Wong Tew Kiat - The Uncertainties

Date post: 24-May-2015
Upload: hoi-lan-leong
Description: BCM Conference 2013

Transcript
Page 1: Wong Tew Kiat - The Uncertainties
31/10/2013

Slide 1: Prepared Always, Resilient Always

Slide 2: Business Continuity Management – The Uncertainties
25 October 2013
Wong Tew Kiat, CBCP, MBCI, CITBCM(S), CITPM(S), COMIT(S), Fellow SCS
Founder & Managing Director

Slide 3: What is Business Continuity Management?

Slide 4: Business Continuity Management (BCM)
Is a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating
(ISO22301)

Slide 5: Business Continuity Management (BCM)
Have we planned holistically?

Slide 6: Business As Usual

Slide 7: Key Components & Activities
Key Products
• Staff – Sales, Marketing, Engineers, Technicians, Procurement, Finance, Delivery, Transportation
• IT Technologies – Computer Systems, Emails, Internet, Sales Order Systems, Invoicing System, Procurement System, Data Centre and Network Communications
• Raw Materials – Local suppliers, Overseas suppliers, mode of delivery, delivery timeline, ability to deliver, Single Point of Failure
• Plants – Machineries, electrical power, generators
• Warehouse – Inventories, Stocks
• Transportation and Delivery
• Customers

Slide 8: Key Components & Activities (Disrupted!)
The same component chain as Slide 7 (Staff, IT Technologies, Raw Materials, Plants, Warehouse, Transportation and Delivery, Customers), with four of the components marked "Disrupted!", ending in: Delivery? Customer Satisfaction?

Slide 9: Business Continuity Management (BCM)
Have we analysed the risks and impacts thoroughly?

Slide 10: Disruptive Events?
• 8 Sep 2013 – Another 3 die of MERS virus in Saudi Arabia
• 15 Aug 2013 – H7N9 bird flu may be spread through human faeces

Slide 11: Disruptive Events?
H5N1, H1N1, SARS

Slide 12: Disruptive Events?
• 17 Aug 2013 – Fire twice in Shopping Mall
• 18 Sep 2013 – Ceilings Collapsed

Slide 13: Disruptive Events?
• 16 & 18 July 2013 – Fire twice at Poly

Slide 14: Disruptive Events?
• 9 Oct 2013 – Fire. 60,000 customers affected
• 16 Oct 2013 – banking services disrupted by "system connectivity issue"
• 16 Oct 2013 – disruption to its 3G services was related to a scheduled network upgrade

Slide 15: Disruptive Events? Technologies Risks?
• Old and End-of-Life Servers?
• Old Programming Languages?
• Old and End-of-Life Network Cards and Equipment?

Slide 16: Disruptive Events? Disruptions – Suppliers and Delivery (Supply Chains)
• Iceland's disruptive volcano (2010): The volcanic ash had forced the cancellation of many flights and disrupted air traffic across northern Europe, stranding thousands of passengers.
• 311 Japan Earthquake (2011): Factories, buildings, etc. destroyed.

Slide 17: 3 Components in an Organisation's Business Continuity?
Critical Businesses; Data Centre / Infrastructures; IT Systems; together: Full BCM

Slide 18: 3 Key "Push Factors" for BCM
1. Monetary Authority of Singapore (MAS)
   – June 2003 | MAS BCM Guidelines
   – Oct 2004 | MAS Outsourcing Guidelines
   – June 2013 | Technology Risk Management Guide

Slide 19: 3 Key "Push Factors" for BCM
2. ICT Resiliency | End 2012
   • ICT Equipment Resiliency
   • ICT Systems Resiliency
   • Data Centre Resiliency
(Components covered: IT Systems; Data Centre / Infrastructures)

Slide 20: 3 Key "Push Factors" for BCM
3. Singapore Business Federation (SBF)
   – SS540 - 2008 | Business Continuity Management Standards
   – SS ISO22301 – Dec 2012 | BCM Systems Requirements
   • SS540 was launched by then Deputy Prime Minister and Coordinating Minister for National Security – Prof Jayakumar on 7 Nov 2008
   • To enhance corporate resilience in Singapore, selected Government or public agencies will consider tenderers' level of BCM-readiness as part of the procurement process. In the longer term, we will look at moving towards preferring suppliers of essential services which are BCM ready during our procurements
   • More than 100 companies BCM certified in 2013

Slide 21: Critical Businesses / Services
7 BCM Principles

Slide 22: MAS BCM Guidelines | 2003 – 7 Principles (Critical Businesses)
• Principle 1 – Board of Directors and Senior Management should be responsible for their Institution's Business Continuity Management
• Principle 2 – Institutions should embed Business Continuity Management into their Business-as-usual operations, incorporating sound practices
• Principle 3 – Institutions should test their Business Continuity Plan regularly, and meaningfully
• Principle 4 – Institutions should develop Recovery Strategies and set recovery time objectives for critical business functions
• Principle 5 – Institutions should understand and appropriately mitigate interdependency risk of critical business functions
• Principle 6 – Institutions should plan for wide-area disruption
• Principle 7 – Institutions should practise a separation policy to mitigate concentration risk of critical business functions

Slide 23: MAS Outsourcing Guidelines | 2004 (Critical Businesses)
• Clause 4 – Legal and Regulatory Obligations
  o An institution has to take steps to ensure that the service provider employs a high standard of care in performing the service as if the activity were not outsourced and conducted within the institution
• Clause 5 – Material outsourcing
  o An institution should undertake periodic reviews of its outsourcing arrangements to identify new material outsourcing risks as they arise
• Clause 6 – Risk Management Practices
  o Role of the Board and Senior Management
  o Evaluation of Risks
  o Capability of Service Providers
  o Outsourcing Agreement
  o Confidentiality and Security
  o Business Continuity Management
  o Monitoring and Control of Outsourced Activities
  o Audit and Inspection
  o Outsourcing outside Singapore/within a Group
  o Outsourcing of Internal Audit to External Auditors

Slide 24: MAS TRM Guidelines | 2013 (Technology Risk Management) (IT Systems; Data Centre / Infrastructures)
• Clause 3 – Oversight of Technology Risks by Board of Directors and Senior Management
• Clause 4 – Technology Risk Management Framework
• Clause 5 – Management of IT Outsourcing Risks
• Clause 6 – Acquisition and Development of Information Systems
• Clause 7 – IT Service Management
• Clause 8 – Systems Reliability, Availability and Recoverability
• Clause 9 – Operational Infrastructure Security Management
• Clause 10 – Data Centres Protection and Controls
• Clause 11 – Access Control
• Clause 12 – Online Financial Services
• Clause 13 – Payment Card Security (ATM, Credit and Debit Cards)
• Clause 14 – IT Audit

Slide 25: MAS TRM Guidelines | 2013 (Technology Risk Management) (IT Systems; Data Centre / Infrastructures)
• Clause 4 – Technology Risk Management Framework
  Risk Identification → Risk Assessment → Risk Treatment → Risk Monitoring & Reporting
  Risk identification entails the determination of the threats and vulnerabilities to the FI's IT environment, which comprises the internal and external networks, hardware, software, applications, systems interfaces, operations and human elements.

Slide 26: MAS TRM Guidelines | 2013 (Technology Risk Management) (IT Systems)
• Clause 8 – Systems Reliability, Availability and Recoverability
  Systems Availability – the elements of system availability are:
    • Adequate capacity
    • Reliable performance
    • Fast response time
    • Scalability
    • Swift recovery capability
  Disaster Recovery Plan – DR Plan:
    • Various contingency scenarios
    • Major system outages
    • Total incapacitation of primary DC
    • Recovery priorities, RTO, RPO
  Disaster Recovery Testing – DR Testing:
    • No impromptu and untested procedures
    • Test and validate annually
    • Test total shutdown or incapacitation of primary DC
  Data Backup Management – Data Backup Strategy:
    • Direct-Attached Storage (DAS)
    • NAS
    • SAN
    • Testing & Validation
    • Encrypt backup media
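Slide 26 lists what a DR plan must fix (recovery priorities, RTO, RPO) and what DR testing must prove (annual validation, total loss of the primary DC). The following is an added example, not part of the deck and not MAS material: it checks a set of DR test records against those objectives. The system names, objectives and test results are constructed sample data; the 365-day test age and the "priority-1 systems must have exercised total DC incapacitation" rule are this example's own assumptions drawn from the slide's wording.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DrTestRecord:
    """One system's DR objectives and the result of its most recent DR test."""
    system: str
    recovery_priority: int          # 1 = recover first
    rto_minutes: int                # recovery time objective
    rpo_minutes: int                # recovery point objective (maximum tolerable data loss)
    last_test: date                 # date of the most recent DR test
    achieved_rto_minutes: int       # measured time to restore service in that test
    achieved_rpo_minutes: int       # measured age of the newest restored data in that test
    scenarios_tested: frozenset     # scenarios the test exercised


DC_LOSS = "total DC incapacitation"   # the scenario Slide 26 says must be tested

# Constructed sample records for hypothetical systems (not from the slides).
SAMPLE_RECORDS = (
    DrTestRecord("core-banking", 1, 60, 15, date(2013, 9, 14), 45, 10,
                 frozenset({DC_LOSS})),
    DrTestRecord("internet-banking", 1, 120, 30, date(2013, 9, 14), 150, 20,
                 frozenset({DC_LOSS})),
    DrTestRecord("payments-gateway", 2, 240, 60, date(2012, 6, 2), 200, 45,
                 frozenset({"major system outage"})),
    DrTestRecord("hr-portal", 3, 1440, 1440, date(2013, 3, 1), 600, 700,
                 frozenset({"single-server failover"})),
)
REVIEW_DATE = date(2013, 10, 31)      # constructed review date


def assess_dr_readiness(records, as_of, max_test_age_days=365):
    """Return {system: [issue, ...]}; an empty list means the system passed every check.

    Checks: achieved recovery time within RTO, achieved data loss within RPO,
    a test within max_test_age_days (the slide's "test and validate annually"),
    and, for priority-1 systems, that total loss of the primary DC was exercised.
    """
    findings = {}
    for r in records:
        issues = []
        if r.achieved_rto_minutes > r.rto_minutes:
            issues.append(f"RTO missed: {r.achieved_rto_minutes} min > {r.rto_minutes} min")
        if r.achieved_rpo_minutes > r.rpo_minutes:
            issues.append(f"RPO missed: {r.achieved_rpo_minutes} min > {r.rpo_minutes} min")
        age_days = (as_of - r.last_test).days
        if age_days > max_test_age_days:
            issues.append(f"last test {r.last_test.isoformat()} is {age_days} days old")
        if r.recovery_priority == 1 and DC_LOSS not in r.scenarios_tested:
            issues.append(f"priority-1 system has not been tested for '{DC_LOSS}'")
        findings[r.system] = issues
    return findings


def systems_not_ready(records, as_of):
    """Sorted names of the systems that have at least one finding."""
    return sorted(s for s, issues in assess_dr_readiness(records, as_of).items() if issues)


def recovery_sequence(records):
    """Order in which systems would be restored: by priority, then tightest RTO first."""
    return [r.system for r in sorted(records, key=lambda r: (r.recovery_priority, r.rto_minutes))]


if __name__ == "__main__":
    for system, issues in assess_dr_readiness(SAMPLE_RECORDS, REVIEW_DATE).items():
        print(f"{system}: {'OK' if not issues else '; '.join(issues)}")
    print("recovery sequence:", recovery_sequence(SAMPLE_RECORDS))
```

Run as a script it prints one line per system; on the sample data "internet-banking" fails its RTO and "payments-gateway" has not been tested within the year, while the other two pass. The point of keeping the achieved figures next to the objectives is that an RTO that was never measured in a test is exactly the "impromptu and untested procedure" the slide warns against.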

Slide 27: MAS TRM Guidelines | 2013 (Technology Risk Management) (IT Systems)
• Clause 9 – Operational Infrastructure Security Management
  Data Loss Protection:
    • Internal sabotage
    • Clandestine espionage
    • Furtive attacks by trusted staff, contractors and vendors
    • Data loss prevention strategy
  Technology Refresh Management:
    • Up-to-date inventory of software and hardware
    • End-of-support
  Networks & Security Configuration Management:
    • Consistent security settings
    • Regular enforcement checks
    • Anti-virus on servers
    • Network security devices
  Vulnerability Assessment & Penetration Testing:
    • Identify, assess and discover security vulnerabilities
    • Conduct in-depth evaluation of the security posture of the system

Slide 28: MAS TRM Guidelines | 2013 (Technology Risk Management) (Data Centre / Infrastructures)
• Clause 10 – Data Centre Protection and Controls
  Threat Vulnerability Risk Assessment:
    • Security threats
    • Operational weaknesses in DC
    • DC's perimeter and surrounding environment
  Physical Security:
    • Access controls
    • Control of access
    • Secure and monitor
    • Security systems
    • Surveillance tools
  Data Centre Resiliency:
    • Redundancy
    • Fault tolerance – electrical power, air conditioning, fire suppression and data communications
    • Backup power

Slide 29: MAS TRM Guidelines | 2013 (Technology Risk Management) (Data Centre / Infrastructures)
• Clause 10.0.1 – As FIs' critical systems, applications, network devices and data are concentrated and maintained in the data centre (DC), it is important that the data centre is resilient (?) and physically secured (?) from internal (?) and external threats (?).
  Note: Information from MAS Technology Risk Management Guidelines
  o Resilient – Tier classification? Which Tier?
  o Physically secured – TVRA?
  o Internal threats – Human process, overload, etc.?
  o External threats – Power outage, dip, lightning, flood, etc.?

Slide 30: Data Centres Protection and Controls (UPS Battery Monitoring System) – Ensuring Resiliency
• Providing a window to the battery with continuous, accurate monitoring and alarm notification
Note: Information from Eaton Battery Monitoring System

Slide 31: Fundamentals of Power Infrastructures (Data Centre / Infrastructures)
• Uninterrupted Power Supply (UPS), batteries and capacitors
  o Batteries are always either in a state of charge or recharge
  o Once a battery begins to discharge its electricity, the voltage drops and the battery will need to be charged
  o Battery autonomy – normally 15-30 minutes
  o Batteries may have a 5-year life span, depending on their manufacturing specification
  o Capacitors – life span can be 1, 5 or 10 years depending on design
What is the impact if they are not replaced?

Slide 32: Fundamentals of Power Infrastructures (Data Centre / Infrastructures)
• Sample line diagram of a power infrastructure. Diagram elements: Transformer; Primary Power Panel; Non-Critical Loads; Automatic Transfer Switch; Diesel Generator; Critical Loads; UPS System (with bypass); PDU; IT Servers

Slide 33: Fundamentals of Power Infrastructures (Data Centre / Infrastructures)
• Switchboard diagram. Diagram elements: LT; Main Circuit Breaker; MSB1, MSB2, MSB3, MSB4; MCCB; ELR; MCB; ELCB; RCCB; Leakage; Load; Server; UPS
• Abbreviations: MCB – Miniature Circuit Breaker; MCCB – Moulded Case Circuit Breaker; ELCB – Earth Leakage Circuit Breaker; ELR – Earth Leakage Relay

Slide 34: Data Centre Risks – Risk Monitoring and Reporting (Data Centre / Infrastructures)
• With changes in the IT environment and delivery channels, risk parameters may change
• Periodic assessment of utilization on power usage, temperature & humidity readings, End-of-Life equipment, etc.
• At least a monthly or quarterly review
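Slide 34 asks for a periodic review of power usage, temperature and humidity readings and end-of-life equipment, and Slide 31 gives the 5-year battery life that makes UPS batteries one of the things to check. The following is an added example, not part of the deck: one periodic review of a constructed data centre snapshot against review thresholds. The panel, rack, equipment and battery identifiers are constructed; the 80% power utilisation ceiling, the 18-27 °C and 40-60% ranges, the 180-day end-of-support lead time and the 92-day review interval are assumptions of this example, not values from the slides or the MAS guidelines.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Thresholds:
    """Review thresholds. Only the battery life comes from the slides; the rest are assumed."""
    max_power_utilisation: float = 0.80        # assumed: flag a panel loaded above 80% of its rating
    temperature_range_c: tuple = (18.0, 27.0)  # assumed acceptable rack inlet temperature range
    humidity_range_pct: tuple = (40.0, 60.0)   # assumed acceptable relative humidity range
    battery_life_years: float = 5.0            # Slide 31: batteries may have a 5-year life span
    eol_lead_time_days: int = 180              # assumed: flag end-of-support this far ahead


@dataclass(frozen=True)
class DcSnapshot:
    """One periodic set of data centre readings plus inventory dates."""
    taken_on: date
    panel_load_kw: dict          # panel id -> measured load (kW)
    panel_rating_kw: dict        # panel id -> rated capacity (kW)
    rack_inlet_temp_c: dict      # rack id -> inlet temperature (°C)
    humidity_pct: float          # room relative humidity (%)
    end_of_support: dict         # equipment id -> vendor end-of-support date
    ups_battery_installed: dict  # battery string id -> installation date


# Constructed sample snapshot with hypothetical identifiers (not from the slides).
SAMPLE_SNAPSHOT = DcSnapshot(
    taken_on=date(2013, 10, 31),
    panel_load_kw={"PDU-A": 42.0, "PDU-B": 30.0},
    panel_rating_kw={"PDU-A": 50.0, "PDU-B": 50.0},
    rack_inlet_temp_c={"rack-01": 24.5, "rack-07": 29.0, "rack-12": 26.0},
    humidity_pct=35.0,
    end_of_support={"core-switch-1": date(2013, 12, 31),
                    "san-array-2": date(2016, 1, 1),
                    "legacy-app-server": date(2012, 6, 30)},
    ups_battery_installed={"UPS-1/A": date(2008, 5, 1), "UPS-2/A": date(2011, 2, 1)},
)
SAMPLE_LAST_REVIEW = date(2013, 7, 1)   # constructed date of the previous review


def review_snapshot(snap, th=Thresholds()):
    """Return findings per category; each value is a sorted list of flagged items."""
    lo_t, hi_t = th.temperature_range_c
    lo_h, hi_h = th.humidity_range_pct
    # Power overloading: panels drawing more than the allowed fraction of their rating.
    power = [p for p, load in snap.panel_load_kw.items()
             if load / snap.panel_rating_kw[p] > th.max_power_utilisation]
    # Hot spots: racks whose inlet temperature is outside the acceptable range.
    hot_spots = [r for r, t in snap.rack_inlet_temp_c.items() if not lo_t <= t <= hi_t]
    humidity = [] if lo_h <= snap.humidity_pct <= hi_h else [snap.humidity_pct]
    # End-of-life: support already ended, or ends within the lead time.
    eol = [e for e, d in snap.end_of_support.items()
           if (d - snap.taken_on).days <= th.eol_lead_time_days]
    # UPS batteries at or beyond their rated life span.
    batteries = [b for b, installed in snap.ups_battery_installed.items()
                 if (snap.taken_on - installed).days / 365.25 >= th.battery_life_years]
    return {
        "power_overloading": sorted(power),
        "hot_spots": sorted(hot_spots),
        "humidity_out_of_range": humidity,
        "end_of_life_equipment": sorted(eol),
        "ups_batteries_past_life": sorted(batteries),
    }


def review_is_overdue(last_review, as_of, max_interval_days=92):
    """True when the periodic review (at least quarterly, per Slide 34) has lapsed."""
    return (as_of - last_review).days > max_interval_days


def report_lines(findings):
    """Flatten the findings into report lines, one per flagged item."""
    return [f"{category}: {item}" for category, items in findings.items() for item in items]


if __name__ == "__main__":
    findings = review_snapshot(SAMPLE_SNAPSHOT)
    for line in report_lines(findings):
        print(line)
    print("review overdue:", review_is_overdue(SAMPLE_LAST_REVIEW, SAMPLE_SNAPSHOT.taken_on))
```

On the sample snapshot the review flags one overloaded panel, one hot-spot rack, low humidity, two end-of-life items (one already past support, one inside the lead time) and one battery string past its 5-year life; it also reports that the previous review is older than a quarter. Keeping thresholds in a single dataclass makes the review repeatable from one period to the next, which is what turns a walk-around into the "monitoring and reporting" step of the slide's risk framework.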

Slide 35: Flu Pandemic Business Continuity Guides - 2006 (Critical Businesses)
• Disease Outbreak Response System Condition (DORSCON)
  Alert Green, Level 0 – Public health threat to Singapore is low; no novel influenza virus outbreaks anywhere in the world
  Alert Green, Level 1 – Global concern with isolated animal-to-human transmission
  Alert Yellow – Inefficient human-to-human transmission outside Singapore. The risk of importation into Singapore is elevated. Where there are isolated imported cases, such cases have not resulted in sustained transmission locally
  Alert Orange – Globally and/or locally, larger cluster(s) but human-to-human spread is still localized, suggesting that the virus is becoming increasingly better adapted to humans but may not yet be fully transmissible
  Alert Red – Situation where there is a pronounced risk of acquiring the disease from the community. There is an increasing trend of mortality and morbidity rates among affected cases. The healthcare system is likely to be overwhelmed
  Alert Black – Morbidity and mortality rates are exceedingly high, and emergency measures are needed to bring the situation under control. Healthcare and other social support systems are overwhelmed by the pandemic.

Slide 36: Business Continuity Management - Framework
Business Continuity Management cycle: Business Impact Analysis → Continuity Strategy → Business Continuity Procedures → Business Continuity Test & Exercise → Programme Management → back to Business Impact Analysis
Critical Businesses + Data Centre / Infrastructures + IT Systems = Full BCM

Slide 37: Empowering Your Organization with...

Slide 38: Empowering Your Organization with...
BCM Guidelines:
  • MAS BCM Guidelines
  • MAS Outsourcing Guidelines
  • MAS Technology Risk Management
  • ISO22301 BCMS Requirements
  • ISO22313 BCMS Guidelines
  • ICT Resiliency
Data Centre Standards:
  • TIA-942
  • Uptime Institute
Risk Assessments:
  • Walk-around
  • Identify
  • Assess
  • Mitigate
  • Control and Monitor
Awareness & Trainings:
  • Business Continuity Mgt
  • Data Centre
  • IT Technologies
  • Internal Auditor

Slide 39: Turn your nightmares into sweet dreams instead. (Even before it happens!)
"Seeing is Believing"... See to Assess, Not Ask to Assess
1. Walk-around
2. Identify (See)
3. Assess
4. Mitigate Risks in...
  Data Centre Risks: Power Overloading; Hot Spots; High Temperatures; End-of-Life UPS Batteries / Capacitors
  Technology Risks: End-of-Life – Servers, Software and Network Equipment; Source Code Escrow
  Critical Services: Process Risk; Environment Risk; Operating Risk
Uncertainties → "Certainties"

Slide 40: Peace of Mind – Resilience
Turn your nightmares into sweet dreams instead. (Even before it happens!)

Slide 41: 3 Components in an Organisation's Business Continuity
Critical Businesses; Data Centre / Infrastructures; IT Systems; together: Full BCM

Slide 42: Expect the Unexpected
• Murphy's Law – "Anything that can go wrong will go wrong"
• John Wooden – 1910 – "Failure to prepare is preparing to fail."
• Chinese Proverb – 不怕一万，只怕万一 (literally: not afraid of the ten thousand, only afraid of the one in ten thousand; that is, prepare for the unlikely event)

Slide 43: Coming... 11 – 14 Nov 2013

Slide 44: Coming... 19 – 20 Nov 2013

Slide 45: Thank You
Wong Tew Kiat
CBCP, MBCI, CITBCM(S), CITPM(S), COMIT(S), Fellow SCS
Founder & Managing Director, Organisation Resilience Management Pte Ltd
M +65 98585127 | E [email protected] | www.ormgt.com.sg