• Save
Exec Presentation on Achieving Enterprise Resiliency and Corporate Certification
Upcoming SlideShare
Loading in...5

Exec Presentation on Achieving Enterprise Resiliency and Corporate Certification



Provides an explanation of how Enterprise Resiliency can help your company combine recovery services into one organization speaking the same language and utilizing a common toolset, while adhering to ...

Provides an explanation of how Enterprise Resiliency can help your company combine recovery services into one organization speaking the same language and utilizing a common toolset, while adhering to the Compliance Laws of countries you do business in.



Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Exec Presentation on Achieving Enterprise Resiliency and Corporate Certification Exec Presentation on Achieving Enterprise Resiliency and Corporate Certification Presentation Transcript

  • Achieving Enterprise ResiliencyAndCorporate CertificationByCombining Recovery Operations through aCommon Recovery Language and Recovery Tools,While adhering toDomestic and International Compliance StandardsCreated by:Thomas Bronack, CBCPBronackt@dcag.comPhone: (718) 591-5553Cell: (917) 673-6992Created by: Thomas Bronack © Page: 1 Date: 25 April 2013
  • Created by: Thomas Bronack © Page: 2 Date: 25 April 2013Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comAbstract• Are you utilizing your recovery personnel to achieve maximum protection?• Have you implemented a common recovery glossary of terms so that personnel speakthe same language and can best communicate and respond to disaster events?• Is your company utilizing a common recovery management toolset?• Want to reduce disaster events, improve risk management, and insure fewer businessinterruptions through automated tools and procedures?• Does your company adhere to regulatory requirements in the countries that you dobusiness in?• Can you monitor and report on security violations, both physical and data, to bestprotect personnel, data access, eliminate data corruption, support failover /failbackoperations, and protect company locations against workplace violence?• Are you protecting data by using backup, vaulting, and recovery procedures?• Can you recover operations in accordance to SLA/SLR and RTO/RPO?• Is your supply chain able to continue to provide services and products if a disasterevent occurs through SSAE 16 (Domestic), SSAE 3402 (World)?• Do you coordinate recovery operations with the community and governmentagencies like OSHA, OEM, FEMA, Homeland Security, etc.?• Do you have appropriate insurance against disaster events?• Can you certify that applications can recover within High Availability (2 hours – 72hours) or Continuous Availability (immediate) guidelines?• If not, this presentation will help you achieve the above goals.
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 3 Date: 25 April 2013What is Enterprise Resiliency and Corporate CertificationThe Road to Achieving Enterprise Resiliency:1. Define Risks (Natural, Man-Made, End-User – refer to CERT RMM and COSO for direction);2. Determine Compliance Requirements (see GLB, HIPAA, Patriot Act, EPA Superfund, OSHA, NFPA 1600, DHS, and OEM, etc.);3. Use “Best Practices” tools and procedures (CobIT, ITIL, etc.);4. Understand road to “Corporate Certification” (DRII, BCI) and domestic and international compliance laws / regulations;5. Locate Certification Firms / Organizations (“Training the Trainers” is available now) for “Checks and Balances” / “Attestation”;6. Develop a Business Plan and formulate a Management Direction within Project Initiation Directive defining Scope and Commitment.7. Perform a Risk Assessment / BIA to define current risks, their costs, and your ability to implement controls to respond to risks;8. Build Business Recovery Plans for Offices and Business Locations;9. Build Disaster Recovery Plans to protect data centers and the IT Infrastructure;10. Build Emergency Response Plans to protect against fires, floods, natural disasters, and man-made disasters;11. Implement Workplace Violence Preventions Plans to protect personnel within business locations and provide a safe workplace;12. Implement Physical Security and an Information Security Management System (ISMS) to protect the workplace and data;13. Define Functional Responsibilities to determine what must be done and by who;14. Create / Expand Job Descriptions to direct personnel in the Recovery Planning process;15. Create / Update / Use Standards and Procedures Manuals, Usage Manuals, and required Documentation; and,16. Provide Awareness and Educational Training, Support, and Maintenance (with Version & Release Management) going forward.Enterprise Resiliency combines all recoveryoperations into one discipline using a commonlanguage and tool set.Corporate Certification guarantees that thecompany complies with all laws in thecountries they do business in.EnterpriseResiliencyEmergency OperationCenter (EOC)EmergencyManagementBusinessContinuityManagementWorkplaceViolencePreventionRisk & CrisisManagementPhysical and DataSecurity View slide
