strengthening the weakest link: business continuity management for smes
Post on 01-Jan-2016
Strengthening the weakest link: Business Continuity Management for SMEs
Dr. L. Marinos, ENISA
Essen, 5 October 2010
SME working assumption
• SMEs are generated out of entrepreneurship and have a low level of resources for “non-productive” investments
• Most SMEs (esp. owners) have a low level of BC knowledge
• SMEs are not in a position to fully develop a BCP
• Even where there is some IT knowledge, availability is usually not part of it
• SMEs tend to use standard components (soft- and hardware)
What is Business Continuity?
• Business Continuity is the ability to continue the business in an (for the customer) acceptable.
• For SMEs it needs to be:
• Low cost
• Simple
• Practical
• Affordable in the long term
Business Continuity (Full version)
Deliver BCP
Sustain BCM Programme
Maintain and Review BCP
Develop Awareness
Train Staff
Test BCP
Write Test Plan
Determine Type of Test
Conduct Test
Deliver Debrief/Test Report
Define BCM Framework
Initiate BCM Programme
Assign BCM and Incident Responsibilities
Define BCM Policy
Identify the Organisation
Assess Risks and Impacts
Analyze Results
Prioritize Recovery
Define Critical Resource Requirements
Conduct Business Impact Analysis
Determine Recov. Options
Agree Recovery Strategy
Design BCP
Design BCM Approach
Business Resumption Plan
IT Service Continuity Plan
Communications and Media Plan
Recovery Support Plan
Business Recovery Plan
Incident Management Plan
Incident Response Plan
Interface to other operational and product processes
Adapted Risk Management Activities
Short term
Middle term
Long term
Recurrence
Problems with BC (..as other sec issues)
• Too complicated
• Not business oriented
• Too focused on technical assets
• Too much concentration on threats
• Too reliant on estimates of “probability”
• Threat and vulnerability assessments too technical
• Unrealistic targets
• No clear action plan
• TOO SLOW!
Source: Jeremy Ward
Business Continuity „Light“
• Low expertise in the area of BC
• Simply structured
• Balance between simplicity and effectiveness
• Understandable relations between used terminology
• Good basis for knowledge transfer
ENISA-Approach
Business Continuity Plan
Phase 1
Select Risk Profile
Phase 2
Critical Assets Identification
Asset Control Cards
Asset Based Continuity Controls
Org. Control Cards
Organizational Continuity Controls
Phase 4
Implementation and
Management
Phase 3
Controls Selection
Controls Implementation Plan
http://www.enisa.europa.eu/act/rm/risk-management-for-smes-and-micro-enterprises
In Conclusion
• We see tendencies for simpler approaches
• Become business oriented (no technical, threat etc.)
• Promote through professional associations
• Develop corresponding certification schemes
• Promote generation of a relevant “market”
Thank you for your attention
louis.marinos@enisa.europa.eu
ENISA Risk Management Web Pages: www.enisa.europa.eu/rmra