Building a Security Conscious Business Continuity Management (BCM) Program
Sam Stahl, CBCP, MBCI
EMC Global Professional Services, Program Manager
stahl_samuel@emc.com
ASIS Singapore, 2014
Agenda
Overview
ASIS Security Councils / Security Concerns
Definitions
Recovery Program Goals
Considerations
BCM Governance
  Program Teams
  Methodologies
  Recovery & Response Plans
  Exercises
  Measurements and Reporting
Standard Documentation and Templates
Questions to Ask
Next Steps
Overview: Building a Security Conscious Business Continuity (BCM) Program
This presentation illustrates how comprehensive BCM Programs can be developed to include security functions. It includes key elements of the ASIS Crisis Management and Business Continuity Council's annual Crisis Management Workshop, which strives to illustrate the importance of security functions and organizations within recovery programs.
ASIS Councils / Security Concerns
Academic and Training Programs
Banking and Financial Services
Commercial Real Estate
Crime and Loss Prevention
Crisis Management and Business Continuity
Cultural Properties
Defense and Intelligence
Economic Crime
Fire and Life Safety
Food Defense and Agriculture Security
Gaming and Wagering Protection
Global Terrorism and Political Instability
Healthcare Security
Hospitality, Entertainment and Tourism Security
Information Asset Protection and Pre-Employment Screening
Information Technology Security
Investigations
Law Enforcement Liaison
Leadership and Management Practices
Military Liaison
Petrochemical, Chemical, and Extractive Industry Security
Pharmaceutical Security
Physical Security
Retail Loss Prevention
School Safety and Security
Security Architecture and Engineering
Security Services
Supply Chain and Transportation Security
Utilities Security
Definitions
Recovery Program / Continuity Program / Crisis Management Program
Governance Teams vs. Recovery Teams
Disaster Recovery
Business Continuity
Crisis Management vs. Emergency Management vs. Incident Response
Emergency Response
Organizational Resilience
Business Impact Analysis (BIA)
Recovery Time Objective (RTO)
Recovery Point Objective (RPO)
SLAs, DOUs, Contracts & Regulations
Hierarchical Criticality Categorizations
Recovery Program - Goals
Recovery of Critical Functions & Assets & Infrastructure
Customers: Products, Services, & Communications
Internal functions: Sales / Marketing, Manufacturing, Shipping, HR, Legal, Communications, Security, Accounting, Facilities, Helpdesk, R&D, IT, Payroll
Outside Resources: Products, Services, & Communications
Recovery & Security Considerations
Regulatory
  Local, State, Federal (Homeland Security, financial regulations, import / export regulations, etc.)
Customer
  Contracts to perform at certain levels
  Guaranteed sole provider
  Service Level Agreements
Enterprise Risk Management
Internal
  Meet BC / DR documented goals: RTOs, RPOs, SLAs
  Audits
  Security Awareness
Industry Trends
  Industry Conferences
  Security Organization's Business
Local & Global
  Politics
  Disasters
  News
BCM Governance
Governance - Recovery Program Teams
High Level Oversight
Program Delivery
  Day to Day Recovery Responsibilities
  Plan-Build-Maintain
  Assist the Plan Owners as needed
Unique Recovery Teams
  Responsible for the development and implementation of specific recovery plans
Governance (Cont.)
Methodology: ASIS/BSi BCM.01-2010
BSi: British Standards Institute
Governance (Cont.)
Methodology: Disaster Recovery Institute International (DRII)
According to the Disaster Recovery Institute International (DRII), a BC Program should contain the following areas:
1. Program Initiation and Management
2. Risk Evaluation and Control
3. Business Impact Analysis
4. Business Continuity Strategies
5. Emergency Response and Operations
6. Business Continuity Plans
7. Awareness and Training Programs
8. Business Continuity Plan Exercise, Audit and Maintenance
9. Crisis Communications
10. Coordination with External Agencies
Governance (Cont.)
Recovery Methodology Flow (diagram)
Governance (Cont.)
Recovery & Response Plans
Emergency Response Plans
  Incident Management
  Evacuation Plans
  Shelter in Place
  Intruder Alert
  Active Shooter, etc.
Emergency Management
  Organizational Emergency Management
  Geographical
Business Continuity
  Business unit / Location
Disaster Recovery
  IT, critical resources
Specialized plans for unique areas
  R&D
  Manufacturing, etc.
Governance (Cont.)
Recovery and Response Plans
Corporate Emergency Management Team: this is usually the team that declares a disaster or authorizes an emergency response.
People & Property Impacts
  People
  Buildings
Network & Infrastructure Impacts
  People
  Data Centers
  DR CTRs
  Comms
Business Unit Impacts
  Critical Business Processes
  People
  Buildings
  Technical Buildings
  Retail Stores
Outages/Escalations for:
  Information Technology
  Network Services
  Data Distribution
  Data Replication
  Maintain Product and Services Delivery
  Maintain Billing Process
  Fund Bank Accounts / Pay Employees
  Manage Reputation and Brand Impact
  Manage Internal and External Communications
Governance: Exercises
You need to know that you can REALLY recover! If you don't test, you don't really know if it works.
