who we are… - software park thailand continu… · • irca bcms lead auditor certify (bs 25999)...



Post on 15-Aug-2018


Page 1: Who we are… - Software Park Thailand continu… · • IRCA BCMS Lead Auditor Certify (BS 25999) • Microsoft Certified Database Administrator ... • EN 50126, 50129 (Railway)

Thailand

November 2008 Author: Philip Ku, Introduction to BCMS concept

Who we are…

Thailand – IT Business Dept.

歡迎 Welcome 欢迎

Willkommen

ようこそ

Bienvenu

Bienvenido

Bem-vindo

Welkom

добре дошли

स्वागत

Witamy

Page 2

Introduce myself

• Bachelor of Business Administration, Finance and Banking, Assumption University

• Bachelor of Commerce, Business Information System, University of Wollongong, Australia

• Master of Commerce, Business System Analyst, University of Wollongong, Australia

• ITIL V. 1.3 Expert

• Trusted Site Infrastructure Evaluator (TSI) for Data Center

• Successfully Passed IRCA approved ISO 9000:2000 series Auditor/Lead Auditor Training Course

• Successfully Passed IRCA approved Information security management system Lead auditor’s training for ISO 27001 in Jakarta, Indonesia

• Successfully Passed Auditors and Consultant training program for IT service management (ISO 20000) in Taipei, Taiwan

• Successfully completed Introduction to CMMI Model V.1.2 training program, Bangkok

• Successfully completed Intermediate to CMMI V.1.2 Training program, Pittsburgh, Pennsylvania, USA.

• Successfully Passed ISO 15504 (SPICE) Lead Assessor Training program from INTRSA

• Completed a course in Ethical Hacker, Thailand

• Completed course in Network Fundamental and Implementation

Athitanant Apithanataveepat

Page 3

Introduce myself

• Master of Science, Information Technology (Information Science), KMITL (King Mongkut's Institute of Technology Ladkrabang), Bangkok, Thailand

• Bachelor of Science, Computer Science, Mahidol University, Bangkok, Thailand

• Bachelor of Science, Pharmaceutical, Mahidol University, Bangkok, Thailand

• Introduction to CMMI V1.2 Certificate
• IRCA ISMS Lead Auditor Certify (ISO 27001)
• IRCA ITSMS Lead Auditor Certify (ISO 20000)
• IRCA BCMS Lead Auditor Certify (BS 25999)
• Microsoft Certified Database Administrator
• Microsoft Certified Systems Administrator
• Microsoft Certified Systems Engineer
• Microsoft Windows NT 4.0
• Microsoft Certified Professional + Internet
• Microsoft Certified Professional
• Implementing and Administering a Microsoft® Windows® 2000 Network Infrastructure
• Implementing and Administering a Microsoft® Windows® 2000 Directory Services Infrastructure
• Managing a Windows 2000 Network Environment
• Implementing and Supporting Microsoft® Internet Information Server 4.0
• Internetworking with Microsoft® TCP/IP on Microsoft® Windows NT™ 4.0
• Networking Essentials
• Implementing and Supporting NT™ Server 4.0 in the Enterprise
• Implementing and Supporting NT™ 4.0 Workstation
• Implementing and Supporting NT™ Server 4.0

Matana Kritsadrangporn

Page 4

Contents

• Company profile
• BCM concept
• Data Privacy Concept
• Customer reference

Page 5

Bangkok Software Summit 2010

Introduction to BCMS concept

Page 6

TÜV NORD and IT services

Middle East: Saudi Arabia; United Arab Emirates; …

America: Brazil; USA

Asia Pacific: 1. Australia; 2. China; 3. Hong Kong, China; 4. India; 5. Indonesia; 6. Iran; 7. Japan; 8. Korea; 9. Malaysia; 10. Philippines; 11. Taiwan, China; 12. Thailand; 13. Vietnam; 14. …

Central and Eastern Europe: Yugoslavia; Croatia; Poland; Slovakia; Czech Republic; …

Western Europe: Denmark; Germany; France; Greece; Great Britain; Italy; Netherlands; Portugal; Spain; Turkey; …

• Business Continuity Management (BS 25999)
• Common Criteria (ISO 15408)
• CMMI
• Functional Safety (IEC 61508)
• ISMS (ISO 27001)
• ITBPM
• ITIL / ITSM (ISO 20000)
• SQ, Security Qualification

