ICT Resilience Workshop – October 2011


In October, the BCI hosted an ICT Resilience Workshop. The event provided delegates with a
range of presentations and exercises on all aspects of ICT continuity strategies, with a
particular focus on the potential impact of cloud computing on the approach of
organisations to resilience. The one-day workshop, chaired by Mark Taylor, provided them
with an opportunity to discuss common issues with fellow practitioners and to learn lessons
from their peers in other industry sectors.

The five presentations covered an extensive array of subjects, including: ICT continuity
standards; assessing the impact of ICT failure; the move towards virtualisation; disaster
recovery in the cloud; how to enhance security capabilities in a virtualised environment; roles
and responsibilities in the cloud and assessing cloud provider security.

The presentations were as follows:

• BCM and ICT Continuity Standards: What are their purposes and how can they work
together? Ron Miller MBCI, Principal Consultant, SunGard Availability Services
• The journey to the cloud – as we heard it from customers Liam Farrell, Senior Systems
Engineer, VMware UK Ltd
• Using security to enhance availability Andy Dancer, Chief Technology Officer –
EMEA, TrendMicro
• Business continuity in the cloud Mike Small CEng, FBCS, CITP, Fellow Analyst,
• ICT Resilience Other Considerations Mark Taylor MBCI & Steve Cockcroft, Senior
Consultants at Ultima Risk Management

The purpose of this Report is to provide a summary of the presentations which were given at
the workshop. Copies of the supporting materials (slides) that accompanied each
presentation can be found by accessing the Workshop section on the BCI website.

Presentation one

BCM and ICT Continuity Standards: What are their purposes and how can they
work together?

Ron Miller MBCI, Principal Consultant, SunGard Availability Services

In the opening presentation of the workshop, Ron Miller discussed the role of standards in
facilitating ICT continuity, how the current array of standards were arrived at and what is on
the horizon.

Ron began by explaining the process by which standards in the UK are compiled.
Developed by the BSi on a consensual basis, each standard is put together by a panel of
experts representing a range of constituencies. Unlike in the US, panel members are invited
rather than having to pay to participate. The success of this process, he added, is reflected in
the fact that many British standards have become the building blocks for subsequent ISOs.

Turning to the evolution of present day ICT continuity, Ron traced its origins to the IT DR days
of the 1970s and 1980s. This disaster recovery approach evolved into business continuity,
which took the discipline outside of the ‘IT ghetto’ and into various other aspects of the
organisation. A key driver in this evolution during the early 1990s, particularly in the UK, was
the terrorist threat which caused large organisations to expand their views of continuity
beyond IT and buildings to people. Continuity continued to evolve out from the large
organisations into medium-sized organisations in the latter part of the 1990s and then into the
public sector, particularly with the introduction of the Civil Contingencies Act 2004. SMEs are
also now increasingly embracing BCM.

BS 25999 – British Standard for BCM
2006 saw the launch of BS 25999 (Part 1) which aimed to provide guidance to all sectors and sizes
of company on how to become more resilient and achieve shorter recovery times in the aftermath of
disruptions. It was followed a year later by Part 2, which enabled certification against the standard.

“Just because you achieve certification… this does not mean you are guaranteed to recover from an incident”

The standard has proved extremely successful, Ron stated, becoming the BSi’s biggest selling
standard, and also the basis for other standards such as ISO 22301 and ISO 22313 – currently
in final draft form and set to replace Part 2. He warned, however, that people should be
wary of falling into the standard trap – just because you achieve certification to a particular
standard, this does not automatically mean that you are guaranteed to recover from an
incident, but rather that you have the capabilities to recover.

Focusing on ICT-related standards, Ron said that it was a deliberate move by the 25999
panel to not include reference to ICT in the standard. Most IT departments at that point were
reliant upon ISO 27001 for ICT guidance, which was only covered in five out of the 133
security controls in the standard. Furthermore, ISO 27002 only provided 4.5 pages of ‘high-
level guidance’ on ICT out of its 130 pages.

This left IT in somewhat of a limbo, so the decision was made to launch BS 25777. The
standard used the lifecycle of 25999 as its basis and aimed to link ICT more directly to the
overall objectives of the business. Often it was found that the demands of BC could not be
met by the capabilities of ICT, and it was therefore essential that this new approach serve to
allow the organisation to cut the ICT cloth more effectively by aligning it more closely with
the business.

The need for ISO 27031
Despite an increasing reliance on IT, the function still lacked any clear guidance on ICT
continuity. 25777 had made little headway in the ICT arena as it failed to penetrate into the
IT departments and there was no detailed guidance directly related to 27001. This meant
that there were still significant gaps between business and supporting ICT continuity and
resilience in many organisations.

