CRITICAL INFRASTRUCTURE PROTECTION BUILDING ORGANIZATIONAL RESILIENCE

Size: px
Start display at page:

Download "CRITICAL INFRASTRUCTURE PROTECTION BUILDING ORGANIZATIONAL RESILIENCE"

Transcription

1 1 CRITICAL INFRASTRUCTURE PROTECTION BUILDING ORGANIZATIONAL RESILIENCE Gavin McLintock P.Eng. CISSP PCIP

2 2 METCALFE POWER STATION 16 April 2013 Sophisticated physical attack 27 Days outage $15.4 million

3 3 MAROOCHY WATER DISTRICT 2000 Malicious insider hack attack 800,000 litres of raw sewage spilled > $1million

4 4 NEW ORLEANS 29 August 2005 Hurricane 1464 dead Major, continuing economic & social losses >$150 Billion est. cost

5 5 NORTHEASTERN NORTH AMERICA 14 August 2003 Power blackout cascading failure 2 days 11 deaths > 50 million people affected $6 Billion est. cost

6 6 FUKUSHIMA 11 March 2011 Earthquake & Tsunami 2 nd worst radiation release >300,000 evacuated

7 7

8 8

9 9

10 10 CRITICAL INFRASTRUCTURE PROTECTION The art & science of preparing an organization to be resilient in the face of catastrophe

11 11 Interdependencies , Critical Infrastructure Institute

12 12 Interdependencies

13 13 All Hazards

14 All Hazards THREAT SPECTRUM Tends Towards Criminal Threats Tends Towards Asymmetric Threats Hazards Tends Towards Military Threats

15 15 Resiliency

16 CIP ASSESSMENT PROGRAM Comprehensive evaluation of the current state of the organization s: Critical assets Threat/risk situation Event management and recovery capability Operational resilience

17 CIP ASSESSMENT PROGRAM OBJECTIVE Assist management with an assessment of local CIP and security activities Offer recommendations based on the likelihood of various threat/hazard scenarios

18 CIP ASSESSMENT TEAM

19 PROCESS METHODOLOGY

20 NATURAL GAS ELECTRICITY GENERATING PLANTS Putrajaya Malaysia 625 MW GTAA 112 MW

21 ENERGY FACILITY COMBINED CYCLE GAS TURBINE PLANT To Electricity Grid (Output) Transformer Natural Gas Supply (Input)

22 22 CIP ASSESSMENT METHODOLOGY No impact on normal operations No test or compromise of security systems

23 CIP RISK MANAGEMENT MODEL Measures & Controls to Safeguard Assets Mission Criticality Assessment Threat Assessment Vulnerability Assessment Risk Assessment R I S K M A N A G E M E N T Assets Personnel Materiel/ Objects Facilities & Infrastructure Information Activities I N C I D E N T Plan, Supervise and Review Conditions for Mission Success Consequence Management Incident Response Management Action Management Reaction , Critical Infrastructure Institute

24 DEFINE THE MISSION We aim to be an efficient and dynamic power generation facility that provides a quality product in the areas of safety, customer service, reliability, and shareholder value, while ensuring minimal environmental impact Via MISSION ANALYSIS PROCESS Tasks & Assets needed to accomplish the mission Page: 24

25 ASSESS CRITICALITY Why Criticality It is not possible to protect everything all of the time A CIP program needs to identify, evaluate and prioritize those assets that are most critical to mission success Criticality Assessment Identifies, evaluates and prioritizes those assets that are most critical to achieving mission success Methodologies such as CARVER, Business Impact Assessment (BIA) and Statement of Sensitivity provide a systematic way to determine and rank criticality

26 ASSESS CRITICALITY: CARVER TOOL Asset C A R V E R Total Comments Gas Turbines (x 3) Starting Generator Heat Exchangers (x 3) Steam Turbine Switch Relay Control Bldg Gas Supply Lines Central Control Bldg Used to determine criticality of assets to services/operations Assess each criteria from 1-10, with 10 having most grave consequences

27 ASSESS THREATS AND HAZARDS Threat/Hazard A real or potential condition that has the ability to compromise the availability, integrity or confidentiality of an asset Condition may be Deliberate (Malicious) Environmental (Natural) Accidental

28 Situational Awareness Assessment Full Spectrum Threat Categories Criminal Cyber Natural Accidents Espionage Terrorism Medium Medium Low Low Low Low Fraud Hacking Snow/Ice Storm Str Collapse Industrial Bombing Theft Insert Malware Lightning Strike Fire Commercial Armed Attack Vandalism Denial of Svc Wind Storm Explosion Foreign Intel Intimidation Drug Use Disruption Flood Transportation Disease Sabotage Disturbance Government Subversion Low Negligible Negligible Negligible Negligible Pandemic Food Poisoning Full Spectrum Threat Categories Disgruntled Employee Single Issue Environmental Policy Supremacist Groups Demonstration Work Slow down Economic Policy Anarchists Stress Strike Regulation Environmental Chart shows likelihood of occurrence

29 ASSESS VULNERABILITY Vulnerability The characteristics of an asset s design, location, security posture, process, or operation that render it susceptible to destruction, incapacitation, or exploitation by mechanical failures, natural hazards, or malicious acts Vulnerability Assessment Identify areas of weakness that could result in consequences of concern, taking into account intrinsic structural weaknesses, protective measures, resiliency, and redundancies