• ISO 9000, QS 9000
• ISO/TS 16949
• ISO 14001
• OHSAS 18001
• EN 46000
• HACCP
• VDA6.1
• GS
• CE Mark
• EMC Test
• …

Page 7

TÜV NORD AP – IT Security and Safety

• ISMS
• ITIL / ITSMS
• ITBPM
• GSM Audit/TU4

• SQ (Security Qualification)
• SigG

• Common Criteria
• FIPS 140-2
• ZKA Criteria

IT Product / Components

System / Installation

Organizational / Management system

Software / Hardware / Firmware / Embedded Systems

• Functional safety Management as an add on to ISO 9000

• ISO 13849, IEC 62061 (Machinery)
• EN 50126, 50129 (Railway)
• IEC 60601 (Medical)
• IEC 61511 (Process)
• IEC 61513 (Nuclear power plant)
• ISO 26262 (Automotive)
• …

• IEC 61508 plus sector specific criteria for machinery, railway, process industry, aviation, automotive and medical equipment

IT Safety related

IT Security related

Page 8

TÜV NORD AP – IT Service and Certificate

- Certification
- IRCA training

IT Product / Components

System / Installation

Organizational / Management system

Software / Hardware / Firmware / Embedded Systems

- Evaluation

Certificate and Mark

- Evaluation
- Testing

Service

Page 9

Possible BCM coverage

Business Continuity Management

• Emergency Management
• IT Disaster Recovery
• Facilities Management
• Human Resources
• Security
• Crisis Communications & PR
• Knowledge Management
• Supply Chain Management
• Quality Management
• Health & Safety
• Risk Management
• Environmental Management

Reference: BS25999-1

Page 10

BS 25999-1 and BS 25999-2

• BS 25999-1:2006, Business Continuity Management – Part 1: Code of Practice

• BS 25999-2:2007, Business continuity management – Part 2: Specification

Page 11

BS 25999-1:2006, Code of Practice

Contents

1. Scope and applicability
2. Terms and definitions
3. Overview of business continuity management (BCM)
4. The business continuity management policy
5. BCM programme management
6. Understanding the organization
7. Determining business continuity strategy
8. Developing and implementing a BCM response
9. Exercising, maintaining and reviewing BCM arrangements
10. Embedding BCM in the organization’s culture

Page 12

BS 25999-2:2007, Specification

Contents

1. Scope
2. Terms and definitions
3. Planning the business continuity management system
   3.1 General
   3.2 Establishing and managing the BCMS
   3.3 Embedding BCM in the organization’s culture
   3.4 BCMS documentation and records
4. Implementing and operating the BCMS
   4.1 Understanding the organization
   4.2 Determining business continuity strategy
   4.3 Developing and implementing a BCM response
   4.4 Exercising, maintaining and reviewing BCM arrangements
5. Monitoring and reviewing the BCMS
   5.1 Internal audit
   5.2 Management review of the BCMS
6. Maintaining and improving the BCMS
   6.1 Preventive and corrective actions
   6.2 Continual improvement

Page 13

BS 25999-1 vs. BS 25999-2

• BS 25999-1:2006, Business Continuity Management – Part 1: Code of Practice
– Contains a comprehensive description of details and minimal information for the implementation of BCMS
– Guidance document; it serves as the basis for understanding the requirements contained in BS 25999-2

• BS 25999-2:2007, Business continuity management – Part 2: Specification
– Auditable standard; identifies the requirements of BCMS
   • PDCA cycle applied to BCMS processes
   • The business continuity management lifecycle
   • Documentation requirements
– Required processes for business continuity management have been identified
   • Business impact analysis, Risk management, BCM strategy, BCM response

BS 25999-2 specifies “What are the requirements of BCMS certification”.

BS 25999-1 describes the methodologies of “How to implement and to fulfill the BCMS requirements”.

Page 14

Applicable scope for BCMS

Sales / Mkt., Production, HR, R&D

Management

IT

3rd parties

3rd parties:
- Supplier, e.g. raw material
- Service provider, e.g. telecom, power, maintenance
- Business partners

Interested parties:
- Shareholder
- Customers
- Government

Finance

Process
- Customer service
- Operation
- Office administrative
- Supply chain management
- Channel management
- …

Scope A

Scope B

BCMS applicable to
- All organizations (or parts thereof), regardless of type, size and nature of business.

