Tuesday 30 August 2011

Home Continuity

Regardless of cultural differences, we can identify scenarios that are more or less common when talking about home continuity. Analyzing the five components supporting the business identified in the standard BS25999-1, we can determine the following:
  • People: the inhabitants of the home, whether family, flatmates, etc.
  • Premises: the home plus its annexes (garages, etc.)
  • Information, in both formats, paper and electronic. We all have documents in our homes that could be important and irreplaceable, such as contracts, deeds, official documents, etc. Furthermore, an increasing amount of information is electronic: photos, videos, documents on our hard disks, etc.
  • Technology: perhaps the least critical component, since its service is personal and easily restorable.
  • Supplies: traditionally four: electricity, water, gas and telephone.
The next step is to define the scenarios that could be part of the scope of our home continuity program, which can be identified as more or less probable depending on the threats of the area in which the home is located. Some example scenarios:
  • Loss of information (mainly on the hard disk)
  • Power outage, of different durations
  • Flood
  • Fire
  • Severe weather: heavy snow or storms, hurricanes
  • Major disasters: earthquakes, nuclear incidents, etc.
Some of these scenarios are more or less common. For example, some years ago there was a gas blast 50 meters from my house. Although we may think that a lot of damage can be covered by insurance, perhaps there are things that cannot be restored with money.

If we analyze the first scenario above, surely it has happened to a lot of people: we can lose all the information on our hard disk, including photographs, videos, etc., so our home continuity program must define the mechanisms that we are going to use to safeguard the information. There are some options, like burning CDs and taking them to a different location (the house of a relative, for example) or uploading photos or videos to a cloud service, like Google Drive or Dropbox.

We have to continue with the other scenarios in order to develop our whole Home Continuity Plan and be sure that we are not going to lose what we store in our homes. Testing would be fun, especially if you have young children.

Friday 19 August 2011

Personal Accreditations in BCM



In order to certify professional knowledge of Business Continuity, there are two international organizations focused only on BCM. These are the agencies that are currently recognized:

For historical reasons, DRII has more recognition and is best known in America, both North America and Latin America, and in Australia, while BCI has more presence in Europe and Asia.

The certification schemes of both entities are very similar and are based on passing an exam and accrediting experience in different Business Continuity domains.

BCI
The different types of accreditation are the following:
  • CBCI: basically means passing the exam.
  • AMBCI (Associate Member): statutory member, with the same voting rights and the possibility of being elected to BCI staff. To achieve the accreditation it is required to be CBCI and to accredit a year of experience with two different references.
  • SBCI (Specialist): specialists have to demonstrate at least two years of experience in BCM in one of the 6 domains of continuity: policy and management, analysis, strategic services, response, planning and support, testing and audit, and training and awareness. It is also valid to demonstrate experience in a related discipline, like information security risk.
  • MBCI (Member): must demonstrate working as a business continuity practitioner with at least three years of full-time experience in BCM. They will need to pass the BCI Certificate at the higher “Pass with Merit” grade.
The official definitions can be seen in this link.

The exam is managed by Prometric, although registration with BCI is required before the exam. The exam is based on the Good Practice Guide (GPG).

DRII
The accreditations are very similar:
  • ABCP (Associate Business Continuity Professional): equivalent to CBCI, that is, it accredits passing the exam without experience requirements.
  • CFCP (Certified Functional Continuity Professional): requires passing the exam and demonstrating 2 years of experience in three knowledge areas (SME: project initiation and management, risk evaluation and control, business impact analysis, developing BC strategies, emergency response and operations, developing and implementing BC plans, awareness program and training, maintaining and exercising BC plans, crisis communications and coordination with external agencies).
  • CBCP (Certified Business Continuity Professional): requires passing the exam and demonstrating at least 2 years of experience in 5 knowledge areas.
  • MBCP (Master Business Continuity Professional): reserved for specialists in business continuity, evaluated by DRII, with more than five years of experience in at least 7 knowledge areas.
The official definitions can be seen in this link.

The exam is in-class and there are periodic schedules all around the world. In Europe they are organized from Italy.

Business Continuity accreditations in Spain have less recognition than other accreditations related to information security, like CISA from ISACA or CISSP from ISC2, and are difficult to achieve because of the language and the scheduling of exams, but they have high value in the medium and long term.


