Business continuity: Best practices and challenges

Transcription

1 Middle East Annual Conference 2014 Business continuity: Best practices and challenges Guy Peterson Senior Assurance and Resilience Expert Booz Allen Hamilton

2 Ready for what s next. BCM Trends, Best Practices and Challenges Guy Peterson Abu Dhabi 30 April, 2014 This document contains Booz Allen Hamilton Inc. proprietary and confidential business information.

3 Table of contents How Resilient is your own organization? Today s threat environment Why is business continuity important How do we successfully implement a business continuity program Key Considerations when implementing regulation and/or setting up a new BCM program Questions 3

4 How Resilient is your organization? 1. Do you have a contingency planning framework adapted to your Organization and associated Operating model? 2. Are your plans driven from the top down, and aligned with strategic needs? 3. Is your contingency planning coordinated across all departments within the organization? 4. Do you conduct Enterprise wide Risk & Business Impact Analysis? 5. Do you regularly test and exercise your plans? 6. Do you capture lessons learnt as part of a continuous improvement process? If you answered NO to any of these questions your organization may not be best positioned to respond to business disruption or disaster 4

5 Risk management as a formal process has undergone substantial evolution over a relatively short period of time Hurricane & flood destroys Galveston, Texas. Jan 1900 Risk, Uncertainty & Profits published by Frank Knight BP forms Tanker Insurance Company LTD Dec 1920 Sep 1921 Period where Risk was largely shaped by Financial Services industry The Risk Revolution published by Fortune Magazine Jul 1976 Period where Risk was heavily adopted into broader business decision making First Risk Standard Published AS/NZS 4360:1995 Sep 1995 Period where Risk undergoes significant change to adapt to new demands xx 5

6 Approach and Risk continues to evolve in response to a constantly changing threat environment Facility Incident Labour Strike Pandemic Terrorist Attack Natural Disaster Riskdriven Auditdriven Eventdriven 1 Reactive 2 Integrated 3 Adaptive Enterprise perspective Risk governance in place, and incorporated across organization Risk imbedded into decision making processes and organizational culture Cross functional Risk workshops used to provide degree of integration in risk treatment Risk Reporting performed; however, focus is on compliance Internally looking Focused on already realized issues or known risks Very tactical Cyber Attack Business Unit Location/Regi on Scope Enterprise 6

7 This highly dynamic threat environment creates many challenges for security professionals in addressing enterprise risk exposure Threats Types of Risk Functions Challenges Facility Incident Labour Strike Pandemic Terrorist Attack Natural Disaster Cyber Attack Operational Risk Credit Risk Market Risk Compliance Cyber Security Physical Security Personnel Security Legal & Contractual 7 LOB requirements & deliverables Risk / compliance roles Governance committees Risk reviews and events Charters, rules & responsibilities Meetings, agendas & participants Timelines What are the major risks, issues and controls? Where is governance and oversight exercised? What key items are driving expense growth? What redundancies exist? What gaps exists? How can the current state be improved? How can risk and functionality be effectively balanced? How do we break down the functional siloes that exist across different business lines?

8 Today s threat environment is further complicated through our dependence on technology which has created many opportunities for malicious attacks Most organizations are only prepared to handle a fraction of security concerns Known Threat Actors Insiders Criminals State Actors Hacktivists Affinity Groups Vulnerabilities Hyper-Interconnectivity of Information Systems Rapid Technological Infrastructure Expansion Hard to Define Organizational Perimeters Unprepared Workforce and Culture Dissimilar Security Models Applied Across the Enterprise Misaligned Policies Risks Intellectual Property Theft Government and military strategy compromised Monetary Losses Operational Disruptions Theft of classified information National security at risk Media Publicity Regulator Intervention Loss of Public Confidence Representati ve Attacks felt in Middle East Mahdi (2012) Trojan espionage attack designed to target Middle Eastern critical infrastructure firms, engineering students, financial services firms, and government embassies. Shamoon (2012) Saudi Aramco, the worlds largest oil producer, was targeted by hackers for the government s supposed support of oppressive measures in the Middle East. Gauss (2012) One of the most sophisticated pieces of malware yet designed to monitor bank account information and the money flow for various Middle Eastern banks. RasGas Attack (2012) A highly public attack against one of our most valuable national assets that resulted in widespread loss of information services 8