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 4 Date: 25 April 2013Business Continuity Management Disciplines and IntegrationContingencyPlanningDisasterRecoveryRiskManagementBusinessRecoveryCharter:Eliminate Business Interruptions;Ensure Continuity of Business;Minimize Financial Impact; andAdhere to Legal / RegulatoryRequirementsInformation TechnologyProtectionCritical Jobs;Data Sensitivity and AccessControls;Vital Records Management;Vaulting and Data Recovery;Recovery Time Objectives;Recovery Point Objectives; andMainframe, Mid-Range, andServers.Risk ManagementExposures (Gaps andExceptions);Insurance;Legal / RegulatoryRequirements;Cost Justification; andVendor Agreements.Corporate AssetProtectionInventory ControlAsset ManagementConfigurationManagementBusiness Continuity; andOffice Recovery.Contingency RecoveryDisciplinesContingencyRecoveryPlanningFacilitiesExecutiveManagementPersonnelGeneralServicesPublicRelationsFinanceAuditingCompanyOperationsInformationTechnology“Contingency Planning affects every part of theorganization and is separated into logical workareas along lines of responsibility”.“These four Contingency PlanningDisciplines allow for logical workseparation and better controls”“Establishing interfaces with keydepartments will allow for the inclusionof corporate-wide recovery procedures(Security, Salvage, and Restoration, etc.)in department specific Recovery Plans”SuppliersSupply Chain safeguardsmust be enforced tomaintain supply deliveryand continued operations View slide
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 5 Date: 25 April 2013Lifecycle of a Disaster Event (Why we create Recovery Plans)Secondary SitePrimary SitePrimary SiteDisaster Event:• Event;• Analyze;• Declare;• Failover.Primary SiteSafeguard:• Evacuate;• Protect Site;• FirstResponders.Primary SiteSalvage:• Clean;• Repair;• Resupply.Primary SiteRestoration:• Restart;• Test;• Success;• Failback.Primary SiteResume:• ReloadData;• Restart;• Continue.Failover Production Recovery ProcessingProduction Site Salvage and RestorationResume Productionat Primary SiteFailoverStart UpFailbackShut DownHigh Availability(HA) is RTO / SLAbased SwitchContinuousAvailability (CA) isimmediate SwitchRepair Primary Site to Resume Production via FailbackCA HANormal Productionat Primary SiteProduction ProductionSwitch
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 6 Date: 25 April 2013Charter and Mission Statement:1. Insure Continuity of Business and Eliminate / Reduce Business Interruptions (Enterprise Resilience);2. Assure “Corporate Certification” by complying with Regulatory Requirements for countries that you dobusiness in, through Risk Management and Crisis Management guidelines (CERT / COSO);3. Adhere to Service Level Agreements (SLA) through Service Level Reporting (SLR) and the use of Capacityand Performance Management procedures;4. Implement Enterprise-Wide Recovery Management by combining Business Continuity Management(BCM), Disaster Recovery Planning (DRP), and Emergency Management (EM);5. Utilize “Best Practices” to achieve “Enterprise Resiliency” (CobIT, ITIL, etc.);6. Protect personnel and achieve physical security through Workplace Violence Prevention principals,laws, and procedures;7. Guaranty data security through access controls and vital records management principals andprocedures within an Information Security Management System (ISMS) based on ISO27000;8. Achieve Failover / Failback and data management procedures to insure RTO, RPO, and Continuity ofBusiness within acceptable time lines (Dedupe, VTL, Snapshots, CDP, NSS, RecoverTrak, etc.);9. Integrate recovery management procedures within the everyday functions performed by personnel asdefined within their job descriptions and the Standards and Procedures Manual;10. Embed Recovery Management and ISMS requirements within the Systems Development Life Cycle(SDLC) used to Develop, Test, Quality Assure, Production Acceptance / Implement, Data Management,Support and Problem Management, Incident Management, Recovery Management, Maintenance, andVersion and Release Management for components and supportive documentation;11. Develop and provide educational awareness and training programs to inform personnel on how best toachieve the corporate mission.