Wednesday 10 August 2011

Components supporting Business


Business continuity has been promoted mainly by two industries: financial and insurance. These two industries have some common characteristics that could explain their maturity in business continuity programs:
  • They have specific regulation, usually backed by economic sanctions, like Basel and Solvency.
  • Their principal business processes are concentrated in not too many locations, mainly data centers and call centers, which means that resilience can be granted in an easy way. It is enough to back up these central locations, because other facilities are not as important for the continuity of the business.
  • The degree of industrialization and automation of their processes is very high. This makes them highly dependent on the information technology infrastructure, which means that backup and restoration measures also cover a high percentage of the business.

In Spain, these two industries have historically stood out because of their preparation: one of them with recovery services for their data centers and the other taking a further step with recovery facilities equipped with workstations.

As a result of the over-development of IT service continuity, nowadays every data center, no matter whether it is big or small, hired or owned, has its own recovery measures, granting a false feeling of protection. A high number of directors think that they have a good business continuity program only because they have a recovery data center, even though the main business processes are not supported by IT infrastructure and are therefore not backed up.

It would not be effective to recover the IT infrastructure of a hospital when a Legionella infection outbreak has taken place, for example. The same applies to most of the disaster scenarios that could be included in the scope of the business continuity program of a hospital. What's the problem then? We must identify what the components that support the business are.

The best way to identify these resources is to use the ones identified in BS-25999-2, that is:
  • people (7.3)
  • premises (7.4)
  • technology (7.5)
  • information (7.6)
  • supplies (7.7)

Without using any statistical method, it is possible to identify the dependency of the business on the different types of resources described above for each industry. This is what I want to describe in the following graphs:

It is clear that, in the financial industry, IT infrastructure supports a high percentage of the business, even taking into account other issues, like the providers in charge of distributing cash to all customers every morning in order to cover their needs. So it would be easier for them to be prepared than, for example, a hospital, in which all components have to be taken into account in a similar way.

In conclusion, one of the first steps required to develop a business continuity program is to identify which components are essential to guarantee product and service delivery to customers for each of the scenarios included in the scope of the program. It is good practice to use the five components of business continuity identified in BS-25999-1.

Wednesday 3 August 2011

Historical evolution of norms, standards and legislation in BCM

Before the expected ISO 22301 is published and, probably, becomes the reference standard worldwide, it is convenient to review the set of guides and standards that nowadays show the way in Business Continuity.

The first standard that can be remembered is NIST 800-34, "Contingency Planning Guide for IT", from the US government. This is the standard in which some terms and definitions began to be used, and these terms have endured over time: DRP, COOP, BCP, etc. This standard was published in 2002 and was, without any doubt, the first statement of intent in IT service continuity.

At the same time, the Business Continuity Institute (BCI) published the first version of the Good Practice Guide (GPG), which would later become the seed of the BS25999 standard. It was more focused on business continuity than the 800-34. In 2003 BSI decided to use it as a base to develop the standard, publishing PAS-56 (Publicly Available Specification). This PAS was in force until the publication of BS-25999-1, which repealed the PAS in 2006. At the same time, the standard BS-25999-2 was launched, with the description of the management system and the certification scheme.
Standards development organizations from Singapore and Australia have traditionally been aware of business continuity and have published different norms and standards that complement the "occidental" standards. Singapore, for example, published SS507 BC/DR Service Providers, which seeks to define the characteristics that providers have to meet in order to be certified as a BC provider. For a while, this standard was considered a rival of BS-25999 in the fight to establish the base of the new ISO standard, but it was not widely used in other countries.

In 2006 the PAS-77 standard was published by BSI. It was focused on covering the IT service continuity that was not taken into account in BS-25999 and was primarily motivated by that criticism. In 2008 this standard became BS-25777 IT Service Continuity Management, and in 2011 it became ISO 27031, although it is not expected that this standard will have a certification scheme in the future. It is important to note that the committee in charge of the development of this standard is 27 (IT) and not 22 (Social Security).
In the following picture a timeline can be seen that clarifies this landscape of norms and standards:
Hopefully 22301 will become the definitive standard that gives a boost to the business continuity sector from a certification perspective.