9 The risk management programs of many organization s have not kept pace with the changes in business complexity Business Environment Complexity 1990s Centralized Reactive Risk Mitigation Distributed (Decentralized) Integrated Risk Networked Adaptive Enterprise Resilience Largely independent and autonomous business environments Point of Presence (PoP) type operating model serving a locality or region Clearly defined boundaries in terms of markets, areas of operation, etc Regional business environments PoP with regional governance structures Boundaries not always clearly defined Global business environments PoP with global governance structures Boundaries no longer apply, or are not easily distinguishable 9

10 Traditional Stovepipe approaches to managing security fail to adequately mitigate Risk in today s highly dynamic business environments Typical Organisational Stovepipes Limitations of Traditional Model Incident Crisis Comms Incident Command Framewor k Operation s Center IT Security IT Security Information Security IT Disaster Recovery IT Disaster Recovery Critical Infra. Protection Incident Response Continuity of Operations OHS Physical Security Physical Security Personne l Safety Personnel Security Personnel Security Risk Operational Risks Project Risks Strategic Risks Early Warning Limited awareness of operating conditions, risk exposures and critical gaps across the organisation focus on individual silos Responsibilities and activities are dispersed across various functions with potential for overlap or duplication No clear accountability exists for ensuring the continuity of the business No clear performance metrics exist Difficulty in linking organisational strategy to multiple similar functions Investment decisions are not optimised across the enterprise and the Executive Boards have limited transparency into incident, recovery and continuity management 10

11 The solution is to take a broad Enterprise wide program that consolidates the full breadth of available resources in managing Risk Siloed Integrated Optimized Emergency DRP Crisis BCP Incident Response BCM Incident Response Enterprise Security Incident Enterprise Response Enterprise\ Security BCM Risk Personnel Security Operational Risk Physical Security ICT Security Strategic Risk Enterprise\ Risk Enterprise Resilience High levels of functional fragmentation Complex management processes Slow reaction time to risk Promotes dysfunctional behavior Some levels of functional fragmentation Decentralized management Improved ability to respond to risk 11 Little or no functional fragmentation Top-down management approach Highly dynamic response to risk Resilient security posture

12 Engagement of Executive Staff Develop Contingency plans Integrate situational awareness capability Establish cross-functional capability Enhance response capabilities Facilitate dynamic Risk response capability Engage appropriate resources Performance Measurement Mature and test the program Release policy and guidance Risk & Business Impact Analysis Implement Enterprise Risk framework Establish a monitor and update capability Business Continuity is most effectively implemented using business strategy principles to position the program for success Corporate Strategy Key Earnings Drivers Essential Processes, Technology & Organizations Risks & Vulnerabilities CLIENT Dependencies Additional Insights Priorities & Imperatives through Goals Strategy Implementation Busines s Need 1 Mission & Vision The Enterprise Resilience Program will 2 Views & Perspectives 3 Risk Assessment Framework Options Implementation Roadmap 4 Action Plan(s) Capturing perspectives through: Stakeholder ; Purpose ; and Issue

13 An appropriate framework needs to be developed to manage the business continuity planning process in context of unique organizational requirements 7 6 Governance, Capability & Preparedness 2 Enterprise Risk Integrated Security 3 Project Planning Risk Assessment & Analysis The Business Continuity Planning Process Maintenance & Updating Strategic Risk Operational Risk Security Risk 1 Risk & Business Impact Analysis (BIA) and Physical Security Information Security Personnel Security 4 5 Business Impact Analysis Strategy Development Response Situational Awareness Incident Response Test & Exercise Contingency Planning Operations (COOP); Processes (BCP); Functional (DRP, etc) Plan Developmen t Awarenes s & Training Testing & Exercising The Plan Source: Disaster Recovery Institute International (DRII) 13

14 A gap analysis is used to develop options, and a single go forward strategy is recommended to implement the business continuity program Current State Capability Resilience Maturity Scale Desired Maturity No Capability Limited Capability Siloed Capability Integrated Capability Optimised Capability 1 Business Impact Analysis + 2 Risk + 3 Integrated Security Response Contingency Planning Governance, Capability & Preparedness Capability Gap