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 7 Date: 25 April 2013Goals and Objectives:Protecting the BusinessProtecting Information TechnologyEliminate / Reduce BusinessInterruptionInsure Continuity of Business bycertifying application recoveryConduct Risk Management andInsurance Protection reviewsProvide Personnel Protections(HRM, Safe Workplace, andEmployee Assistance Programs)Vendors - Supply ChainManagement & Control(ISO 24672 / ISO 27031)Protect Clients (Products /Services) via adherence to SLA /SLR guidelinesLocations / Infrastructure Community / Business / Personnel Lines of BusinessPhysical / Data Security Compliance Recovery ManagementOptimized Operations Insurance ReputationBuild IT Location (Safe Site,HVAC, Water, Electrical, RaisedFloor, etc.)Asset Management (AssetAcquisition, Redeployment, andTermination)Configuration Management /Version and Release ManagementUse Best Practices like CERT /COSO, CobIT, ITIL.v3Mainframe, Mid-Range, Client /Server, and PC safeguardsCommunications (Local, LAN,WAN, Internet, cloud)System Development Life Cycle(SDLC) optimizationProducts and Service SupportDevelopment, EnhancementSupport and Maintenance forproblems and enhancementsData Management (Dedupe/VTL / Snapshots / CDP)Information Security ManagementSystem via ISO27000Data Sensitivity and AccessControls (Applid / Userid / Pswd)Vaulting, Backup, and Recovery Disk / File copy retrieve utilities RTO, RPO, RTC
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 8 Date: 25 April 2013Risk Management:• Define Risk Management Process in accordance with COSO / CERT guidelines, including:• Internal Environment Review;• Objective Setting;• Event Identification;• Risk Assessment and Response Definitions;• Control Activities;• Information and Communications; and• Monitoring and Reporting.• Define Legal and Regulatory Requirements (Domestic and International as needed);• Determine OCC, Tax, and Industry compliance requirements;• Perform an IT Audit / Risk Assessment to uncover Gaps and Exceptions;• Define Mitigations and their Costs, along with data gathering and reporting guidelines;• Calculate cost of Mitigation against cost of Gap / Exception to prioritize responses;• Review Vendor Agreements for primary and secondary sites to eliminate / minimize Supply Chaininterruptions ISO 24762, (SSAE 16, SSAE 3402, NIST 800-34) ISO 27031;• Obtain Insurance Quotes and select appropriate insurance protection;• Integrate within the everyday functions performed by personnel as outlines in their jobdescriptions and the Standards and Procedures Manual; and,• Develop documentation, awareness, and training materials.
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 9 Date: 25 April 2013• Formulate Recovery Management Business Plan, including:• Charter, Mission Statement, Scope and Deliverables;• Project Plan, Goals and Objectives, Functional Requirements and Skills, Task Descriptions, Timeline;• Management Support, Funding, and Announcement, with their “Strong Backing”.• Develop a Project Plan, Organization Structure, Job Functions;• Work Flow and Systems Development Life Cycle (SDLC);• Problem / Incident Management and Help Desk (Command Centers and EOC);• Change Management and Version and Release Management to repair problems and add enhancements;• Asset and Configuration Management;• Access Control and Library Management (Security, Backup / Recovery);• Service Level Agreements (SLA) / Service Level Reporting (SLR); and,• Recovery Time Objective (RTO) / Recovery Point Objective (RPO), and Recovery Time Capability (RTC).• Implement Recovery Document Library Management, including:• Private Personal and Group Drive for developing / sharing recovery information;• Public Drive containing: Recovery Plans , Training Materials, Glossary of Terms, and Continuity of BusinessPublic Documents;• Backup / Recovery, VTL, Dedupe, Snapshots, Forward Recovery, Virtualization, and WAN optimization.• Identify and Train Recovery Management Coordinators from Business Units;• Subject Matter Experts supporting Business Units; and• Stakeholders and Participants.• Select automated Recovery Management and Integration Tools:• Risk Management Assessment, Business Impact Analysis;• Recovery Plan creations, and Recovery Plan testing from Table-Top to Recovery Certification;• Mitigate any Gaps & Exceptions;• Mediate any Obstacles Impeding Recovery Testing;• Repeat Testing – Repair – Testing Cycle until Recovery Certified;• Repeat testing until Gold Standard is reached via Flip / Flop ability (can run at Primary or Secondary site);• Integrate process within everyday functions performed by personnel.Establishing the Recovery Management and Enterprise Resiliency process
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 10 Date: 25 April 2013Achieving Enterprise Resiliency and Corporate Certification Process1. Review existing Recovery Operations, including:• Emergency Management Preparedness;• Business Continuity and Disaster Recovery Management;• Workplace Violence Prevention; and,• Enterprise Security (Physical / Data).2. Evaluate Command Centers and how they interact with Recovery Operations, including:• Emergency Operations Center (EOC);• Incident Command Center (ICC);• Help Desk (HD);• Network Command Center (NCC); and,• Operations Command Center (OCC).3. Define Company Lines of Business (LOB’s), including:• Business Functions, Products, and Services provided;• Locations and Personnel;• Customers and Suppliers;• Applications and Business Processes; and,• Existing Evacuation, Crisis Management, and Recovery Operations.4. Document Integration Requirements, including:• Service Level Agreements (SLA) and Service Level Reporting (SLR);• Systems Development Life Cycle (SDLC) and Workflow Management;• Use of Best Practices Tools and Procedures like COSO, CobIT, and ITIL;• Ensure adherence to Regulatory Requirements, and Security Requirements (Domestic & International); and• Define Functional Responsibilities, Job Descriptions, Standards and Procedures.5. Create Business and Implementation Plan, including:• Mission Statement, Goals and Objectives, Assumptions, and Scope and Deliverables;• Gain Management approval through written report and presentation, then initiate project;• Develop a Detailed Project Plan with tasks, deliverables, time frame, costs, and resource requirements;• Define Functional Responsibilities, Standards and Procedures, and Job Descriptions for personnel;• Establish Support, Maintenance, Change Management, and Version and Release Management procedures; and,• Provide Oversight, Awareness, and Training.
