Transcript of a Secure360 presentation by Assurity River Group (slide text)
Copyright © 2013, Assurity River Group All rights reserved. No duplication without written permission.
Background
Minneapolis based
Founded in 2002
Team Certifications: CISSP, CISA, CBCP, CRISC, CISM
Associations: ISACA, ISSA, FBI InfraGard, BCPA, ISC(2), ICBA, MBA, ICBM
Services
Comprehensive Information Security
Risk / Governance / Compliance
Incident Response
Pen Testing / Vulnerability Assessment
Security Training
Business Continuity / Disaster Recovery
Managed Security / Recovery Services
CEO: “The board of directors wants to see our DR plan. Put it together!”
CIO: “Boss says we need a DR plan. Get the cost together to make it happen!”
IT Guy: “Awesome! We’ll need another SAN, 200 new servers, 100MB Fiber, 30 racks in a data center. I’ll call my sales rep.”
“Great! I’ll get my engineers to work on configs, get pricing and schedule demos of the data center!”
“Let’s look at DR again in a couple years. You need to add $6M to the budget or we need to kill the SAP rollout!”
“I need $6M added to the budget over the next 3 years and 4 FTEs.”
“The cost to do what you’ve asked will be $2M in HW/SW and $100k per month.”
QUOTES FROM THE FIELD
“We recommend BCP every year and it always gets put off.” – VP-IT, Credit Union
“I don’t want management to know we don’t have a DR plan. I’m too busy already.” – IT Manager
“Management has a bad taste in its mouth from the last consultant who was counting how many pencils we need in a disaster.” – CIO, Law firm
“Our insurance policy is our DR plan.” – President, Home Healthcare Provider
“I’ve got my resume ready.” – IT Director
AGENDA
• Introduction of Sales Concepts
• Sale 1: DR/BC Initiative Buy-in
• Sale 2: DR/BC Strategy Buy-in
• Summary
“STRATEGIC SELLING” MILLER-HEIMAN
A Complex Sale is one in which several people must give their approval before the sale can take place.
THE BUSINESS RECOVERY PLANNING PUZZLE
(Figure slide: puzzle diagram; no text survived extraction.)
BUYING INFLUENCES
• Economic – Role: FINAL APPROVAL. Focus: bottom line and impact on the organization. Asks: “What is the ROI?”
• User – Role: JOB PERFORMANCE. Focus: the job to be done. Asks: “How will this work for me?”
• Technical – Role: EVALUATOR. Focus: the product/service per se. Asks: “Does it meet the specifications?”
• Coach – Role: GUIDE THE SALE. Focus: your success. Asks: “How can we pull this off?”
RESPONSE MODES
• Growth – Perceived “gap” between reality and the growth objective. Wants: more, better, faster and improved.
• Trouble – Panic end of the Euphoria–Panic Continuum. Wants: quick resolution to the immediate problem.
• Even Keel – No perceived “gap” between reality and results needed. Wants: status quo.
• Overconfident – Current situation exceeds expectations. Wants: you to go away!
SALE 1 – INITIATIVE BUY-IN
INITIATIVE BUY-IN – UNDERSTAND APPLICABLE LAWS AND REGULATIONS
• Financial Services – Gramm-Leach-Bliley Act (GLBA); NASD 3500 series rules; guidance at www.ffiec.gov
• Health Insurance Portability and Accountability Act (HIPAA) – 45 CFR 164.308(a)(7) (contingency plan)
• Sarbanes-Oxley Act (SOX) – Section 404
• Government – FISMA: Federal Information Security Management Act of 2002
LAWS AND REGULATIONS RESOURCE: http://www.drj.com/resources/dr-rules-regulations.html
INITIATIVE BUY-IN – FIND A COACH
• Ideally, accountable for operational risk or would be impacted the most by a business interruption
• Understands the “big picture”
• Has the ear of senior management and the board
• Respected internally – can get it done!!!
INITIATIVE BUY-IN – USER FEEDBACK: UNDERSTAND OBLIGATIONS & CUSTOMER REQUIREMENTS
• Sales / Customer Service – service level agreements, warranties
• Finance / Accounting / Risk Mgmt – obligations, business insurance and exclusions
• Production – manufacturing commitments, inventory management
• Compliance – previous audit findings, vendor management
INITIATIVE BUY-IN – USER
• Cite recent incidents: area flooding, power outages, tornados, security breaches, any recent “brush with disaster”
• Look for Growth / Trouble mode
• Ask implication questions – “5 Why’s”
5 WHY’S
1. We cannot have any downtime.
2. My people need to access the network.
3. Because they have to use ERP.
4. Without accessing ERP, we cannot fulfill orders.
5. Our brand / reputation would be irreparably damaged, missed deadlines, lose customers, fines/penalties, excessive downtime costs, etc.
TECHNICAL BUYER – UNDERSTAND BC CAPABILITIES UNDER VARIOUS SCENARIOS, AND HAS IT BEEN TESTED?
“Under what circumstances have you had to actually execute your DR plan, either full or in part, excluding tests?”
(Bar chart, 0% to 70% axis. Values and categories paired in the order they were extracted:)
Never – 7%
Configuration Issues (storage, database) – 26%
Configuration Issues – 26%
Man Made Disaster (war, terrorism) – 33%
Configuration / Change Mgmt Issues – 34%
Malicious Employee Behavior – 36%
Data Leakage or Loss – 37%
IT Problem Management – 39%
User / Operator Error – 41%
Power Outage – 45%
Natural Disaster – 53%
External Computer Threats (virus, hackers) – 54%
Computer Systems Failure – 59%
Source: Symantec Disaster Recovery Global survey
THE BUSINESS RECOVERY PLANNING PUZZLE
(Figure slide repeated; no text survived extraction.)
ECONOMIC BUYER – SELL IT: SPIN SELLING APPROACH (AUTHOR: NEIL RACKHAM)
S – Situation: revenue dependency on availability; laws/regulations; client commitments
P – Problem: we’re at risk; capabilities unknown; untested
I – Implication: loss of customer confidence, shareholder losses, compliance violations, damaged reputation
N – Need / Payoff: identify requirements; evaluate alternatives
DOWNTIME COSTS ARE EXPONENTIAL – NOT LINEAR
(Chart: Impact Cost/Hour, $0 to $1,000,000, plotted against Outage Duration in hours: 1, 4, 8, 12, 24, 48. The cost per hour rises faster than linearly as the outage lengthens.)
TIP: REVIEW THE RISK FACTORS SECTION OF THE COMPANY’S 10-K
“WE FACE RISKS RELATED TO SYSTEM INTERRUPTION AND LACK OF REDUNDANCY”
Our computer and communications systems and operations could be damaged or interrupted by fire, flood, power loss, telecommunications failure, earthquakes, acts of war or terrorism, acts of God, computer viruses, physical or electronic break-ins, and similar events or disruptions. Any of these events could cause system interruption, delays, and loss of critical data, and could prevent us from accepting and fulfilling customer orders and providing services, which could make our product and service offerings less attractive and subject us to liability. Our systems are not fully redundant and our disaster recovery planning may not be sufficient. In addition, we may have inadequate insurance coverage to compensate for any related losses. Any of these events could damage our reputation and be expensive to remedy.
GLOBAL PAYMENTS, INC. 1.5 MILLION CREDIT CARD RECORDS BREACHED APRIL 1, 2012
RECOMMEND A PROCESS
(Process diagram, as laid out on the slide:)
• Facility Risk Assessment → Preventive Measures
• Recoverability Assessment
• Impact Analysis → Potential Loss
• Strategy Selection
• Plan Development → Test / Update / Maintain
• Output: RECOVERY PLAN
SALE 2 – STRATEGY BUY-IN
I. BUSINESS IMPACT ANALYSIS (BIA)
A Business Impact Analysis (BIA) sets realistic recovery goals and priorities based on impact to the business.
• Define business requirements:
  • What functions are critical to the business?
  • What resources are needed?
  • How would an interruption impact the company?
  • When would the functionality need to be restored?
BIA PURPOSE
• Quantifies losses over time
• Identifies operational impacts over time
(Chart “Determine The Impact”: Impact ($) against Time To Recovery at 8 hrs, 24 hrs, 48 hrs, 72 hrs and days. Bands in order of increasing recovery time: Productivity / Quality Losses; Short Term Financial Impact / Customer Base Affected; Long Term Financial Impact / Customer Base Lost.)
CONTINUITY RISK MANAGEMENT
(Figure slide; no text survived extraction.)
BUSINESS PROCESS PRIORITIES – 1-3 DAYS
(Chart: Solution Costs, Low to High, against Time to Recover, from hours (Data Replication) to days/weeks (Tape Restore). Processes plotted on the slide, grouped as they appear, with time markers of 4 hours, 1 day and 3 days:)
• Customer Service – Comm to Distributors, End Users, DM; Order Entry / Pricing & Availability; Switchboard
• IMS – Customer Service Service Parts; Inventory Control / Receiving / Stocking; Order Entry; Purchasing; Shipping
• Electrical Components – Manufacturing / Shipping Service Parts; Maint of Item / Customer Master Lists (1 day)
• Electrical Components – Production of Rate Card; Facilities – Door Access Security; IMS – Finished Goods; Engineering
MATCH STRATEGY TO IT SERVICE CLASSIFICATION – TECHNICAL
(Chart: Cost to Recover ($) against Time to Recover, with time bands of 30 min, 8-24 hours, 1-4 days, 5-8 days, 9-15 days and 16+ days. Recovery solutions shown, from the fast/high-cost end to the slow/low-cost end: Rapid Recovery (Mirrored); Data Electronic Vaulting; Vendor Contracted Hot Site; Mobile Site / Equipment Drop Ship; Cold / Warm Site; No Recovery Option.)
COLD SITE RECOVERY PROCESS
(Figure: phases labelled OUTAGE, EMERGENCY and RECOVERY TASKS.)
TIMELINE AT TIME OF DISASTER
(Gantt chart spanning Week 1 through Week 6; tasks in the order shown:)
• Find alternate site
• Order equipment
• Start up iSeries w/ remote access
• Prepare data center space
• Move disk backups to alternate site
• Order Internet
• Order communication lines
• Install hardware, build servers, restore data
• iSeries connectivity at
• Verify communications for users
STRATEGY BUY-IN – FINANCIAL JUSTIFICATION (ECONOMIC)
Annualized Loss Expectancy (ALE): Risk = Probability x Impact

Threat             Probability  Impact  ALE    Mitigation Option               Cost   Disposition
Facility Disaster  5%           $10M    $500k  Redundant Data Center           $2M    $1.5M
Facility Disaster  5%           $10M    $500k  Hot-site for critical services  $200k  $300k
Hardware Failure   50%          $100k   $50k   Replication / Hot Spare         $50k   $20k
Power Outage       100%         $150k   $150k  Diesel Generator                $100k  $50k
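As an added worked example (not from the slides), the following Python reproduces the ALE column from the table above and ranks each mitigation by the loss it avoids against what it costs. The figures are taken from the slide; the assumption that each option's cost is an annual figure, the amortization helper, and the assumption that a funded option removes the threat's ALE entirely (no residual risk) are mine, not the presenter's.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Mitigation:
    """One row of the financial-justification table."""
    threat: str
    probability: float   # annual rate of occurrence, e.g. 0.05 = once in 20 years
    impact: float        # loss per occurrence, in dollars
    option: str
    annual_cost: float   # assumption: the option's cost expressed per year


def ale(probability: float, impact: float) -> float:
    """Annualized Loss Expectancy = probability (per year) x impact (per event)."""
    return round(probability * impact, 2)


def annualized_cost(capex: float, years: int, opex_per_year: float) -> float:
    """Spread a one-time HW/SW quote over its useful life and add running cost,
    so a capital quote can be compared with an annual ALE.
    Helper added here; straight-line amortization is an assumption."""
    return round(capex / years + opex_per_year, 2)


def net_benefit(m: Mitigation) -> float:
    """Loss avoided per year minus what the option costs per year.
    Assumes the option removes the threat's ALE entirely; a residual-risk
    factor would scale the first term down."""
    return round(ale(m.probability, m.impact) - m.annual_cost, 2)


def evaluate(rows: list) -> list:
    """Return (threat, option, ALE, net benefit) tuples, best option first."""
    scored = [(m.threat, m.option, ale(m.probability, m.impact), net_benefit(m))
              for m in rows]
    return sorted(scored, key=lambda r: r[3], reverse=True)


# Sample input constructed from the slide's table, dollar figures expanded.
TABLE = [
    Mitigation("Facility Disaster", 0.05, 10_000_000, "Redundant Data Center", 2_000_000),
    Mitigation("Facility Disaster", 0.05, 10_000_000, "Hot-site for critical services", 200_000),
    Mitigation("Hardware Failure", 0.50, 100_000, "Replication / Hot Spare", 50_000),
    Mitigation("Power Outage", 1.00, 150_000, "Diesel Generator", 100_000),
]

if __name__ == "__main__":
    for threat, option, exposure, benefit in evaluate(TABLE):
        verdict = "fund" if benefit > 0 else ("break-even" if benefit == 0 else "reject or rescope")
        print(f"{threat:18} {option:32} ALE ${exposure:>12,.0f}  net ${benefit:>12,.0f}  {verdict}")
    # The slide 4-5 quote, $2M HW/SW plus $100k per month, spread over three years:
    print(f"$2M capex + $100k/month over 3 years = ${annualized_cost(2_000_000, 3, 1_200_000):,.0f}/yr")
```

The ranking makes the economic buyer's decision explicit: a $2M redundant data center costs four times the $500k facility-disaster ALE it addresses, while a $200k hot site for critical services clears the same ALE with $300k to spare. In practice the first term should be reduced by the residual risk the option leaves behind, and capital quotes must be annualized before they are set against an ALE.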
FINAL THOUGHTS
• Identify Buying Influences (E, U, T, C)
• Do Your Homework!
• Target Growth and Trouble Response Modes
• Build Case with USER Input - IMPLICATIONS
• Match Solutions to Business Requirements
• Identify Additional Benefits
THANK YOU!
Jeff Olejnik, CEO
952-230-6488
www.assurityriver.com
@assurityriver