Training, conditioning, & improvement
Business Continuity: exercise the recovery of business functions
  Business processes, usually ranked by importance
  Emergency response
  Crisis management
Disaster Recovery: exercise the recovery of assets
  All assets, not just IT
  Information technology, facilities, manufacturing, personnel, etc.
Continuous Improvement
  Find & fix points of failure
Operational Risks
  Identify
  Accept or mitigate
Exercises - Who Should Participate
Crisis Management Team
Response Teams
Business Unit Teams
  Operations
  Business
  Technology
Other Teams / Agencies / Organizations (participation or due diligence)
  Handicapped employees
  Non-recovery team employees
  Police: Town, County, State, DOC, other
  Fire
  Hospitals
  Office of Emergency Management
  Military
  Regulators
  FEMA
  Strategic Vendors
  Strategic Customers?
  Post Office
  School officials
  Other private companies
Other Support Teams, such as Facilities, HR, Finance, Corporate Communications, Risk
Information Technology Support Teams
Exercises: Steps to a Successful Exercise
1. Define the objectives
2. Select and prepare the participants
3. Promote the exercise
4. Prepare the scenario and scripts
5. Prepare the exercise timeline
6. Prepare audiovisuals and handouts
7. Plan the logistics
8. Participate in or manage the exercise
9. Conduct debriefings
10. Write the evaluation report
11. Update the Plans
Security Assist
Example Exercise Tracking Chart

| Organization / Area Exercised | May 2008 West | June 2008 National | July 2008 East | October 2008 Central |
|---|---|---|---|---|
| Customer Operations | C S I | C I | C S I | S |
| Distribution & Operations | C S I | C | C S I | -- |
| ERM Fraud/Risk Control Operations | C | C | C | C |
| Finance | C | C | C S I | C S |
| Human Resources | C S I | -- | C S I | C S I |
| Information Technology | C | -- | C | C |
| Marketing | C | C | C | C |
| Physical Security | C S | -- | C S | C S |
| All Others | C | C | C S I | C |
| Exercise Simulations | | | | |
| Bio-terrorism | ✓ | -- | ✓ | ✓ |
| Bombing | ✓ | ✓ | ✓ | ✓ |
| Simulated Injuries | ✓ | ✓ | ✓ | ✓ |
| Participation | | | | |
| Regional / National Crisis Management Team | 35 | 35 | | 35 |
| Participation & support teams | 53 | 0 | | 104 |
| Business Continuity Teams | 12 | 5 | | 19 |
| Total Participation | 100 | 40 | 162 | 158 |

C = Crisis Management Team participation
S = Provided recovery support efforts or participation
I = Resources were impacted by the exercise
Standard Documentation / Templates
Governance Model
Program Tracking Mechanism
  Overview and detail
Business Impact Analysis
  Process and Report
Risk Analysis
  Process and Report
Strategy Overview - how you will address:
  Responding to a crisis and a recovery (separate plans)
  Managing the crisis and the recovery (separate plans)
  Continuity of business functions
  Recovery of IT and other critical assets and infrastructure
Training
  Technical and general / cultural awareness
Recovery Plan templates
  One for each type of plan. These should all work together like a well-oiled machine.
Exercises
  Processes, scheduling, & tracking
Considerations from contracts, SLAs, and government regulations
Glossary
Recovery and Response Plans - Checklist
1. Who and what are behind the need for a recovery plan? (Customers, the government, industry rules?)
2. What level of risk can the organization handle?
3. Who is the organization's crisis leader?
4. Do you have cross-business crisis management teams?
5. Do they meet periodically?
6. What organizations participate in crisis management?
7. Do they utilize internal and external crisis communications plans?
8. Are all the team members trained?
9. Does your crisis management team maintain an up-to-date listing of all business sites, addresses, primary points of contact, etc.?
10. Do you have a designated crisis management command center?
Recovery and Response Plans - Checklist (Cont.)
11. Are the crisis management command centers equipped, operational and routinely tested?
12. Does the organization have written and tested:
  a. Crisis management plan
  b. IT / Asset Recovery Plans
  c. Business Continuity Plans, etc.?
13. Does your organization have a defined and tested emergency notification communications system?
14. How often do they test it?
15. Does the organization have a documented and communicated incident reporting procedure?
16. When do the employees receive crisis management training?
BCM Program Drivers Pocket Guide (diagram)
Business Continuity Management Program
  Emergency Response & Management Team
  Disaster Recovery
  Business Continuity
  Business Process Owners
Next Steps
Ask the questions
Research your organization's efforts in:
  Business Continuity Management
  Continuity of Operations
  Resiliency
  Crisis Management, etc.
Do your homework
Strive to get involved
Questions & Answers
Contact Sam Stahl at Sam.stahl@emc.com
Cellular: 303-810-4806
BIOGRAPHY
Sam Stahl, CBCP, MBCI
Mr. Stahl is an experienced Certified Business Continuity Planner and has a Master's Degree in Project Management. He has developed a number of Business Continuity and Disaster Recovery methodologies. His experience includes developing, implementing, and testing all phases of industry-accepted Business Continuity methodologies at organizations such as IBM, Dial Corporation, AT&T Wireless, Denver International Airport, the City of Scottsdale (Arizona), Clark County Nevada (Las Vegas), Qwest Communications, Citizens Bank, First American National Bank, American Express, and others.