A Decision Model for IT Risk Management on Disaster Recovery

0 downloads 0 Views 143KB Size Report
will focus on one aspect of risk in the Disaster Recovery Center (DRC) since the risk is ... Business Continuity; IT Risk Management; Disaster Recovery Center; ...
Available online at www.sciencedirect.com

ScienceDirect Procedia Technology 11 (2013) 1142 – 1146

The 4th International Conference on Electrical Engineering and Informatics (ICEEI 2013)

A Decision Model for IT Risk Management on Disaster Recovery Center in an Enterprise Architecture Model Jaka Sembiring*, Mohammad Ikhsandana H. Siregar School of Electrical Engineering and Informatics, Institut Teknologi Bandung, Jl. Ganesha 10, Bandung 40132, Indonesia

Abstract This paper describes some factors which influence risk as a variable in Enterprise Architecture (EA) methodology. This reasearch will focus on one aspect of risk in the Disaster Recovery Center (DRC) since the risk is related to the information assets which is easily understood in DRC. The main purpose of this paper is to show the possibility of designing a decision suppport in case of risk. The decision support is given in a mathematical equation. Decision support given in this paper can be implemented in organization to determine the appropriate Tier for their DRC by considering risk.

© 2013 The Authors. Authors. Published Publishedby byElsevier ElsevierB.V. Ltd. Open access under CC BY-NC-ND license. Selection and ofof Information Science & Technology, Universiti Kebangsaan Selection and peer-review peer-reviewunder underresponsibility responsibilityofofthe theFaculty Faculty Information Science & Technology, Universiti Kebangsaan Malaysia Malaysia. Keywords: Enterprise Architecture; Business Continuity; IT Risk Management; Disaster Recovery Center; Decision Support

1. Introduction This paper is derived from the previous research in [1] where Enterprise Architecture (EA) methodology considers four components of architecture i.e. Information Architecture, IT Organization Architecture, IT Architecture, and IT Business Process Architecture. These components consist of several elements, and each element includes several variables. The IT risk management is one of the variable inside Business Continuity element which is belongs to IT Architecture component. The IT risk management becomes important factor for an organization to assure their businesss continuity. One can find several IT risk planning schemes such as National Institute of Standards and Technology (NIST) and ISO

* Corresponding author. Tel.: +62—22-2502260; fax: +62-22-2534222. E-mail address: [email protected]

2212-0173 © 2013 The Authors. Published by Elsevier Ltd. Open access under CC BY-NC-ND license. Selection and peer-review under responsibility of the Faculty of Information Science & Technology, Universiti Kebangsaan Malaysia. doi:10.1016/j.protcy.2013.12.306

Jaka Sembiring and Mohammad Ikhsandana H. Siregar / Procedia Technology 11 (2013) 1142 – 1146

