MSC October 18th, 2011


Topic: Integrating Business Continuity/Resiliency into your Security Program


  1. Metropolitan Security Council, Oct 18th, 2011
     Terri Sinski, Strategic Planning Partners, LLC

  2. Agenda
     • What is Organizational Resilience?
     • Standards Selection Considerations
     • Review of the PS-Prep Program & Standards
  3. WHAT IS BUSINESS / ORGANIZATIONAL RESILIENCE?
     Trends in Corporate Protection & Preparedness: the evolution of planning approaches
     IT Disaster Recovery: protection & redundancy measures for:
       • Computers
       • Information Technology
       • Data Center Operations
     Business Continuity: more than IT protection. Protection & recovery strategies to secure the assets of a corporation in the event of a disaster:
       • Personnel
       • Operational Capability
       • Reputation & Public Image
       • Customer base and market, supply chain, and profitability
     Organizational Resilience: an integrated approach
       IT Disaster Recovery + Business Continuity Management + Crisis Management + Security Management + Recovery Management = RESILIENCE

  4. WHAT IS ORGANIZATIONAL RESILIENCE?
     The adaptive capacity of an organization in a complex, changing environment:
       • Systematic and coordinated activities & practices through which an organization manages its operational risk and the associated potential threats & impacts
       • An ongoing management and governance process, supported by top management, ensuring that the necessary steps are taken to:
         - Identify the impact of potential losses
         - Maintain viable recovery strategies and plans
         - Ensure continuity of functions/products/services
         - Implement exercises, rehearsal tests, drills, training, maintenance & assurance
     Source: ASIS SPC.1-2009, Organizational Resilience: Security, Preparedness, and Continuity Management Systems

  5. INTEGRATING ORGANIZATIONAL RESILIENCE INTO YOUR SECURITY PROGRAM
     Where to start? There is a multitude of standards & programs for incorporating prevention, response, recovery & resiliency strategies into your corporate organizational structure.
     Selecting the one most suitable for your organization/business requires considering various factors, including:
       • Size & scope of the organization
       • Existing procedures & current plans
       • Particular industry
       • Required industry standards
       • Critical corporate customer requirements
       • Corporate culture, mission, objectives, management perspective
     AND determining how PS-Prep may affect and/or benefit your company.
  6. PS-PREP: The Voluntary Private Sector Preparedness Accreditation and Certification Program
     PS-Prep is mandated by Title IX of the Implementing Recommendations of the 9/11 Commission Act of 2007 (the Act). Congress directed the Department of Homeland Security (DHS) to develop and implement a voluntary program of accreditation and certification of private entities, using standards adopted by DHS that promote private sector preparedness, including disaster management, emergency management and business continuity programs.
     Adopted standards:
       • ASIS SPC.1-2009, Organizational Resilience: Security, Preparedness, and Continuity Management Systems. Written by ASIS International (formerly the American Society for Industrial Security)
       • BS 25999-2:2007, Business Continuity Management. Written by the British Standards Institution (BSI)
       • NFPA 1600, 2007 and 2010 editions, Standard on Disaster/Emergency Management and Business Continuity Programs. Written by the National Fire Protection Association

  7. PS-PREP
     Goal: to enhance nationwide resilience by encouraging private sector preparedness
     Program overview:
       • Provides a method to independently certify the emergency preparedness of an organization
       • Focuses on businesses and other private-sector organizations
       • Provides for independent third-party certification
       • Voluntary (market-driven) in nature; private sector-led and administered outside of government
       • Utilizes existing private-sector standards and processes
       • Addresses operational risk, including disaster/emergency management & business continuity programs
     Informative interview with Bill Raisch, Founding Director of the International Center for Enterprise Preparedness (InterCEP) at New York University. InterCEP is an academic research center dedicated to private sector risk management & resilience.

  8. PS-PREP: Background
       • Aug 2007: Evolved from Title IX of the Implementing Recommendations of the 9/11 Commission Act, Public Law 110-53
       • July 2008: DHS announces agreement with the ANSI-ASQ National Accreditation Board (ANAB). What is ANAB's role? To develop & oversee the certification process and issue accreditation to third-party certification entities
       • Oct 2009: DHS announces intent to adopt 3 standards; public forums invite comments & recommendations of additional standards
       • June 2010: DHS Secretary Janet Napolitano announces formal adoption of the standards
     Comments: Docket ID FEMA-2008-0017

  9. PS-PREP: Private sector-led and administered outside of government. Then what is DHS's role?
     While the process is administered by the private sector, DHS is responsible for:
       1) Selection of the standards
       2) Supporting the development of the certification process by designating and funding the accrediting body (Note: the certification & accreditation process is still in the development stage)
       3) Developing and communicating the business case for the program to the private sector

  10. continuity/ps-prep-overview (truncated link)
  11. BS 25999-2:2007 Business Continuity Management
       • Developed by a broad-based group of world-class experts representing a cross-section of industry sectors and government, to establish the process, principles and terminology of Business Continuity Management. The model is based on BCM best practice and covers the whole BCM lifecycle.
       • Designed to keep business going during the most challenging and unexpected circumstances and interruptions:
         - Protecting your staff
         - Preserving your reputation and
         - Providing the ability to continue to operate and

  12. NFPA 1600:2007 and 2010 Standard on Disaster/Emergency Management and Business Continuity Programs
       Provides a conceptual framework for disaster/emergency management and business continuity programs.
       Five aspects that bring the standard into alignment with the related disciplines and practices of risk management, security, and loss prevention:
         1. Prevention
         2. Mitigation
         3. Preparedness
         4. Response
         5. Recovery
       June 2011: FEMA awarded a contract to NFPA to update the web-based content of Ready Business (designed for small to mid-sized companies), which is part of the website.

  13. ASIS SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems
       Unique among preparedness standards in that:
         • It is the only preparedness standard that is 100% compatible with existing ISO management system standards (such as ISO 9000, ISO 14000, ISO 27000 and ISO 28000), enabling a cost-saving integrated application.
         • Awarded SAFETY Act Certification by DHS, Sept 2011
         • It is the only preparedness standard that takes an ENTERPRISE-WIDE view of risk:
           - Considers ALL departments within the organization, avoiding segregated risks
           - Provides strategies for prevention, preparation, mitigation, response & recovery
  14. ENTERPRISE RISK MANAGEMENT: ASIS SPC.1-2009 Program Features
       Resilience Risk Management, Security Risk Management, Security Management, Emergency Management, Physical Asset Protection, Crisis Management, Disaster Management, Information and Network Security, Recovery Management, Emergency Preparedness, Continuity Management, Critical Infrastructure Protection, Incident Response

  15. BUILDS ON THE PDCA MODEL: ASIS SPC.1-2009 Program Features
       • Plan: Define & analyze a problem; identify the root cause
       • Do: Devise a solution; develop a detailed action plan & implement it systematically
       • Check: Confirm outcomes against the plan; identify deviations & issues
       • Act: Standardize the solution; review & define the next issues (a cycle of continual improvement)
  16. EDUCATIONAL PLANNING RESOURCES
       ASIS, FEMA (www.fema.gov), BSI, NFPA (www.nfpa.org), Continuity Insights, NYU InterCEP, Compliance, READY.GOV

  17. Strategic Planning Partners, LLC
       A Resident Research Partner at The Morrelly Homeland Security Center
       510 Grumman Road West, Suite 214, Bethpage, NY 11714
       516-390-5281
       Strategic Planning Partners (SPP) provides Emergency Preparedness, Maritime Security & Corporate Resiliency Solutions to private and public sector clientele.
       Terri Sinski, Director, Business Continuity Services