Assessing Your Disaster Recovery Plans. Andrews Hooper Pavlik PLC

Transcription:

Assessing Your Disaster Recovery Plans
Gregory H. Soule, CPA, CISA, CISSP, CFE
Andrews Hooper Pavlik PLC

Agenda
- Business Continuity Concepts
- Impact Analysis
- Risk Assessment
- Risk Management
- Testing
- Annual Review
- Resources

Agenda: Business Continuity Concepts

Concepts: Business Continuity vs. Disaster Recovery
- Broader than just technology
- Emergency response planning
- Crisis management
- Pandemic planning
- Incident response planning

Concepts: Sources
- Federal Financial Institutions Examination Council (FFIEC) Business Continuity Planning Booklet
- National Institute of Standards and Technology (NIST) SP 800-34 Rev. 1, Contingency Planning Guide

Concepts: FFIEC BCP Booklet
Specifies a cyclical, process-oriented approach to Business Continuity Planning:
- Business Impact Analysis
- Risk Assessment
- Risk Management
- Risk Monitoring and Testing

Concepts: NIST SP 800-34 Rev. 1
Specifies a seven-step lifecycle:
1. Develop contingency planning policy statement
2. Conduct business impact analysis
3. Identify preventive controls
4. Create contingency strategies
5. Develop an information system contingency plan
6. Ensure plan testing, training, and exercises
7. Ensure plan maintenance

Concepts (topics covered in this presentation)
- Business Impact Analysis
- Risk Assessment
- Risk Management
- Interdependencies
- BCP Components
- Plan Testing
- Annual Review

Agenda: Business Impact Analysis

Business Impact Analysis
Purpose: Determine the impact that a disruptive event would have on the bank.
Goals:
- Determine criticality
- Estimate maximum downtime
- Evaluate resource requirements

Business Impact Analysis: Determine Criticality
- Inventory of business functions and processes
- Assign priority ratings to business functions and processes
- Identify interdependencies among processes
- Identify the impact of non-specific disruptions on business processes
- Consider legal and regulatory requirements

Business Impact Analysis: Estimate Maximum Downtime
- Maximum tolerable downtime while still maintaining viability: how long can the business process be disrupted before recovery becomes impossible?
- Consider dependencies and the critical path
- Recovery Time Objectives (RTOs)
- Recovery Point Objectives (RPOs)

Business Impact Analysis: Evaluate Resource Requirements
What is required to resume critical operations (and their interdependencies)?
- Facilities
- Personnel
- Equipment
- Software / data files
- Third parties

Business Impact Analysis: Four Cyclical Steps
1. Gather information
2. Perform vulnerability assessment
3. Analyze information
4. Document results

Business Impact Analysis: Gather Information
- Who does what and how? Departmental and enterprise-wide
- Interrelationships
- Critical operations / processes
- Start to establish processing priorities
- Start to establish alternate procedures

Business Impact Analysis: Vulnerability Assessment
- Potential impact of disruptive events
- Loss criteria: quantitative or qualitative
- Identify internal and external threats
- Estimate likelihood
- Assess impact
- Assess internal and external resources available to handle the threats

Business Impact Analysis: Analysis
- Consider all information gathered
- Estimate maximum downtime for each function/process:
  - Nonessential: 30 days
  - Normal: 7 days
  - Important: 72 hours
  - Urgent: 24 hours
  - Critical: minutes to hours

Business Impact Analysis: Analysis (continued)
- Identify highest-priority business functions
- Establish RTOs and RPOs
- Establish recovery priorities
- Consider the impact of an event, rather than the event itself

Business Impact Analysis: Results
- Summarize all activity performed
- Report to board and senior management

Agenda: Risk Assessment

Risk Assessment
- Evaluate BIA assumptions against various threats
- Assess impact and probability
- Assess resulting severity
- Align assessed threats with prioritized business processes
- Perform gap analysis for recovery: current state vs. needed state
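The BIA downtime tiers, the RTO/RPO targets and the "current state vs. needed state" gap analysis from the slides above can be turned into a small, repeatable check. This is an added example, not material from the presentation: the tier boundaries come from the BIA slide (with "minutes to hours" bounded at 4 hours as an assumption), while the process inventory, backup intervals and tested restore times are constructed sample data.

```python
from dataclasses import dataclass

# Maximum tolerable downtime (MTD) tiers from the BIA slide, in hours.
# "Critical: minutes to hours" has no stated bound; 4 hours is an assumption.
TIERS = [("Critical", 4), ("Urgent", 24), ("Important", 72),
         ("Normal", 7 * 24), ("Nonessential", 30 * 24)]

def classify(mtd_hours):
    """Map a process's MTD to the slide's tier name (beyond 30 days stays Nonessential)."""
    for name, limit in TIERS:
        if mtd_hours <= limit:
            return name
    return "Nonessential"

@dataclass
class Process:
    name: str
    mtd_hours: float              # needed state: maximum tolerable downtime
    rpo_hours: float              # needed state: acceptable data-loss window
    backup_interval_hours: float  # current state: how often backups are taken
    restore_hours: float          # current state: last tested restoration time
    depends_on: tuple = ()        # interdependencies that must be recovered first

def effective_rto(proc, by_name):
    """Recovery time along the critical path: own restore plus the slowest dependency."""
    deps = [effective_rto(by_name[d], by_name) for d in proc.depends_on]
    return proc.restore_hours + max(deps, default=0)

def gap_analysis(processes):
    """Return (process, gap type, current value, needed value) for every shortfall."""
    by_name = {p.name: p for p in processes}
    findings = []
    for p in processes:
        rto = effective_rto(p, by_name)
        if rto > p.mtd_hours:                      # recovery outlasts what the business tolerates
            findings.append((p.name, "RTO", rto, p.mtd_hours))
        if p.backup_interval_hours > p.rpo_hours:  # backups too infrequent for the RPO
            findings.append((p.name, "RPO", p.backup_interval_hours, p.rpo_hours))
        for d in p.depends_on:                     # a dependency may not be less critical
            if by_name[d].mtd_hours > p.mtd_hours:
                findings.append((p.name, "DEPENDENCY:" + d, by_name[d].mtd_hours, p.mtd_hours))
    return findings

# Constructed sample inventory (not from the presentation).
SAMPLE = [
    Process("network", 4, 24, 24, 2),
    Process("core_banking", 4, 1, 1, 3, ("network",)),
    Process("internet_banking", 24, 4, 24, 6, ("core_banking",)),
    Process("file_server", 720, 168, 168, 48),
    Process("payroll", 168, 24, 24, 8, ("file_server",)),
]
```

Running `gap_analysis(SAMPLE)` reports three gaps: core banking's recovery (its own restore plus the network it depends on) exceeds its 4-hour MTD, Internet banking is backed up less often than its RPO, and payroll depends on a file server rated far less critical than payroll itself.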

Risk Assessment: Threat Categories
- Malicious activity: fraud, theft, blackmail, sabotage, vandalism, terrorism
- Natural disasters: fire, floods, water damage, weather, air contaminants, hazardous spills

Risk Assessment: Threat Categories (continued)
- Technical disasters: communications failure, customers, employees, electronic payment system providers, third parties, affiliates, power failure, equipment and software failure, transportation system disruptions, water system disruptions

Agenda: Risk Management

Risk Management
- Develop, implement, and maintain the BCP
- Critical BCP success factors:
  - Based on BIA and risk assessment
  - Documented in a written program
  - Reviewed by board and management annually
  - Disseminated to applicable employees
  - Specific implementation parameters
  - Focused on impact vs. specific events

Risk Management: Example of Impact vs. Specific Events
- Critical personnel are not available and cannot be contacted vs. airplane crash
- Buildings are not accessible vs. tornado
- Equipment has malfunctioned vs. flood damage
- Utilities are not available vs. ice storm
Assumptions: access to buildings, personnel, technical staff, communication systems

Risk Management: External Components
- Heightened importance
- Reliance on third parties
- Coordination
Mitigation strategies:
- Redundancy, backups, alternate power sources
- Additional inventory: supplies, equipment, etc.

Interdependencies
- Telecommunications: single point of failure (SPOF); multiple vendors, subcontracting
- Vendor reliance: vendor BCP, contracted BCP
- Staffing, supplies
- Facilities, hardware, software

Interdependencies: Internal Dependencies
- Departments and processes
- Workflow analysis
- Technology dependencies: network, database
- Personnel
- Records and data

Agenda: BCP Components

BCP Components: Strategy Definition
- Personnel, communication, technology, facilities, liquidity, etc.
- Identify goals of the BCP
- Short-term vs. long-term BCP goals

BCP Components: Personnel
- Preparing employees
- Management decision making
- Employee / family matters
- Communications / contact trees
- Vendor contact
- Security

BCP Components: Personnel (continued)
- Employee training and documentation
- Staffing
- Creation of BCP teams
- Communication: communication systems redundancy, external communications, media relations

BCP Components: Technology
- Hardware, software, data files, operations equipment
- Split operations (active/active)
- Hot site (mirroring)
- Virtualization
- Warm site
- Cold site
- Tertiary (backup of the backup)

BCP Components: Technology (continued)
- Service bureaus: consider their ability to provide services during widespread disasters
- Reciprocal agreements
- Due diligence

BCP Components: Technology (Backups)
- Structure and strategy
- Network data
- Core files
- Operating system software, application software
- Databases, utilities
- Primary location vs. branch locations
- Documented procedures and testing
- Off-site storage

BCP Components: Facilities
- Relocate employees and workspaces
- Electronic banking systems: Internet banking, cash management, mobile
- Off-site storage
- Purchase authority
- Manual procedures

Agenda: Testing

Plan Testing
- Board and senior management involvement
- Departmental testing: department managers, information technology, facilities, crisis management
- Continuous cycle
- Planned vs. unplanned

Plan Testing: Testing Strategy and Plan
- Staffing: succession
- Technology: backup integrity, system restoration
- Facilities: power, HVAC, relocation

Plan Testing (continued)
- Communications
- Test scripts: assumptions, staff availability, objectives, procedures

Plan Testing: Types of Tests
- Tabletop exercise
- Simulation test
- Parallel test
- Full-scale test
- Documentation!

Agenda: Annual Review

Annual Review
- At least annually
- Based on test results and changes to the environment
- Issue tracking
- Changes to the BCP and test program
- Distribution

Agenda: Resources

Resources
- National Institute of Standards and Technology, Computer Security Resource Center: http://csrc.nist.gov
- Federal Emergency Management Agency: http://www.fema.gov

Resources (continued)
- Ready Campaign: http://www.ready.gov/business
- FFIEC: http://ithandbook.ffiec.gov

Questions?

Contact Information
Gregory H. Soule, CPA, CISA, CISSP, CFE
Senior Manager
Andrews Hooper Pavlik PLC
691 N. Squirrel Road, Suite 280
Auburn Hills, MI 48326
p: 248-340-6050
f: 248-340-6104
e: gregory.soule@ahpplc.com
www.ahpplc.com

Thank You
This presentation was produced in connection with an educational and informational program. It represents the statements and views of the author(s) alone and does not necessarily represent the official policies or positions of Andrews Hooper Pavlik PLC, its partners, or any sponsor of this program. This presentation is not intended to be, nor should it be construed as constituting, tax, accounting, auditing, security, or consulting advice with regard to specific cases, transactions, or situations used by the author(s). Any specific products, services, or organizations mentioned are provided purely for example purposes and do not represent specific endorsement. As required by IRS rules, although this presentation may address certain tax issues, the presenter did not intend nor design the advice to be used to avoid any penalty imposed by a taxing authority, nor may the user/recipient of this presentation use this presentation's tax advice for that purpose. Nor may it be used to promote, market or recommend to another party any transaction or matter addressed herein.