30 VULNERABILITY ASSESSMENT - FORMAT FOR OBSERVATIONS Vulnerabilities, Concerns and Positives (Best Practices) from each Functional Specialist Vulnerability An inherent weakness, situation or circumstance that, if left unchanged, may result in loss of life or damage to missionessential resources Concern Noted deviation from best CIP practices that, if not addressed or monitored, could become a vulnerability if impacted by other factors Positive Best practice worth noting Page: 30

31 VULNERABILITIES OBSERVED Situational Awareness Poor top-down communication of potential hazards and threats to employees Lack of enforcement of restrictions on photography Physical Security Failure to enforce access control policy ( tail gating ) Lack of a lock down plan Insufficient security force for higher threat levels Lack of liaison with local law enforcement agencies Engineering Congestion in vehicle inspection area at front gate Lack of a barrier plan Insecure diesel fuel tank for start up generator Inconsistent monitoring of fuel quality

32 VULNERABILITIES OBSERVED Information Technology Security No specific security policy and procedures for SCADA Outdated cyber defences for Enterprise System Inadequate Disaster Recovery Plan for Enterprise System Enterprise System and SCADA passwords and User Identification shared by all production staff OHS and HAZMAT Lack of a pandemic plan Incomplete listing of HAZMAT storage Emergency Response Failure to coordinate security, fire and Emergency Response plans

33 ASSESS RISK Risk Refers to the uncertainty that surrounds future events and outcomes - GoC Integrated Risk Management Framework Attributes of Risk Risk results from a combination of an asset, a threat/hazard, and a vulnerability All three elements must be present If any element is missing, there is no risk RISK VULNERABILITY

34 RISK IMPACT & PROBABILITY TABLE Risk is a factor of Impact and Probability. In this example, impact and probability is measured by assigning numbers. The higher the number, the higher the risk

35 Risk Assessment Consolidated Criticality, Threat, Vulnerability and Risk Table

36 RECOMMEND RISK MANAGEMENT OPTIONS Risk Management The process of selecting and implementing decisions that will minimize the adverse effects of losses due to destruction, disruption or injury, to achieve an acceptable level of risk at an acceptable cost Risk Controls or Safeguards Actions taken to mitigate risks, normally by reducing their probability or impact. They include actions to detect, deny, deter, distract, delay, prevent, protect, respond, destroy, repair, recover and restore

37 RISK MANAGEMENT CONTROLS Engineering Vulnerability: Insecure diesel fuel tank for start up generator Description: Fuel tank has no additional security features other than installation outer security fence. Should fuel tank or fuel supply be tampered with, cold start will not be possible Risk Management Options: Construct back-up fuel tank Construct concrete barrier around tank (s) Install security fence around tank (s) with access controls Install additional lighting Fit locks to filler caps Install intrusion detection system Recommendation: All of the above Page: 37

38 RISK MANAGEMENT CONTROLS Information Technology Security Vulnerability: No specific security policy and procedures for Supervisory Controls and Data Acquisition (SCADA) System in Central Control Building Description: Although there is a Security Policy for IT Enterprise network, there is no specific Security Policy and Procedures on installation SCADA System that provides process control to all systems Risk Management Options: Establish SCADA Security Policy and Procedures Establish Security Awareness and Training plan Recommendation: Develop and implement/disseminate SCADA Security Policy and Procedures Develop and implement SCADA Security awareness and training Page: 38

39 EVALUATE EMERGENCY MANAGEMENT Evaluate plans for Incident Response (Response) Efforts to contain, alleviate or terminate an apprehended incident, to identify and bring to account the threat agents, and to gather information and preserve evidence to that end - PSC Consequence Management (Recovery) Coordination and implementation of measures intended to mitigate the damage, loss, hardship and suffering caused by acts of violence or natural disasters, including measures to restore service, to protect health and safety, and to provide emergency relief - PSC

40 OUT BRIEF - AGENDA Purpose Briefing format Critical Assets Situational Awareness Key observations from Specialists on: Situational Awareness Security Engineering Information Protection Occupational Health/Safety/HAZMAT Emergency Management Sample Threat/Hazard Scenario (s) Summary

41 OUT BRIEF - CIP ASSESSMENT DASHBOARD Installation CIP Readiness CIP Vulnerability Assessment Components Ready Ready w/minor Limitations Ready w/major Limitations Not Ready A. Situational Awareness B. Security C. Engineering D. Information Technology Protection E. Occupational Health & Safety F. HAZMAT Response G. Emergency Management

42 DELIVERABLES CIP Assessment Out-brief Assessment team will offer procedural and/or resource-based solutions Draft Executive Summary and Annexes from functional specialists Final Report (30 Days after Assessment) , Critical Infrastructure Institute

43 43 SUMMARY Every organization has critical infrastructure Understanding your CI and the risks you face increases operational resilience A comprehensive CIP assessment can contribute Sometimes the findings are surprising!

