: : 8922404021 9421408007 9421408040 9421408029 9222404002 9122404012

NSYSU--2005 *060112

Task ForceHistory Review : (5 min.)Infrastructure :(15~20 min.)Case Study(25 ~30min.) TFT-LCD Industrial Risk: General Industrial Risk: Service Field Risk & Control:

NSYSU--2005 *060112

ContentReview & History General Description of RiskGeneral Description of BCP General Description of BCM

NSYSU--2005 *060112

Review & History

NSYSU--2005 *060112

Management Golden Triangle

NSYSU--2005 *060112

Risk & BCP & BCM

NSYSU--2005 *060112

Risk & BCP & BCM.

NSYSU--2005 *060112

Risk & BCP & BCM 921 SARS3ABhopal 911

NSYSU--2005 *060112

ICS 1970

1980

NSYSU--2005 *060112

ICS

ICS

NSYSU--2005 *060112

Why ICS?///

NSYSU--2005 *060112

Fundamental of CIS

NSYSU--2005 *060112

Function of CIS /

NSYSU--2005 *060112

Function of CIS

NSYSU--2005 *060112

Function of CISICS

NSYSU--2005 *060112

Main Function of CISICS

NSYSU--2005 *060112

Organization For example

NSYSU--2005 *060112

Some misconceptions . . .We take regular backupsWe have, trained staffIsnt it a dead investment?We can operate without computersIt will nothappento usWe have insurance coverIt is not our main Business and we accept the risk

NSYSU--2005 *060112

Some missed comments . . .Later.Excellent! We will have it some dayTake care of it NOWWhat our techies are doing?We are not in NYWe will cross the bridge

NSYSU--2005 *060112

General Description of Risk

NSYSU--2005 *060112

Risk NATURAL

UNINTENTIONAL

INTENTIONAL

NSYSU--2005 *060112

E Security Physical Logical Network Access Security

NSYSU--2005 *060112

Risk EvaluationDisaster Event ScenariosRisk Ranking of FunctionsCriticalVitalSensitiveNon-critical

NSYSU--2005 *060112

Varying Levels of Disaster

NON DISASTER

DISASTER

CATASTROPHES

NSYSU--2005 *060112

Risk - Measures of likelihood

LevelLikelihoodDefinition5Almost CertainEvent is expected to occur during next business cycle4LikelyEvent will probably to occur during next business cycle3PossibleEvent might occur sometime2Unlikely Event can occur sometime1RareEvent may occur in exceptional circumstances

NSYSU--2005 *060112

Measures of Consequences

LevelConsequenceDefinition5CatastropheLong term business objectives will be significantly impaired.4MajorSignificant impact on long term Business objectives3ModerateObjectives will have impact, and needs more time to recover.2Minor Short term business objective may be hindered, 1InsignificantDoes not affect the long term objectives of business

NSYSU--2005 *060112

Qualitative risk analysis Matrix

Likelihood Consequence InsignificantMinorModerateMajorCatastropheAlmost CertainHHigh RiskHEEEExtreme RiskLikelyMModerateHHEEPossibleLMHEEUnlikelyLLMHERareLLow RiskLMHH

NSYSU--2005 *060112

Impact Analysis :Loss of key staff;Loss of vital records;Global issues, such as change in political climate;Difficulty of operational integration across borders;Disruption of importing and exporting functions;Critical labor relationships;New revenue streams;Supplier disruptions; andRegulatory controls.

NSYSU--2005 *060112

Impact Analysis :Extraordinary recovery expenses;Technology recovery requirements;Special recovery resource requirements;Critical disaster-specific information systems support;Internal and external dependencies;Existing and required work-around procedures; andInsight into the organizations current state of preparedness.

NSYSU--2005 *060112

Which business units, operations and processes are essential to the survival of the organization;How quickly essential business units or processes have to be back in operation before the impacts are catastrophic;What are the most plausible recovery alternatives to meet the recovery windows;What resources are needed to resume operations at a survival level for the essential parts of the business;What elements must be pre-positioned in order to meet the recovery windows;

NSYSU--2005 *060112

Impact Analysis : DecisionWhat will be reused and recovered and to what capacity levels over what period of time;What changes, if any, need to be implemented in the supply chain, inventory and distribution management programs;How to address the organizations internal and external interdependencies; andWhat recovery and continuity policies and procedures must be in place to address both a short-term disaster such as a brief systems failure or a long-term major property loss.

