ISACA Business Continuity Management Lifecycle


  1. ISACA Business Continuity Management Lifecycle (Deloitte & Touche LLP)
  2. Agenda
     • Introductions 12:00 – 12:05
     • Overview of Business Continuity 12:05 – 12:20
     • Business Continuity Lifecycle 12:20 – 12:35
     • Module 1: Analyze 12:35 – 1:05
     • Break 1:05 – 1:10
     • Module 2: Develop 1:10 – 1:30
     • Module 3: Implement 1:30 – 1:50
     • Issues 1:50 – 2:55
     • Q&A 2:55 – 2:05
     Copyright © 2009 Deloitte Development LLC. All rights reserved.
  3. OVERVIEW OF BUSINESS CONTINUITY
  4. What is Business Continuity Management (BCM)?
     • Business Continuity Management:
       – “The ability and readiness to manage business interruptions, in order to provide continuity of services at a minimum acceptable level and to safeguard the financial and competitive position in the short and longer term. It includes the organization in place to determine the continuous adaptation to changing risks, changing environment, and coordination of regular training and testing.”
     Business Continuity Objectives:
     • Viability – Keeping the company in business
     • Earnings/Profit Protection – Protecting the Enterprise’s Financial Commitments
     • Continuing New Business – Preserving the ability to sell in the marketplace
     • Brand Protection – Avoiding public embarrassment and loss of credibility
  5. What is BCM? (cont.)
     • Elements include
       – Principles of Risk Management
       – Design and implementation of Crisis Management and Emergency Operations Programs
       – Planning for recovery and continued availability of operations during disruptive events
       – Designing and implementing business process manual procedures for use during a disruption
       – Designing and implementing secure, fail-proof (fault-tolerant) systems for continuous availability
       – Designing and implementing threat prevention and detection systems
       – Encompasses development of procedures, acquisition of resources, testing, and maintenance
  6. Crisis event timeline
     [Timeline figure; only its labels survived extraction.]
     Phases: Incident; Emergency Response; Damage Assessment; Crisis Management Plan activated; Business Continuity Plans activated; IT-DR Plans activated; Restoration.
     Periods: Response Period; Recovery Period; Restoration Period; Normal Operations.
     Milestones: Hour “0”; Recovery Time Begins; Recovery in Place; Back to Normal.
  7. EVOLUTION OF BCM
  8. Evolution of BCM
     • The future towards a “Resilient Enterprise”
       – Companies are seeking a paradigm shift in their business continuity program – from a responsible organization to one that is able to predict and isolate events before adverse effects occur.
     [Figure: BCM capabilities plotted against Business Value and Vision; labels recovered from the figure:]
     • Backups – Making exact copies of electronic data
     • Contingency Plan – Procedures to follow after operational mishaps
     • Disaster Recovery Plan – Plan for the recovery of data processing facilities
     • Business Continuity Plan – Plan for recovering business operations
     • Business Continuity Management – Building availability into business management processes
     • Continuous Availability – Automatic rollover of information systems
     • Resilience – Hardening the enterprise against many foreseeable emergencies
     • Predictive Modeling – Anticipating the effects of emergencies before they happen