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 11 Date: 25 April 2013Foundation consist of:Enterprise Resiliency;Risks and Compliance issues;Corporate Certification Guidelines;Best Practices;Available Tools; andCertification Firm.Workplace Violence PreventionThreats;Predators;Violent Events; andEmployee Assistance Programs.Best Practices consist of:COSO / CobIT / ITIL;ISO 27000; andFFIEC, etc.Enterprise Resiliency consist of:Emergency Management;Business Continuity Management;Workplace Violence Prevention;Workflow Management;Functional Responsibilities;Job Descriptions; andStandards and Procedures.Corporate Certification consist of:BS 25999 / ISO 22301;Private Sector Preparedness Act;CERT Enterprise RMM Framework; andNFPA 1600.Physical SecurityandAccess ControlsGlobal Standards include:ISO 22300 – Global Standard;NYSE 446;SS 540 (Singapore);ANZ 5050 (Australia)BC Guidelines (Japan); and more.House of Enterprise ResilienceEnterprise Resiliency must be built upon a Solid Foundation
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 12 Date: 25 April 2013-confidential-Building Your Team & CapabilitiesStaff / Management Awareness & TrainingTraining Matrix & Master PlanShort Training SessionsWorkshops / Awareness SessionsOrganizational RolesIncorporate R&R into JD’sDefining Roles & ResponsibilitiesDefining the Committees & TeamsContinual ImprovementTesting & ReviewUpdateReviewTestingImplementationEmergency ResponseDamageAssessmentLife & SafetyCrisis MgmtPlan DevelopmentProcedure DevelopmentChecklist DevelopmentContact InformationEscalation &NotificationDisaster DeclarationData & RecordRecoveryUnderstanding Your BusinessRequirements & StrategyPolicies Business ImpactRisk AssessmentContinuityStrategiesInitiationProgram ManagementProject StatementTimelineMaturity AssessmentPreventiveMeasuresAssuranceDEFINE OVERALLIMPLEMENTATIONAPPROACH
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 13 Date: 25 April 2013COSO Risk AssessmentCommittee Of Sponsoring Organizations (COSO) was formed to developRisk Management and Mitigation Guidelines throughout the industry.Designed to protect Stakeholders from uncertainty and associated risk that could erode value.A Risk Assessment in accordance with the COSO Enterprise Risk Management Framework, consists of(see www.erm.coso.org for details):• Internal Environment Review,• Objective Setting,• Event Identification,• Risk Assessment,• Risk Response,• Control Activities,• Information and Communication,• Monitoring and Reporting.Creation of Organizational Structure, Personnel Job Descriptions and Functional Responsibilities,Workflows, Personnel Evaluation and Career Path Definition, Human Resource Management.Implementation of Standards and Procedures guidelines associated with Risk Assessment to guarantycompliance to laws and regulations.Employee awareness training, support, and maintenance going forward.
