Thailand
November 2008 Author: Philip Ku, Introduction to BCMS concept
Who we are…
Thailand – IT Business Dept.
歡迎 / Welcome / 欢迎
Willkommen
ようこそ
Bienvenu
Bienvenido
Bem-vindo
Welkom
добредошли / स्वागत
Witamy
Thailand
Introduce myself: Athitanant Apithanataveepat
• Bachelor of Business Administration, Finance and Banking, Assumption University
• Bachelor of Commerce, Business Information System, University of Wollongong, Australia
• Master of Commerce, Business System Analyst, University of Wollongong, Australia
• ITIL V.1.3 Expert
• Trusted Site Infrastructure Evaluator (TSI) for Data Center
• Successfully passed IRCA approved ISO 9000:2000 series Auditor/Lead Auditor Training Course
• Successfully passed IRCA approved Information Security Management System Lead Auditor training for ISO 27001 in Jakarta, Indonesia
• Successfully passed Auditors and Consultant training program for IT service management (ISO 20000) in Taipei, Taiwan
• Successfully completed Introduction to CMMI Model V.1.2 training program, Bangkok
• Successfully completed Intermediate to CMMI V.1.2 training program, Pittsburgh, Pennsylvania, USA
• Successfully passed ISO 15504 (SPICE) Lead Assessor Training program from INTRSA
• Completed a course in Ethical Hacker, Thailand
• Completed course in Network Fundamental and Implementation
Introduce myself: Matana Kritsadrangporn
• Master of Science, Information Technology (Information Science), KMITL (King Mongkut Institute of Technology Lardkrabung), Bangkok, Thailand
• Bachelor of Science, Computer Science, Mahidol University, Bangkok, Thailand
• Bachelor of Science, Pharmaceutical, Mahidol University, Bangkok, Thailand
• Introduction to CMMI V1.2 Certificate
• IRCA ISMS Lead Auditor Certify (ISO 27001)
• IRCA ITSMS Lead Auditor Certify (ISO 20000)
• IRCA BCMS Lead Auditor Certify (BS 25999)
• Microsoft Certified Database Administrator
• Microsoft Certified Systems Administrator
• Microsoft Certified Systems Engineer
• Microsoft Windows NT 4.0
• Microsoft Certified Professional + Internet
• Microsoft Certified Professional
• Implementing and Administering a Microsoft® Windows® 2000 Network Infrastructure
• Implementing and Administering a Microsoft® Windows® 2000 Directory Services Infrastructure
• Managing a Windows 2000 Network Environment
• Implementing and Supporting Microsoft® Internet Information Server 4.0
• Internetworking with Microsoft® TCP/IP on Microsoft® Windows NT™ 4.0
• Networking Essentials
• Implementing and Supporting NT™ Server 4.0 in the Enterprise
• Implementing and Supporting NT™ 4.0 Workstation
• Implementing and Supporting NT™ Server 4.0
Contents
• Company profile
• BCM concept
• Data Privacy Concept
• Customer reference
Bangkok Software Summit 2010
Introduction to BCMS concept
TÜV NORD and IT services
Middle East: Saudi Arabia, United Arab Emirates, …
America: Brazil, USA
Asia Pacific: 1. Australia, 2. China, 3. Hong Kong, China, 4. India, 5. Indonesia, 6. Iran, 7. Japan, 8. Korea, 9. Malaysia, 10. Philippines, 11. Taiwan, China, 12. Thailand, 13. Vietnam, 14. …
Central and Eastern Europe: Yugoslavia, Croatia, Poland, Slovakia, Czech Republic, …
Western Europe: Denmark, Germany, France, Greece, Great Britain, Italy, Netherlands, Portugal, Spain, Turkey, …
IT services: Business Continuity Management (BS 25999), Common Criteria (ISO 15408), CMMI, Functional Safety (IEC 61508), ISMS (ISO 27001), ITBPM, ITIL / ITSM (ISO 20000), SQ (Security Qualification)
Other services: ISO 9000, QS 9000, ISO/TS 16949, ISO 14001, OHSAS 18001, EN 46000, HACCP, VDA 6.1, GS, CE Mark, EMC Test, …
TÜV NORD AP – IT Security and Safety
Levels covered (diagram axis): IT Product / Components; System / Installation; Organizational / Management system; Software / Hardware / Firmware / Embedded Systems
IT Security related:
• ISMS
• ITIL / ITSMS
• ITBPM
• GSM Audit/TU4