  9. Evolution of BCM (cont.)
     • A Model of Risk to Business Continuity
       – Companies are seeking an approach that is business oriented, focusing on the business process instead of applications. Companies are seeking measures based on business risk instead of event
     [Figure: Continuous Threat Monitoring model; labels recovered from the figure:]
     External Sources
     • Empirical Data: Risk analysis; Investment analysis; Geo-political risk; State of affairs; Industry-wide insights
     • Subject Matter Skilled: Economists; Forums; Geo-political risk assessment; Executives from diverse industries; Networks
     Internal Sources
     • Company Activities: Legal and regulatory; Political and economic; Interviews with key leaders/management; Focus Groups; Process subject matter experts; Company strategy; Known weaknesses
     Scenarios and Threats: People; Technology; Partners; Process; Infrastructure; Market and Economic
     Impacts of Scenarios
     Reality Check: Enhanced monitoring and mitigation technique; Assess response and mitigation plans; Redefine/Bolster test criteria; More preventive and responsive plans; Reevaluate priorities of risk
  10. Business Impact to Regulatory Requirements
  11. Impact of regulatory requirements
     (Industry / Regulation / Impact on Business Continuity Management)
     Many Publicly Traded Companies
     • Sarbanes-Oxley – Guidelines for corporate governance and oversight of accounting and audit practices as well as financial record retention
     • SEC Policy – Regulates self-regulatory organizations operating trading markets, ECNs and important "shared systems" such as market data feeds; mandates recovery/resumption by next business day; business continuity plans, geographic diversity, and industry-wide test of capacity and connectivity with counterparties
     • ISO 17799 – Requires a BCM process implementation and implementation of an acceptable level of preventative and recovery controls
     Healthcare
     • HIPAA – Requires data backup, DR and emergency mode operation plan; requires reasonable and appropriate measures relative to the size, complexity and resources of the organization
     • FDA – Establishes the requirements for electronic records and electronic signatures
     Government
     • FISMA and Executive Order on Critical Infrastructure Protection in the Information Age, 16 October 2001 – Mostly emphasizes data security rather than BC and DR. An important need to be addressed is the requirement that government is open and running during a crisis
     • COOP and COG – Establishes minimum planning considerations for federal government operations
     • NIST and Contingency Planning Guide for Information Technology Systems – Defines detailed recommendations from NIST, requiring contingency, DR and COOP plans; mandatory security controls will become a federal standard by the end of 2005. NIST 800-53A will provide assessment guidelines that are closely aligned to the controls listed in NIST 800-53
     Sources: Deloitte Research – Prospecting in the Security Economy, September 2004; Gartner Research, July 2005
     As used in this document, “Deloitte” means Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
  12. Business impact to regulatory requirements (cont.)
     Finance
     • FFIEC – Specifies that directors and managers are accountable for organization-wide contingency planning and for “timely resumption of operations in the event of a disaster”
     • Gramm Leach Bliley – Requires banks, insurance companies, brokerages, and other financial institutions to establish administrative, technological, and physical safeguards to determine the confidentiality and integrity of customer records and information. Financial institutions are required to establish measures to monitor and manage security systems
     • Basel II, Basel Committee on Banking Supervision, Sound Practices for Management and Supervision, 2003 – Requires that banks put in place BC and DR plans to determine continuous operation and to limit losses
     • Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, 2003 – More focused on systemic risk than individual enterprise recovery. Requires BCP to be upgraded and tested to incorporate risks discovered as a result of the World Trade Center disaster
     • EFA – Requires federally chartered financial institutions to have a demonstrable BCP to determine prompt availability of funds
     • NASD 3510/3520 and NYSE Rule 446 – Mandates securities firms to establish Business Continuity Plans for critical systems and to determine compliance with many aspects of the regulation including senior management review and approval, customer disclosure, and maintenance of Business Continuity Plans
     • SEC Rule 17a4 – Requires securities firms to preserve electronic records in a non-rewriteable, non-erasable format with a focus on archival practices for email systems and instant messaging
  13. Business impact to regulatory requirements (cont.)
     Utilities
     • GASB – Requires a BCP to determine that agency mission continues in time of crisis.
     • NERC – Recovery plans currently voluntary. Includes BC in information security standards for the industry-government partnership (guided by Critical Infrastructure Protection Committee [CIPC]).
     • FERC – Mandates recovery plans.
     • RUS 7 CFR Part 1730, 2005 – Emergency restoration plan required as condition of continued borrowing.
     • Telecommunications Act of 1996, Section 256, Coordination for Interconnectivity – Requires the Federal Communications Commission (FCC) to establish procedures to oversee coordinated network planning by carriers and other providers.
     • Chemical Facilities Security Act – Mandates chemical operators to craft vulnerability assessments and site security plans and grants authority to the Department of Homeland Security to regulate those plans and oversee security at the nation's chemical plants.
