An Overview Information Security Group Business Continuity Management.

Transcript
Page 1: Title

An Overview
Information Security Group
Business Continuity Management

Page 2: Agenda

Mar-09 Client Confidential | Tech Mahindra Limited 2009

• Philosophy of Business Continuity Management
• Organization Structure
• Command Matrix
• Disaster Management Flow
• Project Initiation & BCM
• Continuity Action Plan Documentation
• Roles & Responsibilities
• Project In-life Monitoring & Control
• Project DR Drills
• BCP/DR Posture for Projects
• Alignment with BS 25999:2007

Page 3: BS 25999, the Standard

Company Confidential

BS 25999 is the British Standards Institution's standard in the field of Business Continuity Management (BCM), replacing the earlier PAS 56.

BCM is a holistic management process that identifies potential threats to the organization and the impact on business operations that those threats, if realized, might cause. It provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

BS 25999 has two parts. The first, BS 25999-1:2006, is the “Code of Practice”; it takes the form of general guidance and seeks to establish the processes, principles and terminology of Business Continuity Management.

The second, BS 25999-2:2007, is the “Specification for Business Continuity Management”; it specifies requirements for implementing, operating and improving a documented Business Continuity Management System (BCMS), describing only requirements that can be objectively and independently audited.

Page 4: BCM Overview

[Diagram slide: BCM Overview]

Page 5: Business Impact Analysis & Risk Assessment

[Diagram slide: Business Impact Analysis & Risk Assessment]

Page 6: Philosophy of the BCM Framework

[Diagram: Business Continuity rests on Availability of Information and Readiness to Deliver; labels recovered from the figure, grouped as they appear.]

Availability of Information
• Soft Info: People (Skills, Relationships, Knowledge)
• Hard Info: In servers, In desktops, Stored

Readiness to Deliver
• Tech Infrastructure: Hardware, Communications, Software
• Support / Facilities: Seats, Security, Power
• Enabling functions

Page 7: BCM Organization Chart

[Organization chart; labels recovered from the figure, top to bottom:]

Management Security Forum – COO Declares Disaster
Central DR team – BCM Manager, CISO, Location Security Managers
(Flows between levels: Direction, Status, Info)
Potential Disaster Management Team – TIM, FMG / Facilities, ISG
Location Disaster Management Team – Security Coordinators, TIM OIC, Facilities Manager, Location Security Manager, PM & IDU Heads
Sys Ad & Vendors, Suppliers / Team, ISG group

Page 8: BCM Org: Delivery Perspective

[Diagram slide: BCM Org, Delivery Perspective]

Page 9: Roles & Responsibilities

[Diagram slide: Roles & Responsibilities]

Page 10: Project Managers – Critical projects

• Custodian of the Continuity Plan for the Project
• Custodian of the Updated Contact List of Critical team members at the site
• Coordinator to track the availability of the Critical personnel for operational continuity
• Coordinate with the Onsite Team to maintain Minimum Operating Levels in light of the disaster at site
• Coordinate with FMG / TIM for necessary logistics of Facilities & Technical Infrastructure
• Coordinate with Resource Management Group (RMG) for seat allocation at alternate site
• Escalate bottlenecks to IDU Head for resolution

Page 11: Defining RTO, RPO and MTPOD

[Chart: Maximum Tolerable period of down time (in hours) plotted against level of resumption, up to 100% Resumption and the MTPOD.]

RPO is the maximum acceptable level of data loss following an unplanned “event”.

RTO is defined as the length of time that a business process could be unavailable before the business unit’s operations are significantly impaired.

MTPOD is defined as the “duration after which an organization’s viability will be irrevocably threatened if product and service delivery cannot be resumed.”

MTPOD can be calculated from the following factors:
• The maximum time period after the start of a disruption within which each activity needs to be resumed
• The maximum level at which each activity needs to be performed after resumption
• The length of time within which the normal level of operation needs to be resumed

Page 12: Framework Documentation Tree

[Document tree, top to bottom:]
• Global BCM Framework
• Disaster Management Handbook
• Non-IT DR Action Plan
• IT OPS DR Action Plan
• DR Test Strategy
• BCM Ops Guide
• Business Continuity Plan of the Project

Page 13: Command Matrix Flow

[Command matrix; labels recovered from the figure:]
Roles: COO, CISO, Center Head
• Person Responsible: Global Disaster Declaration
• 1st Person Responsible: LOCAL Disaster Declaration with Appraisal to COO
• 2nd Person Responsible: To Activate Disaster Recovery in Consultation with Members of Management Security Forum

Page 14: TechM Recovery Strategy : ERP~DRP~Recovery

Recovery & Resumption Flow (ERP → DRP → Recovery):
1. Incident
2. Evacuation* & People Safety**
3. IT Services Fail Over – Alt path
4. ISP & Vendors Support Called in
5. Internal / External Communication
6. Recover Single Point Failure Projects / Ops
7. Alternate Site Fail over & Ops begin
8. Appraise Customer
9. Recover to Min Operating Levels
10. Resumption of Business

Key Words
ERP – Emergency Response Plan
DRP – Disaster Recovery Plan
* Fire, Bomb Threat, Post Earthquake tremor with re-entry after All Clear & 2 hours Post Earthquake tremor Evacuation
** Always 1st Priority

Page 15: TechM Top Level Disaster Management Flow

Potential Disaster to Recovery Management Flow (Potential Disaster Mgmt → Disaster Management → Recovery):
1. Incident
2. Confirm Incident Reported (FMG for Non-IT, TIM for IT incidents)
3. Inform HR / FMG / ISG / TIM at Location & DR TEAM
4. Communicate to Teams via email / PA System
5. Track & Keep Center Head & Location Informed of Status
6. Identify Critical Projects & Site Dependent Projects / Ops
7. Check People Safety & Assess Damage – Site, IDU’s & Functions
8. Alert Onsite & Alternate Site or Move Teams to take over & Inform Customers
9. Recover to MOL with IDU, Vendor, FMG, TIM, & ISG Support
10. Resumption Team Decides Mode to Attain Normal Operations

Page 16: Disaster Events Considered

SNo / Disaster Cause / Events
1. Natural Causes – Fire, Earthquake, Flood, Epidemics (e.g. Avian Flu)
2. Human Causes – War, Civic Unrest, Terrorist Attack
3. Utility Disruption – Power, Postal Services, Transport
4. Resource Disruptions – No Server Room, No People
5. IT Disasters
   5a. Data Communication – IPLC, MPLS, VPN & Internet
   5b. Denial of Service – DOS Attacks, Anti-Virus
   5c. Equipment Failures – Hardware Failures
   5d. Software Configuration Failures – RDBMS, Data corruption
   5e. Core IT Services Failures – ISP Interruptions, Mail Services

Page 17: BC Drill – Project Monitor & Control

Project In-Life Cycle – Annual Drill Schedule:
• Call Tree Drill – Quarterly
• Data Restoration – Quarterly
• Environment Rebuild – Yearly
• Rehearsal or Client Drill – Yearly
• Drill Assessment Reports

Page 18: BC Plan, BC Test Automation Dashboard

Information Security Group

Page 19: Information Security Dashboard

[Screenshot slide: Information Security Dashboard]

Page 20: Features of the BCP Tool

Aligned with BS 25999:2007 Standard

• Allows Project Managers to enter the BCP details into an online system, so structured data entry is possible.
• The system makes sure that all the necessary data is entered by the PMs. There are several validations on the data entered, which reduces the workload on the reviewers.
• The system provides instant online help for the PMs. By clicking on the “?” icon, users can understand the terminology used in the BCP.
• The system provides predefined lists of values for some of the fields. This helps PMs understand what they are expected to enter in the field.
• The system generates a Word document BC Plan on submission of the BCP data.
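As an added example (not part of the deck and not Tech Mahindra's BCP Tool), the kind of consistency checks that "several validations on data" could apply to a PM's entry, using the deck's RTO/RPO/MTPOD definitions (page 11) and its drill cadences (page 17). The BcpRecord schema, the backup_interval_hours field and the sample values are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Drill cadence taken from the deck's annual drill schedule, as the maximum
# number of days allowed between exercises (91 days is treated as a quarter).
DRILL_CADENCE_DAYS = {
    "call_tree": 91,             # Call Tree Drill: quarterly
    "data_restoration": 91,      # Data Restoration: quarterly
    "environment_rebuild": 365,  # Environment Rebuild: yearly
    "client_drill": 365,         # Rehearsal or Client Drill: yearly
}


@dataclass
class BcpRecord:
    """One project's BCP entry as a PM would submit it (assumed schema)."""
    project: str
    rto_hours: float            # RTO: how long the process may be unavailable
    rpo_hours: float            # RPO: maximum acceptable data loss window
    mtpod_hours: float          # MTPOD: beyond this, viability is irrevocably threatened
    backup_interval_hours: float  # hypothetical field: time between backups
    last_drill: dict = field(default_factory=dict)  # drill name -> date last run


def validate_bcp(rec: BcpRecord, today: date) -> list[str]:
    """Return human-readable findings; an empty list means the entry is consistent."""
    findings = []
    # Recovery has to finish before the MTPOD, or the objective is not achievable.
    if rec.rto_hours >= rec.mtpod_hours:
        findings.append(f"RTO {rec.rto_hours}h is not below MTPOD {rec.mtpod_hours}h")
    # Worst-case data loss equals the backup interval, so the RPO cannot be tighter.
    if rec.backup_interval_hours > rec.rpo_hours:
        findings.append(f"backup interval {rec.backup_interval_hours}h exceeds RPO {rec.rpo_hours}h")
    # Every drill in the schedule must have been exercised within its cadence.
    for drill, cadence in DRILL_CADENCE_DAYS.items():
        last = rec.last_drill.get(drill)
        if last is None:
            findings.append(f"{drill}: never exercised")
        elif (today - last).days > cadence:
            findings.append(f"{drill}: overdue, last run {last.isoformat()}")
    return findings


if __name__ == "__main__":
    # Constructed sample entry that should trip several checks.
    sample = BcpRecord("Project X", rto_hours=48, rpo_hours=4, mtpod_hours=24,
                       backup_interval_hours=24,
                       last_drill={"call_tree": date(2009, 1, 15),
                                   "environment_rebuild": date(2008, 6, 1)})
    for finding in validate_bcp(sample, today=date(2009, 3, 31)):
        print(finding)
```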

Page 21: Data Entry Screens

The user needs to enter data in eight data entry screens to create a BCP plan aligned with the BCM Standard BS 25999:2007:

Step 1 - Project Details
Step 2 - Project Overview
Step 3 - Critical Process Definition
Step 4 - Infrastructure requirements
Step 5 - Recovery Activity Definition
Step 6 - Notification flow and Command Structure Matrix
Step 7 - Contacts Information
Step 8 - Vital Records and Summary

Page 22: Vital Records

[Screenshot: Vital Records data entry screen]

Finally the user clicks on the submit button. The system generates the BCP plan Word document and sends it to the Project Manager and reviewer. The reviewer reviews the document and finalizes the version.

Page 23: Contents of BCP Plan

1 PROJECT DETAILS
2 VERSION HISTORY
3 BUSINESS CONTINUITY MANAGEMENT AT TECH MAHINDRA LTD
4 PROJECT DETAILS
  4.1 Engagement overview
  4.2 Project overview
  4.3 Brief on Project Requirements
  4.4 Brief on Contractual obligations
  4.5 Brief on Service Level Agreement
  4.6 Agreed Recovery Time Objective
  4.7 Need & Scope of the project BCP
5 PROJECT RESOURCE DISTRIBUTION
6 PRIORITY OF CRITICAL PROCESSES AND OWNERSHIP
7 INFRASTRUCTURE REQUIREMENTS
  7.1 Connectivity requirements
  7.2 Recovery Point Objective
8 RECOVERY TIME OBJECTIVE OF THE CRITICAL PROCESSES
9 INCIDENT RESPONSE ACTIVITIES & OWNERSHIP
  9.1 Partial Damage within site
  9.2 Full Damage at site
  9.3 Location/City unavailable
  9.4 Country unavailable
10 INCIDENT RESPONSE COMMAND STRUCTURE AND CONTROL FLOW
11 NOTIFICATION CONTROL STRUCTURE
12 CRITICAL RESOURCE INFORMATION
13 PROJECT MANAGEMENT INFORMATION
14 CLIENT COMMUNICATION INFORMATION
15 VITAL RECORDS
16 LEARNING INCORPORATED FROM EXERCISING OF BCP /DR DRILLS
17 MANDATORY DOCUMENTS NEEDED
18 READY REFERENCE

Page 24: Annexure to BC Plan

Mandatory documents to BC Plan include:
• Write-up on the critical processes declared
• Configuration & Installation procedures, if any
• Standard Operating Procedure
• BIA
• BCP/DR test plan
• Asset and Risk Assessment Sheets
• Project management data repository / details

Page 25: Project High Level Action Plan : ERP~DRP~Recovery

Recovery & Resumption Flow (ERP → DRP → Recovery):
1. Trigger / Incident
2. Evacuation* & Team Safety**
3. Contact all Team Members to assemble
4. Alert Offshore / Onsite Teams
5. Internal coordination TIM/FMG/ISG/RMG
6. Refer Project Continuity Plan & Execute Actions for Single Point Failure Projects
7. Projects Fail over & Offshore / Onsite supports
8. Appraise IDU head & Internal Groups
9. Recover to Minimum Operating Levels achieving RTO
10. Resumption as Normal Operations

Key Words
ERP – Emergency Response Plan
DRP – Disaster Recovery Plan
* Fire, Bomb Threat, Post Earthquake tremor with Re-entry after All Clear & 2 hrs related to Post Earthquake Tremor evacuation
** Always 1st Priority

Page 26: Baseline BCM Posture for TechM Centers

BCM Baseline

People
1. Offshore Split Teams
2. Onsite ~ Offshore Model
3. Named Critical Team Members
4. Skill Database for alternate Resourcing

Processes
1. Data Backup Procedure offered as a baseline for all customers
2. Onsite & Offsite backup tape vaulting
3. Documented SOP’s

Technology
1. Common LAN Redundancy & Communication Link
2. Dual ISP, Dual Path
3. Alternate Desktops, File & Print, Email & NAS available
4. Secure Computing at Warm Sites

Page 27: Facilities - DR Preparedness

SNo / Domain / Summary Brief
1. Alternate Sites – Identified WARM sites for Partial & Full Damage
2. Power Availability – Backup Generators available at Site
3. Shifts Working – Capability to maintain 3 shifts over General Shift
4. Transportation – Contractors are listed to provide services at short notice
5. Cafeteria – Can extend to operate in 3 shifts
6. Air Conditioning – We have air conditioning for critical areas in redundant modes – Central & Split A/Cs
7. Security – Manned 24/7
8. Seats – Non-Critical Projects will operate in 2nd and 3rd shift
9. Telephones – Services Available 24/7

Page 28: IT - DR Preparedness

SNo / Domain / Summary Brief
1. Communication Links – Dual Path, ISP and Auto Fail Over. MPLS and VPN circuits have inbuilt Resilience
2. Redundancy – Passive LAN 2:1
3. Critical IT Elements – Available as Hot Standbys at Site / Vendor Location
4. Hardware Equipment AMC – Comprehensive with SLA’s
5. Backup Management – Onsite and Offsite backups with tape vaulting
6. Software Support – Available on a case to case basis depending upon criticality of software
7. Virus Protection – Anti-Virus Software is implemented as baseline
8. TIM Personnel – Can administer key equipment over the WAN
9. Resilience in Key Services – All Key services have Primary & Backup Servers to keep MOL running

Page 29: Delivery - DR Preparedness

SNo / Domain / Summary Brief
1. Distributed Working – We have an Onsite ~ Offshore Model with distributed teams across India Locations
2. MOL – Onsite – Capability to maintain MOL at onsite for key projects
3. Critical Resources – Identified, Named & Listed in Contact Lists of Projects
4. Shift Working – Resource capability to work in 2nd and 3rd Shifts in DR
5. Alternate site working – Critical Resources are made aware to be ready to work from alternate site to maintain MOL
6. Decision Tree – PM ~ SPM ~ GH ~ IDU HEAD auto escalation and decision making is a key aspect of this model

Page 30: Preparedness for Country Unavailable Scenario

SNo / Domain / Preparedness & Processes In Place
1. Teams – We operate in an Onsite-Offshore model ensuring that the Onsite team takes control in case of such emergencies
2. Critical Personnel – As a part of our Business Impact Analysis each project identifies critical personnel in the team
3. VISA Preparedness – Our Resource Management Group maintains a database of the VISA details of every employee
4. Ticketing – We have all administrative preparedness to meet high ticketing requirements
5. Operations Onsite – We would operate from our UK Development Center to ensure that continuity is maintained

Page 31: Thank You….