Building Organizational Resilience Presentation - ISSA Special Interest Group in Security Education...
Transcript of Building Organizational Resilience Presentation - ISSA Special Interest Group in Security Education...
Building organizational resilience amidst global uncertainty: An overview of business continuity and crisis management for today’s global leaders
Bryan Strawser, MBCP, MBCI, CISSP, CEM
Principal Consultant & CEO
The Last 24 Months: Data Breaches

Company                    People Impacted
Sony Pictures              6,000
Sally Beauty               25,000
Neiman Marcus              1,100,000
Michaels Stores            3,000,000
Community Health Systems   4,500,000
PF Chang’s                 7,000,000
Home Depot                 56,000,000
Target                     70,000,000
JP Morgan                  76,000,000
Anthem                     80,000,000 (still being evaluated)
eBay                       145,000,000
Copyright © 2015 by Bryghtpath LLC | bryghtpath.com | +1-612-235-6435 | [email protected]
Business Continuity and Emergency Management: Global Standards

Business Continuity
• ISO 22301 (formerly BS25999)
• NFPA 1600
• ASIS Business Continuity Management Standard
• ASIS SPC.1: Organizational Resilience

US Government
• Federal Continuity Directives (FCD 1 / FCD 2)
• Continuity Guidance Circulars (CGC 1 / CGC 2)
ISO 22301:2012 Societal Security – Business Continuity Management Systems
• Formerly BS25999
• Adopted globally in 2012
• Intersects with other ISO standards
  – Ex: ISO 27001
• Establish and maintain a Business Continuity Management System
• Accreditation
• Certification
  – Implementer / Lead
  – Auditor / Lead
Business Continuity and Emergency Management: Professional Certifications

Business Continuity
• Disaster Recovery Institute International
  – Associate Business Continuity Professional (ABCP)
  – Certified Business Continuity Professional (CBCP)
  – Master Business Continuity Professional (MBCP)
• Business Continuity Institute
  – Member, Business Continuity Institute (MBCI)
  – Fellow, Business Continuity Institute (FBCI)

Emergency Management
• International Association of Emergency Managers
  – Associate Emergency Manager (AEM)
  – Certified Emergency Manager (CEM)
We’re from the government, we’re here to help… Business Continuity Regulations

United States
• Federal Financial Institutions Examination Council (FFIEC)
• Securities and Exchange Commission (SEC)
• Financial Industry Regulatory Authority (FINRA)
• Payment Card Industry Standard (PCI)
Business Continuity Lifecycle: ISO 22301 Business Continuity Management Lifecycle
• Business Impact Analysis & Risk Assessment
• Develop BC Strategies
• Establish & Implement BC Procedures
• Exercise, Testing, Maturing
Business Impact Analysis & Risk Assessment: Identifying critical business functions & their risks

Business Impact Analysis
• What are the critical business functions at my company?
• How long can they be disrupted?
• How quickly can they be recovered today?
• What is the impact from that disruption to my business?
• BIA Methods

Risk Assessment
• What are the risks to these functions?
• What are our top enterprise risks?
• Risk Assessment Methods
Develop BC Strategies: How can I recover my critical functions in the time period needed?

Specific actions to manage your risks and address your opportunities
• Prepare your business for disruption
• Develop Business Continuity Plans
• Implement Business Continuity Solutions
Develop BC Strategies: Business Continuity Plans

Core Components of a BC Plan
• Roles & Responsibilities
• Activation process
• Managing the immediate consequences
• Communication plan
• Recover prioritized activities
• Media response
• Process for standing down
Establish & Implement BC Procedures: What processes will I follow in a disruption?

Specific defined processes for Business Continuity
Examples:
• Emergency preparedness
• Governance
• Activation
Exercise, Testing, & Maturing: How will I exercise and test my plans? Based on those results, how will I improve?

• All plans should be exercised at least annually:
  – Notification
  – Table Top
  – Recovery
  – Fully integrated
• Disaster Recovery
  – Testing DR plans and strategies
• Defined process for capturing lessons learned and applying them to plans and strategies
Connecting to Security Education and Awareness

Awareness

Executive Leaders & Board Members
• An understanding of risk across the organization
• Broad, strategic overview of the program
• Clear understanding of decision making rights and their roles
• Metrics & program maturity

Typical Employee
• Emergency procedures
• High-level understanding of business continuity

Critical Function Leaders
• Understanding of how the function connects to the broader business strategically
• Can describe dependencies on technologies and other functions
• Takes ownership of the planning process for the critical function
• Fully understands business continuity & disaster recovery plans for the function
Crisis Management: A Component of Business Continuity Management

The active management of a disruption or escalating situation

Items to consider:
• Clear roles and responsibilities
• Decision making rights pre-defined
• Single source of truth for executive & board communication
• Communication products / messages
• Cross-functional coordination
Crisis Management: A Simple Framework Example
• Green Team
• Yellow Team
• Red Team
Disaster Recovery: Business Continuity for IT Systems
• “Disaster Recovery” generally pertains to the recoverability of IT systems
  – Applications
  – Infrastructure
• Must be closely linked to business continuity capability
• Should heavily utilize the BIA findings to influence a tiered recovery strategy
Case Study: When a drip becomes a flood…
• 2013 Target Corporation HQ Flood
• Primarily impacted non-critical teams
• Flexibility in planning and crisis management framework enabled response despite lack of function-specific plans
• Lessons Learned
Practical tips for success: Advice on Building a BC Program
• Keep things simple
• Establish clear governance up-front
• Pick a standard to guide your implementation
• Select the leader of the program carefully
  – Professional certifications / subject matter expertise
  – Presence / Communication skills
• Understand local, regional, country level risk
• Bring in experts where needed to augment
• This is not rocket science!
Bryghtpath LLC: Contact Information

Contact Bryan:
Bryan Strawser
Principal Consultant & CEO
Phone: +1-612-235-6435
E-Mail: [email protected]
Twitter: @bryanstrawser

Learn more about our services and how we can help you:
Website: www.bryghtpath.com
Twitter: @bryghtpath
Facebook: facebook.com/bryghtpathllc

Our Consulting Services Include:
• Business Continuity
• Crisis / Emergency Management
• Enterprise Risk Management
• Exercise Design & Facilitation
• Global Intelligence & Security
• ISO Training & Certification
• Travel Risk & Security