Creating an Integrated Business Continuity / Disaster Recovery (BC/DR) Program. A Hands-on Workshop




The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought.

December 3rd Agenda (morning)

| Time | Session |
| --- | --- |
| 8:30 to 9:00 | Introduction |
| 9:00 to 10:00 | Key Stages of BC Management |
| 10:00 to 10:10 | Break |
| 10:10 to 11:00 | Planning and Analysis |
| 11:00 to 11:30 | Emergency Procedures |
| 11:30 to 12:00 | Plan Development |
| 12:00 to 1:00 | Lunch |

December 3rd Agenda (afternoon)

| Time | Session |
| --- | --- |
| 1:00 to 1:30 | Awareness and Training |
| 1:30 to 2:00 | Plan Activation |
| 2:00 to 2:30 | Ongoing maintenance |
| 2:30 to 2:40 | Break |
| 2:40 to 3:10 | Crisis Communication |
| 3:10 to 3:40 | Introduction to Exercises |
| 3:40 to 4:10 | Emerging trends |
| 4:10 to 4:30 | Wrap up |

"What we learn from history is that people don't learn from history" (Warren Buffett)

Business Continuity / Disaster Recovery Participant Introductions 6

Introductions Name Organization Existing Role Explain how you became involved in BC/DR Fun Fact / Positive 7

It all starts with you! http://www.ready.gov/ 8

Key Stages of BC Management An Introduction 9

Business Continuity Planning 10


The Framework for Crisis Management

| | Landscape Survey | Strategic Planning | Crisis Management | Operational Learning |
| --- | --- | --- | --- | --- |
| The Internal Landscape | Internal Crisis Threats | Plan for potential crisis events | Managing internal stakeholders during a crisis | What can we learn |
| The External Landscape | External Crisis Threats | External planning that could help | Managing external stakeholders during a crisis | What learning is taking place outside our organization |

Crandall, Parnell and Spillan (2014)

The Life Cycle of a Crisis

Myers:
- Normal Operations: Prevention practices
- Emergency Response: Activities during the first hours
- Interim Processing: Temporary procedures are set up
- Restoration: Transition back to normal

Pearson and Mitroff (1993):
- Signal detection: Begins with some form of warnings
- Preparation/prevention: Forming the crisis management team and plan of action
- Containment/Damage limitation: Managing the crisis
- Recovery: Attempts to resume activities
- Learning: Reflecting on what can be learned

What is a Business Continuity Plan?

Business Continuity*: A program which develops, exercises and maintains plans to enable the organization to:
- Respond to a disruption with minimum harm to life and resources;
- Recover, resume and restore functions within time frames which ensure continuing viability; and
- Provide crisis communications to all stakeholders.

Business Continuity Plan*: Process of developing and documenting arrangements and procedures that enable an organization to respond to an event that lasts for an unacceptable period of time and return to performing its critical functions after an interruption.

* Disaster Recovery Journal. Definitions can be found at www.disasterrecoveryjournel.com

A Business Continuity Program:
- Is not a project
- Is not a one-time task
- Is not for a fixed length of time
- Must be an ongoing, living program that consists of several interdependent and reiterative projects

BC Program Purpose Protect your People Information Operations Organization 16

BC Program Objectives Keep everyone safe Ensure continuity and survival of organization Provide protection of assets Mitigate risks and exposures Provide preventative measures Take control of any business interruption 17

Why is a BCM Program Important? Safeguards human life Minimizes confusion and enables effective decisions in a time of crisis Reduces dependency on specific personnel Minimizes loss of data, revenue, customers Facilitates timely recovery of business functions Maintains public image and reputation 18

A BCM Program Will Answer What is a disaster? When do the impacts begin? How much loss can be tolerated? What are the options? How to reestablish business functions? What will a recovery capability cost? How much is enough? 19

What is a Disaster? Sudden, calamitous event that brings great damage, loss or destruction. (Source: Merriam Webster dictionary) Natural Earthquakes Floods Storms Man Made Power outages Sprinkler system bursts Crime Equipment sabotage Technological Database corruption Viruses Internet worms 20

Business Continuity Definitions

Disaster Recovery*: The process of returning a business function to a state of normal operations either at an interim minimal survival level and/or re-establishing full-scale operations.

Risk Controls*: All methods of reducing the frequency and/or severity of losses including exposure avoidance, loss prevention, loss reduction, segregation of exposure units and non-insurance transfer of risk.

* Disaster Recovery Journal. Definitions can be found at www.disasterrecoveryjournel.com

Disaster Response

Disaster*:
- A sudden, unplanned calamitous event causing great damage or loss.
- An event that compromises an organization's ability to provide critical functions, processes, or services for some unacceptable period of time.
- An event where an organization's management invokes their recovery plans.

* Disaster Recovery Journal. Definitions can be found at www.disasterrecoveryjournel.com

Then: Protect the assets; IT department
Now: Protect critical business processes; Mission Critical functions

Business Continuity Definitions (Cont'd)

Emergency Response Plan*: A documented plan usually addressing the immediate reaction and response to an emergency situation.

Loss*: Unrecoverable resources that are redirected or removed as a result of a Business Continuity event. Such losses may be loss of life, revenue, market share, competitive stature, public image, facilities, or operational capability.

* Disaster Recovery Journal. Definitions can be found at www.disasterrecoveryjournel.com

BC/DR Benefits 24

Key Components of Disaster Recovery 25

Business Continuity Problem Statement
- Internal or external event interrupts one or more of your business processes
- Time length of interruption causes situation to become a disaster
- The financial impact caused by the event

What's Important to Your Business?

Planning and Analysis 27

What is Risk Assessment? Process of identifying the risks to an organization Assesses the critical functions necessary for an organization to continue business operations Defines the controls in place to reduce organization exposure Evaluates the cost for such controls Often involves an evaluation of the probabilities of a particular event occurring 28

Purpose of Risk Assessment
- To determine events, probabilities and environmental surroundings that can adversely affect the organization and its facilities with disruption and disaster and the controls needed to prevent or minimize the effects of potential loss
- To provide a cost-benefit analysis to justify investment in controls to mitigate risks

Cause and Effect Relationship Threat Vulnerability Risk Cause Probability Effect Assets 30

Identify Risk Events (example: Fire)

| Risk event | Probability | Severity |
| --- | --- | --- |
| Whole building fire | Low | High |
| Fire limited to one floor | Medium | Medium |
| Fire in basement mailroom | Medium | High |

Identify Risk Event Probability

| Probability | Frequency | How it is typically described |
| --- | --- | --- |
| Low | Less than once every 25 years | "This could happen, but it would be a freak event" |
| Medium | Once every 5 to 25 years | "I saw something similar in the papers recently"; "I know someone this happened to" |
| High | More than once every 5 years | "I remember the last time this happened" |

Risk Analysis & Exposure Estimation: Risk Level Matrix

| Threat Likelihood | Impact: Low (10) | Impact: Medium (50) | Impact: High (100) |
| --- | --- | --- | --- |
| High (1.0) | Low: 10 x 1.0 = 10 | Medium: 50 x 1.0 = 50 | High: 100 x 1.0 = 100 |
| Medium (0.5) | Low: 10 x 0.5 = 5 | Medium: 50 x 0.5 = 25 | Medium: 100 x 0.5 = 50 |
| Low (0.1) | Low: 10 x 0.1 = 1 | Low: 50 x 0.1 = 5 | Low: 100 x 0.1 = 10 |

Risk Scale: High = 51 to 100; Medium = 11 to 50; Low = 1 to 10

Identify Risk Event Impact

| | Low | Medium | High |
| --- | --- | --- | --- |
| Availability | Periodic reduction in service | Intermittent total loss of service, or serious reduction in service | No service available at all |
| Duration | Service disruption for less than 0.5 days | Service disruption for between 0.5 and 3 days | Service disruption for more than 3 days |
| Spread | Impacts a number of individuals | Impacts one business function | Impacts many business functions |

Types of Controls Physical controls Fire suppression/sprinkler systems Access control systems Security guards Procedural controls Hiring and termination policies Clean desk policy Document receipting 35

Business Impact Analysis (BIA) Purpose To help organizations identify the business units, operations and processes essential to the survival of the business. Considerations: Life or death situation Potential for significant loss of revenue Obligations to external parties may be jeopardized RTO Recovery time objective RPO Recovery point objective Critical for determining the order and priority of system recovery 36

What is a BIA? A process designed to Document critical business functions and workflow, Determine the qualitative and quantitative impacts of a disruption, and Prioritize and establish recovery time objectives 37

Role of the BIA Documents potential quantitative and qualitative impacts to the organization should a disaster occur Defines financial impacts and cost per unit of downtime RTO/RPO Identifies interdependencies Defines inputs and outputs for the critical processes Documents legal, regulatory and contractual requirements Determines vital records and documents exposures 38

Recovery Time Objective (RTO): The deadline at which pre-defined critical functions or processes must be restored (to defined minimal levels of operation) to prevent severe impact to the business. Severe Business Impact or Out of Business

RTO (Cont'd)

Business Impact Analysis (BIA) Identify, categorize & prioritize Critical functions Critical/Vital records 41

BIA (Cont'd)
- Assess impacts and effects of disruptions over time
- Determine loss exposure over time

BIA (Cont'd)
- Identify business processes
- Interrelationships
- Dependencies
- Validate information

Purpose of a BIA Defines the reasons for establishing a Business Continuity Program and developing plans Communicates the inherent vulnerabilities of the business units, business processes and systems you are trying to protect Provide information to identify and develop recovery strategies Legal and regulatory compliance 44

Objectives of a BIA Determine when exposures and impacts begin Determine and assess the impacts over time Identify potential financial exposures and impacts Provide financial data to define exposures and determine appropriate levels of BCM investment 45

Objectives of a BIA (Cont'd)
- Establish RTOs
- Identify resources required to meet RTOs: Technology, Personnel, Infrastructure, Vendor support
- Establish RPOs
- Determine acceptable data loss
- Define procedures to recover lost data or transactions

Objectives of a BIA (Cont'd)
- Establish BCM time line and recovery objectives
- Determine order of recovery and acceptable service levels
- Categorize groupings of recovery priorities
- Establish the value of each business unit as it relates to the total organization

Emergency Procedures 48

Emergency Response Plan

Emergency Response Event Response Recover Normal Life Safety Property Protection/ Physical Security Evacuate Shelter in Place Provide Emergency Care Organization Technology Recover Restore Resume Respond/Stabilize/Manage/Recover Normalize 50

Life Safety Systems Centralized systems and procedures Fire detection systems Smoke or heat sensors Fire suppression systems Gas (Halon 1301, FM 200, Novec 1230) Water (sprinklers, hoses) Procedures Prevention (good housekeeping, welding restrictions, etc.) Notification Public address system Signal lights (strobes) Warning sounds (annunciators, klaxons) 51

Life Safety Procedures
- Emergency evacuation: Run away to safety; Pre-defined rally points
- Evacuation outside of established areas: Hazardous material spill; Flooding/Severe weather; Martial Law situations
- Shelter in place: Move to predetermined locations

Property Protection/Physical Security Mission: protect Employees Physical plant assets Facilities Equipment Intellectual property of organization Vital records Security measures should be increased during any event that compromises normal operations 53

Property Protection Components Identify all critical operations Utilities Security and alarm systems Manufacturing equipment Pollution control equipment Communication systems Data and voice Transportation systems 54

Property Protection Components (Cont'd)
- Activities during disaster/event: Contact emergency response providers; Assist employees as needed (i.e. evacuation)
- Containment activities after disaster: Secure Area; Facility Stabilization; Limit access by non-authorized personnel
- Physical security of entry: Storage, roof, and mechanical areas; Securing access to the outdoor air intakes of the building HVAC system

Property Protection Systems Determine needs for systems to detect abnormal situations, provide warning and protect property Fire protection Lightning protection Water level monitoring Access and monitoring Emergency power Automatic shutoffs Overflow detection 56

Property Protection Procedures Establish procedures for Shutting down the building Closing or barricading doors and windows Covering/securing equipment Moving equipment to a safe place Identify & stock backup equipment, parts, and supplies Identify and label all hazardous materials containers 57

Protecting Your Technology Responsible for: Providing automated and technology services to organization Backing up data on a regular basis Recovering lost data and/or services Restoring services if they become impaired 58

Protecting Your Technology (Cont'd)
- Ensure that key technicians, operators and personnel are familiar with all systems
- Establish orderly shutdown procedures
- Establish procedures for restoring systems
- Determine need for backup systems
- Establish preventative maintenance schedules for all systems and equipment

Implementation Procedures Identify command and control requirements Emergency Operations Center Command and decision authority roles Communication options/tools Manage incident command center Establish liaison with external agencies Establish procedures with service providers 60

Implementation Procedures (Cont'd)

Creating the Emergency Response Plan. Purpose of plan:
- To prevent or limit personnel injury
- To limit damage to physical assets
- To protect organizational viability

Implementation Procedures (Cont'd)

Documented emergency response plan:
- Update, publish, and distribute emergency procedures manual to the teams
- Periodically review and audit the life safety systems and procedures for all properties

Implementation Procedures (Cont'd)

Emergency response plan elements:
- Escalation, notification, and plan activation
- Emergency response team responsibilities
- Reporting/Notification procedures
- Emergency procedures
- Recovery teams responsibilities and procedures
- Plan maintenance procedures
- Recommended testing procedures

Plan Development 64

Emergency Response Plan (ERP) Evacuation Workplace Violence Shelter in Place Medical Emergency Bomb Threat Sniper Cyber Attack 65

ERP Elements
- Purpose
- Definitions
- Key contact information
- Roles/Responsibilities
- Procedures/Strategies
- Assembly areas
- Description/Location of Life Safety Sys.
- Call Trees
- Site Schematics

Purpose of an ERP
- To identify the components of the planning process including: Planning methodology; Plan organization; Implementing the plan; Documenting the plan
- To develop processes to maintain the currency of continuity capabilities and the plan document in accordance with the organization's strategic direction

Objectives of an ERP
- To review terminology, DRI International approved plan definitions, address BCM planning approaches, elements and components, and discuss plan document structure
- To explore the planner's role in conducting plan audits, plan maintenance programs, and BCM plan document control

ERP Contents Objectives & Requirements Teams & Tasks Emergency Procedures Crisis Communication Procedures Coordinating with External Agencies Plan Activation Procedures Plan Documentation 69

Business Continuity Management Plan Elements Employees, visitors, consultants, contractors, vendors, customers, suppliers, etc. Sales, Manufacturing, Distribution, Accounting, Payroll, HR, Customer Service, etc. BCM Plan The site and building which accommodates part or all of the organization, and where some or all of the processes are conducted. 70

Types of Plans Business Continuity Focus on critical process Core competencies Key personnel RTOs & RPOs Alternate location(s) Command & control Vital records protection Data security Workarounds & interim operations Disaster Recovery Focus on restoring technology & business infrastructure Critical systems restoration RTOs & RPOs Vital records recovery Data recovery Recovery sites 71

Types of Plans (Cont'd)

Crisis Management:
- Focus on strategic leadership
- Executive protection, response and succession
- Public relations/legal
- Employee death or injury
- Product tampering
- Hostile takeovers

Emergency Response:
- Managed by operational personnel
- Focus on people and property
- Escalation procedures
- Notification procedures
- Life safety procedures
- Physical security procedures
- Technology or war room procedures

Types of Plans (Cont'd)

COOP:
- Focused on government bodies
- Department and agency levels
- Similar to BCM, inserts COOP for BCP
- Includes management support policy (PDD 67)

Business Unit:
- Focuses on the business unit
- Identifies critical process/function
- Defines key personnel/resources
- Needs to be integrated with overall organizational plan

Successful Plans
- Clear and concise
- Coordinated with suppliers & vendors
- Senior management support/organization commitment
- Ongoing/part of strategic effort
- Appropriate budget
- Retention, backups, & off-site storage program
- Fully documented & exercised regularly
- Risks are managed
- Vulnerabilities are prioritized
- Flexible and adaptable

Methods of Building Plans Quick plan Initial protection and capabilities Comprehensive plan Fill in the gaps Add capabilities More detailed procedures Maintained plans 75

Document the Plan Who is going to do it? How are you going to do it? Conveying organizational program information Defining specific plan detail Structure of plan document Standardize plan documents 76

Document the Plan (Cont'd)
- Primary writes the plan: They do it every day
- Secondary edits the draft procedures: They will question every step they don't understand
- Tertiary approves draft plan: Manager of area

Business Continuity Planning Methods In House Contract Turn Key All work is done for you by vendor or consultants Combination Organization and the vendor or consultants work together to develop and maintain plan 78

Outsourcing BC Plan Can someone else perform the service better, more efficiently, or more economically than you? Risks vs. rewards Knowledge transfer Specific expertise Broader BCP experience Focus on strategies and plans Ownership & commitment Availability and response Knowledge of organization Driven by contractual objectives 79

Relationship Between Strategic, Operational, and Tactical Planning 80

Plan Activation 81

Declaration of a Disaster Criteria for invoking the disaster recovery plan Severe disruption to service Potential for major data loss Data security may have been compromised Initiating the call tree process Disaster Recovery Coordinator starts the notification and activates the other teams involved in the recovery effort Business unit managers responsible for notifying their teams Get the word out! (external website & intranet if both available, local media) 82

Crisis Phases Landscape Survey & Strategic Planning Situation Assessment Decision Making Team Coordination Communicating Monitoring Delegating Prioritizing Planning End of the Crisis Organizational Learning 83

Changing Roles Day to Day Operations During a Crisis Normal company organization Business as usual Business Continuity Organization Survival of time sensitive operations Steering Committee Business Managers Emergency Management Committee Team Leaders report to EMT (DRI International 2006) 84

What Type of Leadership Style during a Crisis?
- Autocratic Leadership
- Participative (democratic) Leadership
- Free rein Leadership

Autocratic Leadership means making managerial decisions without consulting others. This is necessary in situations when absolute followership is needed.
- IC makes decision and announces it
- IC sells decision
- IC presents ideas and invites questions

Nickels, McHugh and McHugh, Understanding Business, 9th edition, McGraw Hill Irwin, 2010

7 Lessons for Leading in Crisis*
1. Face Reality, Starting with Yourself
2. Don't be Atlas, Get the World Off Your Shoulders
3. Dig Deep for the Root Cause
4. Get Ready for the Long Haul
5. Never Waste a Good Crisis
6. You're in the Spotlight: Follow True North
7. Go on Offense, Focus on Winning Now

* George, Bill, 7 Lessons for Leading in Crisis, Jossey Bass, A Wiley Imprint, San Francisco, CA, 2009

Change Management 87

Change Management
- Evolving business environment: competition, a declining economy, technological change, and pressure to preserve the natural environment
- Managing change has become a critical managerial function
- Some organizations have been set up more to facilitate management than to please customers: developing rules and regulations to give managers control over employees
- Change Agent approach: CEO/General Managers must create an environment of continual reinvention
- Short term disturbances: anxiety, confusion, and poorer financial results

Change Management (Cont'd)
- Plan, Do, Check, Act continuous improvement
- Develop a new strategy and implement
- Understand Porter's Five Forces
- Identify a Change Manager
- Communicate, Communicate, Communicate
- Continually show the vision of the future
- Meet regularly with stakeholders and beat the drum of change
- Reward the employees who embrace change

Steps to Sizing up any Situation Gather facts Assess Damage Consider Probabilities Assess Your Situation Establish Priorities Make Decisions Develop Plans of Action Take Action Evaluate Progress 90

Emergency Management Functions Command (Direction) and Control Crisis Communications Life Safety Property Protection Community (Stakeholder) Outreach Recovery and Restoration Administration and Logistics 91

Command and Control 92

Function: Command and Control The system for managing resources, analyzing information and making decisions in an emergency is called direction and control. Emergency Management Committee (EMC) Incident Command System (ICS) Emergency Operations Center (EOC) Planning Considerations Security Coordination of Outside Response 93

Command and Control
1. Laws and Authorities: A legal basis for the establishment of the emergency management organization, the implementation of an emergency management program, and continuity of government exists in local law/ordinance and is consistent with State statutes concerning emergency management.
2. Risk Analysis: The organization has a method for identifying and evaluating natural, technological, and human caused threats within its jurisdiction.
3. Hazard Mitigation: The organization has established a predisaster hazard mitigation program.
4. Resource Management: The organization has the human resources required to carry out assigned responsibilities.

Command and Control
5. Planning: The organization has developed a comprehensive mitigation plan and an EOP.
6. Direction, Control, and Coordination: EOP operating procedures are developed and tested annually.
7. Communication: Communications system capabilities are established.
8. Operations and Procedures: The organization has developed procedures for conducting needs and damage assessments, requesting disaster assistance, and conducting a range of response functions.

Command and Control (Cont'd)
9. Logistics and Facilities: The primary and alternate EOC have the capabilities to sustain emergency operations for the duration of the emergency and have developed logistics management and operations plans.
10. Training/Safety training: The organization conducts annual training for all personnel with assigned emergency management responsibilities.
11. Exercises, Evaluations, and Corrective Actions: The jurisdiction has established an emergency management exercises program, exercises the EOP on an annual basis, and incorporates an evaluation component and corrective action program.

Command and Control (Cont'd)
12. Public Education and Information: An emergency preparedness public education program is established, procedures are established for disseminating and managing emergency public information in a disaster, and procedures are developed for establishing and operating a Joint Information Center (JIC).
13. Finance and Administration: The jurisdiction has established an administrative system for day-to-day operations.

Sample Response 98

ERP Activation Levels
- Incident Monitoring: Heightened alert; Incident Director (ID) assigned
- Pre-Positioning: Imminent event with pre-warning; ID assigned, Logistics and Information
- Minor Incident: Minor adverse impact; ID, mobilize additional staff
- Major Incident: High impact to operations or life safety; ID, Full activation of ICS

Awareness and Training 100

Definitions

Awareness:
- Awareness is knowing or reality
- Awareness implies you have knowledge of something through alertness or observing or interpolating what you see, hear, feel, etc.

Training:
- Training is to provide schooling using a process or method
- Repetition to achieve desired results
- Train: to instruct so as to make proficient or qualified*

* from Webster's New World Dictionary of the American Language

ERP Training/Awareness Training CPR/AED Training Safety Training Fire Drills Emergency Notifications Awareness Programs Staff Awareness Open House E mail Communications National Preparedness Month (Sept) 102

The Case for Awareness & Training Human error accounts for a significant degree of loss Training employees shows that the organization has taken a standard of due care Supports the mission of the organization Demonstrates organizational commitment 103

The Case for Awareness & Training (Cont'd) Reminds people of basic security practices Knowledge of the vulnerabilities and viable risks allows employees to implement better procedures If employees are not aware or trained on these vulnerabilities and risks, they cannot be expected to demonstrate accountability Orients new employees to BCM program 104

The Case for Awareness & Training (Cont'd) Raises awareness of the risks of downtime due to business interruption Visibility lets people know who you are and what you do 105

Purpose of Awareness Programs Increase knowledge and awareness on how to prepare for and respond to emergency situations that impact: The organization A facility or location Employees, contractors & visitors 106

Purpose of Training Programs Knowing how to protect the organization and how to respond to an event will increase the chances for survival Making employees aware of the risks to the organization and the impact of those risks Making employees aware of the plans in place to protect them from a disaster Training employees how to respond during a disaster 107

Program Outline Who will develop the BCM awareness and training program for your organization? What are the organizational BCM awareness and training needs? Define a target audience 108

Program Outline (Cont'd) Create the Vision To minimize the impact of emergencies and natural disasters on the organization and its employees. Define the Mission To provide the organization and its employees with the training and resources to meet this vision. 109

Program Outline (Cont'd) Set goals and objectives Identify specific actions individuals will be encouraged to take Identify the existing organizational capabilities and determine the need for modifications 110

Program Outline (Cont'd) Develop key message Logo & slogan Implementing the program Match activities with target audience How will it be funded? Identify challenges Measure progress 111

BCM Awareness Program Topics 1. Components of Business Continuity Plan 2. Importance of Business Continuity Plans 3. Who are the Business Continuity Plan coordinators 4. Where BC plan information can be found 5. When the BC plan is exercised / invoked 6. How the BC plan is exercised / invoked 112

Types of Awareness Activities Kick off day Annual presentation to senior management on state of program Orientation for new employees BCM Awareness Week Design a website Videos/DVD 113

Promoting Awareness Print materials Newsletters Posters, Signs, Stickers Personal Memo from CEO, CIO, or Director Pamphlets and brochures Pay check inserts Information packages Surveys Calendars Safety Kits Display booths 114

BCM Training Program Topics All personnel should be responsible for: Recognizing and reporting an emergency Warning other employees in the area Taking security and safety measures Location and use of common emergency equipment DRI 115

BCM Training Program Topics Role in execution of BC plan Function specific training Hazardous materials Safety & security Emergency response procedures Pre exercise training BCM software training 116

BCM Training Program Topics Individual roles and responsibilities Notification procedures Escalation procedures Evacuation, shelter, and accountability procedures 117

Types of Training Activities Computer Classroom Exercise based External to organization Organization wide campaign 118

Types of Training Activities Exercise based Tabletop exercises Walk through drills Functional drills Evacuation drills Full scale exercises 119

Ongoing Maintenance 120

BCM Maintenance Activities Exercise Plan Review & Updates Business Technology Awareness Project Training 121

Maintenance Objective To evaluate consistency within the plan, between the plan and other aspects of the overall program, and between the plans and the current characteristics of the organization 122

Plan Review & Audit Methodology Audits Business continuity planner responsibilities Assist auditor Auditor responsibilities Set audit objectives and scope Assess and select audit method Audit administrative aspects of the BCM program Audit plan structure, content, and action sections Audit plan documentation control procedures 123

Plan Review & Audit Methodology (Cont'd) A plan review should involve Key staff of that plan Participants becoming familiar with the plan document Participants validate that the plan represents strategies and objectives Participants revealing gaps, oversights, and mistakes 124

Plan Review & Audit Methodology (Cont'd) Should address (minimum) Personnel and assigned recovery tasks Personnel and contact numbers Text (recovery procedure) changes Back up process and what is included Periodic reviews with known deadlines Where input can be made to review process 125

Goals Efficient or effective? Is your goal to be efficient? Maintaining the plan by doing the job on time and as expected Is your goal to be effective? Doing the right thing vs doing the job right 126

Objectives Does your plan measure up? Is it accurate, thorough, and complete? Is it logical, and does it make suitable assumptions? Does it support the resumption of necessary information systems and business processes within appropriate timeframes? Are management, personnel, and other stakeholders capable of executing plan? 127

Objectives (Cont'd) Is the structure of plan correct? Are the plan and supporting documentation valid? Do the assumptions and scope match the contents? Are the team structure and members current? Are the roles, responsibilities, and tasks current and executable? Is the plan integrated and does it support any dependent plans and the overall organizational objectives? 128

Maintenance Responsibilities Who should review plan? Business continuity staff Auditors Plan owners/dept. chair Teams Senior management Other 129

Maintenance Responsibilities (Cont'd) Examples BCM planner directs and controls plan maintenance Team members are responsible for team sections Department heads are responsible for detail relating to their department Senior management review and approve plan Internal audit examines plan to determine if it satisfies recovery objectives of organization, is accurate, and up to date 130

Maintenance Schedule Develop plan maintenance schedule Scheduled Time driven Scheduled at decided time intervals Unscheduled Event driven Result of major changes to organization Personnel Responsibilities Equipment 131

Maintaining Plans Maintain the plan Select tools Monitor activities Establish update process Audit and control 132

Sources of Change Information Exercise results Organization directives, announcements, internal messages, strategic business meetings Regularly scheduled meetings with recovery team leaders Change management meetings 133

Change Factors Changes in Procedure Organizational structure Personnel Physical Technology Recovery requirements Testing issues 134

Change Factors (Cont'd) Tracking changes helps to Carry out more effective reviews Hold more effective exercises Point to areas of plan that need closer attention Develop scenarios for exercises 135

Updating Plans Generate change management items from incident logs Assign updating task to accountable individual Set due date for update Validate that update is completed Ensure changes required by exercise results are implemented Ensure next exercise includes issues indicated by previous results 136

Plan Document Control Procedures Establish procedures for plan document control Version control of all documents Assign document ownership Assign numbers to each recovery document Assign each numbered document to specific team member 137

Plan Document Control Procedures (Cont'd) Page replacement Chapter replacement Plan replacement Old materials should be returned and destroyed 138

Plan Document Control Procedures (Cont'd) Confidential information Security and control Master distribution list Version identification number Record recipient on distribution list Full copies to all team managers Partial copies to others 139

Document Control Log: Business Continuity Plan Control List. Date; Team Name; Member Name; Plan Number; Storage Location; Signature 140


BCM Program Maintenance Should incorporate all levels of the organization and include Policies Guidelines Standards & procedures Awareness/Training Testing/Exercising Plan review & updates Multi-year schedule Multi-year budget Evaluation criteria & measures 142

Crisis Communication Communicate, Communicate, Communicate 143

What is Crisis Communication? Effective and managed communication about an event or occurrence that can impact people, organizations, and communities Simple Direct Honest 144

Crisis Communication Objectives To identify crisis communication plan elements To identify strategies to effectively communicate with all groups 145

Communication Plan Elements During a crisis How will you communicate with different audiences? Who will communicate with the different audiences? What needs to be communicated to the different audiences? 146

Communication Plan Elements Public relations policy and procedures Organizational profile with detail on core offerings Reference files on potential crises Call & emergency contact lists Designated spokesperson(s) Media directory Media contact log 147

Audiences Affected by Crises Community Public, neighbors, special interest groups External Agencies Government, regulators, emergency response organizations External Groups Customers, vendors, contractors, suppliers, unions Internal Groups BoD, senior management, steering committee, spokesperson, employees, stakeholders, retirees 148

Identify Your Audience How do I select what to say to whom? Who needs to know? What do they need to know? When do they need to know it? 149

Establish Spokesperson(s) Match target audience with appropriate spokesperson Senior management Employees Stakeholders Media External groups/agencies Community 150

Sources of Information Facilities Structure and plant issues Business units Data processing equipment Business related issues Level of damage Risk management / insurance Cost estimates to repair Insurance adjustor Damage assessment team Report of condition of facility and contents Security Building contents Life safety issues Human Resources Injuries Employee issues Special services 151

Key Messages Clear and easy to comprehend Repeated constantly Integrated with messages sent to other audiences Consistent Be up front regarding confidential information Speak to the specific audience's concerns Use personal language and acknowledge emotions Appreciate the individuality of responses 152

Key Messages Have answers to: What happened? Were there deaths or injuries? What is the extent of the damage? Why did it happen? Who or what is responsible? What is being done? When will it be over? What would you say to those affected? 153

Methods of Communication Direct mailings Telephone calls 1 800 hotlines Newsletters Web sites Conference calls to investors Email Employee meetings Public meetings Paid advertisements Prepared statements Press briefings & releases 154

Prepared Statements 5 W's Clear and concise Name of organization Date Time Number sequence For more information 155

Mistakes to Avoid Don't: Be timid; Guess or speculate; Stick to a story if it has changed; Wear sunglasses, chew gum, or smoke; Get trapped into making predictions; Lie 156

Introduction to Exercise 157

Why Exercise? Exercises give entities, communities, and regions a set of essential tools to prevent, prepare for, respond to and recover from disasters. Exercising encompasses people handling the following activities: 1) evacuation procedures, 2) incident notification, 3) familiarity with alternate locations, interim procedures and manual processes Testing, not to be confused with Exercises, involves equipment, technologies and durable goods 158

Reasons for Conducting Exercises Key Concept: Exercise (n) Something performed or practiced in order to develop, improve, or display a specific power or skill. (v) To practice in order to train, strengthen, or develop. Merriam-Webster's Dictionary. Exercises improve readiness by: Providing a way to evaluate operations and plans Reinforcing teamwork Demonstrating a community's resolve to prepare for disastrous and catastrophic events. 159

Exercise Main Goals Exercises help: Test and evaluate plans, policies and procedures Identify strengths and shortfalls Improve organizational coordination and communications Find resource gaps Train personnel in roles and responsibilities Improve individual (and team) performance Satisfy regulatory requirements 160

The Building Block Approach There are seven types of exercises in the building block approach. Discussion Seminar involves brief discussion of preparedness strategies and goals. Workshops is a formal discussion-based exercise led by a facilitator or presenter, used to build or achieve a product. Tabletop Exercise involves senior staff or other key personnel in an informal group discussion centered on a hypothetical scenario. Games are a simulation of operations using rules, data, and procedures designed to depict an actual or assumed real-life situation. Operations Drills is a supervised activity that tests a specific operation or function of a single agency. Full Scale Exercise (FSE) is a high-stress, multi-entity, multi-jurisdictional activity involving actual deployment of resources in a coordinated response, as if a real incident had occurred. 161

Planning the Exercise 162

Incident Command System (ICS) Federal Emergency Management Agency (FEMA) defines the Incident Command System (ICS) as a standardized, on scene, all hazards incident management approach that: Allows for the integration of facilities, equipment, personnel, procedures, and communications. Enables a coordinated response among various groups, both public and private. Establishes common processes for planning and managing resources. 163

ICS (Cont'd) Can be used to manage an emergency incident or non-emergency event Can be used for both small and large events or situations System has considerable internal flexibility System can grow or shrink to meet differing needs Cost-effective & efficient management system 164

ICS (Cont'd) ICS is flexible and can be used for incidents of any type, scope, and complexity. ICS is used by all levels of government, nongovernmental organizations and the private sector. As a system, ICS is extremely useful; not only does it provide an organizational structure for incident management, but it also guides the process for planning, building, and adapting that structure. 165

ICS Structure Incident Command Public Information Officer Safety Officer Liaison Officer Command Staff: The Command Staff provide Information, Safety, and Liaison services for the entire organization. Operations Section Planning Section Logistics Section Finance/ Administration Section General Staff: The General Staff are assigned functional authority for Operations, Planning, Logistics, and Finance/Administration. 166

ICS App for Smart Phones 167

FEMA Training https://training.fema.gov/emi/ 168

FEMA Independent Study Courses IS 100: Introduction to ICS IS 200: ICS for Single Resources and Initial Action Incidents IS 700: Introduction to the National Incident Management System IS 800 B: National Response Framework ICS 300, 400: Advanced ICS (Classroom only) 169


Emerging Trends 171

The State of Business Continuity Preparedness* Risk officers are finally getting involved with BC/DR BC Programs do not always report to C-Level BC funding will stay the same, IT departments are receiving more dollars Most conduct Threat Assessments and BIAs BC is becoming Scenario based *Market Study done by Forrester Research and Disaster Recovery Journal in 2014. 172

The State of Business Continuity Preparedness* (Cont'd) Exercising is not occurring regularly BC is not taking an active role throughout the organization Companies use a mix of strategies Invocations are frequent Everyone wants to know if you're ready *Market Study done by Forrester Research and Disaster Recovery Journal in 2014. 173

Wrap Up 174

Questions/Answers Contact: Dennis V. Rose, MBA, CBCP 512 652 7731 dennis.rose@mossadams.com 175

Resources Disaster Recovery Journal drj.com DRII the Institute for Continuity Management drii.org Moss Adams BC/DR Consulting Group www.mossadams.com 176

Creating an Integrated Business Continuity / Disaster Recovery (BC/DR) Program A Hands on Workshop 177

December 4th Agenda
8:30 to 9:00    Overview from the first day
9:00 to 10:00   Cyber Security Introduction
9:40 to 10:00   Introduction to Exercises
10:00 to 10:10  Break
10:10 to 11:30  Mock Exercise
11:30 to 11:50  Hot Wash
11:50 to 12:00  Wrap Up

Overview from the First Day 179

Lessons Learned Understand the risks and business impact facing your organization Establish Command and Control through ICS Stay ahead of Crisis Communications Establish beforehand communication with the department heads open communication Provide After Action reports Provide Awareness and Training Exercise, Exercise, Exercise 180

Summary Prepare yourself and your family visit ready.gov Crises have life cycles, and understanding what occurs before a crisis commences is important to helping prevent it. The information you have been presented has provided you with a general background on ICS. Be the change you want to happen in the organization Business Continuity is Strategic Planning 181

Cyber Security Introduction 182

Introductions Kevin Villanueva, CISA, CISSP, PCI QSA Senior Manager Moss Adams Advisory Services IT Security and Infrastructure Practice Leader 18+ years of IT consulting and cybersecurity experience BS, Business Administration, Pepperdine University Certified Information Systems Auditor (CISA) Certified Information Systems Security Professional (CISSP) Payment Card Industry Qualified Security Assessor (PCI QSA) Practice areas include cybersecurity assessments; penetration testing; PCI DSS and HIPAA compliance auditing; strategic technology planning; disaster recovery and business continuity planning, policy and procedure development Dozens of IT Security Assessments over the years for large and small clients, including Microsoft, RingCentral, ESCO Corporation, Multnomah County, Portland State University, Sound Transit, King County, STRATA Networks, among others. 183

Agenda Cybersecurity Framework Basics Attacks Against Critical Infrastructure Entities Cybersecurity Framework Key Controls Conclusion and Questions 184

Cybersecurity framework basics Executive Order 13636: Improving Critical Infrastructure Cybersecurity (2013) National Institute of Standards and Technology (NIST) Over 3,000 individuals from various sectors contributed Definition: Guidance based on best practices, standards, and guidelines for critical infrastructure to manage and reduce cybersecurity risk. Currently in version 1.0, issued in February 2014 Three tiers: Core, Profile, and Implementation Not intended to be a one-size-fits-all framework. Technology neutral. Purely voluntary 185

Critical infrastructure Definition: Sectors whose assets, systems, networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. Dept. of Homeland Security Includes the following 16 sectors: 1) Chemical 2) Commercial Facilities 3) Communication 4) Critical Manufacturing 5) Dams 6) Defense Industrial Base 7) Emergency Services 8) Energy 9) Financial Services 10) Food and Agriculture 11) Government Facilities 12) Healthcare and Public Health 13) Information Technology 14) Nuclear Reactors, Materials, and Waste 15) Transportation Systems 16) Water and Wastewater Systems 186

Attacks against critical infrastructure Entities SCADA or ICS networks are common targets Cyber attacks doubled in 2014 to 675,186 Most common attack type is buffer overflow Motivation is frequently political, but also financial Common against older equipment that is not as secure Communications Sector Breaches: Cox Communications (April 2014): customer database hacked; FCC fined company $595,000. TerraCom and YourTel America (March 2013): PII of 300,000 customers; FCC fined both $3.5MM 187

CYBERSECURITY FRAMEWORK KEY CONTROLS

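Functions and categories

| Function Unique Identifier | Function | Category Unique Identifier | Category |
|---|---|---|---|
| ID | Identify | ID.AM | Asset Management |
| ID | Identify | ID.BE | Business Environment |
| ID | Identify | ID.GV | Governance |
| ID | Identify | ID.RA | Risk Assessment |
| ID | Identify | ID.RM | Risk Management Strategy |
| PR | Protect | PR.AC | Access Control |
| PR | Protect | PR.AT | Awareness and Training |
| PR | Protect | PR.DS | Data Security |
| PR | Protect | PR.IP | Information Protection Processes and Procedures |
| PR | Protect | PR.MA | Maintenance |
| PR | Protect | PR.PT | Protective Technology |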

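Functions and categories (cont.)

| Function Unique Identifier | Function | Category Unique Identifier | Category |
|---|---|---|---|
| DE | Detect | DE.AE | Anomalies and Events |
| DE | Detect | DE.CM | Security Continuous Monitoring |
| DE | Detect | DE.DP | Detection Processes |
| RS | Respond | RS.RP | Response Planning |
| RS | Respond | RS.CO | Communications |
| RS | Respond | RS.AN | Analysis |
| RS | Respond | RS.MI | Mitigation |
| RS | Respond | RS.IM | Improvements |
| RC | Recover | RC.RP | Recovery Planning |
| RC | Recover | RC.IM | Improvements |
| RC | Recover | RC.CO | Communications |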

Risk Assessment (ID.RA) and risk management strategy (ID.RM) Goal/Definition: The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. ID.RA-1: Asset vulnerabilities are identified and documented. ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk. ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders. 191

Access control (PR.AC) Goal/Definition: Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions. PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties. PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate. 192

Awareness and training (PR.AT) Goal/Definition: The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements. PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles and responsibilities. PR.AT-4: Senior executives understand roles and responsibilities. 193

Data security (PR.DS) Goal/Definition: Information and records (data) are managed in a way that is consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information. PR.DS-1: Data at rest is protected. PR.DS-2: Data in transit is protected. 194

Protective technology (PR.PT) Goal/Definition: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. PR.PT-2: Removable media is protected and its use restricted according to policy. 195

Anomalies and events (DE.AE) Goal/Definition: Anomalous activity is detected in a timely manner and the potential impact of events is understood. DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors. DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events. 196

Response planning (RS.RP) Goal/Definition: Response processes and procedures are executed and maintained, to ensure a timely response to detected cybersecurity events. RS.RP-1: Response plan is executed during or after an event. 197

Improvements (RC.IM) Goal/Definition: Recovery planning and processes are improved by incorporating lessons learned into future activities. RC.IM-1: Recovery plans incorporate lessons learned. RC.IM-2: Recovery strategies are updated. 198

SUMMARY The amount and frequency of breaches will continue Security responsibilities flow downstream to third party service providers Leverage the Cybersecurity Framework (or other framework) for a strategic advantage Prepare, be vigilant, and continually evolve and improve your approach toward protecting critical information assets 199

QUESTIONS? Kevin Villanueva, Senior Manager kevin.villanueva@mossadams.com 206 302 6542

Exercise Recap 201

Why Exercise? Exercises give entities, communities, and regions a set of essential tools to prevent, prepare for, respond to and recover from disasters. Exercising encompasses people handling the following activities: 1) evacuation procedures, 2) incident notification, 3) familiarity with alternate locations, interim procedures and manual processes Testing, not to be confused with Exercises, involves equipment, technologies and durable goods 202

Reasons for Conducting Exercises Key Concept: Exercise (n) Something performed or practiced in order to develop, improve, or display a specific power or skill. (v) To practice in order to train, strengthen, or develop. Merriam-Webster's Dictionary. Exercises improve readiness by: Providing a way to evaluate operations and plans Reinforcing teamwork Demonstrating a community's resolve to prepare for disastrous and catastrophic events. 203

Exercise Main Goals Exercises help: Test and evaluate plans, policies and procedures Identify strengths and shortfalls Improve organizational coordination and communications Find resource gaps Train personnel in roles and responsibilities Improve individual (and team) performance Satisfy regulatory requirements 204

The Building Block Approach There are seven types of exercises in the building block approach. Discussion Seminar involves brief discussion of preparedness strategies and goals. Workshops is a formal discussion-based exercise led by a facilitator or presenter, used to build or achieve a product. Tabletop Exercise involves senior staff or other key personnel in an informal group discussion centered on a hypothetical scenario. Games are a simulation of operations using rules, data, and procedures designed to depict an actual or assumed real-life situation. Operations Drills is a supervised activity that tests a specific operation or function of a single agency. Full Scale Exercise (FSE) is a high-stress, multi-entity, multi-jurisdictional activity involving actual deployment of resources in a coordinated response, as if a real incident had occurred. 205

Planning the Exercise 206

Incident Command System (ICS) Federal Emergency Management Agency (FEMA) defines the Incident Command System (ICS) as a standardized, on scene, all hazards incident management approach that: Allows for the integration of facilities, equipment, personnel, procedures, and communications. Enables a coordinated response among various groups, both public and private. Establishes common processes for planning and managing resources. 207

ICS (Cont'd) Can be used to manage an emergency incident or non-emergency event Can be used for both small and large events or situations System has considerable internal flexibility System can grow or shrink to meet differing needs Cost-effective & efficient management system 208

ICS (Cont'd) ICS is flexible and can be used for incidents of any type, scope, and complexity. ICS is used by all levels of government, nongovernmental organizations and the private sector. As a system, ICS is extremely useful; not only does it provide an organizational structure for incident management, but it also guides the process for planning, building, and adapting that structure. 209

ICS Structure Incident Command Public Information Officer Safety Officer Liaison Officer Command Staff: The Command Staff provide Information, Safety, and Liaison services for the entire organization. Operations Section Planning Section Logistics Section Finance/ Administration Section General Staff: The General Staff are assigned functional authority for Operations, Planning, Logistics, and Finance/Administration. 210

Mock Exercise 211

Table Top Exercises 212

Exercise Documents Situation Manual (SitMan) Lessons Learned Evaluation After Action Report (AAR) 213

Tabletop Exercise Instructions: 1. Working in two teams, review the SITMAN and the resource list provided 2. Identify the Incident Commander and roles and responsibilities necessary to respond 3. Answer the questions Identify the roles and responsibilities utilizing the ICS organization How will you employ your utility crews? How will your group respond? What safety measure will be utilized? 214



Hot Wash 217

Questions/Answers Contact: Dennis V. Rose, MBA, CBCP 512 652 7731 dennis.rose@mossadams.com 218