MHA Consulting. Business Continuity Management 101

Transcription

1 0 MHA Consulting Business Continuity Management 101 Presented by: Michael Herrera Brandon Magestro MHA Consulting

2 Agenda MHA Consulting Introduction Business Continuity Management (BCM) Defined 2013 Trends The Business Impact Analysis (BIA) Threat & Risk Assessment (TRA) Business Recovery Plans (BRP) IT Disaster Recovery Plans (DRP) Questions? 1

3 MHA Consulting, Inc. 2 Who We Are Leading boutique consulting firm since 1999 Provider of consulting services to private and public sector companies across the USA Proven cross-industry experience in Business Continuity, Disaster Recovery and IT Optimization What We Do Business Continuity Management Disaster Recovery Planning Training & Awareness Physical Security Consulting Information Technology Optimization & Best Practices Michael Herrera What Makes Us Different Experienced professionals that possess a unique blend of knowledge Experience combines focus, dedication and independence of a specialty firm Proven methodologies and tools Financial and management stability Domestic presence and deep skill-sets of the Big 4 or larger consulting firm

4 Experience & Qualifications MetroWaterDistrict 3

5 BCM Defined Development of strategies, plans and actions which provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the enterprise. Business Continuity Management: The development of key plans and strategies Protection of your organizations operations The identification and protection of your most critical business processes 4

6 BCM - A Common Language 5 Business Resumption Planning: The process initiated to resume business operations to a level consistent with the business requirements. IT Disaster Recovery Planning: The recovery of information technology processes, systems, applications, databases, and network assets used to support critical business processes. Crisis Management: A series of actions taken to gain control of the event quickly to minimize the affects of an interruption and prepare for recovery. 5

7 BCM Model 6 Design, Dev, Implementation Testing, Maint., Execution Functional Requirements BRP Testing BIA Project Mgmt Policies & Standards Risk Assessment Recovery Strategy Project Initiation Maint DRP Cont Imp. CMT Execute Disaster Recovery Institute International Model 6

8 The Business Continuity Lifecycle 7 Executive Management Support & Sponsorship Compliance Monitoring & Auditing Testing & Maintenance Risk Assessment & Business Impact Analysis Continuity Life Cycle Business Continuity Strategy Design Business Alignment Training & Awareness Plan Development & Strategy Implementation 7

9 Elements of BCM Implementation Process 8 Executive Management sponsorship BCM Governance Program/Team Provide a framework and methodology for understanding, discussing and developing plans Follow a holistic project approach similar to the DRII Model Execute a Threat and Risk Assessment and Business Impact Analysis Research and develop business and IT recovery strategies Develop and formalize crisis management, crisis communication, IT disaster recovery and business recovery plans Institute testing, training and awareness Conduct post-test analysis and make adjustments accordingly Implement a maintenance strategy 8

10 Learning s from 2013 Business Continuity Management (BCM) is the new Business Continuity Planning (BCP). The majority of organizations are renaming their enterprise continuity programs to Business Continuity Management. Business Continuity staffing in most organizations is not increasing. Many organizations continue to either staff minimally or use outside consultants to augment the program Enterprise Risk Management (ERM) is integrating BCM into its process and utilizing the information gathered through BIAs and Threat & Risk Assessments to support identification of risks and exposures; a good sign. 9

11 Learning s from 2013 The Business Impact Analysis (BIAs) study remain as the foundational component to drive the development of the BCM program. However, senior management is continually looking for us to refine the BIA process, shorten business unit participation time in the studies and ensure the rigor in the process clearly identifies the most critical activities and dependencies. We see Recovery Time Objectives (RTOs) continue to get shorter and shorter (e.g., no downtime, 1 hour, 4 hours, etc.) in many of the companies we worked at in The new norm for tolerance for data loss or Recovery Point Objectives (RPOs) across critical business activities is zero or near zero in many companies due to the use of complex technology and automated workflows that virtually eliminate manual workarounds. Business and IT RTO/RPO Alignment Alignment remains a critical gap across a majority of companies whether they are small, medium or large. 10

12 Learning s from 2013 Emergency Notification Systems The use of ENS is becoming widespread. However, organizations routinely struggle with bad contact data and the processes to effectively and efficiently notify associates. Also, its not good with no electrical power. Companies struggle with Recovery Strategies particularly for the business units of the organization. Our most mature clients (financial, utilities) are holding live Recovery Exercises. 11

13 BCM Regulatory Requirements & Guidelines NFPA 1600 HIPAA GLBA FFIEC OSHA FCPA SEC ISO 9000, & QS 9000 State Insurance Departments Critical Infrastructure Protection Security Standards for Electric Market Participants Sound Practices to Strengthen the Resilience of the US Financial System 12

