Business Continuity and Disaster Recovery Planning at UNDP, UN OIM and UN Women

13 January, 2020

Photo: ICC/Kudva

Prepared, not Scared

The United Nations Development Programme (UNDP), the United Nations Office of Investment Management (or OIM – formerly, the Investment Management Division or IMD) and UN Women are all subscribers to UNICC’s new Business Continuity and Disaster Recovery Planning (BC-DR) service. This new service supplements many areas of their business, ranging from UNICC advisory (continuity planning), infrastructure, platform and cloud management to information security.

UN Women has UNICC perform annual Disaster Recovery planning reviews, complemented with training, surveys, and testing exercises. UNICC is working with OIM to enhance its Business Continuity, Disaster Recovery, and Information Security posture. UNICC is also helping OIM obtain two certifications: one for ISO/IEC 27001 (information security management) and one for ISO/IEC 22301 (business continuity management). UNDP is a newcomer to this service.

UNDP resiliency support

UNDP now subscribes to UNICC’s BC-DR Planning service, while UN Women has been benefiting from the service over the past year. However, each service has its own requirements. UNDP relies on its service availability and continuity agreements (SCA) to measure its service failover capabilities.

The BC/DR Planning service from UNICC provides solid support to our Service Continuity and Availability process and helps UNDP to comply with a number of ISO 20000 certification requirements. We are highly satisfied with how evaluation of the continuity and recovery provisions for each of our mission-critical services is planned and performed by UNICC.

Alexey Kuzmenko, Cybersecurity Specialist, UNDP

UN Office of Investment Management: a resiliency and security seminar

The United Nations Office of Investment Management is responsible for managing the investments for the United Nations Joint Staff Pension Fund, a fund established by the General Assembly of the United Nations to provide retirement, death, disability and related benefits for the staff of the United Nations and the other organizations admitted to membership in the Fund. OIM is also a subscriber to Infrastructure and Platform services at UNICC, for which Business Continuity and Disaster Recovery Planning is a natural add-on.

Lyle McFadyen presenting on Business Continuity Planning for OIM. Photo: UNICC/Kudva

On 12 November 2019, UNICC was invited to present at an all-day Crisis Management Team retreat focusing on OIM’s organizational resiliency and security. Organized by Qing (Ray) Zheng and Suyog Sanklecha of OIM and attended by OIM’s Crisis Management Team, the agenda focused on ongoing Business Continuity and Disaster Recovery planning for OIM. UNICC’s Anish Sethi, Chief, Clients and Projects, joined the group to watch Lyle McFadyen, Senior Solutions Architect, and Nitesh Kudva, Information Security Specialist, present on the importance of OIM’s Business Continuity Planning and Information Security Management.

UNICC provides added value with their expertise in planning, building, training, and testing our information security, and our business continuity planning efforts. These services ensure that we identify any continuity, resiliency, or security gaps in our business-critical systems and mitigate them appropriately.

Rajiv Prabhakar, Head of Information Systems, UN OIM

Nitesh Kudva discussing information security as a key part of organisational resilience. Information security’s triad. Photo: UNICC/McFadyen

The day began with an overview of Information Security awareness from Nitesh Kudva. Information security threats can create business continuity breaches, which affect the reputation and value of any company or organization. Therefore, it is imperative that managers have the means to ensure the security of their systems, and continuity of operations in the event of a disaster or an emergency.

As a part of the Information Security Management System approach in Information Security services from UNICC, Nitesh Kudva presented potential threats to OIM’s information security posture. He explained how OIM’s information security department and UNICC are working to protect the organization by securing the confidentiality, availability, accuracy, and integrity of its information.

Nitesh intrigued the audience by spoofing the meeting room’s Wi-Fi, to show how simple it was to hack wireless devices in a public place. Furthermore, to better demonstrate that any organization is susceptible to cyber-attacks, he presented results and statistics from a recently performed “phishing” exercise. The results showed that any organization can have security breaches and that training and vigilance are a non-stop effort. Nitesh emphasized the value of providing ongoing training and resources to OIM staff so that everyone realizes their role in protecting OIM’s information.

A representative data governance model. / The four phases of emergency management. Photo courtesy of County of Fairfax, VA

Lyle McFadyen later presented on Business Continuity planning. His goal was to help the Crisis Management Team members recognise their roles in the event of a disaster and respond effectively. He encouraged the OIM Crisis Management Team to understand how much more frequent incidents have become, and to recognize how effective it is to have a prepared plan in place and tested. The BC-DR plan includes resources responsible for activating the plan as well as where teams should relocate to in case of a disaster. The recommendations provided were part of the ongoing process of plan improvement, so that the plans evolve with the priorities of the business.

As an annual exercise, next year Nitesh and Lyle are updating OIM’s continuity plans and will report on risks and business impact to the organisation, provide additional testing, and create training exercises for OIM. All these efforts will be to help OIM participants better recognise situations and respond effectively.

UN Women: resiliency to support organisational mandates

UN Women is the United Nations entity dedicated to gender equality and the empowerment of women. A global champion for women and girls, UN Women was established to accelerate progress on meeting their needs worldwide. It is an innovative Agency that is moving quickly to the cloud, and to other disruptive technologies, to optimise business across its offices.

With UNICC services such as Information Security, Azure and Application Support, AWS Managed Services and ServiceNow support, BC-DR was a no-brainer to ensure that enterprise platforms are well-protected.

Often disaster recovery and business continuity are forgotten because we are too busy meeting our organisational mandates. This service provides the UN with a needed skill set that many organisations do not have.

Soren Thomassen, Chief of Information Systems and Technology

On 5 December, UNICC performed an annual disaster recovery exercise at UN Women. Soren Thomassen, Chief of Information Systems and Technology; Sachiko Hasumi, Corporate Information Security and Compliance Manager; Ali Jafry, Manager, Platform and Service; Ismail Sabir, Manager, Information Communications Technology; and Subhash Vinjamuri, Microsoft Azure Consultant, joined the exercise facilitated by UNICC.

UN Women Disaster Recovery exercise. Photo: UNICC/McFadyen

The tabletop exercise presented a challenging scenario to the participants. While it established that their DR plan is properly constructed and that it operationally meets an organisation’s requirements, the exercise also helped the team identify areas of improvement to their plans – to account for any unexpected issues or gaps and to continuously improve their response. It also highlighted the need to work together, communicate with the crisis management team, and make effective decisions in a short time. With sound BC-DR planning in place, and training to know how to act during a crisis, Soren and his team are well prepared to meet most failures or disasters that might threaten UN Women’s enterprise infrastructure, applications or data.