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 14 Date: 25 April 2013CobiT FrameworkControl Objectives for InformationTechnology (CobiT)Is designed to extend COSOcontrols over the IT environment by:• Providing guidelines for Planningand integrating new products andservices into the IT Organization• Integrating new acquisitions;• Delivering new Acquisitions / Mergersand supporting them going forward;• Monitoring IT activity, capacity, andperformance; so that• Management can meet BusinessObjectives, while protectingInformation and IT Resources.CobiTBusinessObjectivesInformationIT ResourcesMonitoringandReportingDelivery andSupportAcquisition andImplementationPlanning andOrganizationIT PlanInformation ArchitectureTechnology DirectionIT Organization andRelationshipsManage IT investmentCommunicate ManagementGoals and DirectionManage Human ResourcesEnsure Compliance withExternal RequirementsAssess RisksManage ProjectsManage QualityManage The ProcessAssess Internal ControlAdequacyObtain IndependentAssuranceProvide for IndependentAuditDefine Service LevelsManage third party servicesManage Performance and CapacityEnsure continuous serviceIdentify and attribute costsEducate and train usersAssist and advise IT customersManage the configurationManage problems and incidentsManage DataManage FacilitiesManage OperationsIdentify Solutions,Acquire and maintain applicationsoftware,Implement Asset Managementprocedures for acquisition,redeployment, and termination ofresources,Develop and maintain ITprocedures,Install and accept systems,Manage change.CobiT Framework and FunctionalityCriteriaEffectivenessEfficiencyConfidentialityIntegrityAvailabilityComplianceReliabilityDataApplication SystemsTechnologyFacilitiesPeople
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 15 Date: 25 April 2013ITIL V3 Overview3. Service Transition• Change Management• Project Management (Transition Planning and Support)• Release and Deployment Management (V & R Mgmnt)• Service Validation and Testing• Application Development and Customization• Service Asset and Configuration Management• Knowledge Management4. Service Operation• Event Management• Incident Management• Request Fulfillment• Access Management• Problem Management• IT Operations Management• Facilities Management1. Service Strategy• Service Portfolio Management (availableServices and Products)• Financial Management (PO, WO, A/R, A/P,G/L, Taxes and Treasury)2. Service Design• Service Catalogue Management• Service Level Management (SLA / SLR)• Risk Management (CERT / COSO)• Capacity and Performance Management• Availability Management (SLA / SLR)• IT Service Continuity Management (BCM)• Information Security Management (ISMS)• Compliance Management (Regulatory)• Architecture Management (AMS, CFM)• Supplier Management (Supply Chain)ITIL Available ModulesITIL Five Phase approach to IT Service Support1. Service Strategy,2. Service Design,3. Service Transition,4. Service Operation, and5. Continual Service Improvement.
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 16 Date: 25 April 2013Compliance Laws that must be adhered• Gramm Leach Bliley – Safeguard Act (was Bank Holding Act);• Dodd – Frank – Wall Street Reform and Consumer Protection Act;• HIPAA – Healthcare regulations (including ePHI, HITECH, and Final Ombudsman Rule);• Sarbanes – Oxley Act (sections 302, 404, and 409) on financial assessment and reportingby authorized “Signing Officer”;• EPA and Superfund (how it applies to Dumping and Asset Management Disposal);• Supply Chain Management “Laws and Guidelines” included in ISO 24762 (SSAE 16 forDomestic compliance and SSAE 3402 for International Compliance, and NIST 800-34);• Supply Chain Management “Technical Guidelines” described in ISO 27031;• Patriots Act (Know Your Customer, Money Laundering, etc.);• Workplace Safety and Violence Prevention via OSHA, OEM, DHS, and governmentalregulations (State Workplace Guidelines and Building Requirements);• Income Tax and Financial Information protection via Office of the Comptroller of theCurrency (OCC) regulations (Foreign Corrupt Practices Act, OCC-177 ContingencyRecovery Plan, OCC-187 Identifying Financial Records, OCC-229 Access Controls, andOCC-226 End User Computing).
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 17 Date: 25 April 2013Laws and Regulations concentrate on the VALIDITY of PROVIDED DATA, sowe start with a review of how sensitive data is described, created, protected,and used, including:• Identify the lifecycle of data used in financial reporting and compliance;• Where does it come from and who owns it?• What form is it in (Excel, Database, manual, fax, email, etc.),• Who has access to the data and how can they impact data (CRUD - create, read,update, and delete).• Review current Data Sensitivity and IT Security procedures;• Examine Library Management, Backup, Recovery, and Vaulting procedures associatedwith sensitive data;• Review Business Continuity Planning and Disaster Recovery procedures used to protectand safeguard critical Information Technology and Business facilities;• Utilize existing Standards and Procedures to duplicate process and identify errors; and,• Examine the available Employee Awareness and Education programs.As a result of this study, it will be possible to identify weaknesses and developprocedures to overcome the weaknesses, thereby improving data efficiency andproductivity.How do we comply?
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 18 Date: 25 April 2013VendorDRDRProcessISO 24762EndISO 27031DRTestingSSAE 16DomesticSSAE 3402InternationalNIST 800-34TechnicalEnd User ITDR PlansRiskAssessmentBusiness ImpactAnalysisCertifying Vendor Recovery Plans and ValidatingSupply Chain resiliencyRecognizeDR EventRespondTo EventSalvage &RestorationReturn toPrimary SiteInitialTestingAfterChangeAfterEnhancementAfterGrowthIncludeVendorsUse Primary &Secondary SitesLaws andGuidelinesTechnicalGuidelines
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 19 Date: 25 April 2013How reporting is accomplishedOperationsRisk ManagerOperationsRisk ManagerTechnicalRisk ManagerChief ExecutiveOfficer (CEO)Chief FinancialOfficer (CFO)ComplianceReportsCompany Operations Technical Services Executive Management Compliance ReportingSection 404 of the Sarbanes-Oxley Act (SOX) says that publicly traded companies must establish, document, and maintaininternal controls and procedures for Financial and Compliance reporting. It also requires companies to check theeffectiveness of internal controls and procedures for Financial and Compliance reporting.In order to do this, companies must:• Document existing controls and procedures that relate to financial reporting.• Test their effectiveness.• Report on any gaps or poorly documented areas, then determine if mitigation should be performed.• Repair deficiencies and update any Standards and Procedures associated with the defects.- Extract Information,- Generate Financial Reports,- Ensure Record Safeguards,- Ensure Record Formats,- Generate Compliance Reports,- Validate Information,- Submit Reports.- Protect Information,- Data Security,- Access Controls,- Library Management,- Production Acceptance,- Version and Release Mgmt.,- Business Continuity,- Disaster Recovery,- Emergency Management,- Standards and Procedures.- Validate Information,- Establish Reporting Criteria,- Gather data and report,- Review Reports,- Attest to their accuracy,- Submit Reports.- Report Information,- Submitted Quarterly,- Attested to Annually,- Reviewed by SEC andother agencies to insurecompliance.
