
SAMA BCM Framework

Presented by Dhiraj Lal

About Continuity & Resilience (CORE)

Consulting Services (ISO 22301 Certified)
• Cyber Security
• Business Continuity Management
• Crisis Management
• IT Disaster Recovery
• Information Security
• Risk Management

Training Services
• NCEMA developed training (we are trainers for the NCEMA courses at GCAS, an NCEMA licensed training entity)
• CORE is an approved Global Training partner for the UK based Business Continuity Institute, licensed to conduct BCI trainings anywhere in the globe

Notification and Automation Tools
CORE acts as an enabler between the partner & client by providing support for:
• Gathering requirements
• Shortlisting vendors
• Subject matter expertise for tool selection
• Performing vendor demos
• Tool installation & implementation support for BC, ITDR & Notification
• Assistance during tool testing

SAMA BCM Framework

  1. Continuity & Resilience (CORE), ISO 22301 BCM Consulting Firm. Presentations by speakers at the 8th ME Business & IT Resilience Summit, March 10, 2019, at The Address Hotel, Dubai Mall, Dubai, UAE
  2. SAMA BCM Framework. Dhiraj Lal, Executive Director, Continuity and Resilience, Abu Dhabi. 8th BC & IT Resilience Summit, March 10, 2019, The Address Hotel, Dubai Mall
  5. E-learning Development and Deployment
     • Higher coverage
     • Consistency in communication
     • Higher learning retention
     • Learn at your own pace, anytime and anywhere
     • Latest and most updated courseware always available
     • Cost effective compared with classroom based training
     • Saves paper, reduces carbon footprint
     (Module graphic: Crisis Management, Business Continuity, IT Service Management, Sustainability)
  6. Our Consulting approach (BCM Consulting Assignment)
     Initial Assessment & Roadmap: Interview Senior Management, Documentation Review, Implementation Review, Maturity Assessment, Industry Benchmarking, Current State Assessment, Assessment Report
     Implementation: Program Management Plan, Business Impact Analysis, Risk Assessment, BC Strategy & Response
     Operationalize the BCMS: Exercising & Testing, Performance Evaluation, Continual Improvement
     Benefits:
     • Assurance & long term sustainability
     • Validation of documented steps
     • Effective & coordinated response during a crisis, minimizing decision points at the time
     • Identify potential threats & take measures to mitigate impact
     • Focus on high priority items
  7. Training
     • Cyber Attack / Crisis Simulation Exercise
     • Senior Management Awareness workshops
     • ISMS and BCMS coordinators training courses
     • BCI Courses: CBCI Certification Workshop, BIA, Writing BC Plans workshops
     • Certification aspirants workshops for CISSP, CISA, CISM and CRISC
     • ISO 27001 Lead Auditor training
     • ISO 22301 Lead Implementer / Auditor training
     • ISO 31000 (Risk Management) courses
     • IT Disaster Recovery workshop
  8. Training
     • NCEMA "official" courses:
       ✓ 1 day awareness
       ✓ 5 day Lead Implementer
       ✓ 5 day Lead Auditor
       ✓ 2 day Exercising and Testing
     • Cyber Attack / Crisis Simulation Exercise
     • Senior Management Awareness workshops
     • Coordinator training courses in ISMS and BCMS
     • BCI Courses: CBCI Certification Workshop, BIA, Writing BC Plans
     • Lead Auditor training in ISO 27001 / ISO 22301
     • Certification in Risk Management, IT Disaster Recovery, Crisis Management
  9. SAMA Framework
     • Is quite explicit about what is to be done
     • Mandates many items often left unsaid
     • Could well be used by non-banks also; key principles are valid for any industry
     • Can be used as a guidance document for any industry, any geography, any ownership
     • Makes clear that BCM is a senior management responsibility, typically at board level
  10. Mandate
     • SAMA mandates the BCM framework requirements document to Member Organizations. This document outlines the BCM requirements to be implemented by the Member Organizations.
     • All Member Organizations are required to comply with these requirements and integrate them formally in their BCM program.
     • The BCM framework document is applicable to the full scope of the Member Organization, including subsidiaries, employees, subcontractors, third-parties and customers.
  11. Member Organisations
     The BCM Framework document is applicable to the following:
     • All organizations affiliated with SAMA ("the Member Organizations")
     • All banks operating in Saudi Arabia
     • All banking subsidiaries of Saudi banks
     • Subsidiaries of foreign banks situated in Saudi Arabia