1143

standard. But from the holistic EA point of view, an organization needs generic guideline for implementing risk management in information technology. This paper describes some factors which influence risk as a variable in EA methodology. This reasearch will focus on one aspect of risk in the Disaster Recovery Center (DRC) since the risk is related to the information assets which is easily understood in DRC. The main purpose of this paper is to show the possibility of designing decision suppport in case of risk. Disaster recovery is a planned process to restore system, data and also infrastructure which is needed to support main business operation. DRC is a second location from which back up available to the main data center in case the main center is facing a serious threat. DRC would be able to restore data for the organization so that the business process of the organization is not disturbed [2]. DRC is a back up data center which is integrated in order to anticipate possible occurance of disaster [3]. For the purpose of modelling in this paper the DRC consist of four Tiers i.e.: Offsite, Cold Site, Warm Site, and Hot Site, as described in [2,3]. In this research we employ the sequential transformative strategy or Sequential Transformative Design (STD) as described in [4]. This paper uses IT-BSC and Strategy Map as a qualitative tools, and information theory as a quantitative tools. The IT-BSC has four perspective areas which are slightly different from original BSC. The four perspective areas of IT-BSC are customer orientation, corporate contribution, operational excellence, and future orientation. Each perspective area is equiped with (i) several objectives which influences IT requirements at certain organization, (ii) several measurements, (iii) several organization targets, and (iv) several initiatives [5]. IT-BSC is used as a tool to extract subject and data from literatures to form objectives and measurements. Furthermore the ITBSC is also used as a tool to ensure the objectivity of every objectives obtained. Apart from IT-BSC, in qualitative stage we also use strategy map to determine whether a subject from one perspective area is related to the subject in other perspective area [6]. The objectives and measurements become the input variable at quantitative stage. In the quantitative stage, this paper utilizes several aspects of information theory such as (i) information can be quantified, can be calculated an operated systematically, (ii) information contain uncertainty and inversely proportional to uncertainty, and (iii) information theory can be used as a mathematical model of a random pattern [7,8]. 2. Analysis, Design and Simulation 2.1. Analysis Stage At this stage we obtain the objectives and measurement variable of the risk management at the DRC through four analysis steps i.e. (i) mapping of each perspective area with seven information criteria, (ii) prioritization using information criteria, (iii) strategy map and (iv) objectives identification using ITBSC. In the first step we are using ITBSC and COBIT information criterias as a mapping tools. In the second step, the result of the mapping in the first step will generate a sequence of the perspective area based on the number of appearance of information criteria. In this stage we employ ITIL ver. 3 as a reference for requirement [9]. We find the order of the sequence based of the number of appearance as follows: (i) Customer Orientation, (ii) Corporate Contribution, (iii) Operational Excellence, and (iv) Future Orientation. In the third analysis step we create a strategy map based on the sequence order of the perspective area from the second stage before. Using delienation on the strategy map, one can find three types of subjects, i.e. global risk management goals, regulation and IT standardization goals, and DRC objectives. The later objectives will be the focus in this research as given in Fig. 1.

1144

Jaka Sembiring and Mohammad Ikhsandana H. Siregar / Procedia Technology 11 (2013) 1142 – 1146

Fig. 1. DRC objectives obtained after delienation on the Strategy Map.

The final analysis step is to identify the objectives and measurements of each subjects. We use [3,10,11] as a reference, and we obtain 17 measurements for DRC development process that can be identified, see Table 1 in the first column. These objective and measurement will be the input for the next design stage. 2.2. Design Stage The design stage consists of four steps. In the first step, as in [13] we obtain the primary and secondary indicators using objective and measurement parameters from analysis stage before, see Table 1 column 5 and 6. This primary and secondary indicators become the input for the second step. In the second step, we create a dependency table for decision of DRC in each perspective area, see Table 1 column 2, 3 and 4 using investment dependency method in [13]. In this step, we can find the level of dependency of each perspective area. Table 1. Measurements dependency level at each IT-BSC perspective area. Perspective area and measurements Future Orientation 1. Level of the disaster possibility 2. Disaster frequency Operational Excellence 1. Velocity level 1. Measurements level 2. Complexity level 3. Distance level 4. Budget 5. Quality level 6. Control level 7. Security level 8. Regulation fulfilling level Corporate contribution 1. Critical assessment level 2. Budget Customer Orientation 1. Time 2. Data 3. Recovery performance assessment

Dependency level High (3)

Medium (2)

Low (1)

Primary Indicator

¥ ¥

¥ ¥

¥ ¥ ¥ ¥ ¥

Secondary Indicator

¥ ¥ ¥ ¥ ¥

¥ ¥ ¥

¥ ¥ ¥

¥

¥

¥

¥

¥

¥

¥

¥ ¥ ¥

¥ ¥

1145

Jaka Sembiring and Mohammad Ikhsandana H. Siregar / Procedia Technology 11 (2013) 1142 – 1146

In the third step using maturity model of COBIT on the awareness and communication attributes [12], we propose a basic formula for decision as in Eq. (1), ‫ = )ݔ(ܪ‬െ ݈‫ ݃݋‬10ି௫Τହ

(1)

where H(x) is generic factor value, x is awarenes maturity factor, and 5 refer to the five level of maturity of COBIT. H(x) can be seen an uncertainty in each organization since each organization has different maturity level. For the purpose described in this paper, the function H(x) need to be adjusted into weighting function using several assumption to obtained a more general form. Some assumptions to be considered in deriving the general formula are as follows: a) f(H(x)) is a linear function correspond to the dependency level in each perspective area, b) value of function f(H(x)) is a dependency level for each IT-BSC perspective area which is correspond to the actual condition of certain organization with value between 0 to 3, and c) optimization can be obtained through first derivative of the function f(H(x)). Following the assumption above the function f(H(x)) for each perspective area becomes ݂(‫= ))ݔ(ܪ‬