  14. Business Continuity Management Life Cycle
  15. Business Continuity Management Life Cycle
     The Deloitte & Touche Approach to Business Continuity Management
     • Analyze: Current State Assessment; Risk Assessment; Business Impact Analysis
     • Develop: Governance; Availability/Recoverability Strategies; Business Procedures
     • Implement: Resource Acquisition/Implementation; Training; Testing
     • Continuous Improvement / Quality Assurance
  16. Module 1: ANALYZE
  17. Current State Assessment (Analyze)
     Objective: To assess the organization’s current BCM program status, including identifying any existing gaps, and provide a quick, high-level report card based on observations and interviews.
     Overview: A current state assessment examines each major component important to a BCM program. It includes the following:
     • Evaluate the current BCM program
     • Determine where the organization is currently on a “lagging” to “leading edge” maturity scale
     • Compare with industry peer status (optional depending on scope and availability of information)
     • Align BCM program objectives with management’s goals and objectives
  18. Current State Assessment – Key Considerations (Analyze)
     The current state assessment framework could be organized into the following 15 components.
     • Leadership/Governance
     • Regulatory/Industry Compliance
     • Crisis Management
     • Business Process/Work Recovery Plans
     • Centralized IT Recovery Plans
     • Distributed IT Recovery Plans
     • Desktop-Technology Plans
     • Data Communications
     • Voice Communications
     • Data/Vital Records
     • Facilities/Infrastructure
     • Third-Party Continuity
     • Testing
     • Training
     • Life Safety
  19. Current State Assessment – Partial Sample
     Current State Assessment Summary (maturity scale: 1 – Lagging; 2 – Awareness; 3 – Partial Implementation; 4 – Implemented; 5 – Leading)
     Technology Assessment
     • IT Disaster Recovery
       1 – Many single points of failure. Limited awareness of the impact of full technology outage
       2 – Risk analysis performed. Redundancy built in for power, some redundancy in place for key technology components
       3 – Recovery plans address many aspects of IT. Mitigation of risk. Recovery sites identified
       4 – Leading technologies implemented providing full IT and system redundancy from separate locations
       5 – Examining electronic data vaulting, journaling, data replication solutions
     • Telecommunications Technology
       1 – Single telecomm provider. Limited awareness of the impact of full telecomm outage
       2 – Recovery strategy addresses partial telecomm redundancy with limited recoverability
       3 – Recovery strategy addresses partial telecomm redundancy with limited recoverability
       4 – Recovery plans address many telecomm requirements and are incorporated into annual testing
       5 – Leading telecommunications technologies such as Internet, cellular, and radio frequency are built into recovery plans
     • Data / Vital Records
       1 – Inconsistent data retention and offsite storage program in place.
       2 – Data backups stored offsite. Frequencies and methods driven by IT system and application requirements
       3 – Data backups taken for many platforms (operating sys, apps and data) and tested at remote site. Imaging program in place
       4 – Leading technologies such as elect. vaulting, journaling, mirroring are implemented. Duplicate copies of all data are maintained.
       5 – Examining methods for minimizing potential data loss and providing duplicate copies of data at multiple sites
     • Facilities / Infrastructure
       1 – Building security/safety plans exist; limited resiliency.
       2 – Awareness of need to support alternate workspace, relocation, and utilities backup/recovery
       3 – Facilities plans in development. Utilities backup/recovery planned, not fully implemented
       4 – Facilities plans implemented to support business requirements. UPS and diesel generators. Annual testing.
       5 – Exploration and implementation of Public / Private response cooperation
     People
     • Life Safety
       1 – Absence of Life Safety measures. No evacuation routes posted or evacuation drills performed
       2 – Evacuation routes and emergency medical procedures posted
       3 – Periodically conduct evacuation drills and medical emergency training. Floor wardens established
       4 – Annual testing of evacuation and medical emergency procedures. Drills and Emergency Response coordinated with local authorities
       5 – Integrated evacuation and medical testing between Crisis Management, Business Units, IT, Facilities, and external parties
     • Training and Awareness
       1 – Absence of BCP Training and Awareness Program
       2 – IT Department and Business Unit are trained to execute recovery plan activities
       3 – Regular BCP Training sessions conducted. BCP training manuals distributed to key employees
       4 – BCP Training program established includes regular employee contact and continuous improvement
       5 – Pro-active BCP Training Process including factoring in BCP / BCM into design and implementation