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 20 Date: 25 April 2013• Review of Compliance Requirements (Business and Industry)• Ensure Data Sensitivity, IT Security and Vital Records Management,• Eliminate Data Corruption and Certify HA / CA Application recovery,• Adhere to Systems Development Life Cycle (SDLC),• Utilize Automated Tools whenever practicle,• Elimination of Single-Point-Of-Failure concerns,• Create Inventory / Configuration / Asset Management guidelines,• Develop Incident / Problem and Crisis Management procedures,• Integrate Work-Flow automation through Re-Engineering processes,• Implement and conduct Training and Awareness programs.Strategies for Eliminating Audit Exceptions
  • Achieving Recovery Time Objective (RTO) / Recovery PointObjective (RPO) and Recovery Time Capability (RTC)DisasterEventRecoveryPointObjective(RPO)RecoveryTimeObjective(RTO)RecoveryTimeCapability(RTC)Production ProcessingCA Immediate switch to Secondary SiteHA Certified Recovery to Secondary SiteReload LastBackupOr SnapshotProductionProcessingInterruptedDataForwardRecoveryPlannedRecoveryTimeTime neededtoRecoverData savedin last goodBackup orSnapshot(RestoreDuration willvary)Actual Timeneeded toRecoverExtendedLossProduction ProcessingResumedSecondary Site must contain synchronized data and infrastructurePrimary Site recovers data and infrastructure within RTOOther Terms include:RTE – Recovery Time Expectation;RPE – Recovery Point Expectation; andSRE – Service Recovery Expectation.Loss equals Actual Time needed toRecover, costs for staff, loss ofclient productivity, and damage tocorporate reputation.Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 21 Date: 25 April 2013CA GoldStandardHA RecoveryCertification
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 22 Date: 25 April 2013Optimized Protection / Recovery Data ServicesSnapshotsData De-duplication eliminatesduplicate data files and network trafficto a Virtual Tape Library (VTL)Real backup tapes can becreated directly from the VTL.Forward Recoverybetween Snapshots
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 23 Date: 25 April 2013Store and Forward concept for data transmission / reception andachieving Recovery Certification and the Flip / Flop Gold StandardDataEnd UserApplicationPrimarySystemAccessMethodNCNOSystemApplicationSecondarySystemAccessMethodSwitchTelcoDataModem SwitchLine SwitchExchange SwitchTelco Tests:• Internal Modem Test;• End-to-End Continuity Test; and,• Data Transmission Testing.Data is Transmitted viaRead / Write or Get / Putcommand and placed inoriginating data buffer.Data is safeguarded viabackup / recover withinRTO time framerequired. Use of Dedupe,VTL, CDS, and High SpeedWAN can speed datarecovery to withindictated recovery timeframes.If Primary System failsyou should be able to“Failover” to a SecondarySystem and return via“Failback” operation.Flip / Flop is when youcan run operations fromeither site if desired.Data is passed through theSystem to the Access Methodfor transmission.Data Buffer is maintained until a“Positive Acknowledgement” isreceived. Retries occur when“Negative Acknowledgements”are received. If retry thresholdis reached, error message ispresented and corrective actionscan be taken.Because Data stays in “Originating” buffer until a “Positive Acknowledgement” is received, it is protected from loss. If failureoccurs, data is not transmitted and error message generated so that recovery and corrective actions can be performed.Switches are used to selectsecondary paths when errorsoccur, so elimination of“Single Point of Failure” is acritical issue.NCNOSwitchHA / CA Availability,Failover / Failback“Certification”, And Flip/ Flop “Gold Standard”
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comManagementCommitmentRiskManagementBusinessImpact AnalysisBIASelectBCM ToolsRecognize theNeed for Recovery(Business Loss)Initiate RecoveryExecutiveCommitteeDefine GoalsAnd ObjectivesObtainFundingCompliance &Regulatory NeedsAuditControlsSupplyChainGaps &ExceptionsSLA’s/ SLRInsurance Cost toRepairMediate /MitigateLocation &ApplicationsRateCriticalityRTO, RPO,RTCRate Ability to AchieveRecovery GoalsGaps &ExceptionsCost toRepairAutomatedBCM Tool?BIA & PlanCreationTrainStaffCreate, Test, &Implement BCM PlansStartACreating Business Recovery PlansMediate /MitigateImpedingObstaclesCreated by: Thomas Bronack © Page: 24 Date: 25 April 2013