NSYSU--2005 *060112

Critical Recovery Time Period

Depends on the nature of businessApplications to be recoveredEnd User Computing ResourcesProcessing Priorities

NSYSU--2005 *060112

Critical ParameterCritical Business FunctionsAcceptable Recovery TimeResources CommittedMajor DivisionsSupport ServicesBusiness OperationsData Processing Support

NSYSU--2005 *060112

Business ContinuityWhy is it the responsibility of Senior Management?What are the components of Business Continuity Plan?Senior ManagementUser ManagementUser & Data Processing ProceduresPersonnel who must respond to Disaster Scenarios are most important

NSYSU--2005 *060112

Key Decision Making PersonnelTeam LeadersEquipment and S/w VendorsRecovery Site RepresentativesNetwork Re-routing ServicesOffsite Media CustodiansInsurance AgentsContract Services

NSYSU--2005 *060112

ProceduresEmergency Action ProcedureNotification ProcedureDisaster DeclarationSystems RecoveryNetwork RecoveryUser Recovery (Manual Procedures)Salvage Operations

NSYSU--2005 *060112

BCP & Reconstruction MethodologiesEmergency Action TeamDamage Assessment TeamEmergency Management TeamOffsite Storage TeamsSoftware TeamApplication TeamSecurity TeamEmergency Operations Team

NSYSU--2005 *060112

Computer Hardware AlternativesHot SitesReady to Operate Within Several HoursNot for long term extended useNetwork ComponentWarm SitesPartially Configured with network connectionsWithout Main ComputerCold SitesSite with only basic environment

NSYSU--2005 *060112

Off-Site FacilitiesSecurity and Control of Off-Site FacilitiesPhysical Access ControlsEnvironmental Monitoring & ControlMedia and Documentation BackupPeriodic Backup ProceduresFrequency of RotationVarious Media and Documentation CreatedInventory (list) must be maintainedAutomated Tape Management System

NSYSU--2005 *060112

Basic PremiseSenior Management InvolvementCost EffectiveMultiple Levels of Recovery Disaster Recovery PlanDrills, Upgrades and Audits

NSYSU--2005 *060112

DRP TestingGoals of TestingTo validate (and identify flaws in) plan procedures and strategies; To obtain information about recovery strategy implementation time;To demonstrate output performance of systems, networks and backup in recovery mode and compare with the same in production mode;To demonstrate recovery plan adequacy to examiners, auditors and management;To adapt existing plans to encompass new requirements of the business;To familiarize recovery teams with their roles within the plan.

NSYSU--2005 *060112

Risk Management - final 1) 2) 3) 4) 5) 6) 7) 8) 9) 10)

NSYSU--2005 *060112

Risk Management - final 1. 2. 3.

NSYSU--2005 *060112

1. 2. 3. 4. 5. Risk Management - final

NSYSU--2005 *060112

1 2 3 4

Risk Management - final

NSYSU--2005 *060112

Risk Management

NSYSU--2005 *060112

General Description of BCP(Business Contingency Plan)

NSYSU--2005 *060112

Business continuity planning

PreventionResponseResumptionRecoveryRestoration

NSYSU--2005 *060112

BCPThe process of: developmenttesting maintenance of a plan To assist the organisation:recover critical IT systems in an effective and efficient manner to ensure minimal business disruption

NSYSU--2005 *060112

BCPDRP (Disaster Recovery Plan)Plan to recover out from a Disaster

BCP (Business continuity plan)Plan for Business Continuity Planning In case of Disasters/ Non Disasters

NSYSU--2005 *060112

BCP Objectives:Ensuring health and life safety protection;Minimizing interruptions to business/service operations;Resuming critical operations within a specified time after a disaster;Minimizing financial loss;Assuring clients, customers, community, suppliers, employees and share holders and stakeholders that their interests are protected; andMaintaining a positive public image of the organization

