Preparing for the Convergence of Risk Management & Business Continuity
- Kerry Arnold
- 8 years ago
1. Preparing for the Convergence of Risk Management & Business Continuity
Disaster Recovery Journal Webinar Series, September 5
2012 Strategic BCP, Inc. All rights reserved. strategicbcp.com
2. Today's Presenter
Frank Perlmutter, CBCP, Fperlmutter@strategicbcp.com
- Former Manager of DR/COOP (BCP) and Risk Manager for the U.S. Department of the Treasury
- President & Co-Founder of Strategic BCP, creators of ResilienceONE BCM Software
- Managed BC, Risk, and Process Improvement Programs for over 100 organizations
3. Background
- Strategic BCP established in 2004
- Purpose: elevate the productivity and relevance of business continuity (BC) professionals
- ResilienceONE introduced as a milestone in using technology to streamline the process of creating and maintaining BC plans
4. Webinar Focus Areas
- Risk Management vs. Business Continuity
- Risk Management Principles
- Enterprise Risk Management: Practical Application
- Operational Risk Management: Practical Application
- Q&A and Wrap-up
5. Disaster Recovery Journal Webinar Series: Risk Management vs. Business Continuity

6. Risk Management vs. Business Continuity (title-only slide; no further text transcribed)
7. Preventative Care vs. Reactive Approach
- Analyzing the risk and preventing it: eat well, exercise, and take vitamins
- Reacting to the risk: have a heart attack and get revived
Proactive vs. Reactive
- BC professionals unfortunately tend to focus too much on the reaction: response, recovery, restoration; plan/document-centric
- BC professionals are better served by concentrating adequate focus on the proactive: mitigating the risk of outages before they happen; analysis-centric
8. Why the Convergence of BC and RM?
- The convergence of BC and RM has already occurred and continues to evolve
- Regulations, frameworks, and standards reflect a strong theme of management of risk
- Decision-makers gravitate towards Risk Management for its continuous value, making BC a subset
9. Preparation for Current Reality
- Many BC professionals are being left behind by unrequited devotion to outdated methods
- Strong plans do not necessarily equate to a strong ability to actually recover and reduce impact; this reduces the value of the professional who focuses only on plans
- Risk Management has value to everyday decision-making; Business Continuity Plans do not
10. What is the Dominant Discipline?
- There is an overlap of concepts between the two disciplines
- The Risk Assessment and Business Impact Analysis are risk-based tools
- How they are implemented, and the value they bring, will determine whether the process is a sound risk-based model or not
- Risk Management as a discipline is generally leading the way
- Business Continuity is a subset of overall Risk Management
11. Risk Management Practice Areas
- Business Continuity / Incident Management
- Internal Controls
- Enterprise Risk
- Operational Risk
- Financial Risk
- Legal Risk
- Third Party Risk
- BOD/Ethics Risk
- Environmental Risk
- Quality Assurance
- Information Technology Risk
12. The Convergence/Overlap
NOW:
- Business Continuity
- Business Impact Analysis and Risk Assessment
- Enterprise Risk
FUTURE:
- Internal Controls?
- Legal Risk?
- Operational Risk
- Information Technology Risk
- Financial Risk
- Third Party Risk
13. Disaster Recovery Journal Webinar Series: Risk Management Principles
14. What's Available?
- A sea of Risk Management regulations, standards, and best practices
- Business Continuity regulations, standards, and best practices are similarly prevalent
- There are similarities and guiding principles throughout all of them
- Focus on the COMMON guiding principles
15. A Selection of RM Regulations, Standards, Best Practices, Frameworks
- ISO
- COSO Framework
- OCEG GRC Capability Model (Red Book)
- FERMA 2002
- ISO/IEC
- Basel II and Basel III
- BS :2007
- ISO 22301:2012
- NFPA 1600: 2007/2010
- COBIT
- Institute of Operational Risk
- ISO
- ISO
- ISO
- NIST 800 Series
- ITIL v.3
- DRII/BCI
- Dodd-Frank Wall Street Reform and Consumer Protection Act of
16. Focus on What Delivers Value: Mandatory vs. Voluntary
- Regulations: mandatory authoritative rules dealing with details or procedures, having the force of law, which are issued by and under the authority of government
- Standards and Best Practices: voluntary criteria, voluntary guidelines and best practices used to enhance the quality, performance, reliability, and consistency of products, services and/or processes
Our guidance:
- With so many mandatory standards, we have seen that most examiners and executives are paying little attention to voluntary standards
- Standards and best practices in both BC and RM tend to be conceptual, with little guidance on practical implementation
17. The Mission of Risk Management
- Operational Improvement: ability to identify and remediate inefficiently operating processes that may cause outages/impacts
- Compliance: evidence of properly implemented standards
- Resilience: ability to identify and remediate infrastructure vulnerabilities that may result in unacceptable impacts
18. Overarching Principles of Risk Management (COSO Enterprise Risk Management: Integrated Framework)
- COSO provides an overall framework and principles for Risk Management
- COSO was originally housed in controls; it has moved to a strategic approach
- Objectives appear at the top of the cube
- The right side of the cube shows that Risk Management must be considered at all levels of an organization
- Risk management activities appear on the front of the cube
19. Disaster Recovery Journal Webinar Series: Enterprise Risk Management, Practical Application
20. Enterprise Risk vs. Operational Risk
- Enterprise Risk Management focuses on mitigating events that negatively impact an organization's supporting infrastructure: people, facilities, information technology, assets
  In BC tool terms: Risk Assessment, Risk Analysis, Hazard Vulnerability Analysis
- Operational Risk Management focuses on mitigating vulnerabilities in operational business processes
  In BC tool terms: Business Impact Analysis, Business Impact Assessment, Downtime Impact Analysis
- Both disciplines focus on managing risk by making decisions (strategic, mitigation, operational, etc.) that balance benefits with risk
21. Establishing an Enterprise Risk Appetite
- Core policy that defines decision-making: (Probability x Impact) - Mitigated Risk = Enterprise Risk
- Organizations can set a risk appetite around the factors or the overall risk
- Remediation budget must align with Risk Appetite
22. Performing an Enterprise Risk Assessment
An Enterprise Risk Assessment (ERA) identifies potential threats that may impact an organization, and identifies measures to limit the probability or impact of these threats.
- Determine the threats to be included in your Enterprise Risk Assessment; they revolve around your infrastructure
- Research and evaluate each risk by probability and impact of occurrence
- Identify threats outside of the Risk Appetite of the organization
- Provide a mitigation plan with alternatives that show the costs of the mitigation measures and how much of the risk is reduced
- Obtain sign-off of either the acceptance of the risk (i.e. do nothing) or a mitigation alternative
23. Sample ERA Report
Once risks are quantified, plot them on a grid as shown below. This will help management decide how to deal with the risks (Transfer, Accept, Reduce or Mitigate). Obtain sign-off!
[Grid figure: vertical axis IMPACT, horizontal axis PROBABILITY. Quadrant labels in the order they appear on the slide: REDUCE and MITIGATE across the top (high impact), ACCEPT and TRANSFER across the bottom (low impact). Example measures shown on the grid: Management Controls, Process Controls, Physical Controls, Alternate Vendors, Terminate Activity, Insurance, Outsourcing, Eliminate Risk, Updated Contact Lists, Strategic Alliances.]
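The ERA procedure on slides 21 to 23 carried through in code, as an added example that is not the webinar's or Strategic BCP's own: score each threat by probability and impact, flag those outside the appetite, and lay out the costed alternatives (or acceptance) for sign-off. The 1 to 5 scoring scales, the appetite value, the threats, the mitigation costs and the grid orientation are all assumptions constructed here.

```python
"""Enterprise Risk Assessment worked through in code.

Added example; not the webinar's or Strategic BCP's code.  The 1-5 probability
and impact scales, the appetite value, the threats and the mitigation
alternatives (with costs and risk reduction) are all constructed here.
"""
from dataclasses import dataclass, field

SCALE = range(1, 6)  # assumed 1..5 scoring for probability and impact


@dataclass(frozen=True)
class Mitigation:
    name: str
    cost: float        # cost of the measure, constructed currency units
    risk_reduced: int  # points of (Probability x Impact) the measure removes


@dataclass
class Threat:
    name: str
    probability: int
    impact: int
    alternatives: list = field(default_factory=list)

    def __post_init__(self):
        if self.probability not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: probability and impact must be 1..5")

    def inherent_risk(self):
        """Probability x Impact before any mitigation."""
        return self.probability * self.impact

    def enterprise_risk(self, mitigation=None):
        """Slide 21: (Probability x Impact) - Mitigated Risk = Enterprise Risk."""
        reduced = mitigation.risk_reduced if mitigation else 0
        return max(self.inherent_risk() - reduced, 0)


def grid_quadrant(threat, threshold=3):
    """Place a threat on the slide's Impact x Probability grid.  Assumption:
    impact grows upward and probability grows to the right, so the top row is
    REDUCE / MITIGATE and the bottom row is ACCEPT / TRANSFER."""
    high_impact = threat.impact >= threshold
    high_probability = threat.probability >= threshold
    if high_impact:
        return "MITIGATE" if high_probability else "REDUCE"
    return "TRANSFER" if high_probability else "ACCEPT"


def assess(threats, appetite):
    """Flag threats outside the risk appetite and, for each, lay out the
    sign-off choices: accept (do nothing) or one of the costed alternatives."""
    report = []
    for t in threats:
        inherent = t.inherent_risk()
        entry = {"threat": t.name, "inherent": inherent,
                 "quadrant": grid_quadrant(t),
                 "within_appetite": inherent <= appetite, "options": []}
        if not entry["within_appetite"]:
            # Acceptance is always an option, but it leaves the risk where it is.
            entry["options"].append({"measure": "Accept risk (do nothing)",
                                     "cost": 0.0, "residual": inherent,
                                     "meets_appetite": False})
            for m in t.alternatives:
                residual = t.enterprise_risk(m)
                entry["options"].append({"measure": m.name, "cost": m.cost,
                                         "residual": residual,
                                         "meets_appetite": residual <= appetite})
        report.append(entry)
    return report


def cheapest_acceptable(options):
    """Lowest-cost alternative that brings residual risk inside the appetite,
    or None when only acceptance remains."""
    ok = [o for o in options if o["meets_appetite"]]
    return min(ok, key=lambda o: o["cost"])["measure"] if ok else None


# Constructed sample threats; as the slide says, they revolve around infrastructure.
APPETITE = 9
THREATS = [
    Threat("Regional power outage", probability=4, impact=5, alternatives=[
        Mitigation("Portable generator contract", cost=20_000, risk_reduced=8),
        Mitigation("On-site generator plus UPS", cost=120_000, risk_reduced=14),
        Mitigation("Second-site failover", cost=300_000, risk_reduced=18)]),
    Threat("Loss of primary ISP link", probability=3, impact=4, alternatives=[
        Mitigation("Cellular backup link", cost=5_000, risk_reduced=2),
        Mitigation("Secondary ISP link", cost=15_000, risk_reduced=6)]),
    Threat("Key vendor insolvency", probability=2, impact=4),
    Threat("Data center flooding", probability=1, impact=5),
]

if __name__ == "__main__":
    for entry in assess(THREATS, APPETITE):
        flag = "within appetite" if entry["within_appetite"] else "OUTSIDE appetite"
        print(f"{entry['threat']}: P x I = {entry['inherent']}, "
              f"{entry['quadrant']}, {flag}")
        for o in entry["options"]:
            print(f"    {o['measure']:<30} cost {o['cost']:>9,.0f} "
                  f"residual {o['residual']:>2} ok={o['meets_appetite']}")
        if entry["options"]:
            print("    recommend:", cheapest_acceptable(entry["options"]))
```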
24. Disaster Recovery Journal Webinar Series: Operational Risk Management, Practical Application
25. Operational RM and BC Crossing Paths
- Operational Risk Management and BC MAY cross paths in several places (if you perform these activities correctly): the Business Impact Analysis, and mapping normal operations
- The Business Impact Analysis provides a prioritization of operational processes and linked supporting resources by gauging impact (e.g. RTOs)
- Mapping (and understanding) normal operations is essential to developing recovery strategies
26. Gathering OBJECTIVE Data is Critical
Your data should be based as much on FACT and as little on OPINION as possible; don't use a subjective method.
The Subjective RTO: the popular "asking" method
- Problem #1: There are numerous impacts used to calculate an RTO; respondents couldn't possibly ANALYZE all scenarios in their heads
- Problem #2: Respondents are not using a consistent scale to determine their RTO; everyone calculates differently in their heads
- Problem #3: Results reflect limited data integrity, making justification to executives and auditors challenging
OBJECTIVE data gathering methods:
- Provide a consistent scale for all respondents
- Do not ask respondents to perform on-the-fly analysis
- Provide better data integrity
27. Objective Risk-Based Method: Setup
- Start by gathering quantitative and qualitative factors that reflect the impact of taking down your operations
- Weight the factors, as some may be more important than others
- Set levels of impact for each factor
28. Objective Risk-Based Method: Data Gathering
- Establish a timeline with time periods (i.e. your Recovery Timeframe Objectives or RTOs) over which you will measure impact
- Record your scoring of the factors (e.g. reputational harm, regulatory fines, etc.) across each function using the scale
29. Objective Risk-Based Method: Prioritizing Operational Activities
METRIC: By RTO
- Set a prioritization of activities by time period
- Set a points limit for your maximum level of acceptable risk. This is your organizational risk appetite.
- When the totals in a time period first exceed that limit, your maximum timeframe is the time period immediately prior
METRIC: By Total Impact
- Add the totals for each time period together
- Provides aggregate risk over the entire time period
[Table: columns #, RTO, Function, and an impact score per timeframe (UNDER 1 DAY, 1 DAY, 2 DAYS, 3 DAYS, 4 DAYS, 5 DAYS, 2 WEEKS, 3 WEEKS, 4 WEEKS, 5 WEEKS). Functions listed with their RTOs: Process Deposits (Immediately), Take Orders Via Phone (Immediately), Reconciliation - Beginning of Day (RTO in days; number not transcribed), Reconciliation - End of Day (RTO in days; number not transcribed), Process Payments to Customers (RTO in weeks; number not transcribed). Row numbers and scores were not transcribed. Yellow = Exceeds Maximum Level of Acceptable Risk (6).]
30. Setting a Risk Appetite: Operational Risk Modeling
[Table: columns Timeframe, # of Functions (x=6), # of Functions (x=12), # of Functions (x=18), Tier. Function counts were not transcribed; timeframes and tiers:]
- Immediately: Critical
- 1 HOUR: Critical
- 8 HOURS: Critical
- 12 HOURS: Critical
- 1 DAY: Critical
- 2 DAYS: Critical
- 3 DAYS: Necessary
- 4 DAYS: Necessary
- 1 WEEK: Necessary
- 2 WEEKS: Optional
- > 2 WEEKS: Optional
a) X = 6 points: 56% are in the one-week timeframe (high risk tolerance, strong recovery capability)
b) X = 12 points: 32% are in the one-week timeframe (mean risk tolerance)
c) X = 18 points: 17% are in the one-week timeframe (low risk tolerance, weak recovery capability)
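The objective risk-based method of slides 27 to 30 as one runnable piece of code, added here as an example that is not the webinar's or Strategic BCP's own: weighted factors scored on a fixed scale per timeframe, the "by RTO" rule (the RTO is the period before the first period whose total exceeds the points limit), the "by total impact" aggregate, and the share of functions falling within one week at x = 6, 12 and 18. The factor names, weights, the 0 to 3 level scale and the three sample functions with their scores are constructed assumptions.

```python
"""Objective, risk-based BIA scoring and RTO derivation.

Added example, not code from the webinar or from the ResilienceONE product.
The factor names, weights, 0-3 impact levels and the three sample functions
with their scores are constructed for illustration.
"""
from dataclasses import dataclass

# Time periods over which impact is measured (the slide's timeline).
TIMELINE = ["UNDER 1 DAY", "1 DAY", "2 DAYS", "3 DAYS", "4 DAYS", "5 DAYS",
            "2 WEEKS", "3 WEEKS", "4 WEEKS", "5 WEEKS"]

# Impact factors and their weights (constructed): the weight says that some
# factors matter more than others, and every respondent uses the same scale.
FACTORS = {"reputational harm": 2.0, "regulatory fines": 1.5, "revenue loss": 1.0}
MAX_LEVEL = 3  # 0 = none, 1 = minor, 2 = moderate, 3 = severe


@dataclass
class Function:
    """One operational activity with a 0..MAX_LEVEL level per factor per period."""
    name: str
    levels: dict  # factor -> list of levels, one per TIMELINE entry

    def __post_init__(self):
        if set(self.levels) != set(FACTORS):
            raise ValueError(f"{self.name}: scored factors must match FACTORS")
        for factor, series in self.levels.items():
            if len(series) != len(TIMELINE):
                raise ValueError(f"{self.name}/{factor}: one level per timeframe")
            if any(not 0 <= lvl <= MAX_LEVEL for lvl in series):
                raise ValueError(f"{self.name}/{factor}: level outside 0..{MAX_LEVEL}")

    def weighted_totals(self):
        """Weighted impact total per time period: the system does the
        calculation, the respondent only scores on the fixed scale."""
        return [sum(FACTORS[f] * self.levels[f][i] for f in FACTORS)
                for i in range(len(TIMELINE))]

    def total_impact(self):
        """METRIC: By Total Impact, aggregate risk over the whole timeline."""
        return sum(self.weighted_totals())

    def rto(self, limit):
        """METRIC: By RTO.  The first period whose total exceeds the points
        limit (the risk appetite) sets the RTO to the period immediately prior."""
        for i, total in enumerate(self.weighted_totals()):
            if total > limit:
                return "Immediately" if i == 0 else TIMELINE[i - 1]
        return "> " + TIMELINE[-1]  # never exceeds the limit within the timeline


def timeframe_index(label):
    """Order RTO labels: Immediately < UNDER 1 DAY < ... < beyond the timeline."""
    if label == "Immediately":
        return -1
    if label.startswith("> "):
        return len(TIMELINE)
    return TIMELINE.index(label)


def prioritize(functions, limit):
    """Rank activities: shortest RTO first, ties broken by higher total impact."""
    rows = [(f.name, f.rto(limit), f.total_impact()) for f in functions]
    return sorted(rows, key=lambda r: (timeframe_index(r[1]), -r[2]))


def share_within(functions, limit, horizon):
    """Percent of functions whose RTO falls at or before `horizon`; running this
    for several limits is the slide's risk-appetite modelling (x = 6, 12, 18)."""
    h = timeframe_index(horizon)
    hits = sum(timeframe_index(f.rto(limit)) <= h for f in functions)
    return round(100.0 * hits / len(functions), 1)


# Constructed sample scores: one list per factor, one level per timeframe.
SAMPLE = [
    Function("Process Deposits", {
        "reputational harm": [2, 3, 3, 3, 3, 3, 3, 3, 3, 3],
        "regulatory fines":  [1, 2, 3, 3, 3, 3, 3, 3, 3, 3],
        "revenue loss":      [3, 3, 3, 3, 3, 3, 3, 3, 3, 3]}),
    Function("Reconciliation - End of Day", {
        "reputational harm": [0, 1, 2, 2, 3, 3, 3, 3, 3, 3],
        "regulatory fines":  [0, 0, 1, 2, 3, 3, 3, 3, 3, 3],
        "revenue loss":      [0, 1, 1, 2, 2, 3, 3, 3, 3, 3]}),
    Function("Process Payments to Customers", {
        "reputational harm": [0, 0, 0, 0, 0, 1, 2, 3, 3, 3],
        "regulatory fines":  [0, 0, 0, 0, 0, 0, 1, 2, 3, 3],
        "revenue loss":      [0, 0, 0, 0, 0, 0, 1, 2, 3, 3]}),
]

if __name__ == "__main__":
    for limit in (6, 12, 18):
        print(f"risk appetite x = {limit}")
        for name, rto, total in prioritize(SAMPLE, limit):
            print(f"  {name:<32} RTO {rto:<12} total impact {total}")
        print(f"  within one week: {share_within(SAMPLE, limit, '5 DAYS')}%")
```

Raising the points limit moves the same functions into longer timeframes, which is the effect the slide's 56% / 32% / 17% figures illustrate.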
31. Understanding Operations is Essential
- Many BC professionals skip right to recovery operations, instead of documenting the normal business process first
32. Reengineering Operations
Are there any inefficiencies or vulnerabilities in the highest value activities?
- Provide a process mapping (i.e. a standard operating procedure) for each of the highest value activities
- Notice manual steps and repeated activities
- Provide a roadmap for investigating automation solutions
- Implement the best solution
33. People, Technology, Facilities, and Assets Support Your Critical Activities
[Diagram labels: People, Technology, Operations, Facilities & Assets]
34. Reviewing Supporting Operational Infrastructure
Are there any inefficiencies or vulnerabilities in the highest value operational infrastructure?
- Establish expertise in one or more areas and spot risks and vulnerabilities
- What are some common risks and vulnerabilities in these areas?
- Offer cost-effective/high-value mitigation alternatives
- Over/under-utilization of resources
- Offer economies of scale with people, IT, and vendor resources
- Offer cost-cutting measures to reduce under-utilized resources
35. RED FLAGS: Spotting BCM/RM Tools and Methods That Lead Users Down the Wrong Path
Poor Reporting and Analytics
- Focus on paper planning
- Limited custom reporting, or extensive reporting setup
- Output very similar to input
Subjective Data Gathering Methods
- Long questionnaires that ASK USERS to calculate risk; the system should provide detailed calculations
- Excessive narrative justification of risk measurements
- Inability to group risks at different organizational levels, e.g. by region, facility, department, supporting asset, etc.
36. Questions?
37. Wrap-Up
For more insights:
- Contact Frank Perlmutter, CBCP
- Visit (URL not transcribed)
- Attend Frank's presentation on BC Metrics, Sept. DRJ World Conference, San Diego
More informationInformation Technology Governance. Steve Crutchley CEO - Consult2Comply www.consult2comply.com
Information Technology Governance Steve Crutchley CEO - Consult2Comply www.consult2comply.com What is IT Governance? Information Technology Governance, IT Governance is a subset discipline of Corporate
More informationVirginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Business Continuity Management Standard for IT Systems This standard is applicable to all VCU School of Medicine
More informationThe PNC Financial Services Group, Inc. Business Continuity Program
The PNC Financial Services Group, Inc. Business Continuity Program 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis (BIA) Page
More informationThe PNC Financial Services Group, Inc. Business Continuity Program
The PNC Financial Services Group, Inc. Business Continuity Program subsidiaries) 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis
More informationCloud Security Benchmark: Top 10 Cloud Service Providers Appendix A E January 5, 2015
Cloud Security Benchmark: Top 10 Cloud Service Providers Appendix A E January 5, 2015 2015 CloudeAssurance Page 1 Table of Contents Copyright and Disclaimer... 3 Appendix A: Introduction... 4 Appendix
More informationCORE Security and GLBA
CORE Security and GLBA Addressing the Graham-Leach-Bliley Act with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com
More informationA risky business. Why you can t afford to gamble on the resilience of business-critical infrastructure
A risky business Why you can t afford to gamble on the resilience of business-critical infrastructure Banking on a computer system that never fails? Recent failures in the retail banking system show how
More informationWhite Paper: ISO 22301 Business Continuity Management An Overview. ISO 22301 Business Continuity Management An Overview
White Paper: ISO 22301 Business Continuity Management An Overview ISO 22301 Business Continuity Management An Overview Introduction As incidents such as malicious activism, terrorist attacks and environmental
More informationUnderstanding Today s Enterprise Risk Management Programs
Understanding Today s Enterprise Risk Management rograms Joel Tietz, TIAA-CREF Managing Director, Enterprise Risk Management March 23, 2015 TIAA-CREF - UBLIC USE Agenda 1) Enterprise Risk Management rograms
More informationItaly. EY s Global Information Security Survey 2013
Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information
More informationWHITE PAPER Leveraging GRC for PCI DSS Compliance. By: Chris Goodwin, Co-founder and CTO, LockPath
WHITE PAPER Leveraging GRC for PCI DSS Compliance By: Chris Goodwin, Co-founder and CTO, LockPath The Payment Card Industry Data Security Standard ( PCI DSS ) is set forth by a consortium of payment card
More informationENTERPRISE RISK MANAGEMENT FRAMEWORK
ENTERPRISE RISK MANAGEMENT FRAMEWORK COVENANT HEALTH LEGAL & RISK MANAGEMENT CONTENTS 1.0 PURPOSE OF THE DOCUMENT... 3 2.0 INTRODUCTION AND OVERVIEW... 4 3.0 GOVERNANCE STRUCTURE AND ACCOUNTABILITY...
More informationBusiness resilience: The best defense is a good offense
IBM Business Continuity and Resiliency Services January 2009 Business resilience: The best defense is a good offense Develop a best practices strategy using a tiered approach Page 2 Contents 2 Introduction
More informationMetrics that Matter Security Risk Analytics
Metrics that Matter Security Risk Analytics Rich Skinner, CISSP Director Security Risk Analytics & Big Data Brinqa rskinner@brinqa.com April 1 st, 2014. Agenda Challenges in Enterprise Security, Risk
More informationINFOSEC.MY KNOWLEDGE SHARING SESSION
INFOSEC.MY KNOWLEDGE SHARING SESSION Integration BCM into your Organization: Challenges & Opportunities 31 st October 2007 1 Prabha Ramanathan ( CBCP, MBCI, MBCS, MSCS) Certified Business Continuity Professional.have
More informationFlyntGroup.com. Enterprise Risk Management and Business Impact Analysis: Understanding, Treating and Monitoring Risk
Enterprise Risk Management and Business Impact Analysis: Understanding, Treating and Monitoring Risk 2012 The Flynt Group, Inc., All Rights Reserved FlyntGroup.com Enterprise Risk Management and Business
More informationBusiness Continuity Trends and Risk Considerations Financial Executives International Portland Chapter June 12 2013
Business Continuity Trends and Risk Considerations Financial Executives International Portland Chapter June 12 2013 Chitra Gopalakrishnan Director KPMG LLP Agenda Introduction Business Continuity / Disaster
More informationCertified Information Security Manager (CISM)
Certified Information Security Manager (CISM) Course Introduction Course Introduction Domain 01 - Information Security Governance Lesson 1: Information Security Governance Overview Information Security
More informationOverview TECHIS60851. Manage information security business resilience activities
Overview Information security business resilience encompasses business continuity and disaster recovery from information security threats. As well as addressing the consequences of a major security incident,
More informationHow to build a great compliance program for your U.S. imports
How to build a great compliance program for your U.S. imports For the importer of record, compliance means the complete and accurate recording of all internal processes through books and records, from
More informationNational Fire Protection Association s Contribution to Business Continuity Strategies
National Fire Protection Association s Contribution to Business Continuity Strategies about me 1. Retired AVP Senior Business Risk Consultant 2. FM Global Trained: 1. 35 Years Service 2. Founder Member
More informationWelcome to Modulo Risk Manager Next Generation. Solutions for GRC
Welcome to Modulo Risk Manager Next Generation Solutions for GRC THE COMPLETE SOLUTION FOR GRC MANAGEMENT GRC MANAGEMENT AUTOMATION EASILY IDENTIFY AND ADDRESS RISK AND COMPLIANCE GAPS INTEGRATED GRC SOLUTIONS
More informationWhy you should adopt the NIST Cybersecurity Framework
Why you should adopt the NIST Cybersecurity Framework It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management Stating it in terms Executive
More informationRemarks by. Carolyn G. DuChene Deputy Comptroller Operational Risk. at the
Remarks by Carolyn G. DuChene Deputy Comptroller Operational Risk at the Bank Safety and Soundness Advisor Community Bank Enterprise Risk Management Seminar Washington, D.C. October 22, 2012 Good afternoon,
More informationDigital Infrastructure - A Model For Success
Organizer: BRIDGING BARRIERS: LEGAL AND TECHNICAL OF CYBERCRIME CASES Session 6 : Securing Your Fortress Best practices, standards, techniques and technologies secure your organization from cyber criminals.
More informationHow to Develop Successful Enterprise Risk and Vendor Management Programs
Project Management Institute New York City Chapter January 2014 Chapter Meeting How to Develop Successful Enterprise Risk and Vendor Management Programs Christina S. Kite Senior Vice President Corporate
More informationThe New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework
The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework Dorothy Gjerdrum, ARM-P, Chair of the ISO 31000 US TAG and Executive Director,
More informationBusiness Continuity Planning Instructions
Business Continuity Planning Instructions Business continuity planning is a proactive planning process that ensures critical services or products are delivered during a disruption. In creating the plan,
More informationJustifying Business Continuity: How it Impacts Risk Management
Justifying Business Continuity: How it Impacts Risk Management Joe Elliott Neverfail 2 Agenda Definition of Business Continuity Road Blocks to Justification Defining Risk Management Reduction through the
More informationBusiness Continuity Management Framework 2014 2017
Business Continuity Management Framework 2014 2017 Blackpool Council Business Continuity Framework V3.0 Page 1 of 13 CONTENTS 1.0 Forward 03 2.0 Administration 04 3.0 Policy 05 4.0 Business Continuity
More informationSecurity & IT Governance: Strategies to Building a Sustainable Model for Your Organization
Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization Outside View of Increased Regulatory Requirements Regulatory compliance is often seen as sand in the gears requirements
More informationInformation Technology Auditing for Non-IT Specialist
Information Technology Auditing for Non-IT Specialist IIA Pittsburgh Chapter October 4, 2010 Agenda Introductions What are General Computer Controls? Auditing IT processes controls Understanding and evaluating
More informationBusiness Continuity for Cyber Threat
Business Continuity for Cyber Threat April 1, 2014 Workshop Session #3 3:00 5:30 PM Susan Rogers, MBCP, MBCI Cyberwise CP S2 What happens when a computer program can activate physical machinery? Between
More information