• SQ (Security Qualification)
• SigG
• Common Criteria
• FIPS 140-2
• ZKA Criteria
IT Safety related:
• Functional safety management as an add-on to ISO 9000
• ISO 13849, IEC 62061 (Machinery); EN 50126, 50129 (Railway); IEC 60601 (Medical); IEC 61511 (Process); IEC 61513 (Nuclear power plant); ISO 26262 (Automotive); …
• IEC 61508 plus sector specific criteria for machinery, railway, process industry, aviation, automotive and medical equipment
TÜV NORD AP – IT Service and Certificate
Levels covered (diagram axis): IT Product / Components; System / Installation; Organizational / Management system; Software / Hardware / Firmware / Embedded Systems
Service: Certification, IRCA training, Evaluation, Testing
Outcome: Certificate and Mark
Possible BCM coverage
Business Continuity Management may cover:
• Emergency Management
• IT Disaster Recovery
• Facilities Management
• Human Resources
• Security
• Crisis Communications & PR
• Knowledge Management
• Supply Chain Management
• Quality Management
• Health & Safety
• Risk Management
• Environmental Management
Reference: BS 25999-1
BS 25999-1 and BS 25999-2
• BS 25999-1:2006, Business Continuity Management – Part 1: Code of Practice
• BS 25999-2:2007, Business continuity management – Part 2: Specification
BS 25999-1:2006, Code of Practice
Contents
1. Scope and applicability
2. Terms and definitions
3. Overview of business continuity management (BCM)
4. The business continuity management policy
5. BCM programme management
6. Understanding the organization
7. Determining business continuity strategy
8. Developing and implementing a BCM response
9. Exercising, maintaining and reviewing BCM arrangements
10. Embedding BCM in the organization’s culture
BS 25999-2:2007, Specification
Contents
1. Scope
2. Terms and definitions
3. Planning the business continuity management system
3.1 General
3.2 Establishing and managing the BCMS
3.3 Embedding BCM in the organization’s culture
3.4 BCMS documentation and records
4. Implementing and operating the BCMS
4.1 Understanding the organization
4.2 Determining business continuity strategy
4.3 Developing and implementing a BCM response
4.4 Exercising, maintaining and reviewing BCM arrangements
5. Monitoring and reviewing the BCMS
5.1 Internal audit
5.2 Management review of the BCMS
6. Maintaining and improving the BCMS
6.1 Preventive and corrective actions
6.2 Continual improvement
BS 25999-1 vs. BS 25999-2
• BS 25999-1:2006, Business Continuity Management – Part 1: Code of Practice
– Contains a comprehensive description of the details and the minimum information needed to implement a BCMS
– Guidance document; it serves as the basis for understanding the requirements contained in BS 25999-2
• BS 25999-2:2007, Business continuity management – Part 2: Specification
– Auditable standard; it identifies the requirements of a BCMS
• PDCA cycle applied to BCMS processes
• The business continuity management lifecycle
• Documentation requirements
– The processes required for business continuity management have been identified
• Business impact analysis, risk management, BCM strategy, BCM response
BS 25999-2 specifies “what the requirements for BCMS certification are”.
BS 25999-1 describes the methodologies for “how to implement and fulfil the BCMS requirements”.
Applicable scope for BCMS
Functions (diagram): Sales / Mkt., Production, HR, R&D, Management, IT, Finance
Process: Customer service, Operation, Office administrative, Supply chain management, Channel management, …
3rd parties: Supplier (e.g. raw material), Service provider (e.g. telecom, power, maintenance), Business partners
Interested parties: Shareholder, Customers, Government
Scope A / Scope B (two example scope boundaries drawn on the diagram)
BCMS applicable to all organizations (or parts thereof), regardless of type, size and nature of business.