44 44 FURTHER INFORMATION Gavin McLintock McLintock Consulting Peter Johnston President Lansdowne Technologies Inc

Cornell University PREVENTION AND MITIGATION PLAN

Cornell University PREVENTION AND MITIGATION PLAN Cornell University PREVENTION AND MITIGATION PLAN Table of Contents Table of Contents Section 1 Prevention-Mitigation Introduction...2 Section 2 Risk Assessment...2 2.1 Risk Assessment Components...2 2.2

More information

Water Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan Executive Summary

Water Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan Executive Summary Water Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan Executive Summary May 2007 Environmental Protection Agency Executive Summary

More information

Business Continuity Planning Guide

Business Continuity Planning Guide Business Continuity Planning Guide For Small Businesses Prepared by the City of Vaughan Emergency Planning Department 1 Business Continuity Planning Business Continuity Planning (BCP) is a planning process

More information

Lessons Learned from a Basic Vulnerability Assessment and Emergency Response Plan Update Project in Greensboro

Lessons Learned from a Basic Vulnerability Assessment and Emergency Response Plan Update Project in Greensboro Lessons Learned from a Basic Vulnerability Assessment and Emergency Response Plan Update Project in Greensboro Steve Drew, Director, Greensboro Water Resources Department Jack Moyer, Carolinas / Tennessee

More information

Prepared by Rod Davis, ABCP, MCSA November, 2011

Prepared by Rod Davis, ABCP, MCSA November, 2011 Prepared by Rod Davis, ABCP, MCSA November, 2011 Disaster an event, which causes the loss of an essential service, or part of it, for a length of time which imperils mission achievement. (Andrew Hiles,

More information

Cyber Security & State Energy Assurance Plans

Cyber Security & State Energy Assurance Plans Cyber Security & State Energy Assurance Plans Michigan Cyber Summit 2011 Friday, October 7, 2011 Jeffrey R. Pillon, Director of Energy Assurance National Association of State Energy Officials What is Energy

More information

Risk Management Handbook

Risk Management Handbook Risk Management Handbook 1999 Introduction Risk management is the process of selecting and implementing countermeasures to achieve an acceptable level of risk at an acceptable cost. The analytical risk

More information

Security Risk Assessment Tool

Security Risk Assessment Tool Security Risk Assessment Tool Version: (Draft) 24 April 2014 This tool was developed by the ACT Safety & Security Community of Practice (SSCP) for use by ACT Alliance members and partners. 1. Purpose of

More information

Post-Class Quiz: Business Continuity & Disaster Recovery Planning Domain

Post-Class Quiz: Business Continuity & Disaster Recovery Planning Domain 1. What is the most common planned performance duration for a continuity of operations plan (COOP)? A. 30 days B. 60 days C. 90 days D. It depends on the severity of a disaster. 2. What is the business

More information

Disaster Recovery. 1.1 Introduction. 1.2 Reasons for Disaster Recovery. EKAM Solutions Ltd Disaster Recovery

Disaster Recovery. 1.1 Introduction. 1.2 Reasons for Disaster Recovery. EKAM Solutions Ltd Disaster Recovery Disaster Recovery 1.1 Introduction Every day, there is the chance that some sort of business interruption, crisis, disaster, or emergency will occur. Anything that prevents access to key processes and

More information

BUSINESS CONTINUITY PLANNING GUIDELINES

BUSINESS CONTINUITY PLANNING GUIDELINES BUSINESS CONTINUITY PLANNING GUIDELINES Washington University in St. Louis The purpose of this guide is to serve as a tool to all departments, divisions, and labs across the University in building a Business

More information

EMERGENCY PREPAREDNESS PLAN Business Continuity Plan

EMERGENCY PREPAREDNESS PLAN Business Continuity Plan EMERGENCY PREPAREDNESS PLAN Business Continuity Plan GIS Bankers Insurance Group Powered by DISASTER PREPAREDNESS Implementation Small Business Guide to Business Continuity Planning Surviving a Catastrophic

More information

MAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 Revision 0

MAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 Revision 0 MAJOR PROJECTS CONSTRUCTION SAFETY SECURITY MANAGEMENT PROGRAM STANDARD HS-09 Document Owner(s) Tom Munro Project/Organization Role Supervisor, Major Projects Safety & Security (Canada) Version Control:

More information

Disaster Ready. By: Katie Tucker, Sales Representative, Rolyn Companies, Inc

Disaster Ready. By: Katie Tucker, Sales Representative, Rolyn Companies, Inc By: Katie Tucker, Sales Representative, Rolyn Companies, Inc Are you and your facility disaster ready? As reported by the Red Cross, as many as 40 percent of small businesses do not reopen after a major

More information

Risk Assessment Guide

Risk Assessment Guide KirkpatrickPrice Assessment Guide Designed Exclusively for PRISM International Members KirkpatrickPrice. innovation. integrity. delivered. KirkpatrickPrice Assessment Guide 2 Document Purpose The Assessment

More information

Risk Management Guide for Information Technology Systems. NIST SP800-30 Overview

Risk Management Guide for Information Technology Systems. NIST SP800-30 Overview Risk Management Guide for Information Technology Systems NIST SP800-30 Overview 1 Risk Management Process that allows IT managers to balance operational and economic costs of protective measures and achieve

More information

Section A: Introduction, Definitions and Principles of Infrastructure Resilience

Section A: Introduction, Definitions and Principles of Infrastructure Resilience Section A: Introduction, Definitions and Principles of Infrastructure Resilience A1. This section introduces infrastructure resilience, sets out the background and provides definitions. Introduction Purpose

