Testing, Auditing, Training, and Maintaining
Your Business Continuity and Disaster Recovery Planning
[Diagram: Business Continuity and Disaster Recovery Framework: Business Impact Analysis, Risk Assessment, Strategy, Plan, Audit, Testing, Procedures, Training, Maintenance. This section: Testing]
2 of 37 Testing, Auditing, Training, and Maintaining Your Business Continuity and Disaster Recovery Planning
Testing Frequency
DRP testing must be carried out at a set interval (at least once a year, or whenever a significant change occurs).
[Chart: Frequency of testing BCP by industry group]
Testing Strategy
Testing is needed to arrive at a combined strategy from the following elements:
Trial: make sure that all components (resources) can produce the expected results and that the procedures used are efficient ones.
Types of Testing
• Orientation/walk-through
• Tabletop/mini-drill
• Functional testing
• Full-scale exercise
Orientation/Walk-Through
Main objective: make sure that the key personnel of every unit are well acquainted with the BCP and DRP.
Characteristics:
• For individuals and teams
• Interactive discussion
• Small groups
• Emphasises knowledge over skills
• Focus: "team building"
• Concentrates on the planning elements
• No mobilisation of critical resources
Tabletop/Mini-Drill
• Trials under a variety of conditions
• Focus on demonstrating specific functional response capabilities
• Mobilisation of some members of the Recovery Team
• A sound control system
• Tasks carried out by simulation
• Hands-on practice
• Performance evaluation and validation of capabilities
Functional Testing
Characteristics:
• Demonstration of capabilities
• Response at an alternate location (actual or simulated)
• Trying a variety of conditions, forms of notification and resource mobilisation
• Mobilisation of personnel and resources to several different locations
• Controllers, evaluators and observers are present
• Evaluation of individual and team performance
Full-Scale Exercise
• A control system is in place
• Demonstration of the knowledge and skills possessed
• Thorough
• Involves all elements
• Field coordination and "rules of play" are required
• Evaluation of the performance of the company as a whole
• Mobilisation of all elements of the Recovery Team
Test and Exercise Evaluation
[Diagram: Business Continuity and Disaster Recovery Framework: Business Impact Analysis, Risk Assessment, Strategy, Plan, Audit, Testing, Procedures, Training, Maintenance. This section: Audit]
Auditing Disaster Management Standards
• ISO 27001
• COBIT
• NFPA 1600
• Internal Framework
Case: Sharing Vision™ DRP/DRC Internal Audit
Standard 1 – ISO 27001
[Diagram: ISO 27001 domains mapped against the DRP policy standard]
ISO 27001 domains:
• Security Policy
• Organization of Information Security
• Asset Management
• Human Resources Security
• Physical & Environmental Security
• Communications & Operations Management
• Access Control
• Information Systems Acquisition, Development & Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance
Standard 1 – ISO 27001
Business Continuity Management
1. Establish the continuity management process
4. Develop the company's Business Continuity Plan
Standard 2 – National Fire Protection Association (NFPA) 1600 (USA)
Standard 3 – CoBIT
Standard 3 – CoBIT
Disaster Management
DS1 define and manage service levels
DS2 manage third-party services
DS3 manage performance and capacity
DS4 ensure continuous service
DS5 ensure systems security
DS6 identify and allocate costs
DS7 educate and train users
DS8 assist and advise customers
DS9 manage the configuration
DS10 manage problems and incidents
DS11 manage data
DS12 manage facilities
DS13 manage operations
IT continuity control objectives:
1. IT Continuity Framework
2. IT Continuity Plan Strategy and Philosophy
3. IT Continuity Plan Contents
4. Minimising IT Continuity Requirements
5. Maintaining the IT Continuity Plan
6. Testing the IT Continuity Plan
7. IT Continuity Plan Training
8. IT Continuity Plan Distribution
9. User Department Alternative Processing Back-up Procedures
10. Critical IT Resources
11. Back-up Site and Hardware
12. Off-site Back-up Storage
13. Wrap-up Procedures
*CoBIT: Control Objectives for Information and related Technology
Internal Framework (Sharing Vision™)
• Process: DRP completeness, organisation, testing
• People: awareness
• Technology: site assessment, security, scalability
Audit / Review Steps
• DRP/BCP framework completeness
• Assessment: document assessment, field assessment, interview
• Benchmark against best practice
• Gap analysis
• Reporting and recommendation
[Process strip: Assessment | Benchmark Best Practice | Gap Analysis]
Assessment: Risk
Assessment: BIA
Assessment: Strategy (1)
• Backup media
• Backup method
• Backup period
• Backup storage
• Backup testing
• Person responsible for backups
• Alternate site / recovery site
• Alternative telecommunications system
• Alternative energy source for the company
Assessment: Strategy (2)
Assessment: Procedures (1)
Organisational structure:
• Does the company have a dedicated organisational structure for handling disasters, with clear job descriptions and lines of responsibility?
• Has each team member been appointed appropriately according to their capabilities?
• Does each team member understand their duties and responsibilities (when no disaster is occurring, during a disaster and after a disaster)?
Assessment: Procedures (2)
Procedures:
• Does the company have pre-disaster, during-disaster and post-disaster procedures?
Assessment: Testing
• Has the company ever tested the DRP?
• Has testing been carried out for every part of the DRP?
• Is testing carried out regularly?
• Has the company ever run a test that simulates a real disaster?
• Does testing involve the whole recovery team and all parts of the company?
• Did the testing go as planned?
• Does the company have a long-term DRP testing plan?
Assessment: Test Evaluation
• Did the testing achieve the objectives that were set?
• Is there an evaluation of the results of the testing that was carried out?
• When testing reveals things that do not match the company's actual conditions, will this affect the DRP?
Gap Analysis
[Diagram: gap analysis (current vs. target) against management's target goal]
Reporting and Recommendation
[Diagram: Business Continuity and Disaster Recovery Framework: Business Impact Analysis, Risk Assessment, Strategy, Plan, Audit, Testing, Procedures, Training, Maintenance. This section: Training]
Training
Initial Training:
• Identify capabilities and experience
• Identify needs
Training design: training participants, training method, timing, observers
Refresher Training:
• Held regularly
• Rotation so that everyone gains the same experience
• Assessment of training results
• If major changes are made to the DRP, additional training is better held promptly rather than waiting for the next regular session
[Diagram: Business Continuity and Disaster Recovery Framework: Business Impact Analysis, Risk Assessment, Strategy, Plan, Audit, Testing, Procedures, Training, Maintenance. This section: Maintenance]
Maintain The Business Continuity Plan
Factors Driving Changes to the BCP
• Technology changes
• Organisational structure changes
• Recovery requirement changes
• Personnel changes
• Problems found in testing
Maintenance Frequency
Scheduled. Examples:
• Recovery procedures are updated at least once a year
• Telephone lists and inventories are updated every quarter
Unscheduled. Examples:
Major changes to the company, business operations, processes, functions, hardware configuration, network, etc.
Closing
Merci bien
Arigatoo
Matur Nuwun
Hatur Nuhun
Matur se Kelangkong
Syukron
Kheili Mamnun
Danke
Terima Kasih