Building organizational resilience amidst global uncertainty: An overview of business continuity and crisis management for today's global leaders
Bryan Strawser, MBCP, MBCI, CISSP, CEM
Principal Consultant & CEO

Data Breaches: The Last 24 Months

Company | Impacted People
Sony Pictures | 6,000
Sally Beauty | 25,000
Neiman Marcus | 1,100,000
Michaels Stores | 3,000,000
Community Health Systems | 4,500,000
PF Chang's | 7,000,000
Home Depot | 56,000,000
Target | 70,000,000
JP Morgan | 76,000,000
Anthem | 80,000,000 (still being evaluated)
eBay | 145,000,000

Copyright © 2015 by Bryghtpath LLC | bryghtpath.com | +1-612-235-6435 | [email protected]

Global Standards: Business Continuity and Emergency Management

Business Continuity
• ISO 22301 (formerly BS25999)
• NFPA 1600
• ASIS Business Continuity Management Standard
• ASIS SPC.1: Organizational Resilience

US Government
• Federal Continuity Directives (FCD 1 / FCD 2)
• Continuity Guidance Circulars (CGC 1 / CGC 2)

ISO 22301:2012 Societal Security – Business Continuity Management Systems
• Formerly BS25999
• Adopted globally in 2012
• Intersects with other ISO standards – Ex: ISO 27001
• Establish and maintain a Business Continuity Management System
• Accreditation
• Certification
  – Implementer / Lead
  – Auditor / Lead

Professional Certifications: Business Continuity and Emergency Management

Business Continuity
• Disaster Recovery Institute International
  – Associate Business Continuity Professional (ABCP)
  – Certified Business Continuity Professional (CBCP)
  – Master Business Continuity Professional (MBCP)
• Business Continuity Institute
  – Member, Business Continuity Institute (MBCI)
  – Fellow, Business Continuity Institute (FBCI)

Emergency Management
• International Association of Emergency Managers
  – Associate Emergency Manager (AEM)
  – Certified Emergency Manager (CEM)

Business Continuity Regulations
We're from the government, we're here to help…

United States
• Federal Financial Institutions Examination Council (FFIEC)
• Securities and Exchange Commission (SEC)
• Financial Industry Regulatory Authority (FINRA)
• Payment Card Industry Standard (PCI)

Business Continuity Lifecycle
ISO 22301 Business Continuity Management Lifecycle (a cycle of four stages):
• Business Impact Analysis & Risk Assessment
• Develop BC Strategies
• Establish & Implement BC Procedures
• Exercise, Testing, Maturing

Business Impact Analysis & Risk Assessment
Identifying critical business functions & their risks

Business Impact Analysis
• What are the critical business functions at my company?
• How long can they be disrupted?
• How quickly can they be recovered today?
• What is the impact from that disruption to my business?
• BIA methods

Risk Assessment
• What are the risks to these functions?
• What are our top enterprise risks?
• Risk assessment methods

Develop BC Strategies
How can I recover my critical functions in the time period needed?
Specific actions to manage your risks and address your opportunities:
• Prepare your business for disruption
• Develop Business Continuity Plans
• Implement Business Continuity Solutions

Develop BC Strategies: Business Continuity Plans
Core Components of a BC Plan
• Roles & responsibilities
• Activation process
• Managing the immediate consequences
• Communication plan
• Recover prioritized activities
• Media response
• Process for standing down

Establish & Implement BC Procedures
What processes will I follow in a disruption?
Specific defined processes for Business Continuity. Examples:
• Emergency preparedness
• Governance
• Activation

Exercise, Testing, & Maturing
How will I exercise and test my plans? Based on those results, how will I improve?
• All plans should be exercised at least annually:
  – Notification
  – Table top
  – Recovery
  – Fully integrated
• Disaster Recovery – testing DR plans and strategies
• Defined process for capturing lessons learned and applying them to plans and strategies

Awareness: Connecting to Security Education and Awareness

Executive Leaders & Board Members
• An understanding of risk across the organization
• Broad, strategic overview of the program
• Clear understanding of decision-making rights and their roles
• Metrics & program maturity

Typical Employee
• Emergency procedures
• High-level understanding of business continuity

Critical Function Leaders
• Understanding of how the function connects to the broader business strategically
• Can describe dependencies on technologies and other functions
• Takes ownership of the planning process for the critical function
• Fully understands business continuity & disaster recovery plans for the function

Crisis Management: A Component of Business Continuity Management
The active management of a disruption or escalating situation. Items to consider:
• Clear roles and responsibilities
• Decision-making rights pre-defined
• Single source of truth for executive & board communication
• Communication products / messages
• Cross-functional coordination

Crisis Management: A Simple Framework Example
[Diagram: Green Team, Yellow Team, Red Team]

Disaster Recovery: Business Continuity for IT Systems
• "Disaster Recovery" generally pertains to the recoverability of IT systems
  – Applications
  – Infrastructure
• Must be closely linked to business continuity capability
• Should heavily utilize the BIA findings to influence a tiered recovery strategy

Case Study: When a drip becomes a flood…
• 2013 Target Corporation HQ Flood
• Primarily impacted non-critical teams
• Flexibility in planning and the crisis management framework enabled response despite the lack of function-specific plans
• Lessons learned

Advice on Building a BC Program: Practical tips for success
• Keep things simple
• Establish clear governance up-front
• Pick a standard to guide your implementation
• Select the leader of the program carefully
  – Professional certifications / subject matter expertise
  – Presence / communication skills
• Understand local, regional, country-level risk
• Bring in experts where needed to augment
• This is not rocket science!

Contact Information: Bryghtpath LLC

Contact Bryan:
Bryan Strawser, Principal Consultant & CEO
Phone: +1-612-235-6435
E-Mail: [email protected]
Twitter: @bryanstrawser

Learn more about our services and how we can help you:
Website: www.bryghtpath.com
Twitter: @bryghtpath
Facebook: facebook.com/bryghtpathllc

Our Consulting Services Include:
• Business Continuity
• Crisis / Emergency Management
• Enterprise Risk Management
• Exercise Design & Facilitation
• Global Intelligence & Security
• ISO Training & Certification
• Travel Risk & Security
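The BIA questions on the "Business Impact Analysis & Risk Assessment" slide ("How long can they be disrupted?", "How quickly can they be recovered today?") and the Disaster Recovery slide's point that BIA findings should drive a tiered recovery strategy can be turned into a small, repeatable model. The Python below is an added example, not code from the deck or from Bryghtpath. It assumes a four-tier scheme with RTO bounds of 4, 24 and 72 hours, an RTO set at half the function's MTPD, and the business functions, applications and hours in the sample data are all constructed for illustration.

```python
"""BIA-driven tiering of IT applications for a disaster recovery strategy.

Each business function from the BIA carries a maximum tolerable period of
disruption (MTPD) and the applications it depends on.  An application must
recover fast enough for the most time-sensitive function that uses it; the
gap between that required RTO and what DR delivers today is what the
strategy has to close.  All sample data below is constructed.
"""
from dataclasses import dataclass


@dataclass
class BusinessFunction:
    name: str
    mtpd_hours: float          # "How long can it be disrupted?"
    applications: list[str]    # technology dependencies identified in the BIA


@dataclass
class Application:
    name: str
    current_recovery_hours: float   # "How quickly can it be recovered today?"


# Assumed four-tier scheme: (upper RTO bound in hours, tier label); the last
# tier catches everything slower than 72 hours.
TIERS = [(4.0, "Tier 0"), (24.0, "Tier 1"), (72.0, "Tier 2")]
SAFETY_FACTOR = 0.5   # assumption: RTO set at half the MTPD to leave margin


def required_rto(mtpd_hours: float) -> float:
    """RTO target derived from the MTPD; it must always sit below the MTPD."""
    return mtpd_hours * SAFETY_FACTOR


def tier_for(rto_hours: float) -> str:
    for upper_bound, label in TIERS:
        if rto_hours <= upper_bound:
            return label
    return "Tier 3"


def tiered_recovery_strategy(functions, applications):
    """Return per-application RTO, tier, driving function and capability gap."""
    apps = {a.name: a for a in applications}
    required = {}   # app name -> strictest RTO imposed by any function
    driver = {}     # app name -> function imposing that RTO
    for fn in functions:
        rto = required_rto(fn.mtpd_hours)
        for app_name in fn.applications:
            if app_name not in apps:
                raise KeyError(f"BIA references unknown application {app_name!r}")
            if app_name not in required or rto < required[app_name]:
                required[app_name] = rto
                driver[app_name] = fn.name
    strategy = {}
    for app_name, rto in required.items():
        current = apps[app_name].current_recovery_hours
        strategy[app_name] = {
            "rto_hours": rto,
            "tier": tier_for(rto),
            "driven_by": driver[app_name],
            "current_hours": current,
            "gap_hours": max(0.0, current - rto),
            "meets_rto": current <= rto,
        }
    return strategy


def investment_priorities(strategy):
    """Applications missing their RTO, most critical tier and largest gap first."""
    missing = [(name, row) for name, row in strategy.items() if not row["meets_rto"]]
    # Tier labels sort lexically ("Tier 0" < "Tier 3"), then larger gap first.
    missing.sort(key=lambda item: (item[1]["tier"], -item[1]["gap_hours"]))
    return [name for name, _ in missing]


# Constructed sample BIA output.
FUNCTIONS = [
    BusinessFunction("Order capture", 8.0, ["order-api", "payment-gateway"]),
    BusinessFunction("Payroll", 96.0, ["hr-system", "payment-gateway"]),
    BusinessFunction("Marketing analytics", 240.0, ["analytics-warehouse"]),
]
APPLICATIONS = [
    Application("order-api", 24.0),
    Application("payment-gateway", 2.0),
    Application("hr-system", 36.0),
    Application("analytics-warehouse", 168.0),
]


def example_strategy():
    return tiered_recovery_strategy(FUNCTIONS, APPLICATIONS)


if __name__ == "__main__":
    result = example_strategy()
    for app, row in result.items():
        status = "OK" if row["meets_rto"] else f"gap {row['gap_hours']:.0f}h"
        print(f"{app:20} {row['tier']}  RTO {row['rto_hours']:>5.1f}h  "
              f"(driven by {row['driven_by']})  today {row['current_hours']:.0f}h  {status}")
    print("Invest first in:", investment_priorities(result))
```

The point the model makes visible is the one the "Critical Function Leaders" slide asks for: a shared dependency such as the payment gateway inherits the RTO of the most time-sensitive function that uses it (order capture, not payroll), so its tier cannot be decided from any one function's plan alone. Running the script lists each application's tier and its gap to today's capability, and orders the applications that miss their RTO so DR investment follows the BIA rather than the loudest requester.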
© Copyright 2024