NSYSU--2005 *060112

NSYSU--2005 *060112

NSYSU--2005 *060112

NSYSU--2005 *060112

BCP Methodology Risk Assessment - Identifying and assessing threats and vulnerabilitiesBusiness Impact Analysis - Ascertaining economic impact of disasters on business functions and processesPlanning - Formulating comprehensive plan covering the assets, employees and business goalsImplementation and testing - Iterating on testing and refinementMaintenance - Reviewing on ongoing basis to keep the plan up-to-date

NSYSU--2005 *060112

Call Tree

NSYSU--2005 *060112

BCP - final Business Continuity Plan, BCP

NSYSU--2005 *060112

General Description of BCM (Business Contingency Management)

NSYSU--2005 *060112

BCM Business Continuity Management is the act of anticipating incidents which will affect mission critical functions and processes for the organization and ensuring that it responds to any incident in a planned and rehearsed manner.

NSYSU--2005 *060112

Future Developments BCM process

Understanding

Your Business

Business

Continuity

Management

Strategies

Develop and

Implement BCM

Plans & Solution(s)

Building &

Embedding a

BCM Culture

Exercising,

Maintenance

and Audit

B C M

Programme

Management

NSYSU--2005 *060112

The McKinsey report estimated that business interruption costs totaled $1.8 billion building damage costs reached $30 billion. Trauma and stress affecting the ability of personnel to perform effectively.Companies had failed to update disaster recovery capacity requirements as their business needs grew. 911-Outcome

NSYSU--2005 *060112

It is less expensive to avoid or mitigate a risk than to restore resources to "business as usual" after an interruption event.If the business continues to operate in the face of an interruption event, it will keep its customers satisfied (and not lose them to the competition) may pick up some new customersIt may lower insurance costs and enhance the business standing in the financial community Why BCM?

NSYSU--2005 *060112

Need of BCPOrganization/Business survival might depend on it.Interruptions cost money. Downtime results in increased expenses, lost revenue, and lost customers. Contractual obligation. Most large companies stipulate in their contracts that suppliers must deliver the services or products they've contracted for - no matter what. Statutory requirement. Many countries made BCP as statutory requirement for running business

NSYSU--2005 *060112

Need of BCM Ever-growing dependence on IT.Business and government cannot function if computers are inoperable. For business, the stakes are high:inability to serve customers, loss of goodwill, missed opportunities, inability to competedirect financial loss due to the inability to conduct financial transactions or ship productslegal liabilities.

NSYSU--2005 *060112

Business & BCM

NSYSU--2005 *060112

Business Continuity Management

BCM Includes: A project for development of Business Continuity Plan Disaster Recovery Procedures Plan Testing Documentation of Plans Monitoring and updating. Assets Identification Business Impact Analysis Assets Classification Alternate procedures Cost-Benefit analysis

NSYSU--2005 *060112

Business Continuity Management

Disaster Recovery ProceduresRecovery prioritiesRecovery arrangementsPlan TestingPaper Test/Walk Through/Table-top testPreparedness TestSystem testDrills.Documentation of Plans

NSYSU--2005 *060112

Business Continuity Management

Monitoring and updating.Periodic testing Test result and adjustments Changes in:AssetsPersons/Team/Contact detail EnvironmentThreats New Threats and VulnerabilitiesMaintenance of up-to-date Documentation

NSYSU--2005 *060112

DRP Types of test

Modular tests Test a set of procedures Strategy tests Validate entire strategy Determine implementation times of plan strategiesParallel tests Validation of recovery strategys capability to handle the anticipated workload Establishing shift schedules for recovery operations Mock disasters A disaster scenario is articulated and recovery teams step through procedures to cope with the interruption

NSYSU--2005 *060112

Building BlocksTeams andResponsibilitiesEffectiveCommunicationRecoveryStrategyEmergencyProcedures Prioritisationof ActivitiesInsuranceBCPCross-trainedPersonnelPeriodic Reviewand UpdationTesting and AdministrationProper Documentation

NSYSU--2005 *060112

BCP-finalPart 1 BCM InfrastructurePart 2 BCMS

NSYSU--2005 *060112

Future Developments BCM process

Understanding

Your Business

Business

Continuity

Management

Strategies

Develop and

Implement BCM

Plans & Solution(s)

Building &

Embedding a

BCM Culture

Exercising,

Maintenance

and Audit

B C M

Programme

Management

NSYSU--2005 *060112

General Description of BCM Flow

NSYSU--2005 *060112

0-1hr.1hr.-2days2days-/BCM

NSYSU--2005 *060112

NSYSU--2005 *060112

NSYSU--2005 *060112

NSYSU--2005 *060112

/ /

NSYSU--2005 *060112

1.2.1.2.1.2.1.2.1.2.

