State Street. Corporate Continuity Program. Continuity Organizational Structure. Program Oversight

Transcription:

State Street - An Integrated Approach to Continuity Metrics & Progress Reporting
Presented to: Continuity Insights, May 2007
Presented by: Chris Glebus

Continuity Organizational Structure
- Executive Management
- Corporate Continuity & Client Services (CCCS) Senior Management
- Business Continuity Manager
- Business Continuity Team Leader (three shown)

Program Oversight
- Examining & Audit Committee of the Board of Directors: annual progress report and meeting
- Executive Management: annual Continuity Compliance Reporting; sign-off on business and application continuity requirements
- Major Risk Committee / Enterprise Risk Management: semi-annual presentation of the Continuity Program to the Major Risk Committee
- Corporate Audit
- Regulatory Audits

Program Foundation
Program Standards: Business Functions; Applications & Technology; Facilities; Incident Management; Staff
Business Function Downtime Tolerance Levels:
- Level 1 (0-4 hours)
- Level 2 (5-8 hours)
- Level 3 (9-24 hours)
- Level 4 (25-72 hours)
- Level 5 (73+ hours)
Incident Management Recovery Scenarios: Site Interruption; Technology Interruption; Counterparty and Market; Human Factor
Application Priority Groupings:
- Priority 1 (0-8 hours)
- Priority 2 (9-24 hours)
- Priority 3 (24+ hours)
Continuity Exercises (Facilities, Staff, Technology): Stand-alone System / Application; Corporate-wide / Data Center; Business Relocation; Call Tree / Notification; Client Recovery; INTRA Data Center

Benefits of Metrics Tracking / Compliance Reporting
- Well defined standards and measurements reduce subjectivity in assessing current status
- A repeatable, measurable process demonstrates progress made in enhancing continuity capabilities
- Demonstrated progress can assist in gaining funding for continuity solutions
- Executive accountability drives home visibility and importance
- The value proposition: information can be used for projects other than BCP and reduce the associated costs of gathering and tracking redundant data (mergers and acquisitions, asset management, risk management, operations, facilities, corporate security, information security, etc.)
- Provides an effective tool for internal and external audits

Compliance Reporting
Plan Evaluation Structure comprised of: Standards; Criteria; Compliance Requirement; Measurement; Compliance Detail / Considerations
Assessing the Plans:
- Initial assessment vs. ongoing reporting
- 80/20 split: Self Assessment / Corporate Assessment
- Standards integrate both Business and Technical Continuity for an overall picture
- Each application / system is linked to a Business Continuity Plan
- Ability to break out technical detail for reporting purposes

Compliance Reporting
- Business Continuity Plan must be owned at an executive level
- Effective compliance / metric reporting should cover several levels:
  - Overall Corporate Roll-up, for benchmarking and trend analysis
  - Executive Management: overall plan status by executive, plan status by standard, overall application status by executive, detail status for each application
  - IT Executives: overall summary for applications supported, detail for applications supported
  - Business Continuity Managers: plan level by standard and criteria, detail for applications owned
- Controls in place for ownership and accountability:
  - Business Continuity Plan names and executive owner sign-off
  - Business Function names, recovery requirements, and executive owner sign-off
  - Application names, recovery requirements, and executive owner sign-off

Plan Evaluation Structure - Business Continuity Example
Standard 2: Identification and prioritization of all business functions and their recovery time objectives.
Criteria 2-b: Conduct a Formal Business Impact Analysis (BIA) on a Scheduled Basis and Establish a Continuity Plan
Compliance Requirement:
1. For existing business units, BIA must be conducted every 18 months with EVP review & sign-off
2. New business units must complete a BIA within three (3) months of inception and/or change of control, with EVP review and sign-off, and a Business Continuity Plan within six (6) months of inception
3. BIA final results should be included in the plan, e.g. as an Appendix
Measurement:
- Green: all requirements met
- Red: requirements not met
Compliance Detail / Considerations:
- New business units can start building components of their Business Continuity Plan at the same time that the BIA is being conducted (i.e. call tree, etc.)
- New business units may come from mergers and acquisitions
- Change of control is defined as the point in time at which State Street assumes control of the acquired business
- When naming plans for business units, utilize the standardized continuity plan naming convention: [Standard Text] _ [Free form Text] _ [Locations], e.g. GLOBAL - SVCS _ BANKING SERVICES _MAO

Plan Evaluation Structure - Technical Continuity Example
Standard 3: Identification of all technology resources required to support business functions, i.e. applications and systems
Criteria 3-f: Identify All Applications Owned by the Executive Manager of the Plan / Business Unit and the Corresponding Recovery Information.
Compliance Requirement:
1. Document the following for each application owned: Application Name; Executive Manager / EVP (Business Owner); Recovery Time Objective in hours; Recovery Point Objective; Production location of the application*; Recovery location of the application*; Platform
2. Map each application to a business continuity plan
Measurement:
- Composite Applications: Green: information provided for all applications owned; Yellow: information missing for less than 25% of applications owned; Red: information missing for 25% or more of applications owned; N/A: not applicable, do not own applications
- Individual Application: Green: all information available for a given application; Red: information missing for a given application owned; N/A: not applicable, do not own applications
Compliance Detail / Considerations:
- The business owner of an application is defined as an Executive Manager / EVP
- The business owner must approve / sign off on recovery requirements for new applications and on changes in recovery requirements for existing applications
- Recovery Time Objective (RTO) is defined as the total elapsed time from the time an event is declared through the time when the business unit has complete functionality of the application, including the time to recover the application
- Recovery Point Objective (RPO) is defined as the acceptable age of the data (defined as a point in time), relative to the recovery event, that is made available to the business unit when the system is recovered. For example, an application may have an RTO of 8 hours and an RPO to point of failure, which means that no data loss can occur
- Verify through your Application Support department that the Application Recovery Plan is located on Oasis or a comparable documentation repository
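As an added example (not code from the State Street deck), the following Python applies the criterion 3-f measurement above: it flags missing recovery fields per application, rolls them up per executive owner with the 25% Yellow/Red threshold, and maps RTO hours to the Application Priority Groupings from the Program Foundation slide. The inventory records, field names and owner labels are constructed assumptions.

```python
# Added example, not code from the State Street deck: a compliance check for
# criterion 3-f as the slides define it. Individual status is Green/Red per
# application, composite status per executive owner is Green/Yellow/Red/N/A using
# the 25% threshold, and RTO maps to the deck's Application Priority Groupings.

REQUIRED = ("name", "owner", "rto_hours", "rpo", "prod_location",
            "recovery_location", "platform", "bcp")

def priority_group(rto_hours):
    """Priority 1 (0-8 h), Priority 2 (9-24 h), Priority 3 (more than 24 h)."""
    return 1 if rto_hours <= 8 else 2 if rto_hours <= 24 else 3

def individual_status(app):
    """Green only when every field required by 3-f is documented; else Red."""
    missing = [f for f in REQUIRED if app.get(f) in (None, "")]
    return ("Green" if not missing else "Red"), missing

def composite_status(apps):
    """N/A with no apps; Green if none incomplete; Yellow below 25% incomplete; Red at 25%+."""
    if not apps:
        return "N/A"
    incomplete = sum(1 for a in apps if individual_status(a)[0] == "Red")
    if incomplete == 0:
        return "Green"
    return "Yellow" if incomplete / len(apps) < 0.25 else "Red"

def executive_rollup(inventory):
    """Composite status per executive owner (the Executive Business Owner summary)."""
    by_owner = {}
    for app in inventory:
        by_owner.setdefault(app.get("owner") or "UNASSIGNED", []).append(app)
    return {owner: composite_status(apps) for owner, apps in sorted(by_owner.items())}

def app(name, owner, rto_hours, rpo, bcp, prod="BOS", rec="MAO", platform="Unix"):
    """Build one inventory record (constructed sample data, assumed field names)."""
    return {"name": name, "owner": owner, "rto_hours": rto_hours, "rpo": rpo, "bcp": bcp,
            "prod_location": prod, "recovery_location": rec, "platform": platform}

INVENTORY = [  # constructed sample inventory, not real State Street applications
    app("Wires", "EVP-A", 4, "point of failure", "GLOBAL - SVCS _ BANKING SERVICES _MAO"),
    app("Ledger", "EVP-A", 8, "4 hours", "GLOBAL - SVCS _ BANKING SERVICES _MAO"),
    app("Custody", "EVP-A", 24, "24 hours", "GLOBAL - SVCS _ CUSTODY _MAO"),
    app("Reports", "EVP-A", 72, "24 hours", "GLOBAL - SVCS _ CUSTODY _MAO", platform=""),
    app("Archive", "EVP-A", 48, "24 hours", "GLOBAL - SVCS _ CUSTODY _MAO"),
    app("Payroll", "EVP-B", 12, "24 hours", ""),  # not mapped to a plan: Red
    app("Intranet", "EVP-B", 48, "24 hours", "CORP _ COMMS _BOS"),
    app("Notify", "EVP-C", 2, "point of failure", "CORP _ INCIDENT MGMT _BOS"),
]
```

With this inventory EVP-A has one gap in five applications (20%, Yellow), EVP-B one in two (50%, Red), and EVP-C none (Green); `executive_rollup(INVENTORY)` returns those three statuses.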

Sample Compliance Reports - Business Continuity Manager
(report image; only titles survive) Business Continuity Manager - Plan Compliance Detail, showing sample managers Jane Doe and John Doe

Sample Compliance Reports - Business Executive Roll-up
(report images) Executive Business Owner - Plan Compliance Summary; Executive Business Owner - Application Compliance Summary; Executive Business Owner - Application Compliance Detail (Note: Location Code Legend is also provided)

Sample Compliance Reports - Corporate Roll-up
(report images) State Street Corporation Overall Plan Compliance Summary by Standard; State Street Corporation Overall Application Compliance Summary

Sample Compliance Reports - Trend Analysis
(chart) Trending of Annual Compliance Reporting for All Criteria, 2003-2005, as the percentage of criteria Complete / Partially Complete / Incomplete (0-100%)

Getting Started - Rome Was Not Built in A Day

Getting Started
- Create a steering / advisory committee of executives (business and corporate support groups)
- Define, document, and communicate standards and measurements to Business Continuity Managers and Business Executives
  - Start with a few metrics to get the process moving forward; add more later
  - Don't need to integrate business and technology continuity metrics in the first pass
  - Email announcements and workshops / training for Business Continuity Managers
- Determine frequency of reporting
- Define, develop, and implement controls and processes for plan and application ownership
  - Multiple business units using an application? The primary BU funding the application owns it
- Define, develop, and implement reports required by audience: Corporate Roll-up, Executive Management, IT Executives, Business Continuity Managers, etc.
  - Provide comment capabilities on BCM reports
- Define, develop, and implement tools to track and report on standards
  - Microsoft products (Excel, PowerPoint) can be used to start; consider databases and on-line distribution

Getting Started - Gather Data
- Use any data that has already been collected and ask for validation / changes with executive sign-off
- Where there is no data: obtain the business plan and application ownership list by business unit; jointly assess each plan and application to establish a solid baseline for reporting with established target dates; as always, get sign-off
- Provide a preliminary view of reports to one or two Business Continuity Managers and a Business Executive for feedback
- Before sending reports to executives, preview reports to Business Continuity Managers and make necessary modifications
- Conduct the first round of reporting and ensure executive awareness of the baseline measurement
- Communicate the ongoing maintenance process (self assessment vs. corporate assessment)
- Repeat!

Making Program and Reporting Enhancements
- Work with subject matter experts in developing enhancements, i.e. Global Realty, Corporate Security, Information Technology, etc.
- Review proposed enhancements with the steering / advisory committee for feedback and approval
- Ease into enhancements that strengthen and/or increase standards, criteria, compliance requirements, and/or measurements within a plan; slowly eliminate partials
- Provide enough time for Business Continuity Managers to comply with enhancements: 6 month lead time between announcement and compliance
- Consider exception reporting for high risk items
- Consider trending analysis

Continuity Application Suite
(architecture diagram; box labels as extracted)
- Continuity Reporting System
- Dependency Reporting (LDPRS, Envision, CBCP): Business Functions, Global Processing Timeframes, Business to Applications, Facilities, etc.; future replacement for CPD
- Application Repository: future replacement for the Recovery Exercise Database
- Compliance Reporting Database (CPD): Continuity Compliance Reporting
- DR APP Application Repository: MS Access, not scaleable
- The Conduit: Corporate Feeds, PeopleSoft, Location
- State Street Notify: automated notification tool for Incident Management
- Stand Alone Recovery Exercise Database: tracks Technology Recovery Exercise Objectives, Results, and Resolution
Legend: Strategic Continuity applications; Initial continuity applications to be retired; Initial continuity applications for compliance reporting

Questions?