of both.  Your business representatives can help decide this.  After all, it is their Plan!

Day 80: Practice makes perfect

Javier was the best at what he did (recording 17 of the highest 24 jumps ever recorded) because he practised, and so should you.

There are lots of ways to practise business continuity and ‘test’ your Plan: communication cascades, systems recoveries, desktop exercises and full simulation tests amongst them.  You will need to decide what is right for your organisation.  The important thing is that you capture feedback and lessons learned from your tests and incorporate them into revised Plans.

Day 100: The end of the road?

Unlike Javier, who retired in 2001, your business continuity plans are never ‘over’.

You will need to regularly remind people about the business continuity plan, make sure people are trained to operate it, and ensure it is regularly tested and updated.  But well done; you got there.  And you may not get lots of gold medals and acclaim like our high-jumping marvel but you will have the satisfaction of doing a good job well and after all, as Dara observed, “Business continuity is brilliant.”

Mark Goddard – Advent IM Security Consultant and Business Continuity Professional

http://www.advent-im.co.uk/business_continuity.aspx

Business Continuity and the joy of getting it right

Effective resource allocation can come from Threat Assessment as the starting point for Business Continuity

I was encouraged to hear that Business Continuity adoption amongst managers has risen in 2011 versus 2010, according to the CMI Business Continuity Survey 2011.

As I read the data, I wondered about the level of threat perceived in some categories. This looks to have resulted in issues being added to BC plans for some businesses, such as Terrorist Damage. I can understand that if this kind of incident were to occur then it is extremely serious and may halt all business. Clearly lots of businesses felt the same way – they perceived a major threat and scoped it into their BC plans. However, not as many perceived or scoped the Loss of Water/Sewerage and its potential impact on business. This affected 9% of the businesses surveyed. I am glad I didn’t have occasion to be visiting or working at any of the businesses that experienced Loss of Water or Sewerage…

Another point this data raised was Extreme Weather: the percentage of businesses who experienced disruption due to extreme weather far outstripped the percentage who had perceived or scoped it as a threat.

I find these results to be compelling reasons to take the Threat Assessment approach. Businesses are all impacted by tightening budgets and stretched resource. Placing resource in the right areas and making sure you have all angles covered in your BC plan is even more vital if your resource is tight. Leaving something out of scope because you have not perceived it as a serious threat, such as extreme weather, could cost your business substantially.

On talking to a colleague, one of our Consultants, about this survey, he also pointed out the Supply Chain result:

“Only one third (34%) of respondent organisations identified supply chain disruption as a threat and even fewer (26%) have included this within the scope of their business continuity response.  Highlighted by the tragic events in Japan earlier this year and codified in the new ISO 28002 Standard (Resilience in the Supply Chain) we hope strengthened supply chain planning comes out stronger in follow up studies.”

You can also see this disparity at work when you look at some of the more ‘people or opinion’ based categories. More than half of the surveyed businesses (53%) perceived Loss of Skills to be a major threat and yet only 30% had it in scope. This is even more pronounced when you look at Damage to Reputation/Brand, with 51% identifying a major threat and only 24% putting it in scope.

Perceiving a threat is a small part of the equation, getting it in proportion and then making sure you know what other threats your business’ continued operation faces, is vital.

Ellie

www.advent-im.co.uk

Given the interest in Business Continuity as an enabler, I have an update which you may also find useful. It is a set of FAQs, and soon it will be posted on our website along with a Jargon Buster.

BCM FAQs

What is business continuity?

Business continuity is a series of steps organisations take before an interruption has occurred to reduce the impact of an incident, regardless of its cause or effect.

Is business continuity the same as disaster recovery?

Like most professions, business continuity management has its own vocabulary, which can be confusing to the uninitiated (see our business continuity jargon buster).  To make matters worse there is not always universal agreement as to which definition is right, and some of these terms are hotly debated within the business continuity community!  However, most business continuity professionals agree that disaster recovery relates to the restoration and resumption of technology, whilst business continuity (as the name suggests) is wider and also includes people, buildings, information and equipment.

So who should have responsibility for business continuity in an organisation?

There is no one single answer to this and it will depend on the nature (scale, composition and interdependencies) of your organisation.  In most organisations IT will be a critical component to the maintenance and resumption of business services during a disruption (see disaster recovery – above) which will make it very difficult for them to take responsibility for everything else. So unless your senior management can be assured that IT can implement a technology-neutral approach to business continuity it may be advantageous that responsibility for business continuity sits outside of IT.

Advent IM can recommend options for the location of business continuity responsibilities within your organisation.

We already have a business continuity plan.  Do we need to do anything else?

It depends.  Business continuity plans are one of those things that can quickly become outdated and obsolete.  If the plan reflects the needs of the business, is regularly tested and everyone knows what they need to do in the event of an incident then well done – there is not much else to do!  Otherwise you probably need to do a bit more to make your plan a living document.

Advent IM can recommend ways of improving, embedding and testing your business continuity plans.

We are a category 1 or 2 responder under the Civil Contingencies Act.  Do we have to do anything else?

The Civil Contingencies Act 2004 (CCA04) makes it a legal requirement for some public authorities (or those carrying out the role of a public authority) to maintain plans for the purpose of assuring, so far as is reasonably practicable, that if an emergency occurs they are able to continue to perform their functions.  As above, if your planning reflects the needs of the business, is regularly tested and everyone knows what they need to do in the event of an incident then you should give yourself a pat on the back.  If not, then you probably need to do more.  Either way you should consider getting an independent and professional review of your business continuity arrangements.

What is BS25999?

BS25999 has been the British Standard for business continuity management since 2006.  The standard is based on underlying principles and is non-prescriptive, meaning it is scalable to all organisations regardless of their size or nature, and most approaches to business continuity share common ground with BS25999.  Some organisations choose to align themselves to the standard whilst others choose to become fully accredited.  Depending on the organisation there are benefits and disadvantages to both, and we can advise what is best for you and your organisation.  BS25999 is scheduled to be replaced by international standards (ISO22399 / ISO22301) in 2012, but the new standards will almost certainly be significantly based on BS25999 anyway.  There is no statutory requirement for BS25999 compliance or accreditation, but some organisations (e.g. the finance sector and public authorities) mandate the requirement for business continuity planning.

Business continuity sounds expensive and time consuming.  Are there any benefits?

Firstly it does not have to be expensive.  A lot of good business continuity work focuses on making sure everyone knows what is in place and what they have to do in the event of an incident and does not necessarily involve spending lots of money!  Also, business continuity does not have to be time consuming.  In all but the largest organisations business continuity management is often part of someone’s existing job role rather than a dedicated function, although a good business continuity management system will have inputs from across the organisation, rather than just being the product of one or two individuals.  The benefits of a well conceived and properly delivered system of business continuity management can include:

  • Cost reduction: business continuity management can help identify opportunities for improved resource allocation, risky interdependencies, inefficient business processes, lower insurance premiums and significantly reduced costs in the event of an incident occurring.
  • Increased performance: proven resilience can be a prerequisite to winning business and can provide opportunities for improving collaborative working and hardening systems and processes.
  • Reputation: improved business continuity management can assure clients, stakeholders and employees that you are a professional organisation who behaves professionally.

Ellie

www.advent-im.co.uk