  12. Target Audience
     This document is intended for those who are responsible for and involved in defining, implementing and reviewing business continuity controls:
     • Board of Directors
     • CEO
     • Chief Risk Officer
     • Senior and Executive Management
     • Business owners
     • Owners of information assets
     • CIO / CISO
     • Business Continuity Managers
     • Internal Auditors
  13. BCM Governance
     The BC governance framework should be monitored by senior management.
     1. The board of directors or a delegated executive member should have the ultimate responsibility for the BCM program.
     2. Management should allocate sufficient budget to execute the required BCM activities.
     3. The BCM Committee should be mandated by the board of directors.
     4. Senior management, such as the CRO, COO, CIO, CISO, BCM Manager and other relevant departments, should be represented in the business continuity committee.
     5. A business continuity committee charter should reflect:
        a. Committee objectives
        b. Roles and responsibilities
        c. Minimum number of meeting participants
        d. Meeting frequency (at least quarterly)
  14. Responsibilities
     • A BCM function should be established. The BCM function should be adequately staffed with qualified team members.
     • Cross-functional teams, consisting of strategic, tactical and operational team members, should contribute to the implementation and maintenance of the business continuity and disaster recovery plans.
     • The BCM Manager and BCM coordinators are responsible for maintaining and keeping the BCPs and arrangements up-to-date.
     • The IT manager should be responsible for maintaining and keeping the disaster recovery plans and arrangements up-to-date, with overall accountability for integration within the BCM Program resting with the BCM Manager.
  15. Business Impact Analysis (BIA)
     The Member Organization should determine the following, but not limited to:
     a. The potential impact of business disruptions for each prioritized business function and process, including but not restricted to financial, operational, customer, legal and regulatory impacts
     b. The recovery time objectives (RTOs), recovery point objectives (RPOs) and maximum acceptable outage (MAO)
     c. The internal and external interdependencies
     d. Supporting recovery resources
     The BCM committee should endorse the prioritized list, BIA results, RA and the defined RTOs, RPOs and MAOs.
     Member Organizations should ensure that RTOs are adequately defined for payment systems, customer related services, etc., considering the high availability required of these operations and minimum disruption in the event of a disaster.
  16. Risk Assessment (RA)
     • Risk assessment results should be communicated to the BCM committee.
     • The risk assessment should include risks associated with the overall organization as well as data centers (primary and alternative) which are not owned by the Member Organization (e.g., consider the timeframe needed to relocate to a new site and accordingly include a sufficient timeframe in the contractual agreement).
     • The capability of vendors, suppliers and service providers should be assessed at least on a yearly basis.
     • The Member Organization should ensure that the key service providers (if any) have a BCP in place and their plans tested at least on a yearly basis, for all critical activities as determined by the BIA.
  17. IT Disaster Recovery
     • The Member Organization should define and implement a backup and recovery process.
     • The Member Organization should have an offsite location for storing backups.
     • The Member Organization should ensure that critical services, business functions and processes run on reliable and robust infrastructure and software.
     • An IT DRP in alignment with the business impact analysis should be defined, approved, implemented and maintained to recover and restore technology services and infrastructure components (data, systems, network, services and applications).
  18. Alternate Data Centre
     • The Member Organization should establish an alternative data center at an appropriate location. The location should be identified based on a risk assessment to confirm that the location does not share the same risks as the main data center (e.g., geographical threat).
     • Data, system, network and application configurations, and capacities in the alternative data center should be commensurate with such configurations and capacities maintained in the main data center.