Process for identifying the BCMS scope
1. Identify the requirements
2. Identify key product and service
3. Identify the supporting activities
4. Identify the objectives
5. Business continuity programme
6. Business impact analysis (BIA) and risk assessment (RA)
What is “business continuity”?
• Strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level
BS 25999-2:2007, 2.3
It is the capability of the organization to effectively respond to incidents and business disruptions.
What is going to happen in the future…?
December 30, 2008 IRCA (AXXXXX) BCMS Auditor Conversion Training Course, v2r018
Developing and implementing a BCM response
• Purpose – To enable the organization to develop and implement appropriate BCM plans and arrangements to manage any incident and continue its critical activities.
BS 25999-2:2007, 4.3
Incident, Business continuity and Recovery
Timeline (BS 25999-1:2006, Figure 2):
Incident!! (time zero) → Incident response → Business continuity → Recovery / resumption – back-to-normal
Overall recovery objective: “Back-to-normal” as quickly as possible
Within minutes to hours: staff and visitors accounted for; casualties dealt with; damage containment / limitation; damage assessment; invocation of BCP
Within minutes to days: contact staff, customers, suppliers, etc.; recovery of critical business process; rebuild lost work-in-progress
Within weeks to months: damage repair / replacement; relocation to permanent place of work; recovery of costs from insurers
How can I manage an incident and recover?
Business recovery plans (BRP)
Incident management plans (IMP)
Business continuity plans (BCP)
Business continuity plans (BCPs) and incident management plans (IMPs)
• The organization shall have documented plans that detail how the organization will manage an incident and how it will recover or maintain its activities to a predetermined level in the event of a disruption.
BS 25999-2:2007, 4.3.3
Incident response structure
• The organization shall nominate incident response personnel with the necessary responsibility, authority and competence to manage an incident.
• The incident response structure shall provide for personnel to:
– Confirm the nature and extent of an incident;
– Trigger an appropriate business continuity response;
– Have plans, processes and procedures for the activation, operation, coordination and communication of the incident response;
– Have resources available to support the plans, processes and procedures to manage an incident; and
– Communicate with stakeholders.
BS 25999-2:2007, 4.3.1
BS 25999-2:2007, 4.3.2
Example: model of incident response
Level    Action        Roles
Gold     Strategic     Senior (Incident) management
Silver   Tactical      Business continuity team
Bronze   Operational   Incident response & business unit resumption teams
Diagram arrows between the levels: Escalation, Control
Business recovery plans (BRP)
• Organizations may develop specific plans to recover or resume operations back to a “normal” state (recovery plans).
• However, in some incidents it might not be possible to define what “normal” looks like until some time after the incident, so that it might not be possible to implement recovery plans immediately.
• Organizations might therefore wish to ensure that business continuity plans are capable of extended operation, giving time for the development of recovery (“back-to-normal”) plans.
BS 25999-1:2006, 8.2.5
BCP and IMP
• Each plan shall:
a) Have a defined purpose and scope;
b) Be accessible to and understood by those who will use them;
c) Be owned by named person(s) who is responsible for their review, update and approval; and
d) Be aligned with relevant contingency arrangements external to the organization.
BS 25999-2:2007, 4.3.3
BCP and IMP
• The plans shall collectively contain:
a) Identified lines of communication;
b) Key tasks and reference information;
c) Defined roles and responsibilities for people and teams having authority during and following an incident;
d) Guidelines and criteria regarding which individuals have the authority to invoke each plan and under what circumstances;
e) A method by which each plan is invoked;
f) Meeting locations with alternatives, and up-to-date contact and mobilization details for any relevant agencies, organizations and resources that might be required to support the response;
g) A process for standing down once the incident is over;
BS 25999-2:2007, 4.3.3
BCP and IMP
• The plans shall collectively contain: (continued)
h) A reference to the essential contact details for all key stakeholders;
i) Details to manage the immediate consequences of a business disruption, giving due regard to:
1) The welfare of individuals;
2) Strategic and operational options for responding to the disruption; and
3) Prevention of further loss or unavailability of critical activities;
j) Details for managing an incident, including:
1) Provision for managing issues during an incident; and
2) Processes to enable continuity and recovery of critical activities;
k) Details on how and under what circumstances the organization will communicate with employees and their relatives, key stakeholders and emergency contacts;
BS 25999-2:2007, 4.3.3
BCP and IMP
• The plans shall collectively contain: (continued)
l) Details on the organization’s media response following an incident, including:
1) The incident communications strategy;
2) Preferred interface with the media;
3) Guideline or template for drafting a statement for the media; and
4) Appropriate spokespeople;
m) A method for recording key information about the incident, actions taken and decisions made;
n) Details of actions and tasks that need to be performed;
o) Details of the resources required for business continuity and business recovery at different points in time; and
p) Prioritized objectives in terms of the critical activities to be recovered, the timescales in which they are to be recovered and the recovery levels needed for each critical activity.