15 Work streams The Strategy provides clear guidance across the organization to ensure the program is successfully implemented Phase 1 x x Months Phase 2 x - x Months Phase 3 x x Months Engagement of Executive Staff Establish cross-functional capability Engage appropriate resources Develop Contingency plans Enhance response capabilities Performance Measurement Integrate situational awareness capability Facilitate dynamic Risk response capability Mature and test the program Release policy and guidance Establish a monitor and update capability Risk & Business Impact Analysis Implement Enterprise Risk framework Foundational: Establishing the necessary capability to build the program Maturing: Integrating the program and introducing functional capability Optimized: Transformation to Best Practice capability 15

16 Each strategic activity is supported by an Action Plan to establish clear direction, expected performance measures and accountability Strategy Engagement of Executive Staff Establish crossfunctional capability Engage appropriate resources Release policy and guidance Supporting Initiatives Assign appropriate ownership and accountabilities Establish defined roles and responsibilities Establish appropriate governance framework through forums, committees, R&R, etc Develop initial team makeup requirements for an Emergency Operations Centre, covering a range of business disruptions Establish BCM team with sufficient resources to undertake qualitative analysis of program Formalise information flow between existing forums Build on current capabilities through increasing collaboration across program capability areas Build capabilities focused on integrating BCM domains (Risk, Security etc) Initiate Training and Awareness Program Develop Contingency Planning Policy and Guidance Phase in Which Initiatives Commence Capability Uplift Phase 1 Program established at enterprise level Phase 1 Enterprise wide pragmatic view of BCM capabilities Phase 1 Resources in place to apply qualitative assessment of program content Phase 1 Alignment around common objectives Action Plan Action Plan Engagement of Executive staff Action Plan Establish cross functional capability Action Plan Engage appropriate resources Release Policy & Guidance 16

17 Ultimately the vision is to position the organization to respond to an event in a planned way, with managed levels of business disruption Lifecycle Event Phases and Activity Streams Approaches to Crisis Following a crisis, an Adaptive program is positioned to more effectively respond to a given event within required timelines while managing cost /benefit tradeoffs Source: Booz Allen 17

18 Business Continuity is standardized both internationally & nationally, and becoming heavily regulated at a federal and/or industry levels International National Abu Dhabi International Organization for Standardisation (ISO) 22301:2012 Societal Security Business Continuity Systems Requirements. ISO31000:2009 Risk management Principles and guidelines ISO27001:2013 Information Security ISO27031:2011 ICT Readiness for Business Continuity Business Continuity Standard AE/HSC/7000:2012 Version (1) issued by the National Emergency Crisis and Disasters Authority of the Higher National Security Council of the United Arab Emirates; and, Environment, Health & Safety (EHS) currently under development NESA currently under development CICPA Regulations & Requirements for security permits Sector/Industry regulators i.e. Telecommunications Regulatory Authority (TRA) Various Laws & Regulations ADSIC Information Security Policy & Standards Sector/Industry regulators i.e. Regulation & Supervision Bureau (RSB) 18

19 In context of a regulatory environment and/or a new BCM program, there are many valuable lessons learned to be considered The processes described in standards should only be seen as minimal considerations. Standards are intentionally written at a high level to be broadly applicable to all organizations! Relevant to the AE-HSC-7000 Standard, the concepts described in the standard must be adapted to organizational context to be successfully implemented! Don t only seek to comply with regulation taking a minimal approach to business continuity may pass audit requirements; however, is unlikely to address risk appropriately. Tradeoffs need to be understood to make informed decisions Amount of analysis required to provide meaningful data Analysis methodologies Risk : All Hazards vs. detailed threat analysis BIA : Detailed business process mapping vs. Value Chains, etc Return on Investment (ROI) needs to balance investment decisions into risk control 19

20 Enterprise resilience is a reality for many organizations that choose to invest in business continuity Executive Support is mandatory to success!; A strong culture of Responsibility and Accountability must be imbedded over time. Upfront investment into Strategy development will ensure the program is adapted to the organization; Defining accurate strategic objectives; Structures and Frameworks; Performance Monitoring; Assessing Options, tradeoffs, etc.; Skills and Expertise; Having the right people available throughout different stages of implementation Alignment of other activities and projects; Understanding the environment, and simplifying wherever possible 20

21 Questions? Guy Peterson Senior Associate Booz Allen Hamilton Office: ; UAE Mobile: ; 21