Advisor: Professor 盧淵源. Group 7 members: 陳源裕 8922404021, 潘呂美 ...


Upload: vea

Post on 22-Jan-2016






Crisis Management and Business Continuity Management. Advisor: Professor 盧淵源. Group 7 members: 陳源裕 8922404021, 潘呂美 9421408007, 楊志偉 9421408040, 許勢斌 9421408029, 吳瑞春 9222404002, 鍾少櫻 9122404012. Task Force. History Review: 陳源裕 (5 min.). Infrastructure: 陳源裕, 許勢斌 (15~20 min.). Case Study (25~30 min.) - PowerPoint PPT Presentation



    NSYSU--2005 *060112

    Task Force
    • History Review: (5 min.)
    • Infrastructure: (15~20 min.)
    • Case Study (25~30 min.)
    • TFT-LCD Industrial Risk:
    • General Industrial Risk:
    • Service Field Risk & Control:

    Content
    • Review & History
    • General Description of Risk
    • General Description of BCP
    • General Description of BCM

    Review & History

    Management Golden Triangle

    Risk & BCP & BCM

    Risk & BCP & BCM 921 SARS3ABhopal 911

    ICS 1970

    Why ICS?

    Fundamental of CIS

    Function of CIS

    Function of CISICS

    Main Function of CISICS

    Organization For example

    Some misconceptions . . .
    • We take regular backups
    • We have trained staff
    • Isn't it a dead investment?
    • We can operate without computers
    • It will not happen to us
    • We have insurance cover
    • It is not our main business and we accept the risk

    Some missed comments . . .
    • Later.
    • Excellent! We will have it some day
    • Take care of it NOW
    • What are our techies doing?
    • We are not in NY
    • We will cross the bridge

    General Description of Risk

    Risk NATURAL

    E Security Physical Logical Network Access Security

    Risk Evaluation
    • Disaster Event Scenarios
    • Risk Ranking of Functions: Critical, Vital, Sensitive, Non-critical

    Varying Levels of Disaster

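    Risk - Measures of likelihood

    | Level | Likelihood     | Definition                                                 |
    |-------|----------------|------------------------------------------------------------|
    | 5     | Almost Certain | Event is expected to occur during next business cycle      |
    | 4     | Likely         | Event will probably occur during next business cycle       |
    | 3     | Possible       | Event might occur sometime                                 |
    | 2     | Unlikely       | Event can occur sometime                                   |
    | 1     | Rare           | Event may occur in exceptional circumstances               |

    Measures of Consequences

    | Level | Consequence   | Definition                                                      |
    |-------|---------------|-----------------------------------------------------------------|
    | 5     | Catastrophe   | Long term business objectives will be significantly impaired.   |
    | 4     | Major         | Significant impact on long term business objectives             |
    | 3     | Moderate      | Objectives will have impact, and needs more time to recover.    |
    | 2     | Minor         | Short term business objective may be hindered                   |
    | 1     | Insignificant | Does not affect the long term objectives of business            |

    Qualitative risk analysis Matrix

    | Likelihood \ Consequence | Insignificant | Minor | Moderate | Major | Catastrophe |
    |--------------------------|---------------|-------|----------|-------|-------------|
    | Almost Certain           | H             | H     | E        | E     | E           |
    | Likely                   | M             | H     | H        | E     | E           |
    | Possible                 | L             | M     | H        | E     | E           |
    | Unlikely                 | L             | L     | M        | H     | E           |
    | Rare                     | L             | L     | M        | H     | H           |

    E = Extreme Risk, H = High Risk, M = Moderate, L = Low Risk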

    Impact Analysis:
    • Loss of key staff;
    • Loss of vital records;
    • Global issues, such as change in political climate;
    • Difficulty of operational integration across borders;
    • Disruption of importing and exporting functions;
    • Critical labor relationships;
    • New revenue streams;
    • Supplier disruptions; and
    • Regulatory controls.

    Impact Analysis:
    • Extraordinary recovery expenses;
    • Technology recovery requirements;
    • Special recovery resource requirements;
    • Critical disaster-specific information systems support;
    • Internal and external dependencies;
    • Existing and required work-around procedures; and
    • Insight into the organization's current state of preparedness.

    • Which business units, operations and processes are essential to the survival of the organization;
    • How quickly essential business units or processes have to be back in operation before the impacts are catastrophic;
    • What are the most plausible recovery alternatives to meet the recovery windows;
    • What resources are needed to resume operations at a survival level for the essential parts of the business;
    • What elements must be pre-positioned in order to meet the recovery windows;

    Impact Analysis: Decision
    • What will be reused and recovered and to what capacity levels over what period of time;
    • What changes, if any, need to be implemented in the supply chain, inventory and distribution management programs;
    • How to address the organization's internal and external interdependencies; and
    • What recovery and continuity policies and procedures must be in place to address both a short-term disaster such as a brief systems failure or a long-term major property loss.

    Critical Recovery Time Period
    • Depends on the nature of business
    • Applications to be recovered
    • End User Computing Resources
    • Processing Priorities

    Critical Parameter
    • Critical Business Functions
    • Acceptable Recovery Time
    • Resources Committed
    • Major Divisions
    • Support Services
    • Business Operations
    • Data Processing Support

    Business Continuity
    • Why is it the responsibility of Senior Management?
    • What are the components of Business Continuity Plan?
    • Senior Management
    • User Management
    • User & Data Processing Procedures
    • Personnel who must respond to Disaster Scenarios are most important

    • Key Decision Making Personnel
    • Team Leaders
    • Equipment and S/w Vendors
    • Recovery Site Representatives
    • Network Re-routing Services
    • Offsite Media Custodians
    • Insurance Agents
    • Contract Services

    Procedures
    • Emergency Action Procedure
    • Notification Procedure
    • Disaster Declaration
    • Systems Recovery
    • Network Recovery
    • User Recovery (Manual Procedures)
    • Salvage Operations

    BCP & Reconstruction Methodologies
    • Emergency Action Team
    • Damage Assessment Team
    • Emergency Management Team
    • Offsite Storage Teams
    • Software Team
    • Application Team
    • Security Team
    • Emergency Operations Team

    Computer Hardware Alternatives
    • Hot Sites
      • Ready to Operate Within Several Hours
      • Not for long term extended use
      • Network Component
    • Warm Sites
      • Partially Configured with network connections
      • Without Main Computer
    • Cold Sites
      • Site with only basic environment

    Off-Site Facilities
    • Security and Control of Off-Site Facilities
    • Physical Access Controls
    • Environmental Monitoring & Control
    • Media and Documentation Backup
    • Periodic Backup Procedures
    • Frequency of Rotation
    • Various Media and Documentation Created
    • Inventory (list) must be maintained
    • Automated Tape Management System

    Basic Premise
    • Senior Management Involvement
    • Cost Effective
    • Multiple Levels of Recovery
    • Disaster Recovery Plan
    • Drills, Upgrades and Audits

    DRP Testing
    Goals of Testing
    • To validate (and identify flaws in) plan procedures and strategies;
    • To obtain information about recovery strategy implementation time;
    • To demonstrate output performance of systems, networks and backup in recovery mode and compare with the same in production mode;
    • To demonstrate recovery plan adequacy to examiners, auditors and management;
    • To adapt existing plans to encompass new requirements of the business;
    • To familiarize recovery teams with their roles within the plan.

    Risk Management - final

    Risk Management

    General Description of BCP (Business Contingency Plan)

    Business continuity planning

    BCP
    The process of development, testing and maintenance of a plan.
    To assist the organisation:
    • recover critical IT systems in an effective and efficient manner
    • to ensure minimal business disruption

    BCP, DRP
    • DRP (Disaster Recovery Plan): Plan to recover from a disaster
    • BCP (Business Continuity Plan): Plan for business continuity in case of disasters / non-disasters

    BCP Objectives:
    • Ensuring health and life safety protection;
    • Minimizing interruptions to business/service operations;
    • Resuming critical operations within a specified time after a disaster;
    • Minimizing financial loss;
    • Assuring clients, customers, community, suppliers, employees, shareholders and stakeholders that their interests are protected; and
    • Maintaining a positive public image of the organization

    BCP Methodology
    • Risk Assessment - Identifying and assessing threats and vulnerabilities
    • Business Impact Analysis - Ascertaining economic impact of disasters on business functions and processes
    • Planning - Formulating comprehensive plan covering the assets, employees and business goals
    • Implementation and testing - Iterating on testing and refinement
    • Maintenance - Reviewing on ongoing basis to keep the plan up-to-date

    Call Tree

    BCP - final: Business Continuity Plan, BCP

    General Description of BCM (Business Contingency Management)

    BCM
    Business Continuity Management is the act of anticipating incidents which will affect mission critical functions and processes for the organization and ensuring that it responds to any incident in a planned and rehearsed manner.

    Future Developments: BCM process
    [Figure: BCM process diagram. Surviving labels: Your Business; Develop and Implement BCM Plans & Solution(s); Building & Embedding a BCM Culture; and Audit; BCM]

    911 - Outcome
    • The McKinsey report estimated that business interruption costs totaled $1.8 billion; building damage costs reached $30 billion.
    • Trauma and stress affecting the ability of personnel to perform effectively.
    • Companies had failed to update disaster recovery capacity requirements as their business needs grew.

    Why BCM?
    • It is less expensive to avoid or mitigate a risk than to restore resources to "business as usual" after an interruption event.
    • If the business continues to operate in the face of an interruption event, it will keep its customers satisfied (and not lose them to the competition) and may pick up some new customers.
    • It may lower insurance costs and enhance the business's standing in the financial community.

    Need of BCP
    • Organization/Business survival might depend on it.
    • Interruptions cost money. Downtime results in increased expenses, lost revenue, and lost customers.
    • Contractual obligation. Most large companies stipulate in their contracts that suppliers must deliver the services or products they've contracted for, no matter what.
    • Statutory requirement. Many countries have made BCP a statutory requirement for running a business.

    Need of BCM
    • Ever-growing dependence on IT.
    • Business and government cannot function if computers are inoperable.
    • For business, the stakes are high:
      • inability to serve customers, loss of goodwill, missed opportunities, inability to compete
      • direct financial loss due to the inability to conduct financial transactions or ship products
      • legal liabilities.

    Business & BCM

    Business Continuity Management

    BCM Includes:
    • A project for development of Business Continuity Plan
    • Disaster Recovery Procedures
    • Plan Testing
    • Documentation of Plans
    • Monitoring and updating
    • Assets Identification
    • Business Impact Analysis
    • Assets Classification
    • Alternate procedures
    • Cost-Benefit analysis

    Business Continuity Management
    • Disaster Recovery Procedures
      • Recovery priorities
      • Recovery arrangements
    • Plan Testing
      • Paper Test / Walk Through / Table-top test
      • Preparedness Test
      • System test
      • Drills
    • Documentation of Plans

    Business Continuity Management
    Monitoring and updating
    • Periodic testing
    • Test result and adjustments
    • Changes in:
      • Assets
      • Persons/Team/Contact detail
      • Environment
      • Threats
    • New Threats and Vulnerabilities
    • Maintenance of up-to-date Documentation

    DRP Types of test
    • Modular tests
      • Test a set of procedures
    • Strategy tests
      • Validate entire strategy
      • Determine implementation times of plan strategies
    • Parallel tests
      • Validation of recovery strategy's capability to handle the anticipated workload
      • Establishing shift schedules for recovery operations
    • Mock disasters
      • A disaster scenario is articulated and recovery teams step through procedures to cope with the interruption

    Building Blocks
    • Teams and Responsibilities
    • Effective Communication
    • Recovery Strategy
    • Emergency Procedures
    • Prioritisation of Activities
    • Insurance
    • BCP
    • Cross-trained Personnel
    • Periodic Review and Updation
    • Testing and Administration
    • Proper Documentation

    BCP - final
    • Part 1: BCM Infrastructure
    • Part 2: BCMS


    General Description of BCM Flow


    Case Study-1

    CS-2

    CS2- CEO/CFO 2025

    CS3- Emergency Response Team (ERT)

    CS3-ERP

    | Plan                                                                                         | SPEC NO. |
    |----------------------------------------------------------------------------------------------|----------|
    | The safety & hygiene contingency plan for handling the accidents of chemical leakage         |          |
    | Emergency response plan for fire incident                                                    |          |
    | Natural disaster prevent and relieve measure plan                                            |          |
    | Water shortage emergency response plan                                                       |          |
    | Electric power interruption emergency response plan                                          |          |
    | Typhoon preparedness and emergency response plan                                             |          |
    | Emergency medical treatment contingency plan procedure                                       |          |
    | Contagious diseases contingency plan procedure                                               |          |
    | Emergency response plan for avian influenza                                                  |          |
    | Emergency response plan for earthquake incident                                              |          |

    CS4- Strategic Business Risks (SBRs)

    CS4-IT/MIS Audit/Risk

    CS4-IT/MIS Audit/Risk: IT
    • E-Business
    • ERP/MRP
    • PDM
    • Intranets
    • Extranets

    CS4-IT/MIS Audit/Risk: IT
    • (Confidential)
    • (Integrity)
    • (Available)

    CS4-IT/MIS Audit/Risk: E-mail

    CS4-IT/MIS Audit/Risk: Security = + Detect Respond

    CS4-IT/MIS Audit/Risk: 2. ISMS

    CS4-IT/MIS Audit/Risk
    • ISO 17799 / BS 7799 security requirements established by the British Government
    • FISMA requirements established by GAO for federal govt.
    • COBIT requirements established by Information Systems Audit and Control Association (ISACA)
    • IETF Site Security Handbook and User Security Handbook
    • CIS Rulers: Minimum standards of due care from The Center for Internet Security, a new world-wide standards consortium
    • The Top 20 Internet Security Threats from SANS
    • VISA's ten requirements for 21,000 organizations with the VISA logo
    • SAS 70 and SysTrust requirements established by the AICPA

    CS4-IT/MIS Audit/Risk: BS 7799-2

    CS6-SARS & Bird Flu INGSARS (SARS)

    No risk is tolerable and "acceptable"

    Thank you so much for your listening!