     • The Member Organization should implement the same logical, physical, environmental and cyber security controls for the alternative data center as for the primary data center.
  19. Suppliers and Service Providers
     • For all critical activities, as determined by the BIA, the Member Organization should ensure that the key service providers (if any) have a BCP in place and their plans tested at least on a yearly basis.
     • Formal contracts should be signed with third-parties to ensure the continuity of outsourced services or delivery of replacement hardware or software within the agreed timelines in case of a disaster (for IT DR). Include guidelines to ensure that the contracts signed with external service providers are aligned with the BIA and RA outcomes.
     • The capability of vendors, suppliers and service providers should be assessed at least on a yearly basis, to support and maintain service levels for prioritized activities during disruptive incidents.
  20. Alternate Locations (RA)
     • The Member Organization should have sufficient alternative business workspace(s) where it can relocate the required resources to deliver the critical processes required as per the predefined recovery objectives in the BIA.
     • The alternative business workspace(s) should have clear demarcation of the seating arrangement for different business units.
     • The Member Organization should implement sufficient logical, physical and environmental security controls in order to support the same level of access and security in case the alternative location needs to be activated.
  21. Business Continuity Plans (BCPs)
     The procedures should collectively include:
     a. Key resources (e.g., people, equipment, facilities, technologies)
     b. Defined roles, responsibilities and authorities for stakeholders
     c. A process to manage the immediate consequences of a disruptive incident and escalation procedures
     d. A process to continue the critical activities within predetermined recovery objectives (RTO, RPO and MAO)
     e. A process to resume the Member Organization's operations to business-as-usual once the incident is resolved
     f. Guidelines for communicating with employees, relevant third-parties and emergency contacts
     g. A process for including relevant cyber security requirements, if any, within the business continuity planning
  22. Crisis Management Plan (CMP)
     The Member Organization should document:
     • Criteria for declaring a crisis.
     • A command center for centralized management and an emergency command center.
     • Crisis-management team members, including representatives of the critical products, services, functions and processes of the Member Organization (including the Communications department and any third-parties to be involved).
     • A communication plan (including rapid communication) and the media response plan, to ensure overall safety and address communication with internal and external stakeholders during a crisis.
     • The frequency of crisis management tests.
  23. Awareness and Training
     • A training program should be provided on an annual basis to employees involved in BCM to achieve the required level of experience, skills and competences.
     • The Member Organization should periodically measure the effectiveness of the training and awareness program.
     • The Member Organization and relevant third-parties, such as providers and suppliers, should be:
       a. Familiar with relevant parts of the business continuity policy and plans
       b. Contractually bound to provide their services or products within the agreed time in case of a disruptive event
       c. Familiar with their point of contact or their local BCM coordinator in the Member Organization
       d. Familiar with their roles and responsibilities during disruptive incidents
  24. Exercise and Testing
     The Member Organization should:
     • Define, approve, implement, execute and monitor regular BCP and DRP tests
     • Train their employees and third-parties and test the effectiveness of the BC and DR plans
     • Ensure that defined test scenarios cover the activation and involvement of the crisis management team
     • Conduct BCP simulation test exercises ("at least once a year")
     • Ensure the tests consider appropriate scenarios that are well planned with clearly defined objectives (e.g., per function, per service, per process, per location, per worst case scenario)
     • Take into consideration the inclusion of cyber security scenarios
     • Consider conducting an integrated BCM test for all critical services, business processes and functions