  • ADefine CriticalApplicationsSubstantiationRecoveryTestingMediation /MitigationHigh AvailabilityAnd ContinuousAvailabilityIdentifyStakeholders andContributorsDesign MeetingAgenda andDeliverablesSchedule &ConductMeetingsValidateApplicationCriticality (SLA)Use Artifacts tosupport criticalityand RTO / RPOAny Gaps &Exceptionsfound?ArchitecturalAssessment tolocate ObstaclesMediate / Mitigate Impeding Obstacles, Gaps &Exceptions until application is able to be TestedTest Applications &Secondary SiteCertify HA Recovery orCA Gold StandardDefine ObstaclesThat ImpedeGaps &Exceptions?FailedApplicationsObstacles &ImpedimentsDefine RepairCostsRe-Test Application untilCertified, if possibleEndRe-Test ApplicationUntil CertifiedAttestationLetterHigh Availability and Continuous Availability CertificationMediate /MitigateMitigate /MitigateOKOKOKOKAchieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com(This process should be performed periodically to insure recoverability after changes)Created by: Thomas Bronack © Page: 25 Date: 25 April 2013
  • Compliance toCountry Laws andRegulationsInfrastructure &Suppliers capable ofsupporting needsHardware capable ofsupporting workloadprocessingSoftware capable ofsupporting workloadprocessingRecovery Plans andPersonnel Proceduresneed improvementGaps & ExceptionsMitigateObstacles & ImpedimentsMediateTestHA RecoveryCertificationFailureSuccessTesting High Availability (HA) and Continuous Availability (CA) for RecoveryCertification and ability to Flip / Flop between Primary and Secondary SitesAchieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comReady forTestingReady forRe-TestingProblemRepairedThe Road to Successful Recovery CertificationTesting Failure Loop, until Successful Recovery CertificationCreated by: Thomas Bronack © Page: 26 Date: 25 April 2013CA GoldStandard
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 27 Date: 25 April 2013Development TestingReleaseAndVersionControlBusinessRecoveryFacilityDisasterRecoveryFacilityOff-SiteVaultEnd-UserRequest forNew ProductOr ServiceOn-LineData FilesBKUPUnit andSystemTestingQualityAssuranceNaming,Documents,andPlacementSecurity,Vital Records,Back-up,Recovery,Audit.Production AcceptanceOn-LineData FilesBKUPSecurity,Vital Records,Back-up,Recovery,Audit.ProductionOn-LineData FilesBKUPVendor SiteVendor SiteChangeManagementMaintenanceEnhanceAndRepairPeriodicReal-TimeEnd-User Defines:• Business Purpose,• Business Data,• Ownership,• Sensitivity,• Criticality,• Usage,• Restrictions,• Back-Up, and• Recovery.Company orClient SiteEnd-UserLocationUpdateRecoveryNewSystems Development Life Cycle (SDLC), Components and flow
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 28 Date: 25 April 2013DisasterRecovery SiteDevelopment MaintenanceTesting andQualityAssuranceDevelopment And Maintenance EnvironmentsCompanyDataElectronicTransmissionElectronicTransmissionSystems Development Life Cycle (SDLC)NewApplicationsEnd User“Work Order”to create a newProduct orServiceOpen NetworkWithMultiple Access PointsRemoteLocationsProductionSite #2Customers;Credit Bureaus;Feed-Files; and,Other Locations.Physically TransportedUsing TapeOnly EncryptionProblem ResolutionAndEnhancementsSend ApprovedApplicationsTo ProductionAcceptanceCloudComputingLocalSitesLocalTape / DataVaultLocalTape / DataVaultRemoteTape / DataVaultProductionSite #1Electronic Vaulting;Incremental Vaulting; and,Electronic transmission toDisaster Recovery SiteLocalSitesEncryption of “Data at Rest”to Provide Total ProtectionOverview of the Enterprise Information Technology EnvironmentEncrypting Data-In-Movement will protectdata being transmitted toremote sitesBusiness LocationsIT LocationsPhysical /CloudPhysical/ Virtual