The launch of ISO 27031 served to fill this gap, providing an ICT-focused standard on business
continuity. It takes the core elements of 25777, Ron explained, and places them into an
information security context. Its aim is to help IT think about BCM in an IT-centric way, but still
in relation to the BC objectives of the organisation. 27031 supports the PDCA process and
provides guidance which expands upon ISO 27002. Furthermore, it helps in the
implementation of the controls contained within ISO 27001.

ISO 24762
Ron then turned his attention to ISO 24762, a standard which provides guidelines for
information and communications technology disaster recovery services. He stated that its
aim was to facilitate the provision of information and communications technology disaster
recovery (ICT DR) services as part of business continuity management, and was designed to
be applicable to both “in-house” and “outsourced” ICT DR service providers of physical
facilities and services.

However, Ron stated that the standard was of little real value and was a shining example of
how not to put together a standard. The document was based on the Singapore standard
and had not gone through the normal ISO consultation processes. It did not integrate with
any BCM standards and furthermore did not integrate with ISO 27031. The standard is now at
the beginning of a revision process.

Concepts and principles of ISO 27031
Turning once again to ISO 27031, Ron stated that the primary aim of the standard was to
facilitate ICT readiness for BC (IRBC). The standard complements and supports BCM and/or

• Improving the incident detection capabilities
• Preventing a sudden or drastic failure
• Enabling an acceptable degradation of operational status should the failure be
• Further shortening recovery time
• Minimising impact upon eventual occurrence of the incident

To illustrate the relationship between IRBC and BC, Ron used the following diagram:

Looking at the principles of ICT readiness, he said these were based on:

• incident prevention
• incident detection
• response
• recovery
• improvement

Each of these is considered in the context of people, facilities, technology, data, processes,
suppliers etc. He illustrated these principles as follows:

Incident prevention

• Promotes resilience
• Facilitates identification of critical components in each of the elements which make
up the ICT environment
• Relates ICT criticality to wider business criticalities
• Priorities also driven by BC requirements
• Helps to justify resource and budget for appropriate resilience measures
• Enables you to monitor the performance of resilience measures
• Facilitates review and improvement following exercises, tests and incidents.

ICT readiness:

Examining incident prevention in context, Ron looked at the process in relation to people,
facilities, technology, data, processes and training:

• People – cross-training, succession planning, certification, policies
• Facilities – back-up facilities, secure sites, access control, data centres
• Technology – firewalls, monitoring tools such as intrusion detection, redundancies,
leading edge technology
• Data – storage, review processes, back-up
• Processes – training, access processes, responsibilities
• Suppliers – points of failure, dual sourcing.

Incident detection

IRBC promotes:

• Response before an incident occurs, upon detection of one or a series of related
events that become incidents
• Detecting incidents at the earliest opportunity minimises impact to services, reduces
recovery effort, and preserves quality of service
• Investment in detection should be linked to the business continuity needs.

Focusing on the technology aspect of detection, Ron highlighted the following potential

• Hardware failures
o Malfunctions in racks, servers, storage arrays, tape devices.
• Network
o Data connectivity interruptions, intrusion detection etc.
• Software
o Upgrade issues, unauthorised software, malware etc.
• Data
o Corrupted datasets, incomplete datasets etc.
• Processes
o System changes, maintenance etc.
• Suppliers
o Power failure, telecoms outage.

IRBC promotes existing good practice:
• Confirm nature and extent of incident
o Acquire information
o Assess
o How does it affect the elements of the ICT environment?
How might this affect service-users and the critical activities of the

• Take control of situation
o Automatic or manual failover?
o Determine priorities for mitigating incident
o Determine resource requirements
o Communicate

• Contain the incident
o Auto or manual failover?
o Direct resources to manage situation
o Communicate
Is there concurrent activation of BC Incident Management?
Liaise with rest of organisation
o Activate relevant contingency arrangements

• Communicate with stakeholders
o Communication essential all the way through the response process
o Integration with overall BC incident management process

• Technical recovery plans
o In conjunction with organisational business continuity plans
o Failover of immediately time-critical systems
o Recovery of less time-sensitive systems

• Manage recovery process
o Over hours, days, weeks…..

IRBC promotes improvement:
• Lessons learned from exercises
• Audits/self-assessment
• Feedback from periodic BIAs and risk assessments
• Corrective action following incidents
• Preventive action

The ICT resilience gap
The gap between ICT and the business itself is reducing, Ron stated, due to the increasing
interaction between IT and BCM. However, there is still much work to be done. Cost for
example can be an issue, as often the finance department does not have a sufficient
understanding of ICT-related issues. This is where risk management can play an interim role in
explaining how IT supports money-making activities.

It is also important to manage expectations. Establish what IT can deliver and what
management expects. Often there will be a mismatch and it will be up to the business to
decide where they wish to draw the line in the sand in terms of their recovery expenditure –
but they must have the necessary information to enable them to make this decision. There
will be numerous constraints which come into play, such as technology, budget and
resources; but it is imperative that steps are taken to reduce any misunderstandings that may
exist in relation to the role of technology in business, and the holistic nature of ICT.

