BUILDING A SECURITY CONSCIOUS BUSINESS CONTINUITY MANAGEMENT (BCM) PROGRAM

Transcription

1 BUILDING A SECURITY CONSCIOUS BUSINESS CONTINUITY MANAGEMENT (BCM) PROGRAM SAM STAHL, CBCP, MBCI EMC GLOBAL PROFESSIONAL SERVICES PROGRAM MANAGER [email protected] ASIS SHANGHAI,

2 AGENDA Overview Definitions ASIS Security Councils/Security Concerns Recovery Program Goals Considerations BCM Governance Program Teams Methodologies Recovery & Response Plans Exercises Measurements and Reporting Standard Documentation and Templates Questions to ask Next Steps 2

3 OVERVIEW Building a Security Conscious Business Continuity (BCM) Program This presentation illustrates how comprehensive BCM Programs can be developed to include security functions. Includes key elements of the ASIS Crisis Management and Business Continuity Council s annual Crisis Management Workshop which strives to illustrate the importance of security functions and organizations within recovery programs. 3

4 DEFINITIONS Recovery Program/Continuity Program/Crisis Management Program Governance Teams vs. Recovery Teams Disaster Recovery Business Continuity Crisis Management vs. Emergency Management vs. Incident Response Emergency Response Organizational Resilience Business Impact Analysis (BIA) Recovery Time Objective (RTO) Recovery Point Objective (RPO) SLAs, DOUs, Contracts & Regulations Hierarchical Criticality Categorizations 4

5 ASIS COUNCILS/SECURITY CONCERNS Academic and Training Programs Banking and Financial Services Commercial Real Estate Crime and Loss Prevention Crisis Management and Business Continuity Cultural Properties Defense and Intelligence Economic Crime Fire and Life Safety Food Defense and Agriculture Security Gaming and Wagering Protection Global Terrorism and Political Instability Healthcare Security Hospitality, Entertainment and Tourism Security Information Asset Protection and Pre-Employment Screening Information Technology Security Investigations Law Enforcement Liaison Leadership and Management Practices Military Liaison Petrochemical, Chemical, and Extractive Industry Security Pharmaceutical Security Physical Security Retail Loss Prevention School Safety and Security Security Architecture and Engineering Security Services Supply Chain and Transportation Security Utilities Security 5

6 RECOVERY PROGRAM GOALS Recovery Of Of Critical Functions & Assets & Infrastructure Sales/Marketing Manufacturing Shipping Communications HR Security Customers Legal Accounting Outside Resources Products, Services, & Communications Facilities Helpdesk Products, Services, & Communications R&D Payroll IT 6

7 RECOVERY & SECURITY CONSIDERATIONS Regulatory Local, State, Federal (Homeland Security, Financial regulations, Import/Export regulations, Etc.) Customer Contracts to perform at certain levels Guaranteed Sole provider Service Level Agreements Enterprise Risk Management Security Awareness Industry Trends Industry Conferences Security Organization s Business Local & Global Politics Disasters News BUSINESS PROCESSES Internal Meet BC/DR documented goals RTOs RPOs SLAs Audits APPLICATION INFRASTRUCTURE TECHNOLOGY INFRASTRUCTURE 7

8 BCM GOVERNANCE Governance Model Template Program Teams Recovery Program Goals Objectives Expectations Rules Regulations Standards Procedures Proposed Schedules Executive Steering Committee Program Management Office BC & DR Specialists Business Unit Teams IT/Asset Teams PLAN Business Impact Analysis, Risk Analysis, & Recovery Strategy Planning BUILD Develop the Business Continuity Management (BCM) Program MANAGE Conduct on-going BCM activities Critical Business Functions Recovery Point Objectives Critical Applications Recovery Time Objectives BCM Governance Emergency Response & Management Plan Recovery Strategy Disaster Recovery Plans Business Continuity Plans 8

9 GOVERNANCE RECOVERY PROGRAM TEAMS Governance Executive Steering Committee Program Management Office (PMO) High Level Oversight Program Delivery Recovery Specialists Business Continuity Disaster Recovery Etc. Day to Day Recovery Responsibilities Plan-Build-Maintain Assist the Plan Owners as needed Recovery Teams Executive Management CM Corporate Local Management CM Local/Geographical Business Units BC IT Organization DR Facilities Fire, Life, Safety Unique Recovery Teams responsible for the development and implementation of specific recovery plans 9