More information

BUSINESS CONTINUITY PLAN

BUSINESS CONTINUITY PLAN How to Develop a BUSINESS CONTINUITY PLAN To print to A4, print at 75%. TABLE OF CONTENTS SUMMARY SUMMARY WHAT IS A BUSINESS CONTINUITY PLAN? CHAPTER PREPARING TO WRITE YOUR BUSINESS CONTINUITY PLAN CHAPTER

More information

Oil & Gas Industry Towards Global Security. A Holistic Security Risk Management Approach. www.thalesgroup.com/security-services

Oil & Gas Industry Towards Global Security. A Holistic Security Risk Management Approach. www.thalesgroup.com/security-services Oil & Gas Industry Towards Global Security A Holistic Security Risk Management Approach www.thalesgroup.com/security-services Oil & Gas Industry Towards Global Security This white paper discusses current

More information

Emergency Preparedness: Learning Objectives. Minimizing and Controlling Future Disasters. SHRM Disaster Preparedness Survey 3.

Emergency Preparedness: Learning Objectives. Minimizing and Controlling Future Disasters. SHRM Disaster Preparedness Survey 3. Emergency Preparedness: 1 Minimizing and Controlling Future Disasters October 7-8, 2013 Presenter: Marna Hayden, SPHR Hayden Resources Inc. www.haydenhr.com Learning Objectives How to develop emergency

More information

U.S. Fire Administration. The Critical Infrastructure Protection Process Job Aid

U.S. Fire Administration. The Critical Infrastructure Protection Process Job Aid U.S. Fire Administration The Critical Infrastructure Protection Process Job Aid Emergency Management and Response- Information Sharing and Analysis Center FA-313 2nd Edition: August 2007 Table of Contents

More information

Increasing Energy Reliability & Resiliency NGA Policy Institute for Governors' Energy Advisors Denver Colorado, September 11, 2013

Increasing Energy Reliability & Resiliency NGA Policy Institute for Governors' Energy Advisors Denver Colorado, September 11, 2013 + Increasing Energy Reliability & Resiliency NGA Policy Institute for Governors' Energy Advisors Denver Colorado, September 11, 2013 Jeffrey R. Pillon, Director, Energy Assurance Programs National Association

More information

Threat and Hazard Identification and Risk Assessment

Threat and Hazard Identification and Risk Assessment Threat and Hazard Identification and Risk Assessment Background/Overview and Process Briefing Homeland Security Preparedness Technical Assistance Program May 2012 PPD-8 Background A linking together of

More information

Assessment of natural hazards, man made hazards, technical and societal related risks and associated impact.

Assessment of natural hazards, man made hazards, technical and societal related risks and associated impact. Aon Business Continuity Planning The Aon Business Continuity Planning practice provides consulting services that allow Aon clients to measure and manage their strategic and tactical risks through Crisis

More information

What is Cyber Liability

What is Cyber Liability What is Cyber Liability Ubiquitous Warfare Espionage Media Operational Data Security and Privacy Tech 1 Data Security and Privacy Data Breach Response Costs Privacy Regulatory Action Civil Litigation INSURABLE

More information

IAEA INTERNATIONAL FACT FINDING EXPERT MISSION OF THE NUCLEAR ACCIDENT FOLLOWING THE GREAT EAST JAPAN EARTHQUAKE AND TSUNAMI

IAEA INTERNATIONAL FACT FINDING EXPERT MISSION OF THE NUCLEAR ACCIDENT FOLLOWING THE GREAT EAST JAPAN EARTHQUAKE AND TSUNAMI IAEA INTERNATIONAL FACT FINDING EXPERT MISSION OF THE NUCLEAR ACCIDENT FOLLOWING THE GREAT EAST JAPAN EARTHQUAKE AND TSUNAMI Tokyo, Fukushima Dai-ichi NPP, Fukushima Dai-ni NPP and Tokai NPP, Japan 24

More information

DASTA Guide to Business Continuity (BC) and Disaster Recovery (DR) Planning

DASTA Guide to Business Continuity (BC) and Disaster Recovery (DR) Planning Your Documents. Our Management. DASTA Guide to Business Continuity (BC) and Disaster Recovery (DR) Planning Dr. Robert L. Bailey, CRM, MIT, ECMp L E A R N M O R E A B O U T D A S T A A T W W W. D R M.

More information

Kick Starting your Business Continuity Program

Kick Starting your Business Continuity Program 425.670.8700 www.continuityleadership.com Kick Starting your Business Continuity Program Phil Lambert President phil@continuityleadership.com The Center for Continuity Leadership Phil 20 years in field

More information

EPRR: Toolkit Business Impact

EPRR: Toolkit Business Impact NHS England Business Continuity Management EPRR: Toolkit Business Impact Assessment (BIA) Template Appendix 3.1 0 [Intentionally Blank] 1 INTRODUCTION The purpose of this document is to assist those who

More information

Company Management System. Business Continuity in SIA

Company Management System. Business Continuity in SIA Company Management System Business Continuity in SIA Document code: Classification: Company Project/Service Year Document No. Version Public INDEX 1. INTRODUCTION... 3 2. SIA S BUSINESS CONTINUITY MANAGEMENT

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Business Continuity Plan

Business Continuity Plan Business Continuity Plan October 2007 Agenda Business continuity plan definition Evolution of the business continuity plan Business continuity plan life cycle FFIEC & Business continuity plan Questions