  25. IT DR Tests
     The Member Organization should:
     • Periodically execute a DR test combined with the BCP ("at least once a year")
     • Conduct an evaluation of the executed test of the IT DR infrastructure that supports the Member Organization's critical systems
     • Ensure that the DR test results provide an evaluation and suggestions for improvements
     • Ensure that tests cover the activation and involvement of the crisis management team
  26. Effectiveness
     • Internal Audit or a qualified external auditor should observe the business continuity and disaster recovery testing activities as an independent participant.
     • In case of test failure, the re-testing timeline should not exceed the limit of three (3) months.
     • All BCP and DRP test results should be reported to the BCM committee, senior management and the board of directors.
     • Test results of business continuity and disaster recovery should be shared with SAMA within four weeks after the test. The Member Organization should identify the improvements based on the test performed and provide an action plan to SAMA within two months after the submission of the test results.
  27. Summary
     • If you are struggling with what to do in your BCM program, consider taking guidance from the SAMA framework.
     • Set up your BCM program for success in line with SAMA principles, focusing on:
       ▪ Senior Management Accountability (Board level)
       ▪ Adequate budget
       ▪ Adequate and competent resources
       ▪ Full lifecycle implementation
       ▪ Exercise and Testing
       ▪ Regular Senior Management monitoring and support
       ▪ Continuous Improvement
     ALL THE BEST!!!!
  28. Dhiraj Lal, Executive Director
     Landline: +971 2 6594006
     Mobile & WhatsApp: +971 52 9263933
     Email: dhiraj.l@continuityandresilience.com
     Skype: dhiraj.lal21
  29. Implementation Approach & Methodology
  30. Head Office
     Continuity & Resilience, Level 15, Eros Corporate Tower, Nehru Place, New Delhi-110019, INDIA
     Tel: +91 11 41055534 / +91 11 41613033
     Fax: +91 11 41055535
     Email: info@continuityandresilience.com
     Contact: Padmanabha Bora, Director
     Mobile & WhatsApp: +91 9654870406
     Email: pb@continuityandresilience.com
     Skype: Padmanabha.bora
  31. CORE Cyber Security / Information Security Services
     Capacity Building & Skill Development
     • Corporate Instructor Led Trainings
     • Cyber Attack Simulation Exercise
     • Customised training for Corporates
     • Public Certification Aspirants Workshops (CISSP, CISA, CISM, CRISC)
     Professional Services
     • Governance, Risk & Compliance
     • CERT & CSIRT (BOMT Model)
     • Forensics & Investigations / VAPT
     • Gap Analysis / Health Checks & Pre Audit Services
     Managed Security Services
     • CSIRT as a Service
     • SOC (remote, BOMT/O&M)
     • Predictive Security through Threat Hunting & Counter Threat Intelligence
     • Forensics & Investigation Services
     Products
     • Confront & Denial of Operations Area through Smoke Screen
     • Forensics Workstation & DDoS Protection Tool
     • Employee Forensics & Monitoring Tool
     • Mobile Device Management & Mobile Data Security
  32. Trainings
     Public Programs
     • Global Certifications like BCI, IRCA
     • CORE Certifications
     In-house Workshops
     • Global Certifications like BCI, IRCA
     • CORE Certifications
     Tailor-made
     • Customized to clients
     • Specialized coverage
     • Awareness Education
     • Simulated Exercises
  33. Sectors
     • Telecom
     • Critical Infrastructure
     • Financial Sector
     • Banking
     • Government sector
     • Oil and Gas
     • Insurance
     • Government
     • Real Estate
     • Aviation
     • IT / ITeS
     • … etc.
  34. How can we help?
     • Gap Assessment
     • Training for top management
     • Implementation Roadmap
     • Coordinators Orientation training
     • Policy
     • Templates
     • RA Strategies
     • Vulnerability Assessment
     • Penetration Testing
     • Tool Assessment as per your IT setup
     • Data Centre assessment
  35. E-learning Support
     • Scope: The BCM framework document defines principles, objectives and control considerations for initiating, implementing, maintaining, monitoring and improving business continuity controls in member organizations. The BCM framework document has an interrelationship with other corporate policies for related areas, such as enterprise risk management, health, safety and environment (HSE), physical security, and cybersecurity (including cyber resilience and incident management).