Page 15

Process for identifying the BCMS scope

Identify the requirements

Identify Key product and service

Identify the supporting activities

Identify the objectives

Business continuity programme

Business continuity Business impact analysis (BIA) and Risk assessment (RA)

Page 16

What is “business continuity”?

• Strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level

BS 25999-2:2007, 2.3

It is a capability of the organization to respond effectively to incidents and business disruptions.

Page 17

What is going to happen in the future…?

Page 18

December 30, 2008 IRCA (AXXXXX) BCMS Auditor Conversion Training Course, v2r018

Developing and implementing a BCM response

• Purpose – To enable the organization to develop and implement appropriate BCM plans and arrangements to manage any incident and continue its critical activities.

BS 25999-2:2007, 4.3

Page 19

Incident, Business continuity and Recovery

Timeline

Recovery / resumption – back-to-normal

Incident response

Business continuity

Time zero

Incident!! Overall recovery objective: “Back-to-normal” as quickly as possible

BS 25999-1:2006, Figure 2

Within minutes to hours: staff and visitors accounted for; casualties dealt with; damage containment / limitation; damage assessment; invocation of BCP

Within minutes to days: contact staff, customers, suppliers, etc.; recovery of critical business process; rebuild lost work-in-progress

Within weeks to months: damage repair / replacement; relocation to permanent place of work; recovery of costs from insurers

Page 20

How can I manage an incident and recover?

Business recovery plans (BRP)

Incident management plans (IMP)

Business continuity plans (BCP)

Page 21

Business continuity plans (BCPs) and incident management plans (IMPs)

• The organization shall have documented plans that detail how the organization will manage an incident and how it will recover or maintain its activities to a predetermined level in the event of a disruption.

BS 25999-2:2007, 4.3.3

Page 22

Incident response structure

• The organization shall nominate incident response personnel with the necessary responsibility, authority and competence to manage an incident.

• The incident response structure shall provide for personnel to:
– Confirm the nature and extent of an incident;
– Trigger an appropriate business continuity response;
– Have plans, processes and procedures for the activation, operation, coordination and communication of the incident response;
– Have resources available to support the plans, processes and procedures to manage an incident; and
– Communicate with stakeholders.

BS 25999-2:2007, 4.3.1

BS 25999-2:2007, 4.3.2

Page 23

Example: model of incident response

| Level | Action | Roles |
|---|---|---|
| Gold | Strategic | Senior (Incident) management |
| Silver | Tactical | Business continuity team |
| Bronze | Operational | Incident response & Business unit resumption teams |

Escalation

Control

Page 24

Business recovery plans (BRP)

• Organizations may develop specific plans to recover or resume operations back to a “normal” state (recovery plans).

• However, in some incidents it might not be possible to define what “normal” looks like until some time after the incident, so that it might not be possible to implement recovery plans immediately.

• Organizations might therefore wish to ensure that business continuity plans are capable of extended operation, giving time for the development of recovery (“back-to-normal”) plans.

BS 25999-1:2006, 8.2.5

Page 25

BCP and IMP

• Each plan shall:

a) Have a defined purpose and scope;

b) Be accessible to and understood by those who will use them;

c) Be owned by named person(s) who is responsible for their review, update and approval; and

d) Be aligned with relevant contingency arrangements external to the organization.

BS 25999-2:2007, 4.3.3

Page 26

BCP and IMP

• The plans shall collectively contain:

a) Identified lines of communications;

b) Key tasks and reference information;

c) Defined roles and responsibilities for people and teams having authority during and following an incident;

d) Guidelines and criteria regarding which individuals have the authority to invoke each plan and under what circumstances;

e) A method by which each plan is invoked;

f) Meeting locations with alternatives, and up-to-date contact and mobilization details for any relevant agencies, organizations and resources that might be required to support the response;

g) A process for standing down once the incident is over;

BS 25999-2:2007, 4.3.3

Page 27

BCP and IMP

• The plans shall collectively contain: (continued)

h) A reference to the essential contact details for all key stakeholders;

i) Details to manage the immediate consequences of a business disruption giving due regard to:

1) The welfare of individuals;

2) Strategic and operational options for responding to the disruption; and

3) Prevention of further loss or unavailability of critical activities;

j) Details for managing an incident including:

