Speaker notes
  • Attack statistics from only half the countries of the world. DSS: 9,859 incidents in 1999; 21,756 in 2000; and 15,4776 in the first two quarters of this year.
  • Pioneer sent a quick alert/apology/fix. FBI: I would take that further to mention current employees in that environment, or mistakes. Nash Finch: 111 retail stores, mostly grocery.
  • Risk methodology handout: mention terminated employees taking stuff, etc., intentional or not. What: PwC asked the Fortune 1000 how often they value info; 1 = never and 4 = more than yearly; the average was 2.3, or rarely. BIA: loss of competitive advantage, embarrassment/image, market share issues hard to put $$ on, increased costs to R&D, legal, insurance, fines, etc.
  • Checklists walk through the plans individually based on a scenario; self audits ask questions against the plan.
  • Policies: all have something, most orgs carefully create them; how are you measuring compliance? Planning for natural, or only electronic, threats.
  • Employees: few employees receive any training beyond new-employee training. Hackers, etc., bad people, what is that to me?? Front line see it as important. If they stumble when asked, you have a problem. Response: what would you do if, who would you call? When does legal get called?

Slide 1. The Conference Board
Business Continuity: Risk & Recovery Concerns
October 3, 2001
847-891-0473

Slide 2. Abstract
This presentation on Business Continuity, Risk and Recovery provides background as to the types of threats organizations are facing. The methodology to develop a continuity program is discussed. If an organization already has a program, then a series of questions are presented to evaluate the quality of the program.

Slide 3. Our Appreciation
We would like to thank the Conference Board and you for allowing us to make this presentation. We hope that the information provided was of value and will help you with keeping your company prepared for the future.
I again would encourage you to call us if you have questions; we would be happy to provide you with information or assistance. You can contact me at 847-891-0473 or by e-mail at [email_address].
I look forward to meeting some of you at the December meeting.
Mack Manning, Sr. Managing Director, RSM McGladrey, Inc.

Slide 4. Introduction
  • Introduction
  • Presentation goals
      • Some interesting facts
      • Business Continuity basics
      • Common questions & concerns

Slide 5. Who are we?
  • 100 McGladrey offices nationwide
  • 120+ additional McGladrey Network offices
  • Internationally, the 8th largest accounting & consulting organization in the world
  • 80 member firms, 20,000 employees, located in 74 countries

Slide 6. Recent BCP Statistics
  • Last summer's human risk averages: 20 dead, 162 kidnapped & 9 bombs per month.
  • 497 company facilities experienced terrorist attacks in 2000 (only 17 government facilities)
  • A recently released major report estimates 1.39 trillion in lost revenue from security breaches
  • Defense Security Service: 63 countries targeting information theft against US firms
  • However, 80% of compromised security is internal

Slide 7. Recent Examples
  • April 2001: A major electronics firm infected 10,000 customers with the Hybris worm
  • May 2001: FBI warns of layoff revenge in USA Today
  • August 2001: 2 employees of one of the Nation's 2 largest banks indicted for information theft
  • August 2001: Another Fortune 500 company's trade secrets revealed on Yahoo
  • September 2001: Nation's worst terrorist attack

Slide 8. Is Business Continuity the same as Disaster Recovery?
  • Disaster Recovery is more technology focused and based on rebuilding.
  • Business Continuity maps survival of your critical business processes.
  • Business Continuity Management controls all aspects: plans, communication, training, etc.

Slide 9. Business Continuity Basics
  • Risk Analysis
      • Identifying your risks
  • Business Impact Analysis
      • What is critical to your organization
      • How could it be impacted
  • Mitigation & Strategies
      • What short & long term goals help prevent this
  • Business Continuity Plans
      • For all departments
  • Testing and Auditing
      • Checklists, tabletop, live drills
  • Training and Awareness
      • For everyone, and often

Slide 10. The Commonly Asked Questions and Concerns of our Clients

Slide 11. How do I begin as an Auditor?
  • Understand the concepts of business continuity
  • Identify your key business continuity resources (internal & external)
  • Do a Business Continuity quick review
  • Review all stages of the Business Continuity process

Slide 12. What Risk Analysis Points should be Reviewed?
  • Review what threats were planned for
  • Be certain they were:
      • Scored & ranked (likelihood, speed, forewarning, etc.)
      • Encompassing
      • Recently updated
      • Separate for each location
  • Verify that all risk categories were thoroughly reviewed
      • Administrative, Electronic, Human, Natural, Operational and (for internationals) Country risks

Slide 13. What should be in Mitigation and Strategy Plans?
  • Addresses identified risks and impacts
  • Implemented on a benefit basis
      • Hard and soft costs against benefits
  • Identifies immediate and long term needs
  • Includes technical and business strategies
  • Is reviewed as systems and environments change

Slide 14. What do I look for in the plans?
  • Statements of purpose, assumptions, overview
  • Roles, responsibilities, job descriptions
  • Physical & human resource needs
  • Emergency communication and reporting structures
  • Emergency & evacuation procedures for multiple scenarios
  • Team structures, responsibilities, authority
  • Response plans for all departments
  • Recovery procedures for all departments
  • Maintenance, distribution & testing guidelines

Slide 15. What types of tests? How often?
  • Checklists & self audits: bi-annual
  • Structured walk-through/tabletop drills: annual
  • Live tests: annual (evacuations, hot sites, employee violence; should be based on risks)
  • 3rd party plan reviews: annual

Slide 16. What should be Occurring in Training and Awareness?
Look for:
  • Training occurring for all plan leaders
  • Response training being performed yearly for all employees
      • Evacuation, emergency responses to violence, etc.
  • Annual awareness training for all employees or interested 3rd parties
  • Training/awareness programs that are tailored to the audiences and regularly performed
  • Ongoing throughout the year, not only once

Slide 17. What are some Common Pitfalls?
  • Policies vs. practice: an alarming gap
  • Planning for limited, or the wrong, threats
  • Employees: a company's sleeping sentries
      • Need a new way of thinking
      • Workable plans, not endless rules
  • This is NOT an IT issue
  • Boilerplate, done once and soon outdated
  • No testing, training or awareness regularly performed

Slide 18. What should be done for employees?
  • Employees
      • Background checks, non-disclosure agreements
      • Training relevant to them
      • Lessons in social engineering
      • Re-humanize the threat; no 'scold school of training' or monitoring without explanation
      • Ask management: what are you doing?

Slide 19. What should be done for safety?
  • Check for evacuation plans
  • Succession planning
  • Employee response training
      • Medical
      • Violence, threats
      • Emergency

Slide 20. Other Questions?
H. Mack Manning, RSM McGladrey, Inc., 847-891-0473, [email_address]

Slide 21. Thank You