The consequences of ICT loss
Ron then outlined what he considered to be some of the main potential consequences of
an ICT loss, and highlighted the following points:
• Impacts are not always obvious
• ICT requirements post-disruption can be quite different from business-as-usual
• Criticality of the same data can vary widely across the organisation – not all data is
born equal!
• “Recovery” is frequently not an option

Consequences of mismatch of ICT resilience implementation and organisational
requirements can include:

• Waste of expenditure and resource
• Provides the WRONG ICT environment in the WRONG timescales
• IT departments frequently concentrate on DR rather than resilience and continuity
o “We don’t need to bother about uptime because we know we have good
o They don’t ask users the right questions
• Business departments don’t know/share continuity requirements
o RTOs
o RPOs
• Each side’s knowledge of information availability capabilities and requirements
remains unknown to the other
• The organisation implements an information security programme which fails to deliver
on information availability

Getting value for money
Ron concluded his presentation by stating that using an ICT standard can help you to justify
the costs to the business by rationalising the required IT DR spend. Furthermore, it provides a
mechanism for realism in service-user BCM requirements, facilitating greater alignment of
RTOs and RPOs with minimum BC requirements – thereby creating a resilience-based
environment, rather than one founded on recovery.

ISO 27031 and BS 25777 provide a means of establishing a holistic view of ICT and how it fits
into the organisation, in terms of its people, facilities, processes, technology, data and
suppliers; and furthermore how they fit into the principles of incident prevention, incident
detection, response, recovery and improvement.

ICT Readiness, he finished, provides the guidance which supports BCM and information
security goals. It is driven by business/organisational requirements (not the other way round)
and feeds back into organisational goals.

Presentation two

The journey to the cloud – as we heard it from customers

Liam Farrell, Senior Systems Engineer, VMware UK Ltd

Liam Farrell began by stating that the relationship between IT and business has changed
significantly in recent years. IT is no longer simply focused on ‘the plumbing’ but rather has to
contribute real value to the business.

The responsibility of the CEO, he said, is to create sustainable value whilst being responsive to
a dynamic market, changing workforce, and business environment. A key competitive
advantage is the ability to anticipate and respond to change. In this context, IT is viewed as
a service which can facilitate this. It offers competitive advantage by providing the right
capability at the right time. The role therefore of the CIO is to provide business with the
services it needs, when it needs it, within their resource constraints.

Drivers for cloud computing
Liam then produced a slide which detailed the top drivers for cloud computing initiatives in
organisations taken from the CIO Global Cloud Computing Adoption Survey January 2011.
The top driver, by a significant margin, was business agility (faster time to market, increased
user satisfaction), followed by reducing IT infrastructure investment; reducing IT management
and maintenance resources; and increasing capacity/availability. Disaster recovery/business
continuity ranked sixth in the list of drivers.

What the cloud provides, Liam stated, is the ability to meet the speed to market demands of
today’s corporate environment. If an organisation has a new function, and needs to get the
processes in place immediately to facilitate this new function, through the cloud this is now

The journey so far
In his next slide, Liam illustrated the ‘virtualisation journey’. He broke the journey to date into
three primary stages:

Stage 1 - IT production:
The initial stage in the journey is focused on generating cost efficiencies and is reactive in its
overall approach. Sponsorship at this stage is with IT and its value to the business is very much
from a CAPEX/OPEX perspective. Its capabilities are focused on cost saving, credibility and

Stage 2 - Business production:
The next stage focuses on achieving quality of service and is based on a
more selective approach to IT. Sponsorship has evolved to being both IT and LOB, while its
business value has expanded to include availability and responsiveness. As a result, its key
capabilities are now speed, stability and SLAs.

Stage 3 - ITaaS:
The latest stage in the journey is that which is focused on achieving business agility and is
proactive in its approach. Sponsorship is in the hands of the CIO and its value to the business
has expanded further to encompass compliance and time-to-market; while key capabilities
are now based around streamlined processes, IT-as-service and quality of life.

[Diagram: stages of the virtualisation journey – Virtualisation and Management; Advanced Management and Business Continuity; Better Application Development]

This journey, he said, begins with server virtualisation with the organisation seeking cost
savings by reducing the number of physical servers it uses. The next stage in the process sees
the use of virtualisation to facilitate operations management, security and compliance
processes. As the organisation’s virtualisation approach evolves further, the benefits the
system provides from a BCM and DR perspective come into play. Desktop virtualisation is the
next stage in the process, before it achieves full cloud service delivery.

In his opinion, Liam said that approximately 90% of organisations today are either at stages
one or two in their virtualisation journey.

Cloud is changing the new IT landscape
The IT environment in which we operate is rapidly changing, Liam explained. Existing
applications, such as Microsoft and SAP, are now viewed as clunky by the Facebook
generation. People are moving away from the idea of buying a product towards simply
accessing them as a service.