More information

ITMF Disaster Recovery and Business Continuity Committee Report for the UGA IT Master Plan

ITMF Disaster Recovery and Business Continuity Committee Report for the UGA IT Master Plan ITMF Disaster Recovery and Business Continuity Committee Report for the UGA IT Master Plan I. Executive Summary Planning for continued operation during unforeseen catastrophic events, and for returning

More information

Desktop Scenario Self Assessment Exercise Page 1

Desktop Scenario Self Assessment Exercise Page 1 Page 1 Neil Jarvis Head of IT Security & IT Risk DHL Page 2 From reputation to data loss - how important is business continuity? Neil Jarvis Head of IT Security (EMEA) DHL Logistics IT Security Taking

More information

Disaster Recovery Plan (DRP) / Business Continuity Plan (BCP)

Disaster Recovery Plan (DRP) / Business Continuity Plan (BCP) Preface Computer systems are the core tool of today s business and are vital to every business from the smallest to giant organizations. Money transactions, customer service are just simple examples. Despite

More information

Identifying Cyber Risks and How they Impact Your Business

Identifying Cyber Risks and How they Impact Your Business 10 December, 2014 Identifying Cyber Risks and How they Impact Your Business David Bateman, Partner, K&L Gates, Seattle Sasi-Kanth Mallela, Special Counsel, K&L Gates, London Copyright 2013 by K&L Gates

More information

PSPSOHS606A Develop and implement crisis management processes

PSPSOHS606A Develop and implement crisis management processes PSPSOHS606A Develop and implement crisis management processes Revision Number: 1 PSPSOHS606A Develop and implement crisis management processes Modification History Not applicable. Unit Descriptor Unit

More information

AUDITOR GENERAL S REPORT. Protection of Critical Infrastructure Control Systems. Report 5 August 2005

AUDITOR GENERAL S REPORT. Protection of Critical Infrastructure Control Systems. Report 5 August 2005 AUDITOR GENERAL S REPORT Protection of Critical Infrastructure Control Systems Report 5 August 2005 Serving the Public Interest Serving the Public Interest THE SPEAKER LEGISLATIVE ASSEMBLY THE PRESIDENT

More information

Oil and Gas Industry A Comprehensive Security Risk Management Approach. www.riskwatch.com

Oil and Gas Industry A Comprehensive Security Risk Management Approach. www.riskwatch.com Oil and Gas Industry A Comprehensive Security Risk Management Approach www.riskwatch.com Introduction This white paper explores the key security challenges facing the oil and gas industry and suggests

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center IT Business Continuity Planning No: Effective: OSC-13 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

Release: 1. BSBCON601B Develop and maintain business continuity plans

Release: 1. BSBCON601B Develop and maintain business continuity plans Release: 1 BSBCON601B Develop and maintain business continuity plans BSBCON601B Develop and maintain business continuity plans Modification History Release Release 1 Comments This version first released

More information

RISK ASSESSMENT GUIDELINES

RISK ASSESSMENT GUIDELINES RISK ASSESSMENT GUIDELINES A Risk Assessment is a business tool used to gauge risks to the business and to assist in safeguarding against that risk by developing countermeasures and mitigation strategies.

More information

Module 2 - Public Health Preparedness

Module 2 - Public Health Preparedness Module 2 - Public Health Preparedness Objectives Define a public health emergency List examples of types of public health events and emergencies Overview Protecting the public from health threats involves

More information

With the large number of. How to Avoid Disaster: RIM s Crucial Role in Business Continuity Planning. Virginia A. Jones, CRM, FAI RIM FUNDAMENTALS

With the large number of. How to Avoid Disaster: RIM s Crucial Role in Business Continuity Planning. Virginia A. Jones, CRM, FAI RIM FUNDAMENTALS How to Avoid Disaster: RIM s Crucial Role in Business Continuity Planning The world has experienced a great deal of natural and man-made upheaval and destruction in the past few years, including tornadoes,

More information

ABA Section of Public Utility, Communications & Transportation Law Safety and Security in Transport

ABA Section of Public Utility, Communications & Transportation Law Safety and Security in Transport ABA Section of Public Utility, Communications & Transportation Law Safety and Security in Transport Commercial Nuclear Power Plants Stan Blanton Nuclear Power Subcommittee The Regulatory Landscape NRC

More information

APPENDIX XII: EMERGENCY SUPPORT FUNCTION 12 - ENERGY

APPENDIX XII: EMERGENCY SUPPORT FUNCTION 12 - ENERGY APPENDIX XII: EMERGENCY SUPPORT FUNCTION 12 - ENERGY PRIMARY AGENCIES: Public Service Commission and the Florida Energy and Climate Commission SUPPORT AGENCIES: Nuclear Regulatory Commission, Florida Rural

More information

Cyber security: Practical Utility Programs that Work

Cyber security: Practical Utility Programs that Work Cyber security: Practical Utility Programs that Work Securing Strategic National Assets APPA National Conference 2009 Michael Assante Vice President & CSO, NERC June 15, 2009 The Electric Grid - Challenges

More information

DISASTER PLANNING AND RECOVERY

DISASTER PLANNING AND RECOVERY PLANNING IS THE KEY TO SUCCESSFUL DISASTER RECOVERY Source: US State Government Disaster Recovery Markets by Frost & Sullivan, A Global Growth Consulting Company DISASTER PLANNING AND RECOVERY In the aftermath

