2014 NABRICO Conference


Business Continuity Planning
2014 NABRICO Conference, September 19, 2014

6 CityPlace Drive, Suite 900, St. Louis, Missouri 63141, 314.983.1200
1520 S. Fifth Street, Suite 309, St. Charles, Missouri 63303, 636.255.3000
2220 S. State Route 157, Ste. 300, Glen Carbon, IL 62034, 618.654.3100
888.279.2792, www.bswllc.com

Presenter: Tony Munns, Partner, IT Risk Advisory Services (CISA, FBCS, CITP, CIRM)
amunns@bswllc.com, Tel: 314.983.1297, Cell: 314.614.6582
Has led the Risk IT Audit Services for the firm's clients for the past 11 years. Prior experience includes 3 years with Andersen LLP as Technology Risk Consulting Practice Leader. Previous employment experience of over 18 years at 3 Fortune 500 companies: Lucent Technologies, Kraft Foods and the Prudential Assurance Company.
2014 Brown Smith Wallace. All Rights Reserved.

Agenda
- Changing strategies
- Then and Now
- Business Impact Analysis
- Disaster Recovery Planning
- Business Continuity Planning
- Questions

Acronyms
- BIA: Business Impact Analysis
- TRA: Threat and Risk Analysis
- RTO: Recovery Time Objective
- RPO: Recovery Point Objective
- DRP: Disaster Recovery Plan
- BCP: Business Continuity Plan

Changing Strategies

External Factors
- 9/11 gave us a boost to planning activities, as did Hurricane Sandy and tornadoes. However:
  - The "it couldn't happen again" syndrome sets in
  - Realities of the economy are stalling efforts
  - Confusion over emerging regulations is occurring
- Companies are outsourcing more disaster recovery efforts
  - Use of commercial hot-site contracts, moving to multiple datacenters, colocation
  - Complexity of the task is overwhelming for many companies
- Higher emphasis placed on cyber security, perceived as the bigger risk
- Confusing standards and lack of common criteria

Then and Now

THEN                     NOW
Few key applications     Many applications
Standalone systems       Highly integrated systems
Single platform          Multiple platforms
Local connection         LAN, WAN, remote connection
Tape backups             Data replication
Office based             Remote workers
Slow communications      Instant connection
Bricks & mortar          e-commerce
In-house systems         Remote & outsourced systems
Big company need         Every company's need

Components of Planned Recovery
- Executive Sponsorship
- Business Impact Analysis
- Disaster Recovery Planning
- Business Continuity Planning

BCP/DRP Plan Structure
- Conduct a Business Impact Analysis and Risk Assessment
  - Identifies mission-critical business functions and processes
  - Assesses the probability and impact to the business if critical business processes are disrupted
  - Identifies recovery requirements
- Disaster Recovery Plans
  - Usually developed using business process data flow diagrams
  - Identify the priorities in which infrastructure, systems and applications need to be recovered, based upon a hierarchy of dependencies or business needs
- Crisis Management and Communication Plan
  - Provides guidance to management and outlines the necessary steps to execute during a significant business disruption (e.g. definition of a disaster, engaging the crisis management team, communication plan, public relations, etc.)
- Business Continuity Plans
  - Identify alternate procedures to execute when the primary business or work location and resources are unavailable
- Pandemic Plan Consideration
  - It is necessary to prepare a plan to protect a business's #1 resource (employees) in the event of a widespread influenza outbreak or chemical contamination
- Annual testing
  - Encourages continuous process improvement and plan maintenance
- Continuous Update!

Templates and Approaches
- DRII (DRI International)
- ISO (International Organization for Standardization): ISO 27031:2011, Guidelines for information and communications technology readiness for business continuity
- ITIL (Information Technology Infrastructure Library)
- NIST (National Institute of Standards and Technology): Special Publication 800-34, Contingency Planning Guide for IT Systems; 800-84, Test, Training & Exercise Programs
- FEMA template for SMBs
- FINRA

Business Impact Analysis, Step 1: Risk Assessment
Perform a Business Impact Analysis (BIA) Risk Assessment to identify threats and risks, control options and their cost.

Approach:
- Identify and prioritize the risk associated with each business unit/area within the company
- Develop a high-level matrix providing management a summary view of the BIAs across the enterprise
- Identify gaps and provide recommendations to mitigate the identified risks

Deliverable: An executive summary accompanied by a high-level matrix identifying business processes and the threats and risks that could cause a significant business disruption. In addition, the matrix should include a TRA (Threat and Risk Analysis) covering the risk control options, the cost of each control option, its effectiveness, and a comparison of the options' cost and effectiveness.

Business Impact Analysis, Step 2: Identify Recovery Requirements
For mission-critical business functions and processes, interview business owners and document the desired recovery time and recovery point objectives.

Approach:
- Identify and prioritize critical business functions and processes associated with each business unit/area within the company, including all back-office systems
- For various RTOs and RPOs, develop a cost analysis of the architecture required for the desired recovery
- Identify any potential architectural or process improvements that would facilitate a more cost-effective approach to recovery

Deliverable: An executive summary accompanied by a high-level matrix identifying business processes, their desired recovery requirements, and the costs associated with each approach. In addition, recommendations should be presented for architecture and process improvements that will mitigate the cost associated with the desired recovery objectives.

Business Impact Analysis, Step 3
Based upon the results of the BIA, identify the action steps necessary to develop the Disaster Recovery Plan and Business Continuity Plan. This may include Crisis Management, Continuity, and Disaster Recovery Plan development.

Deliverable: Provide management a gap analysis and action plan identifying the necessary steps for completing the Disaster Recovery Planning and Business Continuity process.
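To make the three BIA steps concrete, here is an added Python example (not from the presentation or the firm) that scores each process's exposure, matches its desired RTO/RPO against costed recovery architectures, and lists the gaps that feed the Step 3 action plan. Every process name, objective, architecture and cost figure below is a constructed sample value.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Process:
    name: str
    unit: str          # business unit/area that owns the process
    impact: int        # 1 (minor) .. 5 (severe) impact if disrupted
    likelihood: int    # 1 (rare) .. 5 (likely) that a disruption occurs
    rto_hours: float   # desired Recovery Time Objective
    rpo_hours: float   # desired Recovery Point Objective (max data loss window)

@dataclass(frozen=True)
class Architecture:
    name: str
    rto_hours: float   # recovery time this architecture can achieve
    rpo_hours: float   # data loss window this architecture can achieve
    annual_cost: int   # constructed figure, USD per year

# Constructed sample data for a hypothetical company; not figures from the deck.
PROCESSES = [
    Process("Order entry", "Sales", impact=5, likelihood=3, rto_hours=4, rpo_hours=1),
    Process("Payroll", "HR", impact=4, likelihood=2, rto_hours=48, rpo_hours=24),
    Process("Trading ledger", "Finance", impact=5, likelihood=2, rto_hours=0.5, rpo_hours=0),
]
ARCHITECTURES = [
    Architecture("Tape backup to offsite vault", rto_hours=72, rpo_hours=24, annual_cost=20_000),
    Architecture("Commercial hot-site contract", rto_hours=8, rpo_hours=4, annual_cost=90_000),
    Architecture("Second datacenter with replication", rto_hours=2, rpo_hours=0.25, annual_cost=250_000),
]

def risk_score(p: Process) -> int:
    """Step 1: rank exposure as impact x likelihood (one cell of a simple TRA-style matrix)."""
    return p.impact * p.likelihood

def cheapest_meeting(p: Process, archs) -> Optional[Architecture]:
    """Step 2: the lowest-cost architecture whose achievable RTO and RPO both satisfy the process."""
    fits = [a for a in archs if a.rto_hours <= p.rto_hours and a.rpo_hours <= p.rpo_hours]
    return min(fits, key=lambda a: a.annual_cost) if fits else None

def build_bia_matrix(processes, archs):
    """One row per process, highest risk first; a row whose architecture is None is a gap."""
    rows = []
    for p in sorted(processes, key=risk_score, reverse=True):
        a = cheapest_meeting(p, archs)
        rows.append({"process": p.name, "unit": p.unit, "risk": risk_score(p),
                     "rto_h": p.rto_hours, "rpo_h": p.rpo_hours,
                     "architecture": a.name if a else None,
                     "annual_cost": a.annual_cost if a else None})
    return rows

def gap_analysis(rows):
    """Step 3: processes whose objectives no costed architecture meets; each needs an action item."""
    return [r["process"] for r in rows if r["architecture"] is None]

if __name__ == "__main__":
    matrix = build_bia_matrix(PROCESSES, ARCHITECTURES)
    print(*matrix, "Gaps needing action: %s" % gap_analysis(matrix), sep="\n")
```

With the sample data, the trading ledger's sub-hour RTO and zero RPO are met by none of the costed options, which is exactly the kind of gap the Step 3 action plan has to resolve (tighter architecture, or a renegotiated objective).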

Contents of a Good Plan: Definition
The IT Disaster Recovery Plan is a written strategy created to facilitate an organization's quick and successful response to severe disasters. Through the division and allocation of pre-defined responsibilities and duties, response times are minimized. With the creation of an IT DR plan, effort is made to provide a dependable and efficient restoration of services in the event of a disaster.

Contents of a Good Plan: Objectives (know what they are, and their limitations)
- Document specific definitions and guidelines for declaring disaster scenarios and the corresponding emergency responses.
- Provide for the continuation of critical IT and related business functions and recovery in the event of a disaster.
- Maximize the expediency and effectiveness of recovery operations through an established set of strategic plans.
- Identify the necessary policies, procedures, and resources required to maintain critical Information Technology support services during prolonged interruptions to routine operations.
- Assign responsibilities and duties to designated personnel for the implementation of disaster recovery procedures.
- Ensure coordination between appropriate staff concerning disaster contingency planning strategies.
- Ensure appropriate plans have been created to coordinate external vendors, clients, and contacts in the event of a disaster.
- Provide standards for testing components of the Disaster Recovery Plan.

Contents of a Good Plan: Assumptions (document and validate them)
- Key personnel have been identified and trained in their emergency response and recovery roles. It is also assumed that each person is available to activate and carry out their assigned responsibilities and duties.
- Current backup media, containing relevant data for applicable critical IT services and components, are available through designated data library relocation providers.
- All required IT-related hardware is either available or can be obtained in a timely fashion.
- All required software is available and current, along with appropriate licensing.
- All required hardware and software vendor support contracts are maintained and are current.
- Contracted temporary disaster recovery sites will be available at the time of need.
- Designated management staff will communicate appropriate status information to those applicable personnel, vendors, and agents affected by a declared disaster.
- All required disaster recovery related documentation is available and current.
- Most importantly, it is assumed that this Disaster Recovery Plan is reviewed, tested, and updated on an annual basis at a minimum.

Contents of a Good Plan: Overview
- Introduction
- Scope
- Objective
- Assumptions
- Disaster definitions
- Disaster likelihood ratings
- Threat levels
- Declaration of disaster
- Preparing for disaster
- Disaster response budget
- Disaster response team defined

Contents of a Good Plan (continued)
- Disaster recovery escalation process defined
- Quick reference guide
- DR temporary recovery site
- Updated IT-related documentation
- Dependencies
- Contact listings
- Vendor failures
- Avoiding & minimizing disasters
- IT recovery details
- Plan monitoring, review, and testing
- Continuous Update

Contents of a Good Plan: Make sure you include
- Wide Area Network Documentation
- Local Area Network Documentation
- Server Documentation
- Password Documentation
- Network/Software Application Documentation
- Vendor Contract Documentation
- Critical System Log Documentation
- Telecommunications and Voice Infrastructure Documentation

Business Continuity Planning
Business Continuity Planning is the next step after Disaster Recovery Planning.
- DRP provides the technology infrastructure for the company to continue to function.
- BCP provides procedures for operation of the organization and business units during a disaster.

What is Business Continuity Planning?
Business Continuity Planning is a planning process that identifies an organization's exposure to internal and external threats and identifies the key processes that need to be protected to sustain business operations and maintain a competitive advantage in the event of a significant business disruption.

Key Objectives:
- Minimize the possibility of interruptions to business operations
- Maintain a competitive advantage
- Prevent the company from becoming a business closure statistic due to lack of planning

Business Continuity Planning
- Address all business functional areas (HR, Sales, Accounting, etc.)
- Address non-IT related items
  - Office supplies
  - Desks/workspaces
  - Business forms (check stock, purchase orders, sales orders, etc.)
  - Reference material
  - Supply chain management
- Communications
  - Employees and stakeholders
  - Media
  - Legal and regulatory
  - Customers
- Incident response planning and handling

BCP Lifecycle

Plan Contents: Program Administration
- Define the scope, objectives, and assumptions of the business continuity plan.

Plan Contents: Business Continuity Organization
- Define the roles and responsibilities for team members.
- Identify the lines of authority, succession of management, and delegation of authority.
- Address interaction with external organizations, including contractors and vendors.

Plan Contents: Organization Chart
- Include a schedule of team member contact information, roles, and alternatives.

Plan Contents: Business Impact Analysis
- Insert the results of the Business Impact Analysis
- Identify Recovery Time Objectives for business processes and information technology
- Identify the Recovery Point Objective for data restoration

Plan Contents: Business Continuity Strategies & Requirements
- Insert detailed procedures, resource requirements, and logistics for execution of all recovery strategies
- Insert detailed procedures, resource requirements, and logistics for relocation to alternate worksites
- Insert detailed procedures, resource requirements, and a data restoration plan for the recovery of information technology (networks and required connectivity, servers, desktops/laptops, wireless devices, applications, and data)

Plan Contents: Manual Workarounds
- Document all forms and resource requirements for all manual workarounds

Plan Contents: Incident Management
Define procedures for:
- Incident detection and reporting
- Alerting and notifications
- Business continuity plan activation
- Emergency operations center activation
- Damage assessment (coordination with the emergency response plan) and situation analysis
- Development and approval of an incident action plan

Plan Contents: Training, Testing & Exercising
- Training curriculum for business continuity team members
- Testing schedule, procedures, and forms for business recovery strategies and information technology recovery strategies
- Orientation, tabletop, and full-scale exercises

Plan Contents: Program Maintenance and Improvement
- Schedule, triggers, and assignments for the periodic review of the business continuity plan
- Details of the corrective action program to address deficiencies

Plan Contents: Related Policies & Procedures
Also include references to:
- Emergency Response Plan
- Information Technology Disaster Recovery Plan (if not included in the business continuity plan)
- Vendors, Suppliers and Partners Contact Information
- Crisis Communications Plan
- Employee Assistance Plan

Consequences Due to Lack of DRP/BCP
- Lost data
- Longer data recovery time
- No contingency procedures during the recovery process
- Damage to company reputation
- Employee downtime
- Dependence on a few key people who have the required system/organizational knowledge

Closing Quotes

Bob Clark, CEO, Clayco: "I don't want to become a Katrina statistic, like some of my competitors in Louisiana."

CBS MoneyWatch: "Big, disruptive events like the BP oil spill, Hurricane Katrina, and the California wildfires make the news, but it's more often the smaller, unexpected disasters that wreak havoc on a company's ability to function."

Unknown: "An organization that fails to provide a minimum level of service to its clients following a disastrous event may not have a business to recover."

Protect all to protect one: in order to protect any single business function, the enterprise must be protected.

Questions