10 GOVERNANCE (CONT.) METHODOLOGY: ASIS/BSI BCM Plan (Establish the management system) Establish management system policy, objectives, processes, and procedures relevant to managing business continuity risks and improving response and recovery processes that deliver results in accordance with me organization s strategic needs. Do (Implement and operate the management system) Check (Monitor and review the management system) Implement and operate the management system policy, controls, processes, and procedures. Monitor, assess, measure, and review performance against management system policy, objectives, and practical experience; report the results to management for review; and determine and authorize actions for remediation and improvement. Act (Maintain and improve the management system) Take corrective and preventive actions, based on the results of tile internal management system audit and management review, re-appraising the scope of the BCMS and business continuity policy and objectives to achieve continual improvement of the management system. BSi: British Standards Institute 10

11 GOVERNANCE (CONT.) METHODOLOGY: DISASTER RECOVERY INSTITUTE INTERNATIONAL (DRII) According to the Disaster Recovery Institute International (DRII), a BC Program should contain the following areas: Program Initiation and Management Risk Evaluation and Control Business Impact analysis Business Continuity Strategies Emergency Response and Operations Business Continuity Plans Awareness and Training Programs Business Continuity Plan exercise, audit and maintenance Crisis Communications Coordination with external agencies 11

12 GOVERNANCE (CONT.) RECOVERY METHODOLOGY FLOW PLAN BUILD MANAGE Business Impact Analysis, Risk Analysis, & Recovery Strategy Planning Develop the Business Continuity Management (BCM) Program Conduct on-going BCM activities Critical Business Functions Critical Applications BCM Governance Recovery Point Objectives Recovery Time Objectives Emergency Response & Management Plan Recovery Strategy Disaster Recovery Plans Business Continuity Plans 12

13 GOVERNANCE (CONT.) Recovery & Response Plans Emergency Response Plans Incident Management Evacuation Plans Shelter in Place Intruder Alert Active Shooter, Etc. Emergency Management Organizational Emergency Management Geographical Business Continuity Business unit/ Location Disaster Recovery IT, critical resources Specialized plans for unique areas R&D Manufacturing, Etc. Emergency Response & Management Plan Evaluation Plans Disaster Recovery Plans Incident Management Plans Business Continuity Plans 13

14 GOVERNANCE (CONT.) RECOVERY AND RESPONSE PLANS Corporate EMT Team/Plan PROVIDES: Executive Guidance Executive Decisions Financial Support Internal/External communications Geographic Emergency Management Team Corporate Emergency Management Team This is usually the team that Declares a Disaster or Authorizes an Emergency Response Geographic EMT Team/Plan PROVIDES for Local management Guidance Decisions Financial Support Internal/communications Business Unit Business Continuity Team Geographic IT Asset Disaster Recovery Team People & Property Impacts Network & Infrastructure Impacts Business Unit Impacts People Buildings People People Buildings Technical Buildings Retail Stores Data Centers DR CTRs Comms Outages/Escalations for: Information Technology Network Services Data Distribution Data Replication Critical Business Processes Maintain Product and Services Delivery Maintain Billing Process Fund Bank Accounts/Pay Employees Manage Reputation and Brand Impact Manage Internal and External Communications 14

15 GOVERNANCE: EXERCISES YOU NEED TO KNOW THAT YOU CAN REALLY RECOVER! If you don t test, you don t really know if it works Training, conditioning, & improvement Business Continuity exercise the recovery of business functions Business processes usually ranked by importance Emergency response Crisis management Disaster Recovery exercise the recovery of assets All assets, not just IT Information technology, facilities, manufacturing, personnel, etc. Continuous Improvement Find & fix points of failure Operational Risks Identify Accept or mitigate 15

16 EXERCISES - WHO SHOULD PARTICIPATE Crisis Management Team Response Teams Business Unit Teams Other Teams/Agencies/Organizations Participation or due diligence Handicap employees Non-recovery team employees Police: Town, County, State, DOC, other Business Fire Hospitals Office of Emergency Management Military Other Support Teams, such as Facilities, HR, Finance, Corporate Communications Operations Technology Information Technology Support Teams Regulators FEMA Strategic Vendors Strategic Customers? Post Office Risk School officials Other private companies 16