1) Provision for managing issues during an incident; and

2) Processes to enable continuity and recovery of critical activities;

k) Details on how and under what circumstances the organization will communicate with employees and their relatives, key stakeholders and emergency contacts;

BS 25999-2:2007, 4.3.3

Page 28

BCP and IMP

• The plans shall collectively contain: (continued)

l) Details on the organization’s media response following an incident, including:

1) The incident communications strategy;

2) Preferred interface with the media;

3) Guideline or template for drafting a statement for the media; and

4) Appropriate spokespeople;

m) A method for recording key information about the incident, actions taken and decisions made;

n) Details of actions and tasks that need to be performed;

o) Details of the resources required for business continuity and business recovery at different points in time; and

p) Prioritized objectives in terms of the critical activities to be recovered, the timescales in which they are to be recovered and the recovery levels needed for each critical activity.

BS 25999-2:2007, 4.3.3

Page 29

What “resources” are required when I implement BCM?

Premises

Technology

Information

Supplies

Stakeholders

Local responders

Top management

People

Page 30

The BCM lifecycle

BCM programme management

Understanding the organization

Determining BCM strategy

Exercising, maintaining and reviewing

Developing and implementing BCM response

Page 31

PDCA cycle and BCM lifecycle

Interested parties

Business continuity requirements and expectations

Continual improvement of the business continuity management system

Interested parties

Managed business continuity

Plan – 3. Planning the BCMS

Do – 4. Implementing and Operating the BCMS

Check – 5. Monitoring and reviewing the BCMS

Act – 6. Maintaining and improving the BCMS

BCM programme management

Understanding the organization

Determining BCM strategy

Exercising, maintaining and reviewing

Developing and implementing BCM response

The PDCA cycle applies to all parts of the BCM lifecycle.

The BCM lifecycle represents the continuing operation of the business continuity programme within the organization.

The PDCA cycle is the means of ensuring that business continuity is effectively managed and improved.

Page 32

Bangkok Software Summit 2010

Introduction to Data Privacy Concept

Page 33

Definition to know…..


Page 34

7 Common Issues related to Data Privacy


Page 35


7 Common Issues related to Data Privacy

Page 36

Standard related to Data Protection and Privacy

• ISO 9564-3:2003 = Banking -- Personal Identification Number management and security -- Part 3: Requirements for offline PIN handling in ATM and POS systems

• ISO/IEC 18013-3:2009 = Information technology -- Personal identification -- ISO-compliant driving license -- Part 3: Access control, authentication and integrity validation

• ISO 22857:2004 = Health informatics -- Guidelines on data protection to facilitate trans-border flows of personal health information

• Financial services -- Privacy impact assessment.

Page 37

Customer reference of ISMS/ITSMS

• Asia Pacific
– India
   • Elico Limited、Mahindra-British Telecom Ltd.、Porritts and Spencers (ASIA) Ltd.、Onward Technologies Limited, Manufacturing Software Solutions Division, Pune、Tata Consultancy Services Ltd…
– Taiwan
   • Industrial Technology Research Institute、PICK International Asset Management Co., Ltd.、Science and Technology Policy Research and Information Center, NARL、Government Network Service Department, Data Communication Business Group, Chunghwa Telecom Co., Ltd、Government Network Service Department, Data…
– Thailand
   • ISMS (ISO 27001)
      – Software Park, CAT Telecom, Metropolitan Electricity Authority…
   • ITSMS (ISO 20000)
      – Stock Exchange of Thailand, Gosoft …
– Vietnam
   • FPT Software、FPT Information System
– Indonesia
   • YKK

• European Union
– UK
   • Mahindra-British Telecom Ltd.…
– Germany
   • T-Online International AG、SAP AG…
– Czech Republic
   • EUROTEL spol. s r. o.、BDO IT a.s.、Home Credit International a.s.、Elico Limited

Categories: Consultancy、Manufacture、IT、Government agencies、Research institute、Telecom、IDC、NOC、SOC

Categories: International / National companies、Telecom、Software…

Page 38

Q&A

Thanks for your participation.

We are delighted to discuss any question with you.

Welcome to our booth…

Page 39

Who we are…

Thailand – IT Business Dept.

謝謝 Thank you 谢谢

Bitte

ありがとうございました

Merci

Gracias

Grazie

Bedankt

благодаря

धन्यवाद