ISSA SEAG - Building Organizational Resilience - March

Building organizational resilience amidst global uncertainty:
An overview of business continuity and crisis management for today’s global leaders
Bryan Strawser, MBCP, MBCI, CISSP, CEM
Principal Consultant & CEO
Data Breaches
The Last 24 Months

Company                     Impacted People
Sony Pictures               6,000
Sally Beauty                25,000
Neiman Marcus               1,100,000
Michaels Stores             3,000,000
Community Health Systems    4,500,000
PF Chang’s                  7,000,000
Home Depot                  56,000,000
Target                      70,000,000
JP Morgan                   76,000,000
Anthem                      80,000,000 (still being evaluated)
eBay                        145,000,000
Copyright © 2015 by Bryghtpath LLC | bryghtpath.com | +1-612-235-6435 | [email protected]
Global Standards
Business Continuity and Emergency Management
Business Continuity
• ISO 22301 (formerly BS25999)
• NFPA 1600
• ASIS Business Continuity Management Standard
• ASIS SPC.1: Organizational Resilience
US Government
• Federal Continuity Directives (FCD 1 / FCD 2)
• Continuity Guidance Circulars (CGC 1 / CGC 2)
ISO 22301:2012
Societal Security – Business Continuity Management Systems
• Formerly BS25999
• Adopted globally in 2012
• Intersects with other ISO Standards
– Ex: ISO 27001
• Establish and maintain a Business Continuity Management System
• Accreditation
• Certification
– Implementer / Lead
– Auditor / Lead
Professional Certifications
Business Continuity and Emergency Management
Business Continuity
• Disaster Recovery Institute International
– Associate Business Continuity Professional (ABCP)
– Certified Business Continuity Professional (CBCP)
– Master Business Continuity Professional (MBCP)
• Business Continuity Institute
– Member, Business Continuity Institute (MBCI)
– Fellow, Business Continuity Institute (FBCI)
Emergency Management
• International Association of Emergency Managers
– Associate Emergency Manager (AEM)
– Certified Emergency Manager (CEM)
Business Continuity Regulations
We’re from the government, we’re here to help…
United States
• Federal Financial Institutions Examination Council (FFIEC)
• Securities and Exchange Commission (SEC)
• Financial Industry Regulatory Authority (FINRA)
• Payment Card Industry Standard (PCI)
Business Continuity Lifecycle
ISO 22301 Business Continuity Management Lifecycle
Business Impact Analysis & Risk Assessment
Exercise, Testing, Maturing
Develop BC Strategies
Establish & Implement BC Procedures
Business Impact Analysis & Risk Assessment
Identifying critical business functions & their risks
Business Impact Analysis
• What are the critical business functions at my company?
• How long can they be disrupted?
• How quickly can they be recovered today?
• What is the impact from that disruption to my business?
• BIA Methods
Risk Assessment
• What are the risks to these functions?
• What are our top enterprise risks?
• Risk Assessment Methods
Develop BC Strategies
How can I recover my critical functions in the time period needed?
Specific actions to manage your risks and address your opportunities
• Prepare your business for disruption
• Develop Business Continuity Plans
• Implement Business Continuity Solutions
Develop BC Strategies
Business Continuity Plans
Core Components of a BC Plan
• Roles & Responsibilities
• Activation process
• Managing the immediate consequences
• Communication plan
• Recover prioritized activities
• Media response
• Process for standing down
Establish & Implement BC Procedures
What processes will I follow in a disruption?
Specific defined processes for Business Continuity
Examples:
• Emergency preparedness
• Governance
• Activation
Exercise, Testing, & Maturing
How will I exercise and test my plans? Based on those results, how will I improve?
• All plans should be exercised at least annually:
– Notification
– Table Top
– Recovery
– Fully integrated
• Disaster Recovery
– Testing DR plans and strategies
• Defined process for capturing lessons learned and applying to plans and strategies
Awareness
Connecting to Security Education and Awareness
Executive Leaders & Board Members
• An understanding of risk across the organization
• Broad, strategic overview of the program
• Clear understanding of decision making rights and their roles
• Metrics & program maturity
Typical Employee
• Emergency procedures
• High-level understanding of business continuity
Critical Function Leaders
• Understanding of how function connects to the broader business strategically
• Can describe dependencies on technologies and other functions
• Takes ownership of planning process for critical function
• Fully understands business continuity & disaster recovery plans for function
Crisis Management
A Component of Business Continuity Management
The active management of a disruption or escalating situation
Items to consider:
• Clear roles and responsibilities
• Decision making rights pre-defined
• Single source of truth for executive & board communication
• Communication products / messages
• Cross-functional coordination
Crisis Management
A Simple Framework Example
Green Team
Yellow Team
Red Team
Disaster Recovery
Business Continuity for IT Systems
• “Disaster Recovery” generally pertains to the recoverability of IT systems
– Applications
– Infrastructure
• Must be closely linked to business continuity capability
• Should heavily utilize the BIA findings to influence a tiered recovery strategy
Case Study
When a drip becomes a flood…
• 2013 Target Corporation HQ Flood
• Primarily impacted non-critical teams
• Flexibility in planning and crisis management framework enabled response despite lack of function specific plans
• Lessons Learned
Advice on Building a BC Program
Practical tips for success
• Keep things simple
• Establish clear governance up-front
• Pick a standard to guide your implementation
• Select the leader of the program carefully
– Professional certifications / subject matter expertise
– Presence / Communication skills
• Understand local, regional, country level risk
• Bring in experts where needed to augment
• This is not rocket science!
Contact Information
Bryghtpath LLC
Contact Bryan:
Bryan Strawser
Principal Consultant & CEO
Phone:
+1-612-235-6435
E-Mail:
[email protected]
Twitter:
@bryanstrawser
Learn more about our services and how we can help you:
Website:
www.bryghtpath.com
Twitter:
@bryghtpath
Facebook:
facebook.com/bryghtpathllc
Our Consulting Services Include:
Business Continuity
Crisis / Emergency Management
Enterprise Risk Management
Exercise Design & Facilitation
Global Intelligence & Security
ISO Training & Certification
Travel Risk & Security