17 EXERCISES Steps to a Successful Exercise Define the objectives Select and prepare the participants Promote the exercise Prepare the scenario and scripts Prepare the exercise timeline Prepare audiovisuals and handouts Plan the logistics Participate or Manage the exercise Conduct debriefings Write the evaluation report Security Assist Update Plans Update the Plans 17

18 EXAMPLE EXERCISE TRACKING CHART Organization/Area Exercised May 2015 West June 2015 National July 2015 East October 2015 Central Customer Operations CSI CI CSI s Distribution & Operations CSI C CSI -- ERM Fraud/Risk Control Operations C C C C Finance C C CSI CS Human Resources CSI -- CSI CSI Information Technology C -- C C Marketing C C C C Physical Security CS -- CS CS IT Security CS -- CS CS All Others C C CSI C Exercise Simulation Bio-terrorism ö -- ö ö Bombing ö ö ö ö Simulated Injuries ö ö ö ö Participation Regional/National Crisis Management Team Participation & support teams Business Continuity Teams Total Participation C = Crisis Management Team Participation S = Provided recovery support efforts or participation I = Resources were impacted by the exercise 18

19 STANDARD DOCUMENTATION/TEMPLATES Governance Model Program Tracking Mechanism Overview and detail Business Impact Analysis Process and Report Risk Analysis Process and Report Strategy Overview - How you will address Responding to a crisis and a recovery (Separate Plans) Managing the crisis and the recovery (Separate Plans) Continuity of Business Functions Recovery of IT and other critical assets and Infrastructure Training Technical and general/cultural awareness Recovery Plan templates One for each type of plan. These should all work together like a well oiled machine Exercises Processes, Scheduling, & Tracking Considerations from contracts, SLAs, and government regulations Glossary 19

20 RECOVERY AND RESPONSE PLANS CHECKLIST Who and what are behind the need for a recovery plan? (Customers, the government, industry rules?) What level of risk can the organization handle? Who is the organization s crisis leader? Do you have business level crisis management teams? Do they meet periodically? What organizations participate in crisis management? Do they utilize internal and external crisis communications plans? Are all the team members trained? Does your crisis management team maintain an up-to-date listing of all business sites, addresses, primary points of contact, etc.? Do you have a designated crisis management command center? 20

21 RECOVERY AND RESPONSE PLANS - CHECKLIST Are the crisis management command centers equipped, operationally and routinely tested? Does the organization have written and tested: Crisis management plan IT/Asset Recovery Plans Business Continuity Plans, etc.? Who is the organization s crisis leader? Do you have business level crisis management teams? Do they meet periodically? What organizations participate in crisis management? 21

22 BCM PROGRAM DRIVERS POCKET GUIDE Note: Depicts an overview of the BCM Program Drivers. Does not show decision points or iterative processes Business Process Owners BIA Questionnaire Risk Questionnaire A Business Continuity plans IDENTIFY & COMPARE: Business Continuity Business Impact Analysis (BIA) & Risk Analysis IMPACTS: Operational financial, Recovery Time & Point Objectives CRITICAL Business Functions & Applications Test, Update and Report on BC Plan Disaster Recovery Develop the Systems Applications mapping (S.A.M) Estimate Recovery Costs based on RTO/RPO Build & maintain DR Solution, Environment & DR Plans DR Plans Based on Recovery Tiers Test, Update and Report on DR Plan Recovery Capability Energy Response & Management Team A Emergency Response & Management Plan Test, Update and Report on ERMP Plan Business Continuity Management Program Strategic planning BCM Policy Statement & Strategy BC, DR, ERMP Planning Performance Assessment Management Review Continual Improvement 22

23 NEXT STEPS Ask the questions Research your organizations efforts in: Business Continuity Management Continuity of Operations Resiliency Crisis Management, Etc. Do your homework Strive to get involved Security Assist 23

24 QUESTIONS & ANSWERS Contact Sam Stahl, at Cellular:

25

26 BIOGRAPHY SAM STAHL, CBCP, MBCI Mr. Stahl is an experienced Certified Business Continuity Planner and has a Master Degree in Project Management. He has developed a number of Business Continuity and Disaster Recovery methodologies. His experience includes developing, implementing, and testing all phases of industry-accepted Business Continuity methodologies at organizations such as VMware, Sammons Financial Group, WellCare, IBM, Dial Corporation, AT&T Wireless, Denver International Airport, the City of Scottsdale (Arizona), Clark County Nevada (Las Vegas), Qwest Communications, Citizens Bank, First American National Bank, American Express, and others. 26