BS 25999-2:2007, 4.3.3
What “resources” are required when I implement BCM?
• People
• Premises
• Technology
• Information
• Supplies
• Stakeholders
• Local responders
• Top management
The BCM lifecycle
Centre of the lifecycle: BCM programme management
Surrounding stages:
• Understanding the organization
• Determining BCM strategy
• Developing and implementing BCM response
• Exercising, maintaining and reviewing
PDCA cycle and BCM lifecycle
Input: Interested parties → Business continuity requirements and expectations
Plan – 3. Planning the BCMS
Do – 4. Implementing and operating the BCMS
Check – 5. Monitoring and reviewing the BCMS
Act – 6. Maintaining and improving the BCMS
Output: Managed business continuity → Interested parties
Continual improvement of the business continuity management system
BCM lifecycle (centre: BCM programme management): Understanding the organization; Determining BCM strategy; Developing and implementing BCM response; Exercising, maintaining and reviewing
The PDCA cycle applies to all parts of the BCM lifecycle.
The BCM lifecycle represents the continuous operation of the business continuity programme within the organization.
The PDCA cycle is the means of ensuring that business continuity is effectively managed and improved.
Bangkok Software Summit 2010
Introduction to Data Privacy Concept
Definitions to know…
7 Common Issues related to Data Privacy
Standard related to Data Protection and Privacy
• ISO 9564-3:2003 – Banking – Personal Identification Number management and security – Part 3: Requirements for offline PIN handling in ATM and POS systems
• ISO/IEC 18013-3:2009 – Information technology – Personal identification – ISO-compliant driving licence – Part 3: Access control, authentication and integrity validation
• ISO 22857:2004 – Health informatics – Guidelines on data protection to facilitate trans-border flows of personal health information
• Financial services – Privacy impact assessment
Customer reference of ISMS/ITSMS
• Asia Pacific
– India: Elico Limited, Mahindra-British Telecom Ltd., Porritts and Spencers (ASIA) Ltd., Onward Technologies Limited (Manufacturing Software Solutions Division, Pune), Tata Consultancy Services Ltd., …
– Taiwan: Industrial Technology Research Institute, PICK International Asset Management Co., Ltd., Science and Technology Policy Research and Information Center (NARL), Government Network Service Department, Data Communication Business Group, Chunghwa Telecom Co., Ltd., …
– Thailand: ISMS (ISO 27001): Software Park, CAT Telecom, Metropolitan Electricity Authority, …; ITSMS (ISO 20000): Stock Exchange of Thailand, Gosoft, …
– Vietnam: FPT Software, FPT Information System
– Indonesia: YKK
Categories: Consultancy, Manufacture, IT, Government agencies, Research institute, Telecom, IDC, NOC, SOC
• European Union
– UK: Mahindra-British Telecom Ltd., …
– Germany: T-Online International AG, SAP AG, …
– Czech Republic: EUROTEL spol. s r. o., BDO IT a.s., Home Credit International a.s., Elico Limited
Categories: International / National companies, Telecom, Software, …
Q&A
Thanks for your participation.
We are delighted to discuss any question with you.
Welcome to our booth …
Who we are…
Thailand – IT Business Dept.
謝謝 / Thank you / 谢谢
Bitte
ありがとうございました
Merci
Gracias
Grazie
Bedankt
благодаря
धन्यवाद