೙ σ೘ ೔సభ ௉೔ ାு(௫) σ೔సభ ௌ೔

(2)

௠ା௡

Optimization function can be obtained as ݂Ԣ(‫= ))ݔ(ܪ‬

σ೙ ೔సభ ௌ೔

(3)

௠ା௡

Finally in the fourth steps by combining Equation (2) and dependency level, one can be obtained a certain value for each perspective area as in Table 2. We use the formula based on the level of awareness in each perspective area. The constant value is obtained from the occurance of primary and secondary indicator in Table 1. Then we can find the dependency level in each perspective area as in Table 2. If an organization does not have an awareness then the dependency will be low and vice versa. Table 3 will help an organization to decide which tier of DRC should be develop based on risk factors that have been considered within organization. Table 2. Summary of DRC Tier perspective area dependency level.

Perspective Area Dependency Level Tier Level Future Orientation

Operational Excellence

Corporate contribution

Customer Orientation

Tier 1

Low

Low

Medium

Low

Tier 2

Low

Medium / Low

Medium

Low / Medium

Tier 3

Low

Medium

Medium

Medium

Tier 4

Low

Medium

High

Medium

1146

Jaka Sembiring and Mohammad Ikhsandana H. Siregar / Procedia Technology 11 (2013) 1142 – 1146

2.3. Simulation This simulation is conducted to verify the variation of the possibility values for the function that has been obtained. This simulation is performed by testing critical values as the input to the function in order to get the variety of results that can be observed. The following table gives the results of the performed simulation process. Table 3. Simulation results



Critical Value

H(x)

f(H(x))



෍ ࡼ࢏

෍ ࡿ࢏

࢏ୀ૚

࢏ୀ૚

Future Orientation

Operational Excellence

Corporate Contribution

Customer Orientation

DRC Tier

Minimum

0

Minimum

Minimum

Low

Low

Low

Low

Unable to Implement DRC

Maximum

1

Maximum

Maximum

Low

High

High

High

4

0.4

Median

Median

Low

Medium

Medium

Medium

3

Median

3. Conclusions We have derived a mathematical function as a generic factor for IT risks management in the context of EA modelling. The mathematical function for each perspective area in an EA modelling is obtained by combining the information theory with the input of all related factor after considering all the variables related to the risk. Decision support derived from mathematical equation can be implemented in organization to decide the appropriate Tier for their DRC by considering risk.

References [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]

Sembiring J., Nuryatno E. T., Gondokaryono Y. Satria. Analyzing the indicators and requirements in main components of Enterprise Architecture methodology development Using Grounded Theory in qualitative methods. Journal Econometrics: Econometric & Statistical Methods – Special Topics e-Journal, Issue 48, Vol. IV, 2011. TCC-Technology, Disaster Recovery Center (DRC) Services, Bangkok, 2008. Snedaker, S., Business Continuity & Disaster Recovery For IT Professionals, Elsevier, Inc., Massachusetts, 2007. Cresswell, J., Research Design: Qualitative, Quantitative, and Mixed Methods Approaches, Sage Publications, Inc., California, 2008. Keyes, J., IT Balanced Scorecard, AurbachPublications, Inc., Florida, 2005. Kaplan, R., David Norton, Having Trouble with Your Strategy? Then Map It!, Harvard Business Review: September-October, 2000. Schneider, T., Information Theory Primer, 2010. Shannon, C., A Mathematical Theory of Communication, The Bell System Technical Journal, 1948. Iqbal, M., Nieves, M., ITIL: Service Strategy, The Stationery Office, London, 2007. Bowman, R., Business Continuity Planning for Data Centers and Systems, John Wiley & Sons, Inc., New Jersey, 2008. Jordan, E., Silcock, L., Beating IT Risks, John Wiley & Sons, Inc., West Sussex, 2005. IT-Governance Institute, COBIT ver. 4.1., IT Governance Institute, Illinois, 2007. Ward, J., Peppard, J., Strategic Planning for Information Systems, John Wiley & Sons, Inc., New York, 2002.