Loss Control Webcast. Disaster Recovery Planning: we're not in Kansas anymore




Loss Control Webcast: Disaster Recovery Planning, we're not in Kansas anymore. May 15, 2013.

The information presented in this material has been developed from sources believed to be reliable. It is presented for informational purposes only and should not be construed as legal, professional or business advice. Everest National Insurance Company and its affiliates accept no responsibility for the accuracy or completeness of this material. They make no representations or warranties of any kind herein and disclaim all such representations and warranties. Neither Everest National Insurance Company nor its affiliates will be liable for any damages alleged to be caused by the information contained herein. They recommend you consult with legal counsel and/or other professional persons before applying this material. This information is solely for illustrative purposes and does not constitute a contract. Only the relevant insurance policy can provide the actual terms, coverages, amounts, conditions and exclusions.

Disaster Recovery Planning: we're not in Kansas anymore
- Increasing frequency and intensity of natural disasters
- Increasing dependency on technology
- Increasing dependency on supply chain
- Aging infrastructure
- Emerging risks (cyber, environmental, antibiotics, social media, violence, etc.)

Disaster Recovery Planning
- Disaster Recovery: a shift to broader, more widely adopted terminology
- Business Continuity Management
- Organizational Resilience

Business Continuity Definition (ISO 22301)
Business continuity is the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.
Business continuity management (BCM) is a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business Continuity: Today's Objectives
- (What) Components of Business Continuity
- (How) Assuring Success
- (Why) Standards and Best Practices

Business Continuity: 3 Phases (diagram)
Source: Ken Otis, Director, Business Continuity & Physical Security, Liberty Mutual

Emergency Response (Minutes to Hours)
Phase continuum shown on each phase slide: Prevention, Mitigation, Preparedness, Response, Recovery
Emergency Response Objectives
- Emphasis on safety and security of people (employees and visitors)
- Evacuation, medical emergencies, shelter in place, etc.
- Contain the incident
- Minimize injury, property damage, and overall impact
- Coordinate with local responding public agencies
- Communicate internally with leadership/management, other departments, other sites

Emergency Response Planning
Resources
- Emergency Management Team: Set guidelines, establish procedures, monitor progress, allocate or assign resources to response teams, plan training, facilitate safety meetings, coordinate with public authorities and landlords, emergency scenario planning, fund and procure emergency supplies and training.
- Local Emergency Response Teams: Staff members, selected or volunteers, responding in an emergency to protect the safety of their fellow employees. Floor/area wardens, deputies/alternates, searchers, medical emergency responders.
- Emergency Supplies: First aid, AEDs, extinguishers, personal protection, shelter-in-place supplies, flashlights, communication devices, etc.
Planning
- Emergency Response Roles & Responsibilities: Clearly defined roles and responsibilities for response and preparedness, expectations for ongoing training, drills, improvement.
- Emergency Procedures: Evacuations, medical emergencies, shelter-in-place, biological, bomb threats, hostile individual, chemical, fire, explosion, power outage, floor maps, assembly areas, safe havens, quick reference, etc.
- Emergency Communication Plans: Emergency services, important contacts, hotlines, broadcast notifications, call chains, website updates, social media, pre-defined communication groups and messages.

Crisis Management (Hours to Days)
Crisis Management Objectives
- Emphasis on crisis leadership, control, communication
- Protect and account for people
- Safeguard brand and reputation
- Communication and public relations
- Assess impact and damage
- Establish recovery priorities
- Allocate resources (staff, equipment, services)
- Restart operations as quickly as possible

Crisis Management Planning
Resources
- Crisis Management Team: Incident command and control organizational structure. Direct crisis response, highest level decision making. Allocate needed resources. Set crisis response priorities. Public relations. Corporate communication.
- Local Incident Management Team: Directly manage crisis/incident response (NIMS ICS model, FEMA). Assess impact, damage, risks, requirements. Communicate status, progress, needs, next steps.
- Command Center / Emergency Ops Center: Physical or virtual facility located outside the affected area, used to gather, assess, and disseminate information, manage a crisis, and make decisions to effect recovery.
Planning
- Team Roles and Responsibilities: Clearly defined roles and responsibilities including accountabilities and authority.
- Communication Plans: Communication plans for each office, including technology, alternatives, call chains, assignments, etc.
- Crisis/Incident Procedures: Scenario-based procedures and decision flows to clarify functions and duties, priorities, sequence of events, initiation points for other plans, external coordination requirements, etc.
- Command / Emergency Ops Center Plans: Location alternatives, agreements, requirements, roles, procedures, activity logs, communications, etc.

Business Recovery (Days to Months)
Business Recovery Objectives
- Emphasis on recovery of business operations (processes, services, products, and communication with customers, business partners, staff)
- Recover operations efficiently and effectively
- Align all recovery activities across functions and business areas
- Monitor recovery and ensure plans stay on track
- Maintain communications
- Resume business operations back to pre-incident levels

Business Recovery Planning
Resources
- Business Continuity Department and Location Coordinators: Manage and resource planning teams within department or office location. Risk assessment, business impact analysis, recovery prioritization, approve alternatives/workarounds, allocate resources for planning and recovery tasks, resolve gaps and overlaps.
- Business Unit/Department Teams: Business unit/departmental recovery plans, process alternatives/workarounds, assign resources for recovery tasks, survey staff, communication plans, risk and asset inventories, requirements for alternative work sites and remote access.
- Business Recovery Support Teams: Facilities support, office space, physical security, salvage, transportation/logistics, quality reviews, telecommunications.
Planning
- Business Impact Analysis: Inventory of functions and processes, prioritization/sequencing, recovery cost analysis, operational, financial, human resource, customer impacts and risks, recovery time and recovery point objectives, dependencies.
- Internal and External Communications: Alternatives and procedures, emergency contacts, broadcast notifications, privacy considerations. Customers, partners, service providers, vendors.
- Asset Inventories: Vital records, reference material, technology, specialized equipment, etc.
- Risk Assessment and Mitigation: Identification, definition, likelihood, impact, timing considerations, ranking/prioritization, mitigation strategies, monitoring, improvement.
- Vendor and Supply Chain: Service level agreements, emergency exceptions, contract reviews, dependencies, communications.
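The Business Impact Analysis item above asks for an inventory of functions with recovery time objectives, sequencing and dependencies. Two things in that inventory can be checked mechanically: whether the recovery order honours the dependencies, and whether any function's RTO is unachievable because something it depends on has a longer RTO. The Python below is an added example, not material from the webcast or its presenter; the inventory, function names and hour values are constructed assumptions.

```python
from collections import defaultdict

# Constructed, hypothetical BIA inventory (not from the webcast). rto_hours is the
# maximum tolerable downtime, rpo_hours the maximum tolerable data loss, and
# depends_on lists the functions that must be running before this one can resume.
BIA_INVENTORY = {
    "claims_intake": {"rto_hours": 4,  "rpo_hours": 1,  "depends_on": ["policy_db", "email"]},
    "policy_db":     {"rto_hours": 8,  "rpo_hours": 1,  "depends_on": ["network"]},
    "email":         {"rto_hours": 24, "rpo_hours": 24, "depends_on": ["network", "directory"]},
    "directory":     {"rto_hours": 2,  "rpo_hours": 24, "depends_on": ["network"]},
    "network":       {"rto_hours": 2,  "rpo_hours": 0,  "depends_on": []},
    "payroll":       {"rto_hours": 72, "rpo_hours": 24, "depends_on": ["directory"]},
}


def find_rto_gaps(inventory):
    """Return (function, dependency, function_rto, dependency_rto) for every case where
    a dependency's RTO is longer than the RTO of the function relying on it. Such a
    function cannot meet its own RTO, however well its own recovery goes, until the
    dependency's RTO is shortened or the dependency is removed."""
    gaps = []
    for name, spec in inventory.items():
        for dep in spec["depends_on"]:
            dep_rto = inventory[dep]["rto_hours"]
            if dep_rto > spec["rto_hours"]:
                gaps.append((name, dep, spec["rto_hours"], dep_rto))
    return gaps


def recovery_sequence(inventory):
    """Order functions so each one is recovered after everything it depends on
    (Kahn's topological sort). Among functions whose dependencies are all met,
    the shortest RTO goes first. Raises ValueError on a circular dependency."""
    remaining = {name: len(spec["depends_on"]) for name, spec in inventory.items()}
    dependents = defaultdict(list)
    for name, spec in inventory.items():
        for dep in spec["depends_on"]:
            if dep not in inventory:
                raise KeyError(f"{name} depends on {dep}, which is not in the inventory")
            dependents[dep].append(name)

    def by_rto(name):
        return inventory[name]["rto_hours"]

    ready = sorted((n for n, count in remaining.items() if count == 0), key=by_rto)
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for child in dependents[current]:
            remaining[child] -= 1
            if remaining[child] == 0:
                ready.append(child)
        ready.sort(key=by_rto)
    if len(order) != len(inventory):
        raise ValueError("circular dependency in BIA inventory")
    return order


if __name__ == "__main__":
    for name, dep, rto, dep_rto in find_rto_gaps(BIA_INVENTORY):
        print(f"GAP: {name} has a {rto}h RTO but depends on {dep}, whose RTO is {dep_rto}h")
    print("recovery sequence:", " -> ".join(recovery_sequence(BIA_INVENTORY)))
```

With the constructed inventory, claims_intake is flagged twice: its 4-hour RTO is impossible while policy_db (8 hours) and email (24 hours) are allowed to take longer, which is exactly the kind of gap the coordinators' "resolve gaps and overlaps" task is meant to surface before an exercise finds it.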
IT Disaster Recovery
IT Disaster Recovery Objectives
- Emphasis on Information Technology (systems, data, telecommunications, IT services, network, data center operations)
- Provide technology and support for emergency and crisis communications
- Ensure security and protection of corporate data & technology assets
- Recover technology and related services efficiently and effectively according to business requirements
- Coordinate technology recovery services, vendors, contractors
- Resume technology and services to pre-incident levels

IT Disaster Recovery Planning
Resources
- Disaster Recovery Teams: Telecommunications/network, infrastructure/engineering, client support, applications, data, security, emergency operations center, command center, alternate work site, facilities.
- Recovery Site: Cold site, hot site, colocation, duplicate data center, failover, cloud computing, offsite storage, etc.
- Alternate Work Sites: Alternative office space, permanent, mobile, other corporate offices, remote access, work from home, etc. Includes workstation and workgroup technology, communications, connectivity, power, physical workstation, office supplies, etc.
- DR Service Providers: Disaster recovery vendors, contractors, subject matter experts, etc.
Planning
- Disaster Recovery Plans: Recovery aligned with business requirements and business impact analysis, recovery timelines and sequencing, dependencies, decision trees, logging and tracking requirements, physical and logical security considerations, team roles and responsibilities, accountabilities and authorities, workstation and server rebuilds.
- Reference: Configurations, diagrams, runbooks, manuals, scripts, RTOs, RPOs, etc.
- Vendor Agreements: Emergency/Disaster SLAs, dependencies and contingencies, vendor roles and responsibilities, vendor disaster recovery and business continuity plans, etc.
- Communication Plans: Emergency contacts, alternative communication methods, roles and responsibilities, pre-defined groups and messages, etc.

Business Continuity Scope
- All business departments, units, and critical functions
- All major physical assets, vital records, and information technology
- All office locations
- All hazards and disaster scenarios, prioritized by impact and likelihood
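The RPOs recorded under the IT Disaster Recovery Planning "Reference" item above only protect data if backups actually land within them, and the "Everything must be tested" point later in the deck applies as much to backup jobs as to plans. As an added example, not code from the webcast or its presenter, the Python below parses a constructed backup-job log (the line format, system names and RPO values are all assumptions) and reports, as of a chosen moment, how old each system's newest successful backup is and whether that is within its RPO. Failed jobs do not count, out-of-order log lines are handled, and a system listed in the BIA with no successful backup at all is reported as having no recovery point.

```python
from datetime import datetime, timezone

# Constructed backup-job log (hypothetical format and systems, not from the webcast):
# ISO-8601 UTC timestamp, system name, job result. Lines are deliberately not in
# time order and one job has failed, as real logs often look.
BACKUP_LOG = """\
2013-05-14T02:00:00Z policy_db success
2013-05-14T02:15:00Z claims_files success
2013-05-14T14:00:00Z policy_db success
2013-05-15T02:00:00Z policy_db failed
2013-05-15T02:10:00Z claims_files success
2013-05-14T03:00:00Z email success
"""

# Recovery point objective per system, in hours (hypothetical BIA values).
# payroll is in the BIA but has never appeared in the backup log.
RPO_HOURS = {"policy_db": 4, "claims_files": 24, "email": 24, "payroll": 24}


def parse_timestamp(text):
    """Parse the log's UTC timestamp format into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_backup_log(text):
    """Turn log lines into (timestamp, system, result) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        records.append((parse_timestamp(parts[0]), parts[1], parts[2]))
    return records


def last_successful_backup(records):
    """Newest successful backup per system; failed jobs do not move the recovery point."""
    newest = {}
    for ts, system, result in records:
        if result == "success" and (system not in newest or ts > newest[system]):
            newest[system] = ts
    return newest


def rpo_exposure(records, rpo_hours, as_of):
    """For each system with an RPO, return (age of newest good backup in hours, meets_rpo).
    A system with no successful backup gets (None, False): had a disaster struck at
    `as_of`, there would be no recovery point for it at all."""
    newest = last_successful_backup(records)
    report = {}
    for system, rpo in rpo_hours.items():
        if system not in newest:
            report[system] = (None, False)
            continue
        age_hours = (as_of - newest[system]).total_seconds() / 3600
        report[system] = (round(age_hours, 2), age_hours <= rpo)
    return report


def rpo_report(log_text, rpo_hours, as_of_iso):
    """Parse the log and evaluate every RPO as of the given ISO-8601 UTC timestamp."""
    return rpo_exposure(parse_backup_log(log_text), rpo_hours, parse_timestamp(as_of_iso))


if __name__ == "__main__":
    for system, (age, ok) in rpo_report(BACKUP_LOG, RPO_HOURS, "2013-05-15T08:00:00Z").items():
        status = "OK" if ok else "RPO MISSED"
        print(f"{system:13} newest good backup {age} h old (RPO {RPO_HOURS[system]} h): {status}")
```

Evaluated at 08:00 UTC on 15 May 2013, only claims_files is inside its RPO: policy_db's newest good backup is 18 hours old because the latest job failed, email's is 29 hours old, and payroll has no recovery point. Running a check like this after every backup window, rather than discovering the gap during a recovery exercise, is the practical meaning of the "monitoring" entry under Risk Assessment and Mitigation.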

Business Continuity Scope: All-Hazards planning approach
- Scenario assumptions that provide broad planning, to address many potentially disastrous events
- Typical beginning scenario assumptions: loss of office location and/or data center, or extended loss of use/access; limited unavailability of key staff; localized disaster, not a large regional event
- Example expanded or targeted scenarios: pandemic; regional disaster or loss of multiple offices; shelter-in-place; supply chain; active shooter or workplace violence

Business Continuity Management: Polling Questions

Business Continuity: Objectives
- (What) Components of Business Continuity
- (How) Assuring Success
- (Why) Standards and Best Practices

Business Continuity Success: Basic Recommendations
- Executive sponsorship and governance
- Ongoing program, not a project
- Continuous improvement is foundational
- Guided by current best practices and standards
- Everything must be tested!

Business Continuity - Governance
Link to corporate objectives
- Enterprise Risk Management (ERM)
Provide executive steering
- Senior executive sponsor (accountability)
- Executive-level steering committee (direction/guidance)
- Board visibility and reporting
- Alignment with corporate goals
- Prioritization and cost/benefit
- Allocation of necessary resources

Business Continuity - Governance
Establish corporate policy
- Commitment to protect people and assets
- Commitment to continuous improvement
- Commitment to organizational resilience
Organize corporate leadership: Business Continuity Coordinators
- Department heads or designees for each major business area
- Office managers or designees for each office location
- Manage and monitor ongoing progress
- Allocate needed resources
- Balance against competing priorities
- Perform ongoing risk assessment

Business Continuity - Program Management
Planning, scheduling, requirements
- Plan ahead, ensure next steps are crystal clear
- Quarterly or annual planning cycle
- Flexibility and creativity in scheduling
- Insist on clearly defined requirements and objectives
Organizing, coordinating, facilitating
- Cross-functional collaboration
- Stick to objectives and agenda in every meeting
- Never waste anyone's time

Business Continuity - Program Management
Scope management
- Commitment to continuous improvement is crucial
- Limit scope to what is achievable, and of highest priority
- Adjust scope (with approval) to address resource and priority conflicts
- Be resourceful with available team members to support those who are struggling

Business Continuity - Program Management
Documentation
- Establish a documentation standards committee
- Evaluate documentation alternatives, select the appropriate solution; provide easy-to-use templates or software
- Make documentation readily available to all team members, but comply with privacy and security requirements
- Documentation is the primary deliverable, and must be tracked and measured
- Document everything: notes from every meeting, issues and decisions; periodic and dependable status reports and updates; log exercises, tests, false alarms
- Ensure document controls are in place

Business Continuity - Program Management
Develop and deploy training
- Raise awareness, educate about the risks
- Provide ongoing instruction for initiating teams, developing plans, emergency procedures, etc.
Monitor and measure progress
- Status reporting against the program plan
- Track against agreed deliverable dates
- Monitor team effectiveness
- Measure and assess deliverables
- Tools for tracking progress are crucial

Business Continuity Scorecard (example; chart not reproduced in the transcription)

Business Continuity: Plan, Do, Check, Act (PDCA cycle diagram)

Business Continuity - Testing
Testing assumptions
- All plans must be tested
- All tests identify improvements
- Failure is relative, and part of learning
Preparation
- Include representation from all stakeholders
- Define what you want to test and the overall purpose
- Ensure feasibility (cost, time, people)
- Hold regular planning and preparation meetings with stakeholders for each exercise

Business Continuity - Testing: exercise types
Orientation / Walkthrough
- Timing / Purpose: Anytime / as needed. Raise awareness or educate; introduction for new people; re-energize mid-stream; clarify roles and responsibilities; check or validate progress or quality at any point.
- Description / Process: Presentation or discussion format; use a moderator to keep discussion focused; group discussion about anticipated actions; open floor to comments or observations about plan improvements; provides an overview of the plan to motivate and familiarize participants with team roles, responsibilities, expectations, and procedures; informal, low stress, easy to conduct.
Drills
- Timing / Purpose: Anytime / as needed. Raise awareness or educate; increase familiarity to reduce anxiety, panic, freeze; effective for any size group.
- Description / Process: Narrow in scope; quick, brief action; physical, hands-on, experiential; value and improvement through repetition.

Business Continuity - Testing: exercise types (continued)
Table-top
- Timing / Purpose: Early to mid stage of program development. Expose plan gaps; improve the plan without full-scale simulation; encourage group participation.
- Description / Process: Simulation site: conference/large room. Facilitated discussion to simulate an emergency; uses injected messages or actions to simulate events; simulates actions/activities in a controlled environment.
Functional or Segment
- Timing / Purpose: Following completion of a segment, or specialized function. Real-time decisions and actions; real responses and consequences.
- Description / Process: Simulated scenario, as realistic as possible in a controlled environment (short of moving equipment, personnel, etc.); requires actual performance of response functions; tests communications, preparedness, and availability.
Full-scale
- Timing / Purpose: Following completion of a location plan, including other exercises which demonstrate readiness. Evaluates operational capabilities, interactively; facilitates communication across the organization and the public/private sector.
- Description / Process: Real-life simulation of a defined disaster scenario; deploys personnel and equipment to specified location(s); use of injects and external stakeholders; incorporates as many functions as possible for a test of the complete business continuity plan; expensive, time-consuming.

Business Continuity Management
- (What) Components of Business Continuity
- (How) Assuring Success
- (Why) Standards and Best Practices

Business Continuity Standards & Best Practices
PS-Prep: Born of Tragedy

Business Continuity Standards & Best Practices
- Public Law 110-53: Implementing Recommendations of the 9/11 Commission Act of 2007
- Title IX: Private Sector Preparedness
- PS-Prep: Voluntary Private Sector Preparedness Accreditation and Certification Program
- Collaboration between the Department of Homeland Security and the private sector
- Mandated by Title IX of PL 110-53 (24 Titles)

Business Continuity Standards & Best Practices: Approved Standards
- ASIS SPC.1-2009, ASIS International (free)
- NFPA 1600: 2010 (2013 just released), National Fire Protection Association (free)
- BS 25999, British Standards Institute (nominal charge)
- ISO 22301 (replaces BS 25999; under consideration in the USA)
Links to the approved standards are available from the ANAB website: http://www.anab.org/accreditation/preparedness.aspx

Business Continuity Standards & Best Practices: New International Standard
- ISO 22301: Requirements (auditable)
- ISO 22313: Guidance
- Societal Security: Business continuity management systems
- http://www.ansi.org

Business Continuity Standards & Best Practices
- Standards tell you what to do; methods tell you how to do it
Professional certification organizations (methods)
- DRII: Disaster Recovery Institute International, 10 Professional Practices, https://www.drii.org/
- BCI: Business Continuity Institute, 6 Professional Practices, 6 Phases of Business Continuity, http://www.thebci.org/

Business Continuity Management - Review
- (What) Components of Business Continuity
- (How) Assuring Success
- (Why) Standards and Best Practices

Business Continuity Management: Questions?

Lawrence (Larry) E. Cowen (lcowen@usa.net), L E Cowen & Associates, LLC
Larry is a DRII-certified business continuity professional (CBCP), certified ISO Lead Auditor, PMI project management professional (PMP), certified Scrum master (CSM), and management consultant. He has 10 years of experience in business continuity management (BCM) and 20 years as an information technology executive in the insurance industry. In addition to his BCM and project management consulting company, L E Cowen & Associates LLC, Larry directs product development for METRIX411, a software as a service (SaaS) platform for authoring, delivering, and managing business assessments. Larry is an active volunteer, leading long-term recovery teams after major disasters, and, as a member of the board of directors for the American Red Cross in New Hampshire, is engaged in volunteer development.