MHA Consulting. Business Continuity Management 101




MHA Consulting: Business Continuity Management 101
Presented by Michael Herrera and Brandon Magestro, MHA Consulting

Agenda
- MHA Consulting Introduction
- Business Continuity Management (BCM) Defined
- 2013 Trends
- The Business Impact Analysis (BIA)
- Threat & Risk Assessment (TRA)
- Business Recovery Plans (BRP)
- IT Disaster Recovery Plans (DRP)
- Questions?

MHA Consulting, Inc.
Who We Are
- Leading boutique consulting firm since 1999
- Provider of consulting services to private and public sector companies across the USA
- Proven cross-industry experience in Business Continuity, Disaster Recovery and IT Optimization
What We Do
- Business Continuity Management
- Disaster Recovery Planning
- Training & Awareness
- Physical Security Consulting
- Information Technology Optimization & Best Practices
What Makes Us Different
- Experienced professionals that possess a unique blend of knowledge
- Experience combines the focus, dedication and independence of a specialty firm
- Proven methodologies and tools
- Financial and management stability
- Domestic presence and deep skill-sets of a Big 4 or larger consulting firm

Experience & Qualifications (client logo slide; only MetroWaterDistrict survived extraction)

BCM Defined
Development of strategies, plans and actions which provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the enterprise.
Business Continuity Management is:
- The development of key plans and strategies
- Protection of your organization's operations
- The identification and protection of your most critical business processes

BCM - A Common Language
- Business Resumption Planning: the process initiated to resume business operations to a level consistent with the business requirements.
- IT Disaster Recovery Planning: the recovery of the information technology processes, systems, applications, databases and network assets used to support critical business processes.
- Crisis Management: a series of actions taken to gain control of the event quickly, minimize the effects of an interruption and prepare for recovery.

BCM Model (Disaster Recovery Institute International model; diagram residue, phases and components only)
- Project Initiation, Project Mgmt, Policies & Standards
- Functional Requirements: Risk Assessment, BIA, Recovery Strategy
- Design, Dev, Implementation: BRP, DRP, CMT
- Testing, Maint., Execution: Testing, Maint, Execute, Cont Imp.

The Business Continuity Lifecycle (diagram residue; Continuity Life Cycle components)
- Executive Management Support & Sponsorship
- Compliance Monitoring & Auditing
- Testing & Maintenance
- Risk Assessment & Business Impact Analysis
- Business Continuity Strategy Design
- Business Alignment
- Training & Awareness
- Plan Development & Strategy Implementation

Elements of the BCM Implementation Process
- Executive Management sponsorship
- BCM Governance Program/Team
- Provide a framework and methodology for understanding, discussing and developing plans
- Follow a holistic project approach similar to the DRII Model
- Execute a Threat and Risk Assessment and Business Impact Analysis
- Research and develop business and IT recovery strategies
- Develop and formalize crisis management, crisis communication, IT disaster recovery and business recovery plans
- Institute testing, training and awareness
- Conduct post-test analysis and make adjustments accordingly
- Implement a maintenance strategy

Learnings from 2013
- Business Continuity Management (BCM) is the new Business Continuity Planning (BCP): the majority of organizations are renaming their enterprise continuity programs to Business Continuity Management.
- Business Continuity staffing in most organizations is not increasing; many organizations continue to either staff minimally or use outside consultants to augment the program.
- Enterprise Risk Management (ERM) is integrating BCM into its process and using the information gathered through BIAs and Threat & Risk Assessments to support identification of risks and exposures; a good sign.

Learnings from 2013 (continued)
- The Business Impact Analysis (BIA) study remains the foundational component driving the development of the BCM program. However, senior management continually asks us to refine the BIA process, shorten business unit participation time in the studies and ensure that the rigor of the process clearly identifies the most critical activities and dependencies.
- Recovery Time Objectives (RTOs) continue to get shorter and shorter (e.g., no downtime, 1 hour, 4 hours) in many of the companies we worked with in 2013.
- The new norm for tolerance for data loss, the Recovery Point Objective (RPO), across critical business activities is zero or near zero in many companies, because complex technology and automated workflows virtually eliminate manual workarounds.
- Business and IT RTO/RPO alignment remains a critical gap across a majority of companies, whether small, medium or large: the RTO/RPO the business states in the BIA is frequently shorter than what IT's current recovery capability can deliver.

Learnings from 2013 (continued)
- Emergency Notification Systems: the use of ENS is becoming widespread. However, organizations routinely struggle with bad contact data and with the processes needed to notify associates effectively and efficiently. An ENS is also of little use when there is no electrical power.
- Companies struggle with recovery strategies, particularly for the business units of the organization.
- Our most mature clients (financial, utilities) are holding live recovery exercises.

BCM Regulatory Requirements & Guidelines
- NFPA 1600
- HIPAA
- GLBA
- FFIEC
- OSHA
- FCPA
- SEC
- ISO 9000, 14000 & 22301
- QS 9000
- State Insurance Departments
- Critical Infrastructure Protection Security Standards for Electric Market Participants
- Sound Practices to Strengthen the Resilience of the US Financial System

Conducting the BIA
Business Impact Analysis defined: the careful study of individual business activities and support functions, as well as the system of business processes in their entirety, to better understand objectives regarding continuity of operations.
- Methodologies and approaches
- Relationship between the BIA and the Risk Assessment
Objectives:
- Quantify the loss potential
- Qualify other types of loss
- Establish the Recovery Time Objective (RTO)
- Establish the Recovery Point Objective (RPO)

Threat & Risk Assessment
Threat categories:
- Natural/Environmental Threats
- Technological Threats
- Man-made Threats (Accidental and Intentional)
Business Process-related Risks:
- Single Points of Failure
- Personnel
- Supply Chain
- Information Technology Availability Risks
- Third Parties / Vendors

A Common Ailment
A rigorous Business Impact Analysis (BIA), including an analysis of recovery options, helps address the gap between business requirements and IT capabilities currently experienced by many organizations.

Business Recovery Plans
Business Recovery Plans (BRPs) are developed to ensure recovery of the critical activities identified in the BIA. At a minimum, the BRP contains the following information:
- Purpose, scope, assumptions, etc.
- Activation procedures
- Listing of critical business activities and priority of recovery
- Roles and responsibilities
- Emergency procedures to ensure the safety of all affected staff members
- Response, recovery and resumption procedures
- Coordination procedures with public authorities
- Communication procedures
- Critical information on continuity teams, staff, customers, suppliers, etc.
- Off-site storage of critical records, documentation and other pertinent resources
- Copies of the BRP at various secure locations

Business Recovery Testing
Business recovery testing reduces the risk an organization would incur from a disruption of the critical business activities required to maintain its mission and operations.
Business recovery testing options:
- Tabletop Exercise / Structured Walkthrough: conducted as a preliminary step in the overall testing process; on its own it is not the preferred testing method. Its objective is to ensure that critical personnel are familiar with the recovery plan and that the plan accurately reflects the organization's ability to recover.
- Walk-Through Drill / Simulation Test: a secondary step in the overall testing process, more involved than a tabletop exercise/structured walkthrough because the participants choose a specific event scenario and apply the Business Recovery Plan to it.
- Functional Drill / Parallel Test: involves the actual mobilization of personnel to other sites in an attempt to establish communications and perform actual recovery processing as set forth in the plan.
TREND: the majority of organizations only perform tabletop exercises, few perform walk-throughs, and only a very small number perform functional drills.

Disaster Recovery Plans
The DRP includes all the recovery steps, technology processes, systems, applications, databases and network assets used to support the recovery of the systems and applications required by the critical business activities of the organization.
A disaster recovery plan is developed for each critical IT system/application and identifies:
- Alternative equipment/facilities adequate to recover critical systems
- Prioritization of recovering critical and non-critical applications
- Recovery and validation steps for each system and application
- Personnel requirements/skills in the event of a disaster
- Critical application programs, third-party services, operating systems, databases, data files, supplies and timeframes needed for recovery
- Off-site storage of critical back-up media, documentation and other pertinent resources
- Copies of the DRP at various secure locations

Disaster Recovery Testing
Disaster recovery testing reduces the risk an organization would incur from a severe disruption of business if the computing center and system custodians were unable to recover processing or key technology infrastructure in a disaster.
Disaster recovery testing options:
- Standalone Testing: recover individual systems and applications. This is a good first step.
- Integrated Testing: recover multiple systems and applications that depend on each other (upstream and downstream) and verify that they work together in the recovered state.
- Business Activity Testing: recover a critical business activity end to end using all of the upstream and downstream systems and applications it needs.
TREND: the majority of organizations perform standalone and integrated testing, but very few, if any, perform business activity testing. Unless an organization has a mature and tested recovery capability, integrated and business activity testing are difficult to achieve.
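The two slides above that matter most to an engineer are the 2013 observation that business and IT RTO/RPO alignment is "a critical gap" and the point that business activity testing must pull in every upstream and downstream system. The following is an added example, not part of the MHA Consulting deck or of any MHA tool, showing how to make that gap visible before a test: it takes BIA requirements per business activity, the recovery capability and dependency chain of each IT system, and computes the RTO/RPO an activity would actually get if every system were recovered in dependency order. All system names, activities and hour values are constructed for illustration.

```python
"""Added example (not MHA Consulting's code): RTO/RPO alignment check between
BIA requirements and the IT systems an activity depends on.
All names and timings below are constructed for illustration."""
from collections import deque

# Constructed IT capabilities: achievable RTO/RPO in hours and upstream
# dependencies (a system can only be recovered after its upstreams are up).
SYSTEMS = {
    "AD":       {"rto": 2, "rpo": 0.5, "depends_on": []},
    "Database": {"rto": 4, "rpo": 1,   "depends_on": ["AD"]},
    "ERP":      {"rto": 4, "rpo": 0,   "depends_on": ["Database", "AD"]},
    "Payroll":  {"rto": 8, "rpo": 24,  "depends_on": ["ERP"]},
    "Web":      {"rto": 1, "rpo": 0,   "depends_on": ["Database"]},
}

# Constructed BIA results: required RTO/RPO (hours) per critical business
# activity and the systems the activity uses directly.
ACTIVITIES = {
    "Order entry": {"rto": 4,  "rpo": 0, "uses": ["Web", "ERP"]},
    "Run payroll": {"rto": 24, "rpo": 4, "uses": ["Payroll"]},
}


def recovery_order(systems):
    """Order systems so every upstream dependency precedes its dependants
    (Kahn's algorithm). A dependency cycle or an unknown system raises
    ValueError: a DRP should never silently accept either."""
    indegree = {name: 0 for name in systems}
    dependants = {name: [] for name in systems}
    for name, spec in systems.items():
        for dep in spec["depends_on"]:
            if dep not in systems:
                raise ValueError(f"{name} depends on unknown system {dep}")
            indegree[name] += 1
            dependants[dep].append(name)
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while ready:
        current = ready.popleft()
        order.append(current)
        for nxt in dependants[current]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(systems):
        missing = ", ".join(sorted(set(systems) - set(order)))
        raise ValueError(f"dependency cycle among: {missing}")
    return order


def effective_capabilities(systems):
    """Effective RTO of a system: its own recovery time plus the longest chain
    of upstream recoveries that must finish first (the critical path).
    Effective RPO: the worst RPO anywhere in its upstream chain, because the
    recovered state is only as current as its stalest dependency."""
    rto, rpo = {}, {}
    for name in recovery_order(systems):
        deps = systems[name]["depends_on"]
        rto[name] = systems[name]["rto"] + max((rto[d] for d in deps), default=0)
        rpo[name] = max([systems[name]["rpo"]] + [rpo[d] for d in deps])
    return rto, rpo


def gap_report(activities, systems):
    """Compare each activity's BIA requirement with what IT can deliver.
    An activity is only recovered when the slowest system it uses is up."""
    rto, rpo = effective_capabilities(systems)
    report = {}
    for name, req in activities.items():
        eff_rto = max(rto[s] for s in req["uses"])
        eff_rpo = max(rpo[s] for s in req["uses"])
        report[name] = {
            "required_rto": req["rto"], "effective_rto": eff_rto,
            "rto_gap": max(0, eff_rto - req["rto"]),
            "required_rpo": req["rpo"], "effective_rpo": eff_rpo,
            "rpo_gap": max(0, eff_rpo - req["rpo"]),
        }
    return report


if __name__ == "__main__":
    for activity, r in gap_report(ACTIVITIES, SYSTEMS).items():
        status = "GAP" if r["rto_gap"] or r["rpo_gap"] else "aligned"
        print(f"{activity:12} RTO {r['effective_rto']}h vs {r['required_rto']}h "
              f"required, RPO {r['effective_rpo']}h vs {r['required_rpo']}h "
              f"required -> {status}")
```

With the constructed data, "Order entry" asks for a 4-hour RTO but the ERP system cannot be up until AD and the database are, giving an effective 10 hours; "Run payroll" meets its RTO but inherits a 24-hour RPO from the payroll system's nightly backup, far beyond the 4 hours the business stated. Those are exactly the mismatches a business activity test would surface late and expensively; computing them from the BIA and DRP data first is cheaper. The cycle check matters in practice: a directory service that depends on a database that depends on the directory is a real DRP failure mode, and the script refuses to produce an order for it.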

BCM Metrics
Purpose: the BCMMETRICS secure, web-based self-assessment tool is designed to evaluate the compliance of an enterprise Business Continuity Management (BCM) program with accepted industry best practices and standards.
Consistency with industry best practices: BCMMETRICS.com uses the leading BCM industry best practices, standards and guidelines as its basis for evaluating the compliance of a program. The tool evaluates against a number of widely accepted best practices and standards that include, but are not limited to:
- ISO 22301
- BCI Good Practice Guidelines
- NFPA 1600 (the National Fire Protection Association standard on disaster/emergency management and business continuity programs)
- Federal Financial Institutions Examination Council (FFIEC) BCP guidance

BCM Metrics (three screenshot slides of the tool; no text survived extraction)

Questions
If you have questions regarding the information presented today and/or any other DR/BCP questions, please call or email:
Brandon Magestro, Director of Operations, MHA Consulting, Inc.
magestro@mha-it.com
www.mha-it.com
Mobile: (907) 748-4024