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 29 Date: 25 April 2013Fully Integrated Recovery Operations and Disciplines (Physical End Goal)Business ContinuityManagementEmergencyOperations Center(EOC)EmergencyResponseManagementNetworkCommandCenterOperationsCommandCenterHelpDeskRiskManagementDisaster andBusinessRecoveryCrisisManagementWorkplaceViolencePreventionIncidentCommandCenterFirst Responders(Fire, Police & EMT)Department ofHomeland Security(DHS)State and LocalGovernmentOffice of EmergencyManagement(OEM)Lines ofBusinessLocationsEmployeesCustomersSuppliersContingencyCommandCenterCommandCentersCorporateCertificationPrivate SectorPreparedness Act(DomesticStandard)BS 25999 / ISO22301(InternationalStandard)National FirePreventionAssociationStandard 1600BusinessIntegrationService LevelAgreements andReportingSystemsDevelopmentLife CycleSix Sigma /Standards andProceduresCOSO / CobIT /ITIL / FFIECWorkplaceViolence PreventionCERT ResiliencyEngineeringFrameworkInformation SecurityManagement System (ISMS)based on ISO 27000ISO2700SecurityStandardsOSHA,DHS, OEM,WorkplaceSafetyA fully integrated recovery organization will includethe components shown in this picture.Corporate Certification is achieved through thecompliance laws and regulations used to providedomestic and international guidelines thatenterprises must adhere to before they can dobusiness in a country.Workplace Violence Prevention and InformationSecurity is adhered to by implementing guidelinesto protect personnel and data by following thelatest guidelines related to these topics.Internal command centers responsible formonitoring operations, network, help desk, andthe contingency command center will provide vitalinformation to the Emergency Operations Centerstaff.Organizational departments, locations, andfunctions should be identified and connectionsprovided to the EOC so that communications andcoordination can be achieved in a more accurateand speedy manner.Using this structure will help organizations bettercollect recovery information and develop recoveryoperations to lessen business interruptions andprotect the company’s reputation.
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 30 Date: 25 April 2013Fully Integrated Resiliency Operations and Disciplines (Logical End Goal)• State and LocalGovernment,• First Responders (Fire,Police, & EMT),• Department ofHomeland Security(DHS),• Office of EmergencyManagement (OEM),• Local Community.• Risk Management (COSO),• Disaster Recovery,• Business Continuity,• Crisis Management,• Emergency Management,• Workplace ViolencePrevention,• Failover / Failback,• Protection, Salvage &Restoration.Private SectorPreparedness Act(DomesticStandard)CERT ResiliencyEngineeringFramework, ITILand COSOISO22313 andISO22318(InternationalStandard)National FirePreventionAssociation1600 StandardContingencyCommandCenter (CCC)IncidentCommandCenter (IC)Help Desk(HD)OperationsCommandCenter (OCC)NetworkCommandCenter (NCC)CorporateCertificationCommandCentersInformation SecurityManagement System (ISMS)based on ISO27000WorkplaceViolencePrevention Emergency OperationsCenter (EOC)Lines ofBusinessEmergencyResponseManagementBusinessContinuityManagementBusinessIntegration• Locations,• Employees,• Infrastructure,• Equipment,• Systems,• Applications,• Services,• Supplies,• Customers,• RTO, RPO, andRTC.• Service Level Agreements (SLA)& Reporting (SLR),• Systems Development Life Cycle(SDLC),• CobIT, ITIL, and FFIEC,• ISO Guidelines,• Audit and Human Resources,• Six Sigma or Equivalent forPerformance and WorkflowManagementOffice of theController ofthe CurrencyOSHA, OEM,DHS
  • Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.comCreated by: Thomas Bronack © Page: 31 Date: 25 April 2013Where do we go from here• Allow us to present to your management and technical staffs to review the subject anddetermine your needs.• Agree that you want to achieve Enterprise Resiliency and Corporate Certification.• Allow us to work with your staff to perform a Risk Assessment that will define yourneeds, which we will deliver to management as a written report and presentation.• Obtain management approval to initiate the project with their strong support.• Identify Stakeholders and Participants.• Formulate teams and train them on the goals and objectives of this project.• Create a detailed Project Plan and have teams work towards achieving the deliverablesdescribed in the document, within the stated time frame and costs.• Develop, Test, Implement “Proof of Concept”, gain approval and then: “Rollout”Enterprise Resiliency and Corporate Certification to all locations.• Fully document and Integrate the Standards and Procedures associated with EnterpriseResiliency and Corporate Certification, Functional Responsibilities, Job Descriptions,Security Procedures, and Recovery Plans within the everyday functions performed.• Deliver Awareness and Training services.• Provide Support and Maintenance services going forward.