More information

Business Impact Analysis (BIA) and Risk Mitigation

Business Impact Analysis (BIA) and Risk Mitigation Texas Emergency Management Conference 2015 Business Impact Analysis (BIA) and Risk Mitigation Alan Sowell, COOP Unit Supervisor Paul Morado, COOP Unit Planner BIA Implementation Process BIA Private Sector

More information

Beyond Effective Security. The Art and Science of Business Continuity Planning

Beyond Effective Security. The Art and Science of Business Continuity Planning Beyond Effective Security The Art and Science of Business Continuity Planning Fred Young, CIPM, CRM Executive Director Risk Management RE/MAX International Holdings, Inc The Wildlife Experience Business

More information

Plans for CIP Compliance

Plans for CIP Compliance Testing Procedures & Recovery Plans for CIP Compliance DECEMBER 16, 2009 Developed with: Presenters Bart Thielbar, CISA Senior Research hanalyst Sierra Energy Group, a Division of Energy Central Primer

More information

Type Threats Origin. Destruction of equipment or media. Dust, corrosion, freezing. Climatic phenomenon. Seismic phenomenon. Volcanic phenomenon

Type Threats Origin. Destruction of equipment or media. Dust, corrosion, freezing. Climatic phenomenon. Seismic phenomenon. Volcanic phenomenon nnex C (informative) xamples of typical threats The following table gives examples of typical threats. The list can be used during the threat assessment process. Threats may be deliberate, accidental or

More information

Business Continuity for the Hospitality Industry

Business Continuity for the Hospitality Industry MANAGEMENT GUIDE MANAGEMENT for the Hospitality Industry Managing threats and building organisation resilience What is business continuity? According to the Institute, business continuity management is

More information

Nine Steps to Smart Security for Small Businesses

Nine Steps to Smart Security for Small Businesses Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...

More information

Clinic Business Continuity Plan Guidelines

Clinic Business Continuity Plan Guidelines Clinic Business Continuity Plan Guidelines Published: January 2015 Table of Contents Emergency Notification Contacts Primary... 2 Emergency Notification Contacts Backups (in case primary is unavailable)...

More information

Clinic Business Continuity Plan Guidelines

Clinic Business Continuity Plan Guidelines Clinic Business Continuity Plan Guidelines Emergency notification contacts: Primary Role Name Address Home phone Mobile/Cell phone Business Continuity Plan Coordinator QSP Business Continuity Plan Coordinator

More information

Draft 8/1/05 SYSTEM First Rev. 8/9/05 2 nd Rev. 8/30/05 EMERGENCY OPERATIONS PLAN

Draft 8/1/05 SYSTEM First Rev. 8/9/05 2 nd Rev. 8/30/05 EMERGENCY OPERATIONS PLAN Draft 8/1/05 SYSTEM First Rev. 8/9/05 2 nd Rev. 8/30/05 EMERGENCY OPERATIONS PLAN I. INTRODUCTION A. PURPOSE - The University of Hawaii System Emergency Operations Plan (EOP) provides procedures for managing

More information

BUSINESS CONTINUITY PLAN OVERVIEW

BUSINESS CONTINUITY PLAN OVERVIEW BUSINESS CONTINUITY PLAN OVERVIEW INTRODUCTION The purpose of this document is to provide Loomis customers with an overview of the company s Business Continuity Plan (BCP). Because of the specific and

More information

An Introduction to. Business Continuity Planning

An Introduction to. Business Continuity Planning An Introduction to Business Continuity Planning Company Profile Practical Experience European Head Office Extensive Client Base Established 1998 Expert Consultants Global Network Why BCP? I am often asked

More information

Audit of the Disaster Recovery Plan

Audit of the Disaster Recovery Plan Audit of the Disaster Recovery Plan Report # 11-05 Prepared by Office of Inspector General J. Timothy Beirnes, CPA, Inspector General Kit Robbins, CISA, CISM, CRISC, Lead Information Systems Auditor TABLE

More information

BUSINESS IMPACT ANALYSIS.5

BUSINESS IMPACT ANALYSIS.5 Table of Contents I. GENERAL.3 Introduction.3 Scope.3 Components.3 II. BUSINESS IMPACT ANALYSIS.5 Academic Affairs...5 Finance and Administration.6 Planning and Accountability..8 Student Affairs.8 Institutional

More information

Crisis and Emergency Management Plan Development

Crisis and Emergency Management Plan Development Crisis and Emergency Management Plan Development AGENDA Administrative Code Crisis What is a crisis Four phases of crisis management Mitigation/Prevention Preparedness Response Recovery Long-Range Planning

More information

Network & Information Security Policy

Network & Information Security Policy Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk

More information

Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD.

Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD. Business Continuity Management & Disaster Recovery Planning Presented by: Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD. 1 What is Business Continuity Management? Is a holistic management

More information

Improving Energy Infrastructure Security: Costs and Consequences

Improving Energy Infrastructure Security: Costs and Consequences Improving Energy Infrastructure Security: Costs and Consequences Alex Farrell 1,Hisham Zerriffi 2, Lester Lave 2, Granger Morgan 2 1 Energy and Resources Group, UC Berkeley 2 Dept. of Engineering and Public

More information

ALLEN COUNTY CODE TITLE 8 PUBLIC SAFETY ARTICLE 8 COUNTY EMERGENCY MANAGEMENT AGENCY (EMA)

ALLEN COUNTY CODE TITLE 8 PUBLIC SAFETY ARTICLE 8 COUNTY EMERGENCY MANAGEMENT AGENCY (EMA) ALLEN COUNTY CODE TITLE 8 PUBLIC SAFETY ARTICLE 8 COUNTY EMERGENCY MANAGEMENT AGENCY (EMA) 8-8-1 Chapter 1: Title This Ordinance shall be known and may be cited and referred to as the Emergency Management

More information

Interactive-Network Disaster Recovery

Interactive-Network Disaster Recovery Interactive-Network Disaster Recovery BACKGROUND IT systems are vulnerable to a variety of disruptions, ranging from mild (e.g., short-term power outage, disk drive failure) to severe (e.g., terrorism,

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

Water Infrastructure Interdependencies

Water Infrastructure Interdependencies Water Infrastructure Interdependencies John Whitler US EPA Office of Water Water Security Division February 12, 2006 November 2005 DRAFT For Official Use Only Do Not Cite, Circulate, or Copy 1 Overview

More information

DISASTER RECOVERY PLANNING FOR CITY COMPUTER FACILITIES

DISASTER RECOVERY PLANNING FOR CITY COMPUTER FACILITIES APPENDIX 1 DISASTER RECOVERY PLANNING FOR CITY COMPUTER FACILITIES March 2008 Auditor General s Office Jeffrey Griffiths, C.A., C.F.E. Auditor General City of Toronto TABLE OF CONTENTS EXECUTIVE SUMMARY...1

More information

National Infrastructure Protection Center

National Infrastructure Protection Center National Infrastructure Protection Center Risk Management: An Essential Guide to Protecting Critical Assets November 2002 Summary As organizations increase security measures and attempt to identify vulnerabilities

More information

for Critical Infrastructure Protection Supervisory Control and Data Acquisition SCADA SECURITY ADVICE FOR CEOs

for Critical Infrastructure Protection Supervisory Control and Data Acquisition SCADA SECURITY ADVICE FOR CEOs for Critical Infrastructure Protection Supervisory Control and Data Acquisition SCADA SECURITY ADVICE FOR CEOs EXECUTIVE SUMMARY Supervisory Control and Data Acquisition (SCADA) systems are used for remote

More information

IBM s Approach to Disaster Recovery and Business Continuity

IBM s Approach to Disaster Recovery and Business Continuity IBM Global Services IBM s Approach to Disaster Recovery and Business Continuity Lausanne, May, 2008 Gérard Vanel, IBM certified Managing Consultant IT infrastructure, BCRS Integrated Technology Services

More information

Lessons from Defending Cyberspace

Lessons from Defending Cyberspace Lessons from Defending Cyberspace The Challenge of Addressing National Cyber Risk Andy Purdy Workshop on Cyber Security Center for American Studies, Christopher Newport College 10 28-2009 Cyber Threat

More information

White Paper. April 2006. Security Considerations for Utilities Utilities Tap Into the Power of SecureWorks

White Paper. April 2006. Security Considerations for Utilities Utilities Tap Into the Power of SecureWorks White Paper April 2006 Security Considerations for Utilities Utilities Tap Into the Power of SecureWorks According to a recent Harris Interactive survey, the country s leading business executives consider

More information

Temple university. Auditing a business continuity management BCM. November, 2015

Temple university. Auditing a business continuity management BCM. November, 2015 Temple university Auditing a business continuity management BCM November, 2015 Auditing BCM Agenda 1. Introduction 2. Definitions 3. Standards 4. BCM key elements IT Governance class - IT audit program

More information

Visit the GPA website to:

Visit the GPA website to: Information Disaster Recovery Plans Session 1 4.2.2 Business Continuity Plans Part 1 Visit the GPA website to: Register for GPA webinars Subscribe to our free enewsletter Download accreditation resources

More information

BUILDING DESIGN FOR HOMELAND SECURITY. Unit IV Vulnerability Assessment

BUILDING DESIGN FOR HOMELAND SECURITY. Unit IV Vulnerability Assessment Unit IV Vulnerability Assessment Vulnerability Any weakness that can be exploited by an aggressor or, in a non-terrorist threat environment, make an asset susceptible to hazard damage Unit IV-2 Unit Objectives

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

SCADA Business Continuity and Disaster Recovery. Presented By: William Biehl, P.E. 913-601-0104 (mobile) Bill.Biehl@we-inc.com

SCADA Business Continuity and Disaster Recovery. Presented By: William Biehl, P.E. 913-601-0104 (mobile) Bill.Biehl@we-inc.com SCADA Business Continuity and Disaster Recovery Presented By: William Biehl, P.E. 913-601-0104 (mobile) Bill.Biehl@we-inc.com Business Continuity Planning, a Sound Process A Business Continuity Plan: "A

More information

Building Economic Resilience to Disasters: Developing a Business Continuity Plan

Building Economic Resilience to Disasters: Developing a Business Continuity Plan Building Economic Resilience to Disasters: Developing a Business Continuity Plan Buffalo Niagara Region February 26, 2014 Gail Moraton, CBCP Business Resiliency Manager Business Resiliency one important