14 Conducting the BIA 13 Business Impact Analysis Defined: The careful study of individual business activities and support functions, as well as the system of business processes in their entirety, to better understand objectives regarding continuity of operations. Methodologies and Approaches Relationship between the BIA and Risk Assessment Objectives: Quantify the loss potential Qualify other types of loss Establish Recovery Time Objective Establish Recovery Point Objective 13

15 Threat & Risk Assessment 14 Natural/Environmental Threats Technological Threats Man-made Threats (Accidental and Intentional) Business Process-related Risks Single Points of Failure Personnel Supply Chain Information Technology Availability Risks Third Parties / Vendors 14

16 A Common Ailment 15 A rigorous Business Impact Analysis (BIA), including an analysis of recovery options, helps address the gap between Business Requirements and IT Capabilities currently experienced by many organizations 15

17 Business Recovery Plans 16 Business Recovery Plans (BRPs) are developed to ensure recovery of the critical activities identified in the BIA. At a minimum, the BRP contains the following information. Purpose, scope, assumptions, etc. Activation procedures Listing of critical business activities and priority of recovery Roles and responsibilities Emergency procedures to ensure safety of all affected staff members Response, recovery and resumption procedures Coordination procedures with public authorities Communication procedures Critical information on continuity teams, staff, customers, suppliers, etc. Off-site storage of critical records, documentation and other pertinent resources Copies of the BRP at various secure locations 16

18 Business Recovery Testing 17 Business recovery testing reduces risk that an organization could incur given a disruption of critical business activities that are required to maintain the mission and operations of the organization. Business recovery testing options: Tabletop Exercise / Structured Walkthrough - A tabletop exercise/structured walk-through test is conducted as preliminary step in the overall testing process; however, it is not a preferred testing method. Its objective is to ensure that critical personnel are familiar with the recovery plan and it accurately reflects the organization's ability to recover. Walk Through Drill / Simulation Test - A walk-through drill/simulation test is a secondary step in the overall testing process and is more involved than a tabletop exercise/structured walk-through test because the participants choose a specific event scenario and apply the Business Recovery Plan to it. Functional Drill/Parallel Testing- Test involves the actual mobilization of personnel to other sites in an attempt to establish communications and perform actual recovery processing as set forth in the Plan. TREND: Majority of organizations only perform Tabletop Exercises, few perform Walk through and only a very small number perform functional drills. 17

19 Disaster Recovery Plans 18 The DRP includes all the recovery steps, technology processes, systems, applications, databases and network assets used to support the recovery of the systems and applications required by the critical business activities of the organization. Disaster recovery plans are developed for each critical IT system/application and identifies: Alternative equipment/facilities adequate to recover critical systems Prioritization of recovering critical and non-critical applications Recovery and validation steps for each system and application Personnel requirements/skills in the event of a disaster Critical application programs, third-party services, operating systems, databases, data files, supplies and timeframes needed for recovery Off-site storage of critical back-up media, documentation and other pertinent resources Copies of the DRP at various secure locations 18

20 Disaster Recovery Testing 19 Disaster recovery testing reduces risk that an organization could incur given a severe disruption of business if the computing center and system custodians are unable to recover processing or key technology infrastructure in the event of a disaster. Disaster recovery testing options: Standalone Testing Perform recovery of individual systems and applications. This is a good first step. Integrated Testing Perform recovery of multiple systems and applications that are dependent on each other (upstream and downstream) and see how they work together in the recovered state. Business Activity Testing Perform recovery of a critical business activity from end to end using all of the upstream and downstream systems and applications needed. TREND: Majority of organizations perform standalone and integrated testing but and very few if any perform business activity testing. Unless you have a mature and tested recovery capability, integrated and business activity testing is difficult to achieve by most organizations. 19

21 BCM Metrics Purpose The BCMMETRICS secure, web based self-assessment tool is designed to evaluate the compliance of an enterprise Business Continuity Management (BCM) program to accepted industry best practices and standards. Consistency with Industry Best Practices BCMMETRICS.com uses the leading BCM industry best practices, standards and guidelines as its basis for evaluating the compliance of a program. The tool will comply with a number of widely accepted best practices and standards that include, but are not limited to: ISO BCI Good Practices National Fire Protection Act 1600 (NFPA 1600) Federal Financial Institution Examination Council (FFIEC) BCM Standards 20

22 BCM Metrics 21

23 BCM Metrics 22

24 BCM Metrics 23

25 Questions. 24 If you have questions regarding the information presented today and/or any other DR/BCP questions, please call or Brandon Magestro Director of Operations MHA Consulting,Inc. Mobile: (907)