NSYSU--2005 *060112

NSYSU--2005 *060112

NSYSU--2005 *060112

1h2h20w4h8h12h24h48h1w2w4w8w12w

NSYSU--2005 *060112

Case Study-1

NSYSU--2005 *060112

CS2-

NSYSU--2005 *060112

CS2

NSYSU--2005 *060112

1 2 3 4 5 6 7 CS-2

NSYSU--2005 *060112

8 9 10 11 12 13 14 CS2-

NSYSU--2005 *060112

CS2-

V.P.

/

NSYSU--2005 *060112

CS2- CEO/CFO 2025

NSYSU--2005 *060112

CS3-()Emergency Response Team(ERT)()

NSYSU--2005 *060112

CS3-ERPThe safety & hygiene contingency plan for handling the accidents of chemical leakageEmergency response plan for fire incidentNatural disaster prevent and relieve measure planWater shortage emergency response planElectric power interruption emergency response planTyphoon preparedness and emergency response planEmergency medical treatment contingency plan procedureContagious diseases contingency plan procedureEmergency response plan for avian influenzaEmergency response plan for earthquake incidentSPEC NO.SPEC NO.SPEC NO.SPEC NO.SPEC NO.SPEC NO.SPEC NO.SPEC NO.SPEC NO.SPEC NO.

NSYSU--2005 *060112

CS3-

NSYSU--2005 *060112

CS3-

NSYSU--2005 *060112

CS3-

NSYSU--2005 *060112

CS3-

NSYSU--2005 *060112

CS3-

NSYSU--2005 *060112

CS3- () ()()

NSYSU--2005 *060112

CS3-

NSYSU--2005 *060112

CS4-

PESTSWOT (SBRs) IT

IT

:- ---

NSYSU--2005 *060112

CS4-

PESTSWOT (SBRs)

NSYSU--2005 *060112

Strategic Business Risks (SBRs) CS4-

SBR1

SBR2

SBR3

SBR4

SBR5

SBR6

NSYSU--2005 *060112

= CS4-IT/MIS Audit/Risk ,,,,!

NSYSU--2005 *060112

IT CS4-IT/MIS Audit/Risk :E-BusinessERP/MRPPDMIntranetsExtranets::

NSYSU--2005 *060112

IT CS4-IT/MIS Audit/Risk IT :(Confidential)(Integrity)(Available)

NSYSU--2005 *060112

CS4-IT/MIS Audit/Risk E-mailE-mail

NSYSU--2005 *060112

CS4-IT/MIS Audit/Risk Security =+DetectRespond

NSYSU--2005 *060112

CS4-IT/MIS Audit/Risk 2. ISMS

NSYSU--2005 *060112

CS4-IT/MIS Audit/Risk

NSYSU--2005 *060112

ISO 17799 / BS 7799 security requirements established by the British GovernmentFISMA requirements established by GAO for federal govt. COBIT requirements established by Information Systems Audit and Control Association (ISACA)IETF Site Security Handbook and User Security HandbookCIS Rulers Minimum standards of due care from The Center for Internet Security, a new world-wide standards consortiumThe Top 20 Internet Security Threats from SANSVISA's ten requirements for 21,000 organizations with the VISA logoSAS 70 and SysTrust requirements established by the AICPA

CS4-IT/MIS Audit/Risk

NSYSU--2005 *060112

BS 7799-2 CS4-IT/MIS Audit/Risk

NSYSU--2005 *060112

CS5-0800011686&

NSYSU--2005 *060112

CS6-SARS & Bird Flu INGSARS (SARS)

NSYSU--2005 *060112

No risk is tolerable and " acceptable " Thank you so much for your listening!