Preparing for the Convergence of Risk Management & Business Continuity

1 Preparing for the Convergence of Risk Management & Business Continuity. Disaster Recovery Journal Webinar Series, September 5, 2012. 2012 Strategic BCP, Inc. All rights reserved. strategicbcp.com

2 Today's Presenter: Frank Perlmutter, CBCP. Former Manager of DR/COOP (BCP) and Risk Manager for the U.S. Department of the Treasury. President & Co-Founder of Strategic BCP, creators of ResilienceONE BCM Software. Has managed BC, Risk, and Process Improvement programs for over 100 organizations.

3 Background: Strategic BCP was established in 2004. Purpose: elevate the productivity and relevance of business continuity (BC) professionals. ResilienceONE was introduced as a milestone in using technology to streamline the process of creating and maintaining BC plans.

4 Webinar Focus Areas
- Risk Management vs. Business Continuity
- Risk Management Principles
- Enterprise Risk Management: Practical Application
- Operational Risk Management: Practical Application
- Q&A and Wrap-up

5 Disaster Recovery Journal Webinar Series: Risk Management vs. Business Continuity

6 Risk Management vs. Business Continuity (diagram slide)

7 Preventative Care vs. Reactive Approach
Analyzing the risk and preventing it: eat well, exercise, and take vitamins. Reacting to the risk: have a heart attack and get revived.
Proactive vs. Reactive:
- BC professionals unfortunately tend to focus too much on the reaction: response, recovery, restoration; plan/document-centric.
- BC professionals are better served by concentrating adequate focus on the proactive: mitigating the risk of outages before they happen; analysis-centric.

8 Why the Convergence of BC and RM?
- The convergence of BC and RM has already occurred and continues to evolve.
- Regulations, frameworks, and standards reflect a strong theme of management of risk.
- Decision-makers gravitate towards Risk Management for its continuous value, making BC a subset.

9 Preparation for Current Reality
- Many BC professionals are being left behind by unrequited devotion to outdated methods.
- Strong plans do not necessarily equate to a strong ability to actually recover and reduce impact. This reduces the value of the professional who focuses only on plans.
- Risk Management has value to everyday decision-making; Business Continuity Plans do not.

10 What is the Dominant Discipline?
- There is an overlap of concepts between the two disciplines.
- The Risk Assessment and the Business Impact Analysis are risk-based tools. How they are implemented, and the value they bring, determine whether the process is a sound risk-based model or not.
- Risk Management as a discipline is generally leading the way; Business Continuity is a subset of overall Risk Management.

11 Risk Management Practice Areas: Business Continuity/Incident Management, Internal Controls, Enterprise Risk, Operational Risk, Financial Risk, Legal Risk, Third Party Risk, BOD/Ethics Risk, Environmental Risk, Quality Assurance, Information Technology Risk.

12 The Convergence/Overlap
NOW: Business Continuity; Business Impact Analysis and Risk Assessment; Enterprise Risk.
FUTURE: Internal Controls?; Legal Risk?; Operational Risk; Information Technology Risk; Financial Risk; Third Party Risk.

13 Disaster Recovery Journal Webinar Series: Risk Management Principles

14 What's Available?
- A sea of Risk Management regulations, standards, and best practices.
- Business Continuity regulations, standards, and best practices are similarly prevalent.
- There are similarities and guiding principles throughout all of them.
- Focus on the COMMON guiding principles.

15 A Selection of RM Regulations, Standards, Best Practices, Frameworks: ISO (number not preserved); COSO Framework; OCEG GRC Capability Model (Red Book); FERMA 2002; ISO/IEC (number not preserved); Basel II and Basel III; BS :2007; ISO 22301:2012; NFPA 1600: 2007/2010; COBIT; Institute of Operational Risk; ISO (three further standards, numbers not preserved); NIST 800 Series; ITIL v.3; DRII/BCI; Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.

16 Focus on What Delivers Value: Mandatory vs. Voluntary
Regulations: mandatory, authoritative rules dealing with details or procedures, having the force of law, issued by an authority of government.
Standards and Best Practices: voluntary criteria, guidelines and best practices used to enhance the quality, performance, reliability, and consistency of products, services and/or processes.
Our guidance: with so many mandatory standards, we have seen that most examiners and executives pay little attention to voluntary standards. Standards and best practices in both BC and RM tend to be conceptual, with little guidance on practical implementation.

17 The Mission of Risk Management
- Operational Improvement: ability to identify and remediate inefficiently operating processes that may cause outages/impacts.
- Compliance: evidence of properly implemented standards.
- Resilience: ability to identify and remediate infrastructure vulnerabilities that may result in unacceptable impacts.

18 Overarching Principles of Risk Management (COSO Enterprise Risk Management: Integrated Framework)
- COSO provides an overall framework and principles for Risk Management.
- COSO was originally housed in controls; it has moved to a strategic approach.
- Objectives appear at the top of the cube; the right side of the cube shows that Risk Management must be considered at all levels of an organization; risk management activities appear on the front of the cube.

19 Disaster Recovery Journal Webinar Series: Enterprise Risk Management - Practical Application

20 Enterprise Risk vs. Operational Risk
- Enterprise Risk Management focuses on mitigating events that negatively impact an organization's supporting infrastructure: people, facilities, information technology, assets. In BC tool terms: Risk Assessment, Risk Analysis, Hazard Vulnerability Analysis.
- Operational Risk Management focuses on mitigating vulnerabilities in operational business processes. In BC tool terms: Business Impact Analysis, Business Impact Assessment, Downtime Impact Analysis.
- Both disciplines manage risk by making decisions (strategic, mitigation, operational, etc.) that balance benefits against risk.

21 Establishing an Enterprise Risk Appetite
- Core policy that defines decision-making: (Probability x Impact) - Mitigated Risk = Enterprise Risk
- Organizations can set a risk appetite around the individual factors or around the overall risk.
- The remediation budget must align with the Risk Appetite.

22 Performing an Enterprise Risk Assessment
An Enterprise Risk Assessment (ERA) identifies potential threats that may impact an organization, and identifies measures to limit the probability or impact of those threats.
- Determine the threats to be included in your Enterprise Risk Assessment. They revolve around your infrastructure.
- Research and evaluate each risk by probability and impact of occurrence.
- Identify threats outside the Risk Appetite of the organization.
- Provide a mitigation plan with alternatives that show the cost of each mitigation measure and how much of the risk it reduces.
- Obtain sign-off on either acceptance of the risk (i.e. do nothing) or a mitigation alternative.

23 Sample ERA Report
Once risks are quantified, plot them on a grid as shown below. This will help management decide how to deal with the risks (Transfer, Accept, Reduce or Mitigate). Obtain sign-off!
Grid: Impact on the vertical axis, Probability on the horizontal axis. Top row (higher impact): REDUCE | MITIGATE; bottom row (lower impact): ACCEPT | TRANSFER. Example measures shown on the grid: Management Controls, Process Controls, Physical Controls, Alternate Vendors, Terminate Activity, Eliminate Risk, Insurance, Outsourcing, Updated Contact Lists, Strategic Alliances.
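The ERA steps on slides 21 to 23 (score probability x impact, subtract the mitigated risk, compare the result with the appetite, place each threat on the grid, and put costed alternatives in front of management for sign-off) carried through as one worked example. This is an added example written for this page, not the webinar's or ResilienceONE's code. It assumes a 1..5 scoring scale for probability and impact, a grid boundary at 3, a residual-risk appetite of 8 points, the quadrant layout as read from the slide (top row Reduce | Mitigate, bottom row Accept | Transfer, probability increasing left to right), and constructed threats, cost figures and reduction percentages.

```python
"""Enterprise Risk Assessment (ERA) worked example.

Constructed example, not the webinar's software. Scores each threat as
probability x impact on a 1..5 scale, places it in the Reduce / Mitigate /
Accept / Transfer grid, flags threats outside the risk appetite, and ranks
the mitigation alternatives that bring the residual ("Enterprise") risk
back within appetite by cost per point of risk removed, so management can
sign off on one alternative or on accepting the risk.
"""
from dataclasses import dataclass, field

HIGH = 3   # assumption: a score of 3 or more is the "high" half of the grid


@dataclass
class Alternative:
    name: str
    annual_cost: float   # hypothetical currency units
    reduction: float     # fraction of the inherent risk removed, 0..1


@dataclass
class Threat:
    name: str
    probability: int     # 1..5 (assumed scale)
    impact: int          # 1..5 (assumed scale)
    alternatives: list = field(default_factory=list)

    def inherent(self) -> int:
        return self.probability * self.impact

    def residual(self, alt: Alternative) -> float:
        # Slide 21: (Probability x Impact) - Mitigated Risk = Enterprise Risk
        return self.inherent() - self.inherent() * alt.reduction


def quadrant(t: Threat) -> str:
    """Grid position as read from slide 23: top row (high impact) REDUCE |
    MITIGATE, bottom row (low impact) ACCEPT | TRANSFER, probability
    increasing left to right."""
    high_impact = t.impact >= HIGH
    high_prob = t.probability >= HIGH
    if high_impact:
        return "MITIGATE" if high_prob else "REDUCE"
    return "TRANSFER" if high_prob else "ACCEPT"


def assess(threats, appetite):
    """One report row per threat. For a threat outside appetite, the
    recommended alternative is the cheapest per point of risk removed among
    those whose residual risk is within appetite; None means nothing is
    recommended (the threat is within appetite, or only 'accept' remains)."""
    report = []
    for t in threats:
        inherent = t.inherent()
        options = []
        for a in t.alternatives:
            residual = t.residual(a)
            removed = inherent - residual
            options.append({
                "alternative": a.name,
                "annual_cost": a.annual_cost,
                "residual": residual,
                "cost_per_point": a.annual_cost / removed if removed > 0 else float("inf"),
                "within_appetite": residual <= appetite,
            })
        options.sort(key=lambda o: o["cost_per_point"])   # best value first
        recommended = None
        if inherent > appetite:
            eligible = [o for o in options if o["within_appetite"]]
            if eligible:
                recommended = eligible[0]["alternative"]
        report.append({
            "threat": t.name,
            "inherent": inherent,
            "quadrant": quadrant(t),
            "outside_appetite": inherent > appetite,
            "options": options,
            "recommended": recommended,
        })
    return report


# Constructed sample threats to the supporting infrastructure (people,
# facilities, IT, assets); all figures are illustrative only.
THREATS = [
    Threat("Regional power outage", probability=4, impact=4, alternatives=[
        Alternative("Install standby generator", annual_cost=50_000, reduction=0.75),
        Alternative("UPS only (graceful shutdown)", annual_cost=12_000, reduction=0.25),
    ]),
    Threat("Key vendor insolvency", probability=2, impact=5, alternatives=[
        Alternative("Qualify second-source vendor", annual_cost=20_000, reduction=0.60),
        Alternative("Source-code/data escrow", annual_cost=5_000, reduction=0.30),
    ]),
    Threat("Stale emergency contact list", probability=2, impact=1, alternatives=[
        Alternative("Quarterly contact-list refresh", annual_cost=500, reduction=0.90),
    ]),
]

RISK_APPETITE = 8   # assumption: maximum acceptable residual score per threat

if __name__ == "__main__":
    for row in assess(THREATS, RISK_APPETITE):
        flag = "OUTSIDE appetite" if row["outside_appetite"] else "within appetite"
        print(f'{row["threat"]}: inherent={row["inherent"]} {row["quadrant"]} ({flag})')
        for o in row["options"]:
            print(f'   {o["alternative"]:32} cost={o["annual_cost"]:>7} '
                  f'residual={o["residual"]:.1f} cost/point={o["cost_per_point"]:.0f}')
        print(f'   recommended for sign-off: {row["recommended"] or "accept the risk"}')
```

Note that the cheapest alternative per point of risk removed is not always the one recommended: the UPS option is better value per point for the power outage, but it leaves a residual of 12 against an appetite of 8, so only the generator is eligible. That is the check the slide's "sign-off" step depends on, and it only works if the appetite is written down before the alternatives are costed.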

24 Disaster Recovery Journal Webinar Series: Operational Risk Management - Practical Application

25 Operational RM and BC Crossing Paths
Operational Risk Management and BC MAY cross paths in several places (if you perform these activities correctly): the Business Impact Analysis, and mapping normal operations.
- The Business Impact Analysis provides a prioritization of operational processes and their linked supporting resources by gauging impact (e.g. RTOs).
- Mapping (and understanding) normal operations is essential to developing recovery strategies.

26 Gathering OBJECTIVE Data is Critical
Your data should be based as much on FACT and as little on OPINION as possible; don't use a subjective method.
The Subjective RTO (the popular "asking" method):
- Problem #1: There are numerous impacts used to calculate an RTO; respondents couldn't possibly ANALYZE all scenarios in their heads.
- Problem #2: Respondents are not using a consistent scale to determine their RTO; everyone calculates differently in their heads.
- Problem #3: Results reflect limited data integrity, making justification to executives and auditors challenging.
OBJECTIVE data gathering methods:
- Provide a consistent scale for all respondents.
- Do not ask respondents to perform on-the-fly analysis.
- Provide better data integrity.

27 Objective Risk-Based Method: Setup
- Start by gathering the quantitative and qualitative factors that reflect the impact of taking down your operations.
- Weight the factors, as some may be more important than others.
- Set levels of impact for each factor.

28 Objective Risk-Based Method: Data Gathering
- Establish a timeline with time periods (i.e. your Recovery Timeframe Objectives, or RTOs) over which you will measure impact.
- Record your scoring of the factors (e.g. reputational harm, regulatory fines, etc.) for each function and time period using the scale.

29 Objective Risk-Based Method: Prioritizing Operational Activities
METRIC: By RTO
- Set a prioritization of activities by time period.
- Set a points limit for your maximum level of acceptable risk. This is your organizational risk appetite.
- When the totals in a time period first exceed that limit, your maximum timeframe is the time period immediately prior.
METRIC: By Total Impact
- Add the totals of all time periods together.
- This provides the aggregate risk over the entire timeline.
Sample table (the per-period scores were not preserved in the transcription). Columns: #, RTO, Function, then the time periods Under 1 Day, 1 Day, 2 Days, 3 Days, 4 Days, 5 Days, 2 Weeks, 3 Weeks, 4 Weeks, 5 Weeks. Rows: Process Deposits (RTO: Immediately); Take Orders Via Phone (RTO: Immediately); Reconciliation - Beginning of Day (RTO: ... DAY); Reconciliation - End of Day (RTO: ... DAYS); Process Payments to Customers (RTO: ... WEEKS). Yellow = exceeds the maximum level of acceptable risk (6).

30 Setting a Risk Appetite: Operational Risk Modeling
Table (the function counts were not preserved in the transcription). Columns: Timeframe, # of Functions (X=6), # of Functions (X=12), # of Functions (X=18), Tier. Timeframes and tiers: Immediately, 1 hour, 8 hours, 12 hours, 1 day, 2 days: Critical; 3 days, 4 days, 1 week: Necessary; 2 weeks, > 2 weeks: Optional.
a) X = 6 points: 56% of functions are in the one-week timeframe (high risk tolerance, strong recovery capability).
b) X = 12 points: 32% are in the one-week timeframe (mean risk tolerance).
c) X = 18 points: 17% are in the one-week timeframe (low risk tolerance, weak recovery capability).
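The setup, data-gathering and prioritizing steps of slides 27 to 30 as one runnable example. This is an added example, not the webinar's ResilienceONE software. The four factors and their weights, the 0..3 impact-level scale, the tier boundaries (Critical up to 2 days, Necessary up to 5 days, Optional from 2 weeks), and the five functions' BIA responses are all constructed for illustration, so the percentages it produces for X = 6, 12 and 18 are not the slide's 56/32/17. What it does show is the mechanics the slides describe: respondents only ever pick a level from a fixed scale per factor and per period, and the RTO, total impact, tier and one-week share all fall out of the arithmetic.

```python
"""Objective, risk-based RTO scoring (constructed example, not ResilienceONE).

Setup:        weighted impact factors and an impact-level scale (0 = none,
              1 = minor, 2 = major, 3 = severe; assumed scale).
Gathering:    one level per factor, per function, per recovery time period.
Prioritizing: per-period weighted score; the RTO is the period immediately
              before the first period whose score exceeds the points limit X
              (the organisational risk appetite); total impact is the sum over
              all periods; the RTO is then mapped to a recovery tier.
"""

# Recovery time periods, in order: the columns of the slide's table.
PERIODS = ["< 1 day", "1 day", "2 days", "3 days", "4 days",
           "5 days", "2 weeks", "3 weeks", "4 weeks", "5 weeks"]

# Impact factors and their weights (assumed; the webinar publishes none).
FACTORS = {"financial loss": 3, "regulatory fines": 2,
           "reputational harm": 2, "customer impact": 1}

# Constructed BIA responses: for each function and factor, one impact-level
# digit per period in PERIODS. Levels only grow as the outage lengthens.
FUNCTIONS = {
    "Process Deposits": {
        "financial loss":    "2333333333",
        "regulatory fines":  "1233333333",
        "reputational harm": "1123333333",
        "customer impact":   "2333333333",
    },
    "Take Orders Via Phone": {
        "financial loss":    "1233333333",
        "regulatory fines":  "0000111111",
        "reputational harm": "1223333333",
        "customer impact":   "2333333333",
    },
    "Reconciliation - Beginning of Day": {
        "financial loss":    "0112222333",
        "regulatory fines":  "0112222333",
        "reputational harm": "0001122333",
        "customer impact":   "0022222333",
    },
    "Reconciliation - End of Day": {
        "financial loss":    "0001122333",
        "regulatory fines":  "0001111223",
        "reputational harm": "0000011223",
        "customer impact":   "0000111222",
    },
    "Process Payments to Customers": {
        "financial loss":    "0000000122",
        "regulatory fines":  "0000001122",
        "reputational harm": "0000000112",
        "customer impact":   "0000001112",
    },
}

# Every possible RTO value, earliest first.
RTO_ORDER = ["Immediately"] + PERIODS + ["> " + PERIODS[-1]]


def period_scores(levels_by_factor):
    """Weighted impact score per period: sum over factors of weight x level."""
    return [sum(FACTORS[f] * int(levels[i]) for f, levels in levels_by_factor.items())
            for i in range(len(PERIODS))]


def rto_for(scores, limit):
    """Metric 'by RTO': the period immediately before the first period whose
    score exceeds the points limit (the risk appetite X)."""
    for i, score in enumerate(scores):
        if score > limit:
            return "Immediately" if i == 0 else PERIODS[i - 1]
    return RTO_ORDER[-1]          # the limit is never exceeded on this timeline


def tier_for(rto):
    """Tier by RTO, modelled on slide 30 (assumed boundaries): up to 2 days
    Critical, 3 days to 1 week Necessary, 2 weeks or later Optional."""
    idx = RTO_ORDER.index(rto)
    if idx <= RTO_ORDER.index("2 days"):
        return "Critical"
    if idx <= RTO_ORDER.index("5 days"):
        return "Necessary"
    return "Optional"


def prioritize(functions, limit):
    """Rows sorted by RTO (earliest first), then by total impact (metric
    'by total impact': the scores of all periods added together)."""
    rows = []
    for name, levels in functions.items():
        scores = period_scores(levels)
        rto = rto_for(scores, limit)
        rows.append({"function": name, "rto": rto, "tier": tier_for(rto),
                     "total_impact": sum(scores), "scores": scores})
    rows.sort(key=lambda r: (RTO_ORDER.index(r["rto"]), -r["total_impact"]))
    return rows


def rtos(functions, limit):
    """Function name -> RTO for a given points limit."""
    return {r["function"]: r["rto"] for r in prioritize(functions, limit)}


def share_within_one_week(functions, limit):
    """Percentage of functions whose RTO is one week or less: the figure
    slide 30 compares across X = 6, 12 and 18 to choose a risk appetite."""
    rows = prioritize(functions, limit)
    within = sum(1 for r in rows if r["tier"] != "Optional")
    return round(100 * within / len(rows))


if __name__ == "__main__":
    for limit in (6, 12, 18):
        print(f"\nPoints limit X = {limit}: "
              f"{share_within_one_week(FUNCTIONS, limit)}% of functions within one week")
        for r in prioritize(FUNCTIONS, limit):
            flagged = " ".join(f"{s:2d}" + ("*" if s > limit else " ") for s in r["scores"])
            print(f'  {r["function"]:34} RTO {r["rto"]:10} {r["tier"]:9} '
                  f'total {r["total_impact"]:3}  | {flagged}')
```

Raising X from 6 to 18 moves the same five functions from 80% to 40% within one week without a single respondent changing an answer, which is the point of slide 30: the appetite is a management decision taken on top of objective data, and it should be set once and recorded, not re-derived by each respondent in their head. The per-period scores (with an asterisk where the limit is exceeded) are the rows the slide's yellow cells represent.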

31 Understanding Operations is Essential: many BC professionals skip right to recovery operations instead of documenting the normal business process first.

32 Reengineering Operations
Are there any inefficiencies or vulnerabilities in the highest value activities?
- Provide a process mapping (i.e. a standard operating procedure) for each of the highest value activities.
- Notice manual steps and repeated activities.
- Provide a roadmap to investigating automation solutions.
- Implement the best solution.

33 People, Technology, Facilities, and Assets Support Your Critical Activities (diagram: People, Technology, Operations, Facilities & Assets)

34 Reviewing Supporting Operational Infrastructure
Are there any inefficiencies or vulnerabilities in the highest value operational infrastructure?
- Establish expertise in one or more areas and spot risks and vulnerabilities. What are some common risks and vulnerabilities in these areas?
- Offer cost-effective/high-value mitigation alternatives.
- Over/under-utilization of resources: offer economies of scale with people, IT, and vendor resources; offer cost-cutting measures to reduce under-utilized resources.

35 RED FLAGS: Spotting BCM/RM Tools and Methods That Lead Users Down the Wrong Path
Poor Reporting and Analytics:
- Focus on paper planning.
- Limited custom reporting, or extensive reporting setup.
- Output very similar to input.
Subjective Data Gathering Methods:
- Long questionnaires that ASK USERS to calculate risk; the system should provide detailed calculations.
- Excessive narrative justification of risk measurements.
- Inability to group risks at different organizational levels, e.g. by region, facility, department, supporting asset, etc.

36 Questions?

37 Wrap-Up. For more insights: contact Frank Perlmutter, CBCP; visit strategicbcp.com; attend Frank's presentation on BC Metrics at the September DRJ World Conference, San Diego.


More information

Business Continuity Plan

Business Continuity Plan Business Continuity Plan October 2007 Agenda Business continuity plan definition Evolution of the business continuity plan Business continuity plan life cycle FFIEC & Business continuity plan Questions

More information

www.pwc.com Governance, Risk and Compliance Update & Hot Topics Pittsburgh Chapter IIA December 3, 2012

www.pwc.com Governance, Risk and Compliance Update & Hot Topics Pittsburgh Chapter IIA December 3, 2012 www.pwc.com Governance, Risk and Compliance Update & Hot Topics Pittsburgh Chapter IIA December 3, 2012 Agenda Introduction Mark Gibbons 12:00 12:05 Governance, Risk and Compliance Overview Mark Gibbons

More information

Disaster Recovery Policy

Disaster Recovery Policy Disaster Recovery Policy INTRODUCTION This policy provides a framework for the ongoing process of planning, developing and implementing disaster recovery management for IT Services at UCD. A disaster is

More information

Enterprise Risk Management

Enterprise Risk Management Cayman Islands Society of Professional Accountants Enterprise Risk Management March 19, 2015 Dr. Sandra B. Richtermeyer, CPA, CMA What is Risk Management? Risk management is a process, effected by an entity's

More information

Moving Forward with IT Governance and COBIT

Moving Forward with IT Governance and COBIT Moving Forward with IT Governance and COBIT Los Angeles ISACA COBIT User Group Tuesday 27, March 2007 IT GRC Questions from the CIO Today s discussion focuses on the typical challenges facing the CIO around

More information

NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015

NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015 NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015 Overview The University of Pittsburgh NIST Cybersecurity Framework Pitt NIST Cybersecurity Framework Program Wrap Up Questions

More information

The PNC Financial Services Group, Inc. Business Continuity Program

The PNC Financial Services Group, Inc. Business Continuity Program The PNC Financial Services Group, Inc. Business Continuity Program subsidiaries) 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis

More information

Business Continuity Planning. Presentation and. Direction

Business Continuity Planning. Presentation and. Direction Business Continuity Planning Presentation and Direction Thomas Bronack, president Data Center Assistance Group, Inc. 15180 20 th Avenue Whitestone, NY 11357 Phone: (718) 591-5553 Email: bronackt@dcag.com

More information

CORE Security and GLBA

CORE Security and GLBA CORE Security and GLBA Addressing the Graham-Leach-Bliley Act with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com

More information

Business Continuity Management 2022: Where we have been? Where are we going?

Business Continuity Management 2022: Where we have been? Where are we going? www.pwc.com Business Continuity Management 2022: Where we have been? Where are we going? Agenda Introduction Business Continuity Management (BCM) 2022 overview BCM 2022 highlights Methodology BCM skill

More information

Chapter 1: An Overview of Emergency Preparedness and Business Continuity

Chapter 1: An Overview of Emergency Preparedness and Business Continuity Chapter 1: An Overview of Emergency Preparedness and Business Continuity After completing this chapter, students will be able to: Describe organization and facility stakeholder needs during and after emergencies.

More information

By. Mr. Chomnaphas Tangsook Business Director BSI Group ( Thailand) Co., Ltd

By. Mr. Chomnaphas Tangsook Business Director BSI Group ( Thailand) Co., Ltd BS 25999 Business Continuity Management By. Mr. Chomnaphas Tangsook Business Director BSI Group ( Thailand) Co., Ltd 1 Contents slide BSI British Standards 2006 BS 25999(Business Continuity) 2002 BS 15000

More information

STREAM Cyber Security

STREAM Cyber Security STREAM Cyber Security Management Software Governance, Risk Management & Compliance (GRC) Security Operations, Analytics & Reporting (SOAR) Fast, flexible, scalable, easy to use and affordable software

More information

> State Street. Corporate Continuity Program. Continuity Organizational Structure. Program Oversight

> State Street. Corporate Continuity Program. Continuity Organizational Structure. Program Oversight > State Street An Integrated Approach to Continuity Metrics & Progress Reporting Presented to: Continuity Insights May 2007 Presented by: Chris Glebus Continuity Organizational Structure Executive Management

More information

Disaster Recovery & Business Continuity Related, but NOT the Same! Teri Stokes, Ph.D., Director GXP International

Disaster Recovery & Business Continuity Related, but NOT the Same! Teri Stokes, Ph.D., Director GXP International Disaster Recovery & Business Continuity Related, but NOT the Same! Teri Stokes, Ph.D., Director GXP International BCP Definitions Business Continuity Plan: An ongoing process supported by senior management

More information

Cybersecurity Maturity Assessment: Are you where you should be?

Cybersecurity Maturity Assessment: Are you where you should be? Cybersecurity Maturity Assessment: Are you where you should be? NAFCU Services Webinar: 2/23/2016 A subsidiary of Introduction Matt Mitchell, CISSP- Director Risk Assurance 18 years information security

More information

Business Continuity Planning Instructions

Business Continuity Planning Instructions Business Continuity Planning Instructions Business continuity planning is a proactive planning process that ensures critical services or products are delivered during a disruption. In creating the plan,

More information

Re-Emphasizing Risk Management. by George Huff November 9, 2011

Re-Emphasizing Risk Management. by George Huff November 9, 2011 Re-Emphasizing Risk Management by George Huff November 9, 2011 2 Risk Management and Supply Chain Security ISO 28000 s Risk-Based Approach to Management Systems ISO Format adopted from ISO 14001:2004 Environmental

More information

ENTERPRISE RISK MANAGEMENT FRAMEWORK

ENTERPRISE RISK MANAGEMENT FRAMEWORK ENTERPRISE RISK MANAGEMENT FRAMEWORK COVENANT HEALTH LEGAL & RISK MANAGEMENT CONTENTS 1.0 PURPOSE OF THE DOCUMENT... 3 2.0 INTRODUCTION AND OVERVIEW... 4 3.0 GOVERNANCE STRUCTURE AND ACCOUNTABILITY...

More information

The President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013.

The President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013. The President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013. The Executive Order calls for the development of a voluntary risk based Cybersecurity Framework

More information

WHITE PAPER Leveraging GRC for PCI DSS Compliance. By: Chris Goodwin, Co-founder and CTO, LockPath

WHITE PAPER Leveraging GRC for PCI DSS Compliance. By: Chris Goodwin, Co-founder and CTO, LockPath WHITE PAPER Leveraging GRC for PCI DSS Compliance By: Chris Goodwin, Co-founder and CTO, LockPath The Payment Card Industry Data Security Standard ( PCI DSS ) is set forth by a consortium of payment card

More information

CISM ITEM DEVELOPMENT GUIDE

CISM ITEM DEVELOPMENT GUIDE CISM ITEM DEVELOPMENT GUIDE Updated January 2015 TABLE OF CONTENTS Content Page Purpose of the CISM Item Development Guide 3 CISM Exam Structure 3 Writing Quality Items 3 Multiple-Choice Items 4 Steps

More information

Policy 10.105: Enterprise Risk Management Policy

Policy 10.105: Enterprise Risk Management Policy Name: Responsibility: Complements: Enterprise Risk Management Framework Coordinator, Enterprise Risk Management Policy 10.105: Enterprise Risk Management Policy Date: November 2006 Revision Date(s): January

More information

BRIDGING BARRIERS: LEGAL AND TECHNICAL OF CYBERCRIME CASES

BRIDGING BARRIERS: LEGAL AND TECHNICAL OF CYBERCRIME CASES Organizer: BRIDGING BARRIERS: LEGAL AND TECHNICAL OF CYBERCRIME CASES Session 6 : Securing Your Fortress Best practices, standards, techniques and technologies secure your organization from cyber criminals.

More information

Subject Area 1 Project Initiation and Management

Subject Area 1 Project Initiation and Management DRII/BCI Professional Practice Narrative: Establish the need for a Business Continuity Plan (BCP), including obtaining management support and organizing and managing the BCP project to completion. (This

More information

Justifying Business Continuity: How it Impacts Risk Management

Justifying Business Continuity: How it Impacts Risk Management Justifying Business Continuity: How it Impacts Risk Management Joe Elliott Neverfail 2 Agenda Definition of Business Continuity Road Blocks to Justification Defining Risk Management Reduction through the

More information

Italy. EY s Global Information Security Survey 2013

Italy. EY s Global Information Security Survey 2013 Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information

More information

Information Security Management for SMEs: Implementating and Operating a Business Continuity Management System (BCMS) Using PDCA Cycle

Information Security Management for SMEs: Implementating and Operating a Business Continuity Management System (BCMS) Using PDCA Cycle Proceedings of FIKUSZ 13 Symposium for Young Researchers, 2013, 133-141 pp The Author(s). Conference Proceedings compilation Obuda University Keleti Faculty of Business and Management 2013. Published by

More information

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015 Cybersecurity Audit Why are we still Vulnerable? November 30, 2015 John R. Robles, CISA, CISM, CRISC www.johnrrobles.com jrobles@coqui.net 787-647-3961 John R. Robles- 787-647-3961 1 9/11-2001 The event

More information

White Paper: ISO 22301 Business Continuity Management An Overview. ISO 22301 Business Continuity Management An Overview

White Paper: ISO 22301 Business Continuity Management An Overview. ISO 22301 Business Continuity Management An Overview White Paper: ISO 22301 Business Continuity Management An Overview ISO 22301 Business Continuity Management An Overview Introduction As incidents such as malicious activism, terrorist attacks and environmental

More information

By: Tracy Hall. Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level. June 9, 2015

By: Tracy Hall. Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level. June 9, 2015 Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level June 9, 2015 By: Tracy Hall MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company,

More information

Moving from BS 25999-2 to ISO 22301. The new international standard for business continuity management systems. Transition Guide

Moving from BS 25999-2 to ISO 22301. The new international standard for business continuity management systems. Transition Guide Transition Guide Moving from BS 25999-2 to ISO 22301 The new international standard for business continuity management systems Extract from The Route Map to Business Continuity Management: Meeting the

More information

Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization

Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization Outside View of Increased Regulatory Requirements Regulatory compliance is often seen as sand in the gears requirements

More information

The Business Continuity Maturity Continuum

The Business Continuity Maturity Continuum The Business Continuity Maturity Continuum Nick Benvenuto & Brian Zawada Protiviti Inc. 2004 Protiviti Inc. EOE Agenda Terminology Risk Management Infrastructure Discussion A Proposed Continuity Maturity

More information

The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework

The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework Dorothy Gjerdrum, ARM-P, Chair of the ISO 31000 US TAG and Executive Director,

More information

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available

More information

Business Continuity Management Framework 2014 2017

Business Continuity Management Framework 2014 2017 Business Continuity Management Framework 2014 2017 Blackpool Council Business Continuity Framework V3.0 Page 1 of 13 CONTENTS 1.0 Forward 03 2.0 Administration 04 3.0 Policy 05 4.0 Business Continuity

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Business Continuity Management Standard for IT Systems This standard is applicable to all VCU School of Medicine

More information

ISO Revisions. ISO 9001 Whitepaper. The importance of risk in quality management. Approaching change

ISO Revisions. ISO 9001 Whitepaper. The importance of risk in quality management. Approaching change ISO Revisions ISO 9001 Whitepaper The importance of risk in quality management Approaching change Background and overview to the ISO 9001:2015 revision As an International Standard, ISO 9001 is subject

More information

SCADA Business Continuity and Disaster Recovery. Presented By: William Biehl, P.E. 913-601-0104 (mobile) Bill.Biehl@we-inc.com

SCADA Business Continuity and Disaster Recovery. Presented By: William Biehl, P.E. 913-601-0104 (mobile) Bill.Biehl@we-inc.com SCADA Business Continuity and Disaster Recovery Presented By: William Biehl, P.E. 913-601-0104 (mobile) Bill.Biehl@we-inc.com Business Continuity Planning, a Sound Process A Business Continuity Plan: "A

More information

Assessment of natural hazards, man made hazards, technical and societal related risks and associated impact.

Assessment of natural hazards, man made hazards, technical and societal related risks and associated impact. Aon Business Continuity Planning The Aon Business Continuity Planning practice provides consulting services that allow Aon clients to measure and manage their strategic and tactical risks through Crisis

More information

A risky business. Why you can t afford to gamble on the resilience of business-critical infrastructure

A risky business. Why you can t afford to gamble on the resilience of business-critical infrastructure A risky business Why you can t afford to gamble on the resilience of business-critical infrastructure Banking on a computer system that never fails? Recent failures in the retail banking system show how

More information

BT Conferencing Business Continuity Management. Planning to stay in business

BT Conferencing Business Continuity Management. Planning to stay in business BT Conferencing Business Continuity Management Planning to stay in business Planning for the unexpected In today s connected world, businesses are increasingly dependent on their communications and networked

More information

Cybersecurity and the Threat to Your Company

Cybersecurity and the Threat to Your Company Why is BIG Data Important? March 2012 1 Cybersecurity and the Threat to Your Company A Navint Partners White Paper September 2014 www.navint.com Cyber Security and the threat to your company September

More information

Project Management and ITIL Transitions

Project Management and ITIL Transitions Project Management and ITIL Transitions April 30 th 2012 Linda Budiman Director CSC 1 Agenda Thought Leadership: Linda Budiman What is ITIL & Project Management: Applied to Transitions Challenges & Successes:

More information

Understanding Today s Enterprise Risk Management Programs

Understanding Today s Enterprise Risk Management Programs Understanding Today s Enterprise Risk Management rograms Joel Tietz, TIAA-CREF Managing Director, Enterprise Risk Management March 23, 2015 TIAA-CREF - UBLIC USE Agenda 1) Enterprise Risk Management rograms

More information

Remarks for Admiral David Simpson WTA Advocates for Rural Broadband Spring Meeting Cybersecurity Panel

Remarks for Admiral David Simpson WTA Advocates for Rural Broadband Spring Meeting Cybersecurity Panel Remarks for Admiral David Simpson WTA Advocates for Rural Broadband Spring Meeting Cybersecurity Panel May 5th, 2015 10:00-11:30 a.m. Hyatt Regency, Indian Wells, CA Thank you all for welcoming me. It

More information

Checklist of ISO 22301 Mandatory Documentation

Checklist of ISO 22301 Mandatory Documentation Checklist of ISO 22301 Mandatory Documentation 1) Which documents and records are required? The list below shows the minimum set of documents and records required by ISO 22301:2012 (the standard refers

More information