More information

Cyber- Attacks: The New Frontier for Fraudsters. Daniel Wanjohi, Technology Security Specialist

Cyber- Attacks: The New Frontier for Fraudsters. Daniel Wanjohi, Technology Security Specialist Cyber- Attacks: The New Frontier for Fraudsters Daniel Wanjohi, Technology Security Specialist What is it All about The Cyber Security Agenda ; Protecting computers, networks, programs and data from unintended

More information

ASX SETTLEMENT OPERATING RULES Guidance Note 10

ASX SETTLEMENT OPERATING RULES Guidance Note 10 BUSINESS CONTINUITY AND DISASTER RECOVERY The purpose of this Guidance Note The main points it covers To assist participants to understand the disaster recovery and business continuity arrangements they

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 13 Business Continuity

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 13 Business Continuity Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 13 Business Continuity Objectives Define environmental controls Describe the components of redundancy planning List disaster recovery

More information

Agenda. Introduction to SCADA. Importance of SCADA security. Recommended steps

Agenda. Introduction to SCADA. Importance of SCADA security. Recommended steps Agenda Introduction to SCADA Importance of SCADA security Recommended steps SCADA systems are usually highly complex and SCADA systems are used to control complex industries Yet.SCADA systems are actually

More information

Assessing Your Disaster. Andrews Hooper Pavlik PLC. Andrews Hooper Pavlik PLC

Assessing Your Disaster. Andrews Hooper Pavlik PLC. Andrews Hooper Pavlik PLC Assessing Your Disaster Recovery Plans Gregory H. Soule, CPA, CISA, CISSP, CFE Andrews Hooper Pavlik PLC Andrews Hooper Pavlik PLC Agenda Business Continuity Concepts Impact Analysis Risk Assessment Risk

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

Managing IT Security with Penetration Testing

Managing IT Security with Penetration Testing Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

Emergency Preparedness Guidelines

Emergency Preparedness Guidelines DM-PH&SD-P7-TG6 رقم النموذج : I. Introduction This Guideline on supports the national platform for disaster risk reduction. It specifies requirements to enable both the public and private sector to develop

More information

Common Threats and Vulnerabilities of Critical Infrastructures

Common Threats and Vulnerabilities of Critical Infrastructures International Journal of Control and Automation 17 Common Threats and Vulnerabilities of Critical Infrastructures Rosslin John Robles 1, Min-kyu Choi 1, Eun-suk Cho 1, Seok-soo Kim 1, Gil-cheol Park 1,

More information

Business Continuity Planning. Donna Curran, Director Audit and Risk Management February, 2014

Business Continuity Planning. Donna Curran, Director Audit and Risk Management February, 2014 Business Continuity Planning Donna Curran, Director Audit and Risk Management February, 2014 Agenda Business Continuity Defined The Importance of a Plan Determining the Costs Business Impact Analysis MTO,

More information

NGO security coordination and other sources of support WITHIN FIRST 1-2 WEEKS. Office/compound/ facility security

NGO security coordination and other sources of support WITHIN FIRST 1-2 WEEKS. Office/compound/ facility security 3 Risk assessment tool BEFORE DEPLOYMENT OR STARTING PROGRAMME Context analysis and actor mapping Risk assessment Security strategies Acceptance, protection and deterrence What is the context and who are

More information

The Technology Trilogy:

The Technology Trilogy: The Technology Trilogy: Security, Disaster Recovery, & Business Continuity Information Technology Services for Colleges and Universities www.thinkeduserve.com The Technology Trilogy: Security, Disaster

More information

EEI Business Continuity. Threat Scenario Project (TSP) April 4, 2012. EEI Threat Scenario Project

EEI Business Continuity. Threat Scenario Project (TSP) April 4, 2012. EEI Threat Scenario Project EEI Business Continuity Conference Threat Scenario (TSP) April 4, 2012 EEI Threat Scenario 1 Background EEI, working with a group of CIOs and Subject Matter Experts, conducted a survey with member companies

More information

Legal Issues / Estonia Cyber Incident

Legal Issues / Estonia Cyber Incident Control System Cyber Security Conference 22 October 2009 Legal Issues / Estonia Cyber Incident Maeve Dion Center for Infrastructure Protection George Mason University School of Law Legal Issues / Estonia

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information

Disaster Recovery Planning

Disaster Recovery Planning NASA IV & V ANNUAL WORKSHOP 202 The 4th International Workshop on Independent Verification & Validation of Software Disaster Recovery Planning Divya Krishnamoorthy Mailam Engineering College, Mailam. (Affiliated

More information

Presenter: October 14, 2009 Mr. Takanobu Ito Managing Director, Asia Pacific & Middle East Operations

Presenter: October 14, 2009 Mr. Takanobu Ito Managing Director, Asia Pacific & Middle East Operations TeleContinuity The Survivable Cyber Solution Presentation For Presenter: October 14, 2009 Mr. Takanobu Ito Managing Director, Asia Pacific & Middle East Operations 2007 TeleContinuity, Inc.. All Rights

More information

Information Security for Managers

Information Security for Managers Fiscal Year 2015 Information Security for Managers Introduction Information Security Overview Enterprise Performance Life Cycle Enterprise Performance Life Cycle and the Risk Management Framework Categorize

More information