
Implementing a BCMS

10 questions for the Russian standard GOST R 53647.3-2010 "Business Continuity Management. Part 3. Implementation Guide"


A few years ago I complained that few regulatory documents in Russia are devoted to business continuity. More precisely, I was aware of the national standards of the GOST R 53647 family: GOST R 53647.1-2009 "Business Continuity Management. Part 1. Practical Guide" and GOST R 53647.2-2009 "Business Continuity Management. Part 2. Requirements". Time has passed, and it turns out that the family has been replenished with a substantial number of documents. I want to devote several articles to examining them.
So this time the subject is GOST R 53647.3-2010 "Business Continuity Management. Part 3. Implementation Guide". As with the previous documents, it is based on a UK national document, BIP 2142:2007 "The Route Map to Business Continuity Management. Meeting the Requirements of BS 25999".
As in any area where specialization is possible, the recommendations of this document will probably be more understandable and useful to those who already have practical experience in implementing the business continuity management process.

Section 4.1

In developing and implementing the BCMS (business continuity management system), the organization should establish the interests of key stakeholders.
Who should be considered an interested party?
Depending on the organization's type of activity, the interested parties may include:
  • private and corporate clients;
  • partners;
  • suppliers of goods and services, including outsourcing providers and landlords;
  • contractor organizations;
  • financial organizations and insurance companies;
  • regulatory authorities;
  • municipal authorities;
  • emergency services;
  • environmental organizations;
  • community organizations;
  • the mass media.

Section 4.2

Determining BCM requirements
What are the reasons for starting work on creating a BCMS?
Improving the organization's resilience in adverse circumstances, economic efficiency, competitiveness, and compliance with the requirements of legislation, regulatory bodies and external auditors.

Section 4.4

In developing and implementing the BCMS, the organization should establish its scope in terms of the organization's key products and services.
What should be taken into account when determining the scope of the BCMS?
At the initial stage it is difficult to estimate in advance how much time, effort, money, additional equipment and software, and assistance from external organizations will be required to build a BCMS. Therefore, first, the scope should be made narrow enough not to get bogged down in the complexities of creating a BCMS. Second, a critical area of activity should be chosen, so that creating a BCMS for it has obvious benefits and the necessary resources are not provided on a residual basis.

Section 5.1

Program financing
What justifies financing the BCM program?
In determining the amount of financing, a compromise is always sought between the amount of possible losses from an unlikely event and the guaranteed costs of protecting against it. In addition to the financial losses listed in the standard, one should consider consequences such as:
  • damage to reputation, or the threat of being included in the register of unfair suppliers, for example when dealing with state-funded organizations;
  • degradation of performance, i.e. the speed of processing incoming applications, orders or claims;
  • missed deadlines for filing reports (accidents tend to happen at the most inappropriate time);
  • violation of legal requirements;
  • the cost of overtime to eliminate the consequences, given that the consequences of downtime can take weeks to eliminate.

A full description of what the organization stands to lose if it decides to save on preventive actions should be brought to management's attention.

Section 6

Embedding BCM in the organization's culture
What additional benefits does the organization gain from embedding BCM in its culture?
To the benefits of introducing BCM listed in the standard, a few more can be added:
  • identification and protection of key products and services, ensuring the continuity of their provision;
  • the ability to manage incidents and apply effective response measures;
  • an understanding of how the organization's relations with other organizations, regulatory authorities, government agencies, local authorities and emergency services are arranged;
  • the availability of trained personnel able to respond effectively to incidents or disruptions of normal activity, thanks to the necessary exercises having been conducted;
  • understanding and satisfying the requirements of interested parties;
  • advance arrangements for staff to receive the necessary support if normal business is disrupted;
  • protection of the organization's supply chain;
  • protection of the organization's reputation;
  • compliance with legal and regulatory requirements.

Section 7.1

Document management
How should BCM program documentation be managed?
It must be borne in mind that managing BCM documentation is not a trivial task. For a mature BCM process, the complete set can contain up to hundreds of document types, and the number of documents of one type can also reach several dozen (for example, the rules of action for employees in emergency situations). Managing all of this by hand is impossible. Fortunately, a whole class of specialized software products that automate this task has long existed on the market. They can be divided into two groups: those installed on the organization's own equipment (for example, Sungard Availability Services) and those provided as SaaS over the Internet (for example, ClearView Continuity). Each group has its pros and cons.

Software installed on the organization's own equipment
  + templates, processes and print forms can be configured exactly as desired
  - additional software has to be learned
  - the organization administers it itself
SaaS
  + only an Internet connection is needed
  + the availability and safety of data held by a specialized organization may be higher
  - the data remains outside the organization
  - in an emergency, access may be difficult

The choice of tool depends on the specific situation and the buyer's preferences, but it is better to use one from the very beginning of work in the BCM field.
Section 8.2

Impact analysis
What important parameter is not mentioned in the standard?
The standards devoted to continuity for some reason do not consider the RPO parameter, the Recovery Point Objective, which denotes the amount of data that can be lost without threatening the existence of the organization. Perhaps the authors of the standards assume that all data should be kept in full, but life, unfortunately, does not satisfy this requirement. Even companies offering commercial clouds promise to back up customer data at most about once every 2 hours, and often less frequently, i.e. data entered during the last 2 hours may be lost. Any technical solution has its limits, so there is no reason to refuse to use the RPO parameter.
How should an impact analysis be conducted?
In theory, there are two approaches to conducting a business impact analysis.
The bottom-up approach determines the value of each individual resource, for example a specific server. For the set of resources that support the provision of a single service or the creation of a single product, the most stringent requirements among all the resources in that set are selected. The same procedure is repeated for every product or service.
The second, "top-down" approach is more common and consists in analysing and comparing information received from managers.
You do not need to ask how important the functions of a given unit are. Can you imagine a manager calling their own unit not very important?
Of course, everyone will say they perform not just important but critical tasks for the organization's existence. Therefore it is better simply to ask them to describe how the negative consequences grow if each particular function is interrupted. This makes it possible to move from qualitative and emotional assessments to quantitative ones (so many calls would not be answered, so many transactions would not be processed, so many clients would not be served, so many unaccounted resources would be spent).
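As an added illustration of the bottom-up approach and the RPO point above (this is example code, not from the original post or from the standard), the following Python snippet aggregates per-resource RTO/RPO values into service-level requirements by taking the most stringent value over each service's supporting resources, then checks which services a given backup interval cannot satisfy. The resources, services and hour values are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    name: str
    rto_hours: float  # maximum tolerable downtime of this resource
    rpo_hours: float  # maximum tolerable data loss for this resource


# Constructed sample data: hypothetical resources with requirements
# determined individually, as the bottom-up approach prescribes.
RESOURCES = {
    "db-server": Resource("db-server", rto_hours=4, rpo_hours=1),
    "web-frontend": Resource("web-frontend", rto_hours=8, rpo_hours=24),
    "mail-gateway": Resource("mail-gateway", rto_hours=24, rpo_hours=24),
    "file-share": Resource("file-share", rto_hours=48, rpo_hours=12),
}

# Constructed sample data: which resources each service depends on.
SERVICES = {
    "online-orders": ["db-server", "web-frontend"],
    "customer-support": ["mail-gateway", "db-server"],
    "internal-docs": ["file-share"],
}


def service_requirements(services, resources):
    """Bottom-up aggregation: a service's RTO and RPO are the most
    stringent (smallest) values among the resources that support it."""
    result = {}
    for service, deps in services.items():
        rto = min(resources[d].rto_hours for d in deps)
        rpo = min(resources[d].rpo_hours for d in deps)
        result[service] = (rto, rpo)
    return result


def backup_interval_ok(rpo_hours, backup_interval_hours):
    """A backup schedule meets an RPO only if backups are taken at least
    as often as the RPO: data entered since the last backup may be lost."""
    return backup_interval_hours <= rpo_hours


def rpo_gaps(services, resources, backup_interval_hours):
    """Services whose aggregated RPO the backup interval cannot satisfy."""
    reqs = service_requirements(services, resources)
    return sorted(s for s, (_, rpo) in reqs.items()
                  if not backup_interval_ok(rpo, backup_interval_hours))
```

With the 2-hour backup interval mentioned in the text, every service that depends on the 1-hour-RPO database server is reported as a gap, which is exactly the kind of limitation the RPO parameter makes visible.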
Section 8.5

Risk assessment
What risks are we talking about?
It is widely believed that business continuity covers every possible accident and disaster. In practice, however, applying a single approach to different situations is, as a rule, ineffective. One can propose the following gradation of disruptive events, distinguished by who is involved in resolving them.
  • Breakdown: an event that causes minimal damage, i.e. the damage is negligible compared with, for example, annual revenue, or has a negligible effect on the organization's ability to achieve its goals. Such a problem is solved within the regular incident management process, not the continuity process.
  • Accident: an event that disrupts the normal functioning of the organization's processes. The damage may be unacceptably large (compared with annual revenue), and the event itself makes it impossible to meet internal SLAs and/or contractual obligations to customers. An accident cannot be resolved within the incident management process; it requires the involvement of other people and activation of the continuity management process.
  • Crisis: a situation that cannot be overcome through regular processes. In addition to the continuity management process, it requires initiating a crisis management process. It can often be overcome by the organization itself, although sometimes the causes are external events that do not directly affect business processes (an economic crisis, the abduction or death of managers, theft of personal data, etc.).
  • Large-scale disaster: an event that cannot be prevented and that has a huge impact on people's lives and health and on the organization's property. Both the very existence of the company and outsiders can be endangered. A large-scale disaster cannot be dealt with by the organization's own forces alone: in addition to internal business continuity and crisis management teams, external emergency services and competent authorities play a major role in eliminating its consequences.

Thus, it is more rational to limit the range of risks at the very beginning of implementing the business continuity process rather than trying to tar all troubles with the same brush.
Section 9

Defining business continuity strategies
What other strategy should be developed?
To ensure continuity, strategic decisions are required on a wide range of issues: continuation of activities, restoration of IT services, interaction with the media, logistics and transportation, etc. But there is another topic that is rarely given due attention: the strategy for using the organization's premises.
In an emergency, in order to continue functioning, the company must consider how its requirements for premises will be met: a warehouse for equipment moved out of the affected or unavailable premises; a warehouse for products that continue to be produced; a headquarters for crisis management; spare office space for employees who have lost their regular workplace. In some cases a particular organization may have needs in other areas, for example a reception room or a garage.
To meet all these needs, several approaches can be used: temporarily using the organization's own premises for another purpose, moving employees to branch offices, renting space in a commercial data center, temporarily moving some or all business processes to the premises of friendly companies, or organizing employees' work from home.
Any of these strategic decisions, or a combination of them, has its advantages and disadvantages and requires advance preparation: allocating resources, technical and organizational upgrades, studying the market offerings, and negotiating and concluding contracts with third parties, none of which there will be time for when an emergency occurs.
Section 10.4

Content of a business continuity plan
What else could be useful in the plan?
The standard lists many items that must be contained in the plans. But the experience of writing such documents for many organizations suggests that several more topics remain unlisted, and for some situations they can be very useful.
  1. The plan should specify the means, channels, regularity and persons responsible for exchanging information with employees and their relatives, key stakeholders and emergency services in an emergency. It should be borne in mind that an employee who cannot reach their relatives will worry about them and be distracted from their duties, while worried relatives with their persistent calls can block the communication channels.
  2. It is useful to describe in the plan the minimum level of competence required to carry it out. In an emergency, people unfamiliar with the actions, applications or tools described in it may be involved in implementing the plan. The recovery is unlikely to go better if, at the next step, someone throws up their hands and says "I don't know how to do this".
  3. The plan itself should indicate who updates the document, how, and how often, so that it is up to date at the right moment. In many cases the plan itself, with minor modifications, can be used to conduct tests and recovery exercises.



Source: https://habr.com/ru/post/245579/

