BUILDING A SECURITY CONSCIOUS BUSINESS CONTINUITY MANAGEMENT (BCM) PROGRAM
Sam Stahl, CBCP, MBCI
EMC Global Professional Services Program Manager
SStahl777@gmail.com
ASIS Shanghai, 2015
AGENDA
- Overview
- Definitions
- ASIS Security Councils/Security Concerns
- Recovery Program Goals
- Considerations
- BCM Governance
  - Program Teams
  - Methodologies
  - Recovery & Response Plans
  - Exercises
  - Measurements and Reporting
- Standard Documentation and Templates
- Questions to Ask
- Next Steps
OVERVIEW
Building a Security Conscious Business Continuity Management (BCM) Program

This presentation illustrates how a comprehensive BCM program can be developed to include security functions. It includes key elements of the ASIS Crisis Management and Business Continuity Council's annual Crisis Management Workshop, which strives to illustrate the importance of security functions and security organizations within recovery programs.
DEFINITIONS
- Recovery Program / Continuity Program / Crisis Management Program
- Governance Teams vs. Recovery Teams
- Disaster Recovery
- Business Continuity
- Crisis Management vs. Emergency Management vs. Incident Response
- Emergency Response
- Organizational Resilience
- Business Impact Analysis (BIA)
- Recovery Time Objective (RTO)
- Recovery Point Objective (RPO)
- SLAs, DOUs, Contracts & Regulations
- Hierarchical Criticality Categorizations
ASIS COUNCILS/SECURITY CONCERNS
- Academic and Training Programs
- Banking and Financial Services
- Commercial Real Estate
- Crime and Loss Prevention
- Crisis Management and Business Continuity
- Cultural Properties
- Defense and Intelligence
- Economic Crime
- Fire and Life Safety
- Food Defense and Agriculture Security
- Gaming and Wagering Protection
- Global Terrorism and Political Instability
- Healthcare Security
- Hospitality, Entertainment and Tourism Security
- Information Asset Protection and Pre-Employment Screening
- Information Technology Security
- Investigations
- Law Enforcement Liaison
- Leadership and Management Practices
- Military Liaison
- Petrochemical, Chemical, and Extractive Industry Security
- Pharmaceutical Security
- Physical Security
- Retail Loss Prevention
- School Safety and Security
- Security Architecture and Engineering
- Security Services
- Supply Chain and Transportation Security
- Utilities Security
RECOVERY PROGRAM GOALS
Recovery of critical functions, assets and infrastructure, including:
- Sales/Marketing
- Manufacturing
- Shipping
- Communications
- HR
- Security
- Customers
- Legal
- Accounting
- Outside Resources
- Products, Services, & Communications
- Facilities
- Helpdesk
- R&D
- Payroll
- IT
RECOVERY & SECURITY CONSIDERATIONS
External drivers:
- Regulatory: local, state, federal (Homeland Security, financial regulations, import/export regulations, etc.)
- Customer contracts to perform at certain levels (guaranteed, sole provider)
- Service Level Agreements
- Enterprise Risk Management
- Security awareness
- Industry trends and industry conferences
- The security organization's business
- Local & global politics
- Disasters
- News

Internal drivers:
- Meet documented BC/DR goals: RTOs, RPOs, SLAs, audits

These apply across all three layers that must be recovered: business processes, the application infrastructure and the technology infrastructure.
BCM GOVERNANCE
Governance Model Template:
- Program Teams
- Recovery Program Goals
- Objectives
- Expectations
- Rules, Regulations, Standards, Procedures
- Proposed Schedules

Program Teams:
- Executive Steering Committee
- Program Management Office
- BC & DR Specialists
- Business Unit Teams
- IT/Asset Teams

Program phases:
- PLAN: Business Impact Analysis, Risk Analysis, & Recovery Strategy Planning. Outputs: Critical Business Functions, Critical Applications, Recovery Time Objectives, Recovery Point Objectives.
- BUILD: Develop the Business Continuity Management (BCM) Program. Outputs: BCM Governance, Emergency Response & Management Plan, Recovery Strategy, Disaster Recovery Plans, Business Continuity Plans.
- MANAGE: Conduct on-going BCM activities.
GOVERNANCE: RECOVERY PROGRAM TEAMS
Governance:
- Executive Steering Committee: high-level oversight
- Program Management Office (PMO): program delivery
- Recovery Specialists (Business Continuity, Disaster Recovery, etc.): day-to-day recovery responsibilities; Plan-Build-Maintain; assist the plan owners as needed

Recovery Teams (each responsible for the development and implementation of a specific recovery plan):
- Executive Management: Corporate Crisis Management (CM)
- Local Management: Local/Geographical Crisis Management (CM)
- Business Units: Business Continuity (BC)
- IT Organization: Disaster Recovery (DR)
- Facilities: Fire, Life, Safety
- Unique recovery teams for specialized areas
GOVERNANCE (CONT.)
METHODOLOGY: ASIS/BSI BCM.01-2010

Plan (Establish the management system): Establish management system policy, objectives, processes, and procedures relevant to managing business continuity risks and improving response and recovery processes that deliver results in accordance with the organization's strategic needs.

Do (Implement and operate the management system): Implement and operate the management system policy, controls, processes, and procedures.

Check (Monitor and review the management system): Monitor, assess, measure, and review performance against management system policy, objectives, and practical experience; report the results to management for review; and determine and authorize actions for remediation and improvement.

Act (Maintain and improve the management system): Take corrective and preventive actions, based on the results of the internal management system audit and management review, re-appraising the scope of the BCMS and the business continuity policy and objectives to achieve continual improvement of the management system.

BSI: British Standards Institution
GOVERNANCE (CONT.)
METHODOLOGY: DISASTER RECOVERY INSTITUTE INTERNATIONAL (DRII)

According to the Disaster Recovery Institute International (DRII), a BC program should contain the following areas:
1. Program Initiation and Management
2. Risk Evaluation and Control
3. Business Impact Analysis
4. Business Continuity Strategies
5. Emergency Response and Operations
6. Business Continuity Plans
7. Awareness and Training Programs
8. Business Continuity Plan Exercise, Audit and Maintenance
9. Crisis Communications
10. Coordination with External Agencies
GOVERNANCE (CONT.)
RECOVERY METHODOLOGY FLOW
- PLAN: Business Impact Analysis, Risk Analysis, & Recovery Strategy Planning. Outputs: Critical Business Functions, Critical Applications, Recovery Point Objectives, Recovery Time Objectives.
- BUILD: Develop the Business Continuity Management (BCM) Program. Outputs: BCM Governance, Emergency Response & Management Plan, Recovery Strategy, Disaster Recovery Plans, Business Continuity Plans.
- MANAGE: Conduct on-going BCM activities.
GOVERNANCE (CONT.)
RECOVERY & RESPONSE PLANS
- Emergency Response Plans: incident management, evacuation plans, shelter in place, intruder alert, active shooter, etc.
- Emergency Management: organizational emergency management, geographical emergency management
- Business Continuity: business unit/location
- Disaster Recovery: IT and other critical resources
- Specialized plans for unique areas: R&D, manufacturing, etc.

Plan types: Emergency Response & Management Plan, Evacuation Plans, Disaster Recovery Plans, Incident Management Plans, Business Continuity Plans.
GOVERNANCE (CONT.)
RECOVERY AND RESPONSE PLANS

Corporate Emergency Management Team (EMT) Team/Plan provides:
- Executive guidance
- Executive decisions
- Financial support
- Internal/external communications
This is usually the team that declares a disaster or authorizes an emergency response.

Geographic EMT Team/Plan provides for local management:
- Guidance
- Decisions
- Financial support
- Internal communications
Addresses people & property impacts: people, buildings, retail stores.

Geographic IT Asset Disaster Recovery Team addresses network & infrastructure impacts: people, technical buildings, data centers, DR centers, communications. Outages/escalations for: information technology, network services, data distribution, data replication.

Business Unit Business Continuity Team addresses business unit impacts: people, buildings, critical business processes. Responsibilities: maintain product and services delivery, maintain the billing process, fund bank accounts/pay employees, manage reputation and brand impact, manage internal and external communications.
GOVERNANCE: EXERCISES
YOU NEED TO KNOW THAT YOU CAN REALLY RECOVER!
- If you don't test, you don't really know if it works.
- Training, conditioning, & improvement.
- Business Continuity: exercise the recovery of business functions (business processes usually ranked by importance); emergency response; crisis management.
- Disaster Recovery: exercise the recovery of assets. All assets, not just IT: information technology, facilities, manufacturing, personnel, etc.
- Continuous improvement: find & fix points of failure.
- Operational risks: identify, then accept or mitigate.
EXERCISES - WHO SHOULD PARTICIPATE
- Crisis Management Team
- Response Teams
- Business Unit Teams
- Other teams/agencies/organizations (participation or due diligence):
  - Employees with disabilities
  - Non-recovery team employees
  - Police: town, county, state, DOC, other
  - Other businesses
  - Fire
  - Hospitals
  - Office of Emergency Management
  - Military
  - Other support teams, such as Facilities, HR, Finance, Corporate Communications
  - Operations Technology
  - Information Technology support teams
  - Regulators
  - FEMA
  - Strategic vendors
  - Strategic customers?
  - Post Office
  - Risk
  - School officials
  - Other private companies
EXERCISES
Steps to a successful exercise:
1. Define the objectives
2. Select and prepare the participants
3. Promote the exercise
4. Prepare the scenario and scripts
5. Prepare the exercise timeline
6. Prepare audiovisuals and handouts
7. Plan the logistics
8. Participate in or manage the exercise
9. Conduct debriefings
10. Write the evaluation report
11. Update the plans (Security should assist)
EXAMPLE EXERCISE TRACKING CHART

Organization/Area Exercised           May 2015   June 2015   July 2015   Oct 2015
                                      West       National    East        Central
Customer Operations                   CSI        CI          CSI         S
Distribution & Operations             CSI        C           CSI         --
ERM Fraud/Risk Control Operations     C          C           C           C
Finance                               C          C           CSI         CS
Human Resources                       CSI        --          CSI         CSI
Information Technology                C          --          C           C
Marketing                             C          C           C           C
Physical Security                     CS         --          CS          CS
IT Security                           CS         --          CS          CS
All Others                            C          C           CSI         C

Exercise Simulation
Bio-terrorism                         yes        --          yes         yes
Bombing                               yes        yes         yes         yes
Simulated Injuries                    yes        yes         yes         yes

Participation
Regional/National Crisis Mgmt Team    35         35          30          35
Participation & support teams         53         0           110         104
Business Continuity Teams             12         5           22          19
Total Participation                   100        40          162         158

Legend: C = Crisis Management Team participation; S = provided recovery support efforts or participation; I = resources were impacted by the exercise.
STANDARD DOCUMENTATION/TEMPLATES
- Governance Model
- Program Tracking Mechanism: overview and detail
- Business Impact Analysis: process and report
- Risk Analysis: process and report
- Strategy Overview: how you will address
  - Responding to a crisis and a recovery (separate plans)
  - Managing the crisis and the recovery (separate plans)
  - Continuity of business functions
  - Recovery of IT and other critical assets and infrastructure
- Training: technical and general/cultural awareness
- Recovery Plan templates: one for each type of plan. These should all work together like a well-oiled machine.
- Exercises: processes, scheduling, & tracking
- Considerations from contracts, SLAs, and government regulations
- Glossary
RECOVERY AND RESPONSE PLANS CHECKLIST
1. Who and what are behind the need for a recovery plan? (Customers, the government, industry rules?)
2. What level of risk can the organization handle?
3. Who is the organization's crisis leader?
4. Do you have business-level crisis management teams? Do they meet periodically?
5. What organizations participate in crisis management?
6. Do they utilize internal and external crisis communications plans?
7. Are all the team members trained?
8. Does your crisis management team maintain an up-to-date listing of all business sites, addresses, primary points of contact, etc.?
9. Do you have a designated crisis management command center?
RECOVERY AND RESPONSE PLANS - CHECKLIST (CONT.)
10. Are the crisis management command centers equipped, operational and routinely tested?
11. Does the organization have written and tested: a crisis management plan, IT/asset recovery plans, business continuity plans, etc.?
BCM PROGRAM DRIVERS POCKET GUIDE
Note: Depicts an overview of the BCM program drivers. Does not show decision points or iterative processes.

Inputs from business process owners: BIA questionnaire, risk questionnaire.

Business Continuity:
- Business Impact Analysis (BIA) & Risk Analysis. Identify & compare impacts: operational, financial, Recovery Time & Point Objectives.
- Identify critical business functions & applications.
- Build Business Continuity plans; test, update and report on the BC plan.

Disaster Recovery:
- Develop the Systems/Applications mapping (S.A.M).
- Estimate recovery costs based on RTO/RPO.
- Build & maintain the DR solution, environment & DR plans; DR plans are based on recovery tiers.
- Test, update and report on the DR plan.

Recovery capability:
- Emergency Response & Management Team and Emergency Response & Management Plan (ERMP); test, update and report on the ERMP.

Business Continuity Management Program:
- Strategic planning: BCM policy statement & strategy
- BC, DR, ERMP planning
- Performance assessment
- Management review
- Continual improvement
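The pocket guide above chains BIA-derived RTO/RPO targets into recovery tiers and then into the Systems/Applications mapping; the gap that exercises keep finding is an application whose BIA promises an RTO or RPO that its underlying systems cannot deliver. The following is an added illustration, not code from the presentation or from any of the organizations it names: it models a small S.A.M, assigns tiers from RTO, walks the dependency tree to compute the achievable RTO (recovery critical path) and RPO (worst replication window), and reports where the BIA commitment exceeds what DR can provide. The tier thresholds, system names and restore/replication figures are constructed for the example.

```python
"""Check BIA-derived RTO/RPO commitments against a Systems/Applications
mapping (S.A.M). Added example; tiers, systems and figures are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed tier thresholds (hours). Tier 0 is the most critical; an
# organization sets its own in the BCM governance model.
TIER_MAX_RTO_HOURS = {0: 4.0, 1: 24.0, 2: 72.0}   # slower than tier 2 -> tier 3


def tier_for_rto(rto_hours: float) -> int:
    """Map a BIA-derived RTO to a DR recovery tier."""
    for tier in sorted(TIER_MAX_RTO_HOURS):
        if rto_hours <= TIER_MAX_RTO_HOURS[tier]:
            return tier
    return max(TIER_MAX_RTO_HOURS) + 1


@dataclass
class System:
    """One S.A.M row: what the DR environment can actually deliver."""
    name: str
    restore_hours: float                      # time to bring this system back
    replication_hours: Optional[float]        # data-loss window; None = holds no data
    depends_on: List[str] = field(default_factory=list)


@dataclass
class Application:
    """A business application with BIA-derived requirements."""
    name: str
    rto_hours: float
    rpo_hours: float
    depends_on: List[str] = field(default_factory=list)


def achievable_rto(name: str, systems: Dict[str, System], _path: Tuple[str, ...] = ()) -> float:
    """Recovery critical path: a system is usable only after the slowest
    chain beneath it is up, plus its own restore time."""
    if name in _path:
        raise ValueError(f"dependency cycle through {name}")
    s = systems[name]
    below = max((achievable_rto(d, systems, _path + (name,)) for d in s.depends_on), default=0.0)
    return s.restore_hours + below


def achievable_rpo(name: str, systems: Dict[str, System], _path: Tuple[str, ...] = ()) -> float:
    """Worst data-loss window anywhere in the dependency tree."""
    if name in _path:
        raise ValueError(f"dependency cycle through {name}")
    s = systems[name]
    own = s.replication_hours if s.replication_hours is not None else 0.0
    below = max((achievable_rpo(d, systems, _path + (name,)) for d in s.depends_on), default=0.0)
    return max(own, below)


def find_gaps(apps: List[Application], systems: Dict[str, System]) -> List[Tuple[str, str, float, float]]:
    """Return (application, objective, required, achievable) for every
    BIA commitment the mapped systems cannot meet."""
    gaps = []
    for app in apps:
        rto = max((achievable_rto(d, systems) for d in app.depends_on), default=0.0)
        rpo = max((achievable_rpo(d, systems) for d in app.depends_on), default=0.0)
        if rto > app.rto_hours:
            gaps.append((app.name, "RTO", app.rto_hours, rto))
        if rpo > app.rpo_hours:
            gaps.append((app.name, "RPO", app.rpo_hours, rpo))
    return gaps


def tier_summary(apps: List[Application]) -> Dict[int, List[str]]:
    """Group applications by recovery tier, the basis for tiered DR plans."""
    out: Dict[int, List[str]] = {}
    for app in apps:
        out.setdefault(tier_for_rto(app.rto_hours), []).append(app.name)
    return out


# Constructed sample inventory (not real infrastructure).
SYSTEMS = {
    "san":       System("san", restore_hours=2.0, replication_hours=0.0),          # synchronous mirror
    "db-orders": System("db-orders", 3.0, 1.0, depends_on=["san"]),                 # hourly log shipping
    "db-hr":     System("db-hr", 4.0, 24.0, depends_on=["san"]),                    # nightly backup
    "web-tier":  System("web-tier", 1.0, None),                                     # stateless
}
APPLICATIONS = [
    Application("order-entry", rto_hours=4.0, rpo_hours=0.25, depends_on=["db-orders", "web-tier"]),
    Application("billing", 8.0, 1.0, depends_on=["db-orders", "web-tier"]),
    Application("payroll", 48.0, 24.0, depends_on=["db-hr"]),
]

if __name__ == "__main__":
    for tier, names in sorted(tier_summary(APPLICATIONS).items()):
        print(f"tier {tier}: {', '.join(names)}")
    for app, objective, required, achievable in find_gaps(APPLICATIONS, SYSTEMS):
        print(f"GAP {app}: {objective} required {required}h, achievable {achievable}h")
```

In the sample data the order-entry application fails both checks: its database can only be restored after the storage layer, so the achievable RTO is 5 hours against a 4-hour commitment, and hourly log shipping cannot honour a 15-minute RPO. That is exactly the kind of finding an exercise surfaces; computing it from the S.A.M beforehand lets the DR team either re-tier the application or fund the faster replication the BIA implies.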
NEXT STEPS
- Ask the questions.
- Research your organization's efforts in: Business Continuity Management, Continuity of Operations, Resiliency, Crisis Management, etc.
- Do your homework.
- Strive to get involved: Security should assist.
QUESTIONS & ANSWERS
Contact Sam Stahl at SStahl777@gmail.com
Cellular: 303-810-4806
BIOGRAPHY
SAM STAHL, CBCP, MBCI

Mr. Stahl is an experienced Certified Business Continuity Planner and holds a master's degree in Project Management. He has developed a number of Business Continuity and Disaster Recovery methodologies. His experience includes developing, implementing, and testing all phases of industry-accepted Business Continuity methodologies at organizations such as VMware, Sammons Financial Group, WellCare, IBM, Dial Corporation, AT&T Wireless, Denver International Airport, the City of Scottsdale (Arizona), Clark County Nevada (Las Vegas), Qwest Communications, Citizens Bank, First American National Bank, American Express, and others.