Recovery and Compliance Services provided by Tom Bronack


Presentation on services provided by Tom Bronack for Enterprise Resiliency, Compliance, Systems Management, and Data Center creation / migration / and recovery.

Published in: Business, Technology


  1. Achieving Enterprise Resiliency and Corporate Certification by Combining Recovery Operations through a Common Recovery Language and Recovery Tools, while adhering to Domestic and International Compliance Standards
     Created by: Thomas Bronack © Page: 1 Date: 6/14/2013
     Created by: Thomas Bronack, CBCP, Bronackt@dcag.com, Phone: (718) 591-5553, Cell: (917) 673-6992
     DCAG Service Offering:
     • Enterprise Resiliency combines all recovery operations into one discipline using a common language and tool set that is constructed via best practices guidelines.
     • Site Infrastructure Management for primary and secondary locations to ensure infrastructure, sizing, and successful recovery.
     • Corporate Certification guarantees that the company complies with all laws in the countries they do business in.
     • Security, Salvage and Recovery protects your assets and repairs your damaged site in preparation for returning to normal production operations.
     • Supply Chain Management to guaranty delivery of supplies and materials to the appropriate location.
     • Combining disciplines will insure operations, improve efficiency, and reduce recovery times.
     • Public Advocate will provide insurance review, recovery coordination, and claims processing.
     • Helping Management eliminate business interruptions, achieve service and recovery objectives, and protect the company reputation.
  2. Table of Contents
     Achieving Enterprise Resiliency and Corporate Certification © Thomas Bronack bronackt@dcag.com
     1. Abstract (Recovery Management is Hard, but Needed)
     2. Objectives (Protecting your Business & Reputation)
     3. Protecting your environment
     4. Our Service Offering
     5. Business Continuity Management Principles
     6. Enterprise Resiliency and Corporate Certification
     7. Disaster Recovery Life Cycle
     8. People involved in Disaster Events
     9. Charter
     10. Goals and Objectives
     11. Risk Management, Objectives, and Process
     12. Establishing the Recovery Management Process
     13. Achieving Enterprise Resiliency and Corporate Certification
     14. Enterprise Resiliency is built on a Solid Foundation
     15. Defining Overall Implementation Approach
     16. COSO (Risk Management Industry Guidelines)
     17. CobIT (integrating applications in the IT Environment)
     18. ITIL v3 (Forms Management and Control System)
     19. Adhering to Compliance Laws
     20. How do we Comply
     21. Supply Chain Management
     22. How is Reporting Accomplished
     23. Strategies for Eliminating Audit Exceptions
     24. Achieving Recovery Time Objectives (RTO), Recovery Point Objectives (RPO), and Recovery Time Capability (RTC)
     25. Optimizing Data Protection and Recovery Services
     26. Data Protection, Maintenance, and Recovery process
     27. Store and Forward Concept
     28. Creating Business Recovery Plans
     29. Continuous Availability (CA) and High Availability (HA) Certification Process
     30. Testing and Certifying CA / HA Applications
     31. Systems Development Life Cycle overview
     32. Migrating Products / Services to the Production Site
     33. Systems Management Controls
     34. Job Documentation Requirements and Forms Automation
     35. Charge-Back System
     36. Data Synchronization Using Cloud Based Hosting
     37. Enterprise Information Technology Environment
     38. Emergency Management and Incident Management
     39. Problem Management and Circumvention Techniques
     40. Fully Integrated Emergency Operations Center (EOC) – Physical View
     41. Activating and Coordinating Recovery Plans
     42. Types of Recovery Plans and their Sections
     43. Responding to Recovery Events
     44. Fully Integrated Resiliency Operations and Disciplines – Logical View
     45. Conclusions
     46. Where Do We Go From Here
     47. Overview of our Consulting Services
     48. Overview of our Compliance Services
  3. Abstract – Recovery Management is hard and demanding on management
     • Are you utilizing your recovery personnel to achieve maximum protection?
     • Have you implemented a common recovery glossary of terms so that personnel speak the same language and can best communicate and respond to disaster events?
     • Is your company utilizing a common recovery management toolset?
     • Do you want to reduce disaster events, improve risk management, and insure fewer business interruptions through automated tools and procedures?
     • Does your company adhere to regulatory requirements in the countries that you do business in?
     • Can you monitor and report on security violations, both physical and data, to best protect personnel, control data access, eliminate data corruption, support failover / failback operations, and protect company locations against workplace violence?
     • Are you protecting data by using access, backup, vaulting, and recovery procedures?
     • Can you recover operations in accordance to contracted SLA/SLR and RTO/RPO?
     • Is your supply chain able to continue to provide services and products if a disaster event occurs through SSAE 16 (Domestic), SSAE 3402 (World)?
     • Do you coordinate recovery operations with the community and government agencies like OSHA, OEM, FEMA, Homeland Security, local First Responders, etc.?
     • Do you have appropriate insurance against disaster events?
     • Can you certify that applications can recover within High Availability (2 hours – 72 hours) or Continuous Availability (immediate) guidelines?
     • If not, this presentation will help you achieve the above goals and reduce your pain.
  4. Protecting your Environment
     • Define your Business Goals and Procedures, including Information Technology;
     • Formulate Organizational Structure and personnel Functional Responsibilities;
     • Create Job Descriptions and Career Path directions;
     • Develop Standards and Procedures and other required documentation;
     • Provide personnel Training and Awareness;
     • Implement a Systems Development Life Cycle (SDLC);
     • Define Support, Maintenance, and Recovery requirements and procedures;
     • Implement methods for adhering to required Laws and Regulations, world-wide as needed;
     • Define and support SLA / SLR and Client Contract requirements;
     • Conduct periodic Risk Management and Audit Reviews;
     • Respond to Gaps, Exceptions, and Obstacles impeding production / recovery objectives;
     • Implement an Emergency Operations Center (EOC) organizational structure;
     • Achieve Enterprise Resiliency and Corporate Certification to optimize recovery and compliance requirements, both domestically and internationally;
     • Utilize industry “Best Practices” to achieve goals and objectives and guaranty results;
     • Utilize Automated Tools and the latest technologies to support goals and objectives;
     • Create Recovery Plans and procedures, while periodically testing and improving plans;
     • Integrate Recovery Operations within the everyday functions performed by personnel so that recovery operations are synchronized with Version and Release Management;
     • Communicate with government, local business community, and media when disasters occur;
     • Achieve an efficient and compliant environment that best supports business objectives and protects / enhances the company reputation.
  5. Objective of our Offering (“protecting a Chick in an Alligator Nest”)
     • Help management protect their business and reputation;
     • Provide a single source to help fulfill / manage recovery and insurance needs;
     • Review existing recovery and insurance profile;
     • Review existing Workplace Safety and Violence Prevention procedures;
     • Achieve corporate support for service delivery and recovery time objectives;
     • Use “Best Practices” to achieve compliance and recovery operations;
     • Help develop and implement recovery operations (all disciplines into one);
     • Assist management achieve a safeguarded and compliant environment;
     • Improve insurance profile to gain better financial protection;
     • Integrate recovery operations within everyday functions performed by staff; and,
     • Provide ongoing support and maintenance of recovery and insurance safeguards.
  6. Business Continuity Management Disciplines and Integration (diagram)
     Charter: Eliminate Business Interruptions; Ensure Continuity of Business; Minimize Financial Impact; and Adhere to Legal / Regulatory Requirements.
     Contingency Recovery Disciplines (four): Contingency Planning; Disaster Recovery; Risk Management; and Business Recovery.
     • Information Technology Protection: Critical Jobs; Data Sensitivity and Access Controls; Vital Records Management; Vaulting and Data Recovery; Recovery Time Objectives; Recovery Point Objectives; and Mainframe, Mid-Range, and Servers.
     • Risk Management: Exposures (Gaps and Exceptions); Insurance; Legal / Regulatory Requirements; Cost Justification; and Vendor Agreements.
     • Corporate Asset Protection: Inventory Control; Asset Management; Configuration Management; Business Continuity; and Office Recovery.
     Departments interfacing with Contingency Recovery Planning: Facilities; Executive Management; Personnel; General Services; Public Relations; Finance; Auditing; Company Operations; Information Technology; and Suppliers (Supply Chain safeguards must be enforced to maintain supply delivery and continued operations).
     “Contingency Planning affects every part of the organization and is separated into logical work areas along lines of responsibility”.
     “These four Contingency Planning Disciplines allow for logical work separation and better controls”.
     “Establishing interfaces with key departments will allow for the inclusion of corporate-wide recovery procedures (Security, Salvage, and Restoration, etc.) in department specific Recovery Plans”.
  7. Enterprise Resiliency and Corporate Certification (diagram)
     Enterprise Resiliency combines all recovery operations into one discipline using a common language and tool set.
     Corporate Certification guarantees that the company complies with all laws in the countries they do business in.
     • Enterprise Resiliency: Emergency Operation Center (EOC); Emergency Management; Business Continuity Management; Workplace Safety & Violence Prevention; Risk & Crisis Management; Physical and Data Security.
     • Corporate Certification: Domestic Compliance; International Compliance; Security, Salvage, Restoration; Processing Sites and Supply Chain Management (Primary Site, Secondary Site); Insurance Needs and Claims.
  8. Lifecycle of a Disaster Event (Why we create Recovery Plans) (diagram)
     Primary Site phases:
     • Disaster Event: Event; Analyze; Declare; Failover.
     • Safeguard: Evacuate; Protect Site; First Responders.
     • Salvage: Clean Facility; Repair; Resupply.
     • Restoration: Restart; Test; Success; Failback.
     • Resume: Reload Data; Restart; Continue.
     Secondary Site: Failover → Start Up → Production Recovery Processing → Shut Down → Failback from Secondary Site after Restoration.
     High Availability (HA) is an RTO / SLA based switch; Continuous Availability (CA) is an immediate switch. Repair Primary Site to Resume Production via Failback.
     “The goal of Enterprise Resiliency is to achieve ZERO DOWNTIME by implementing Application Recovery Certification for HA and Gold Standard Recovery Certification for CA Applications”
  9. People Involved with Recovery Planning and Operations (diagram)
     “Many people from various departments contribute to the Problem / Incident Response Planning process; from initial compliance and recovery identification through recovery planning, and Recovery Plan enactment.”
     • Problems & Incidents → Help Desk → Operations: NCC, ICC, OCC; Problem Resolvers; Recovery Plan Directory; Select Recovery Plan and Route to CCC.
     • Security & First Responders; Salvage & Restoration; Executive Management.
     • Emergency Operations Center; Contingency Command Center; Recovery Teams.
     • Primary Site Production Operations → Failover → Secondary Site Recovery Operations → Failback.
  10. Charter and Mission Statement
     1. Achieve “Enterprise Resilience” to optimize recovery operations;
     2. Insure “Corporate Certification” in countries where you do business;
     3. Adhere to Service Level Agreements (SLA / SLR) and Client Contracts;
     4. Guaranty Data Security and Recovery (RTO / RPO) objectives;
     5. Protect Personnel through Physical Security and a Workplace Safety;
     6. Utilize “Best Practices” to achieve goals;
     7. Achieve “Zero Downtime” through “Certified Recovery” via Failover / Failback for HA applications and Flip / Flop for “Gold Standard Certification” of CA applications;
     8. Integrate Enterprise Resiliency and Corporate Certification World-Wide;
     9. Update Documentation and adhere to Version and Release Management;
     10. Provide educational awareness and training programs; and,
     11. Provide ongoing Support and Maintenance going forward.
  11. Goals and Objectives (table)
     Areas covered: Locations / Infrastructure; Community / Business / Personnel; Lines of Business; Physical / Data Security; Compliance; Recovery Management; Optimized Operations; Insurance; Reputation.
     Protecting the Business:
     • Eliminate / Reduce Business Interruption;
     • Insure Continuity of Business by certifying application recovery;
     • Conduct Risk Management and Insurance Protection reviews;
     • Provide Personnel Protections (HRM, Safe Workplace, and Employee Assistance Programs);
     • Vendors - Supply Chain Management & Control (ISO 24672 / ISO 27031);
     • Protect Clients (Products / Services) via adherence to SLA / SLR guidelines.
     Protecting Information Technology:
     • Build IT Location (Safe Site, HVAC, Water, Electrical, Raised Floor, etc.);
     • Asset Management (Asset Acquisition, Redeployment, and Termination);
     • Configuration Management / Version and Release Management;
     • Use Best Practices like CERT / COSO, CobIT, ITIL.v3;
     • Mainframe, Mid-Range, Client / Server, and PC safeguards;
     • Communications (Local, LAN, WAN, Internet, cloud);
     • System Development Life Cycle (SDLC) optimization;
     • Products and Service Support, Development, Enhancement;
     • Support and Maintenance for problems and enhancements;
     • Data Management (Dedupe / VTL / Snapshots / CDP);
     • Information Security Management System via ISO27000;
     • Data Sensitivity and Access Controls (Applid / Userid / Pswd);
     • Vaulting, Backup, and Recovery; Disk / File copy retrieve utilities; RTO, RPO, RTC.
  12. Risk Management, Objectives and Process
     • Define Risk Management and Business Impact Analysis Process;
     • Define Legal and Regulatory Requirements;
     • Determine Compliance Requirements;
     • Perform a Risk Assessment to uncover Obstacles, Gaps, and Exceptions;
     • Define Mitigations / Mediations;
     • Calculate cost to Mitigate / Mediate and prioritize responses;
     • Review Vendor Agreements and possible Supply Chain interruptions;
     • Obtain Insurance Quotes and select appropriate insurance protection;
     • Integrate within the everyday functions performed by personnel;
     • Create “Crisis Response Plans” to respond to Specific Risks;
     • Develop documentation, awareness, and training materials; and
     • Provide Support and Maintenance going forward.
  13. Establishing the Recovery Management process
     • Formulate Recovery Management Business Plan and obtain strong Management Support to implement and maintain the recovery management process;
     • Identify Stakeholders and Participants, form teams and orientate personnel;
     • Develop a Project Plan, with resources, delivery dates, costs, and reporting;
     • Define Recovery Organization Structure and Job Functions;
     • Implement Recovery Document Library Management;
     • Identify and Train Recovery Management Coordinators from Business Units;
     • Develop a Common Recovery Management Language;
     • Select automated Recovery Management Tools;
     • Provide documentation, training, and awareness on recovery plans;
     • Create, Test, Certify, and Implement Recovery Plans;
     • Integrate Recovery Management, fully document, and Train Staff; and,
     • Support and Maintain Recovery Management going forward.
  14. Achieving Enterprise Resiliency and Corporate Certification
     1. Review existing Security and Recovery Management Operations;
     2. Define Domestic and International Compliance Requirements;
     3. Evaluate Command Centers and their Recovery Operations;
     4. Define Company Lines of Business (LOB’s);
     5. Determine Integration Requirements;
     6. Create Business and Implementation Plan;
     7. Document Process and provide Training;
     8. Integrate through Job Descriptions and Workflow Procedures; and,
     9. Provide ongoing Support and Maintenance.
  15. Enterprise Resiliency must be built upon a Solid Foundation (“House of Enterprise Resilience” diagram)
     Foundation consists of: Enterprise Resiliency; Risks and Compliance issues; Corporate Certification Guidelines; Best Practices; Available Tools; and Certification Firm.
     Enterprise Resiliency consists of: Emergency Management; Business Continuity Management; Workplace Violence Prevention; Workflow Management; Functional Responsibilities; Job Descriptions; and Standards and Procedures.
     Corporate Certification consists of: BS 25999 / ISO 22301; Private Sector Preparedness Act; CERT Enterprise RMM Framework; and NFPA 1600.
     Workplace Violence Prevention: Threats; Predators; Violent Events; and Employee Assistance Programs.
     Best Practices consist of: COSO / CobIT / ITIL; ISO 27000; and FFIEC, etc.
     Physical Security and Access Controls.
     Global Standards include: ISO 22300 – Global Standard; NYSE 446; SS 540 (Singapore); ANZ 5050 (Australia); BC Guidelines (Japan); and more.
  16. Define Overall Implementation Approach (diagram, -confidential-)
     • Initiation: Program Management; Project Statement; Timeline; Maturity Assessment.
     • Understanding Your Business: Requirements & Strategy; Policies; Business Impact; Risk Assessment; Continuity Strategies.
     • Preventive Measures.
     • Emergency Response: Damage Assessment; Life & Safety; Crisis Mgmt.
     • Plan Development: Procedure Development; Checklist Development; Contact Information; Escalation & Notification; Disaster Declaration; Data & Record Recovery.
     • Building Your Team & Capabilities – Staff / Management Awareness & Training: Training Matrix & Master Plan; Short Training Sessions; Workshops / Awareness Sessions. Organizational Roles: Incorporate R&R into JD’s; Defining Roles & Responsibilities; Defining the Committees & Teams.
     • Implementation.
     • Continual Improvement – Testing & Review: Update; Review; Testing.
     • Assurance.
  17. COSO Risk Assessment
     Committee Of Sponsoring Organizations (COSO) was formed to develop Risk Management and Mitigation Guidelines throughout the industry. Designed to protect Stakeholders from uncertainty and associated risk that could erode value.
     A Risk Assessment in accordance with the COSO Enterprise Risk Management Framework consists of (see for details):
     • Internal Environment Review,
     • Objective Setting,
     • Event Identification,
     • Risk Assessment,
     • Risk Response,
     • Control Activities,
     • Information and Communication,
     • Monitoring and Reporting.
     Creation of Organizational Structure, Personnel Job Descriptions and Functional Responsibilities, Workflows, Personnel Evaluation and Career Path Definition, Human Resource Management.
     Implementation of Standards and Procedures guidelines associated with Risk Assessment to guaranty compliance to laws and regulations.
     Employee awareness training, support, and maintenance going forward.
  18. CobiT Framework and Functionality
     Control Objectives for Information Technology (CobiT) is designed to extend COSO controls over the IT environment by:
     • Providing guidelines for Planning and integrating new products and services into the IT Organization;
     • Integrating new acquisitions;
     • Delivering new Acquisitions / Mergers and supporting them going forward;
     • Monitoring IT activity, capacity, and performance; so that
     • Management can meet Business Objectives, while protecting Information and IT Resources.
     CobiT cycle (diagram): Business Objectives → Information → IT Resources, through four domains:
     • Planning and Organization: IT Plan; Information Architecture; Technology Direction; IT Organization and Relationships; Manage IT investment; Communicate Management Goals and Direction; Manage Human Resources; Ensure Compliance with External Requirements; Assess Risks; Manage Projects; Manage Quality.
     • Acquisition and Implementation: Identify Solutions; Acquire and maintain application software; Implement Asset Management procedures for acquisition, redeployment, and termination of resources; Develop and maintain IT procedures; Install and accept systems; Manage change.
     • Delivery and Support: Define Service Levels; Manage third party services; Manage Performance and Capacity; Ensure continuous service; Identify and attribute costs; Educate and train users; Assist and advise IT customers; Manage the configuration; Manage problems and incidents; Manage Data; Manage Facilities; Manage Operations.
     • Monitoring and Reporting: Manage The Process; Assess Internal Control Adequacy; Obtain Independent Assurance; Provide for Independent Audit.
     Information Criteria: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Reliability.
     IT Resources: Data; Application Systems; Technology; Facilities; People.
  19. ITIL V3 Overview – Information Technology Infrastructure Library (ITIL)
     ITIL Five Phase approach to IT Service Support: 1. Service Strategy, 2. Service Design, 3. Service Transition, 4. Service Operation, and 5. Continual Service Improvement.
     ITIL Available Modules:
     1. Service Strategy
        • Service Portfolio Management (available Services and Products)
        • Financial Management (PO, WO, A/R, A/P, G/L, Taxes and Treasury)
     2. Service Design
        • Service Catalogue Management
        • Service Level Management (SLA / SLR)
        • Risk Management (CERT / COSO)
        • Capacity and Performance Management
        • Availability Management (SLA / SLR)
        • IT Service Continuity Management (BCM)
        • Information Security Management (ISMS)
        • Compliance Management (Regulatory)
        • Architecture Management (AMS, CFM)
        • Supplier Management (Supply Chain)
     3. Service Transition
        • Change Management
        • Project Management (Transition Planning and Support)
        • Release and Deployment Management (V & R Mgmnt)
        • Service Validation and Testing
        • Application Development and Customization
        • Service Asset and Configuration Management
        • Knowledge Management
     4. Service Operation
        • Event Management
        • Incident Management
        • Request Fulfillment
        • Access Management
        • Problem Management
        • IT Operations Management
        • Facilities Management
  20. Adhering to Compliance Laws
     • Gramm Leach Bliley – Safeguard Act (was Bank Holding Act);
     • Dodd – Frank – Wall Street Reform and Consumer Protection Act;
     • HIPAA – Healthcare regulations (including ePHI, HITECH, and Final Ombudsman Rule);
     • Sarbanes – Oxley Act (sections 302, 404, and 409) on financial assessment and reporting by authorized “Signing Officer”;
     • EPA and Superfund (how it applies to Dumping and Asset Management Disposal);
     • Supply Chain Management “Laws and Guidelines” included in ISO 24762 (SSAE 16 for Domestic compliance and SSAE 3402 for International Compliance, and NIST 800-34);
     • Supply Chain Management “Technical Guidelines” described in ISO 27031;
     • Patriot Act (Know Your Customer, Money Laundering, etc.);
     • Workplace Safety and Violence Prevention via OSHA, OEM, DHS, and governmental regulations (State Workplace Guidelines and Building Requirements);
     • Income Tax and Financial Information protection via Office of the Comptroller of the Currency (OCC) regulations (Foreign Corrupt Practices Act, OCC-177 Contingency Recovery Plan, OCC-187 Identifying Financial Records, OCC-229 Access Controls, and OCC-226 End User Computing).
  21. How do we comply?
     Laws and Regulations concentrate on the VALIDITY of PROVIDED DATA, so we start with a review of how sensitive data is described, created, protected, and used, including:
     • Identify the lifecycle of data used in financial reporting and compliance;
     • Where does it come from and who owns it?
     • What form is it in (Excel, Database, manual, fax, email, etc.)?
     • Who has access to the data and how can they impact data (CRUD - create, read, update, and delete)?
     • Review current Data Sensitivity and IT Security procedures;
     • Examine Library Management, Backup, Recovery, and Vaulting procedures associated with sensitive data;
     • Review Business Continuity Planning and Disaster Recovery procedures used to protect and safeguard critical Information Technology and Business facilities;
     • Utilize existing Standards and Procedures to duplicate process and identify errors; and,
     • Examine the available Employee Awareness and Education programs.
     As a result of this study, it will be possible to identify weaknesses and develop procedures to overcome weaknesses and improve data efficiency and productivity.
  22. Certifying Vendor Recovery Plans and Validating “Supply Chain” resiliency (diagram)
     Flow: Vendor DR → DR Process → End.
     • Laws and Guidelines – ISO 24762: SSAE 16 (Domestic); SSAE 3402 (International); NIST 800-34 (Technical).
     • Technical Guidelines – ISO 27031.
     • Inputs: Risk Assessment; Business Impact Analysis; End User IT DR Plans.
     • DR Process: Recognize DR Event; Respond To Event; Salvage & Restoration; Return to Primary Site.
     • DR Testing: Initial Testing; After Change; After Enhancement; After Growth; Include Vendors; Use Primary & Secondary Sites.
  23. How reporting is accomplished
     Section 404 of the Sarbanes-Oxley Act (SOX) says that publicly traded companies must establish, document, and maintain internal controls and procedures for Financial and Compliance reporting. It also requires companies to check the effectiveness of internal controls and procedures for Financial and Compliance reporting.
     In order to do this, companies must:
     • Document existing controls and procedures that relate to financial reporting.
     • Test their effectiveness.
     • Report on any gaps or poorly documented areas, then determine if mitigation should be performed.
     • Repair deficiencies and update any Standards and Procedures associated with the defects.
     Reporting chain (diagram):
     • Company Operations (Operations Risk Manager): Extract Information; Generate Financial Reports; Ensure Record Safeguards; Ensure Record Formats; Generate Compliance Reports; Validate Information; Submit Reports.
     • Technical Services (Technical Risk Manager): Protect Information; Data Security; Access Controls; Library Management; Production Acceptance; Version and Release Mgmt.; Business Continuity; Disaster Recovery; Emergency Management; Standards and Procedures.
     • Executive Management (Chief Executive Officer (CEO), Chief Financial Officer (CFO)): Validate Information; Establish Reporting Criteria; Gather data and report; Review Reports; Attest to their accuracy; Submit Reports.
     • Compliance Reporting (Compliance Reports): Report Information; Submitted Quarterly; Attested to Annually; Reviewed by SEC and other agencies to insure compliance.
  24. Strategies for Eliminating Audit Exceptions
     • Review of Compliance Requirements (Business and Industry),
     • Ensure Data Sensitivity, IT Security and Vital Records Management,
     • Eliminate Data Corruption and Certify HA / CA Application recovery,
     • Adhere to Systems Development Life Cycle (SDLC),
     • Utilize Automated Tools whenever practical,
     • Elimination of Single-Point-Of-Failure concerns,
     • Create Inventory / Configuration / Asset Management guidelines,
     • Develop Incident / Problem and Crisis Management procedures,
     • Integrate Work-Flow automation through Re-Engineering processes,
     • Implement and conduct Training and Awareness programs.
  25. Achieving Recovery Time Objective (RTO) / Recovery Point Objective (RPO) and Recovery Time Capability (RTC) (timeline diagram)
     Timeline: Production Processing → Disaster Event (Production Processing Interrupted) → Reload Last Backup or Snapshot → Data Forward Recovery → Production Processing Resumed.
     • Recovery Point Objective (RPO): data saved in the last good Backup or Snapshot (Restore Duration will vary).
     • Recovery Time Objective (RTO): Planned Recovery Time, the time needed to Recover.
     • Recovery Time Capability (RTC): Actual Time needed to Recover; any time beyond the RTO is Extended Loss.
     • CA: immediate switch to Secondary Site (CA Gold Standard). HA: Certified Recovery to Secondary Site (HA Recovery Certification).
     • Secondary Site must contain synchronized data and infrastructure; Primary Site recovers data and infrastructure within RTO.
     Other Terms include: RTE – Recovery Time Expectation; RPE – Recovery Point Expectation; and SRE – Service Recovery Expectation.
     Loss equals Actual Time needed to Recover, costs for staff, loss of client productivity, and damage to corporate reputation.
  26. Optimized Data Protection / Recovery Services (diagram)
     • Snapshots, with Forward Recovery between Snapshots.
     • Data De-duplication eliminates duplicate data files and network traffic to a Virtual Tape Library (VTL).
     • Real backup tapes can be created directly from the VTL.
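A worked example of the recovery timeline on the RTO / RPO / RTC slide and the forward-recovery-between-snapshots idea on this one: reload the last good snapshot, replay journaled transactions up to the disaster event, then measure data loss, RTC and Extended Loss against the contracted RPO / RTO. This is added illustration code, not code from the presentation or from DCAG; the journal and snapshot formats and the sample timings are constructed for the example.

```python
"""Added example: snapshot reload + forward recovery, then RPO / RTO / RTC assessment."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Transaction:
    ts: datetime   # commit time recorded in the journal (constructed format)
    key: str
    value: int


@dataclass(frozen=True)
class Snapshot:
    ts: datetime          # time the last good snapshot was taken
    state: Dict[str, int]


def forward_recover(snapshot: Snapshot, journal: List[Transaction],
                    event: datetime) -> Tuple[Dict[str, int], datetime]:
    """Reload the snapshot, then replay journaled transactions committed after it
    and no later than the disaster event. Returns the recovered state and the
    effective recovery point (commit time of the last transaction replayed)."""
    state = dict(snapshot.state)
    recovery_point = snapshot.ts
    for tx in sorted(journal, key=lambda t: t.ts):
        if snapshot.ts < tx.ts <= event:
            state[tx.key] = tx.value
            recovery_point = tx.ts
    return state, recovery_point


@dataclass(frozen=True)
class RecoveryReport:
    data_loss: timedelta       # event minus effective recovery point (what RPO bounds)
    rtc: timedelta             # Recovery Time Capability: actual time to recover
    extended_loss: timedelta   # portion of RTC beyond RTO; zero when within RTO
    meets_rpo: bool
    meets_rto: bool


def assess(event: datetime, resumed: datetime, recovery_point: datetime,
           rto: timedelta, rpo: timedelta) -> RecoveryReport:
    """Compare the achieved recovery against the contracted RTO / RPO."""
    data_loss = event - recovery_point
    rtc = resumed - event
    extended = max(rtc - rto, timedelta(0))
    return RecoveryReport(data_loss, rtc, extended,
                          meets_rpo=data_loss <= rpo, meets_rto=rtc <= rto)


def demo(resumed_hour: int, resumed_minute: int) -> Tuple[Dict[str, int], RecoveryReport]:
    """Constructed scenario: snapshot at 08:00, three journaled updates, disaster
    event at 09:45, contracted RPO of 1 hour and an HA-band RTO of 4 hours.
    The caller supplies the time production actually resumed."""
    def t(h: int, m: int) -> datetime:
        return datetime(2013, 6, 14, h, m)

    snap = Snapshot(t(8, 0), {"acct-1": 100, "acct-2": 50})
    journal = [Transaction(t(8, 30), "acct-1", 120),
               Transaction(t(9, 10), "acct-2", 75),
               Transaction(t(9, 50), "acct-1", 130)]   # after the event: never replayed
    event = t(9, 45)
    state, point = forward_recover(snap, journal, event)
    report = assess(event, t(resumed_hour, resumed_minute), point,
                    rto=timedelta(hours=4), rpo=timedelta(hours=1))
    return state, report


if __name__ == "__main__":
    recovered, rep = demo(12, 30)    # resumed within RTO
    print(recovered, rep)
    _, late = demo(14, 30)           # resumed 45 minutes past RTO
    print(late)
```

Replaying the journal shrinks the loss window from the snapshot age (1 h 45 min) to 35 minutes; the second call shows how RTC past the RTO surfaces as Extended Loss.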
  27. Data Protection, Maintenance, and Recovery (diagram: Maintenance Server and Recovery Server)
     • Applications can be tested by loading a Snapshot from the SIR, which loads like an active environment. This can support Quality Assurance and environment maintenance without interrupting normal operations.
     • Failover / Failback recovery operations can be tested by loading a Snapshot from the SIR and exercising recovery plans. Test results can be used to identify problems with recovery plans, which can then be used to update the recovery plan.
  28. Store and Forward concept for safe data transmission / reception and achieving “Zero Downtime” (diagram)
     Data path: End User → Application → Primary System → Access Method → NCNO System → Telco (Data Modem Switch, Line Switch, Exchange Switch) → Access Method → Application → Secondary System.
     Telco Tests:
     • Internal Modem Test;
     • End-to-End Continuity Test; and,
     • Data Transmission Testing.
     Because Data stays in the “Originating” buffer until a “Positive Acknowledgement” is received, it is protected from loss. If a failure occurs, data is not transmitted and an error message is generated so that recovery and corrective actions can be performed. You should eliminate any “Single Points of Failure” to achieve an alternate path should the primary path fail.
     Switch: HA / CA Availability, Failover / Failback “Certification”, and Flip / Flop “Gold Standard”.
     “Zero Downtime” can be achieved through “Recovery Certification” for HA Applications and “Gold Standard Recovery Certification” for CA Applications. Using the “Store and Forward” concepts shown here and eliminating any “Single Points of Failure” will help you achieve the goals.
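A small model of the store-and-forward rule described on this slide: a record leaves the originating buffer only on a positive acknowledgement, a failed path produces an error message rather than data loss, and an alternate path is tried so the primary line is not a single point of failure. This is added example code, not the presentation's or DCAG's; the path interface (a callable returning True for an ack) and the record names are constructed for the example.

```python
"""Added example: store-and-forward sender with positive-ack buffering and alternate path."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# A transmission path is modelled as a callable that carries one record and returns
# True for a positive acknowledgement, False when no ack comes back (constructed model).
Path = Callable[[bytes], bool]


@dataclass
class StoreAndForwardSender:
    paths: Dict[str, Path]                                # tried in order: primary first
    buffer: List[bytes] = field(default_factory=list)     # originating buffer
    delivered: List[bytes] = field(default_factory=list)  # records positively acknowledged
    errors: List[str] = field(default_factory=list)       # messages for corrective action

    def store(self, record: bytes) -> None:
        """Stage a record; nothing is released until the far end acknowledges it."""
        self.buffer.append(record)

    def forward(self) -> int:
        """Deliver buffered records in order. A record leaves the buffer only on a
        positive ack; if every path fails it stays buffered and delivery stops so
        ordering is preserved. Returns the number of records acknowledged."""
        sent = 0
        while self.buffer:
            record = self.buffer[0]
            acked = False
            for name, path in self.paths.items():
                if path(record):
                    acked = True
                    break
                # no ack on this path: record the error, then try the next path
                self.errors.append(f"no positive acknowledgement on {name} for {record!r}")
            if not acked:
                break                      # data retained in the buffer, not lost
            self.buffer.pop(0)
            self.delivered.append(record)
            sent += 1
        return sent


def healthy_path(received: List[bytes]) -> Path:
    """Receiving end that records the data and returns a positive ack."""
    def deliver(record: bytes) -> bool:
        received.append(record)
        return True
    return deliver


def flaky_path(drops: bytes, received: List[bytes]) -> Path:
    """Path that silently loses one specific record (no ack is ever returned)."""
    def deliver(record: bytes) -> bool:
        if record == drops:
            return False
        received.append(record)
        return True
    return deliver


def demo_with_alternate() -> StoreAndForwardSender:
    """Constructed scenario: the primary line drops rec-2; the alternate carries it."""
    sender = StoreAndForwardSender(paths={
        "primary": flaky_path(b"rec-2", []),
        "alternate": healthy_path([]),
    })
    for rec in (b"rec-1", b"rec-2", b"rec-3"):
        sender.store(rec)
    sender.forward()
    return sender


def demo_single_point_of_failure() -> StoreAndForwardSender:
    """Constructed scenario: a single path that is down; data must stay buffered."""
    sender = StoreAndForwardSender(paths={"primary": lambda record: False})
    sender.store(b"rec-1")
    sender.store(b"rec-2")
    sender.forward()
    return sender


if __name__ == "__main__":
    s = demo_with_alternate()
    print("delivered:", s.delivered, "errors:", s.errors)
    d = demo_single_point_of_failure()
    print("still buffered:", d.buffer, "errors:", d.errors)
```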
29. Creating Business Recovery Plans

(Flowchart; the nodes are listed in approximate order.)
Start → Recognize the Need for Recovery (Business Loss) → Initiate Recovery → Executive Committee → Management Commitment → Define Goals and Objectives → Obtain Funding.
Inputs to planning: Compliance & Regulatory Needs, Audit Controls, Supply Chain, SLAs / SLR, Insurance.
Risk Management → Gaps & Exceptions → Cost to Repair → Mediate / Mitigate Impeding Obstacles.
Business Impact Analysis (BIA) → Locations & Applications → Rate Criticality (RTO, RPO, RTC) → Rate Ability to Achieve Recovery Goals → Gaps & Exceptions → Cost to Repair → Mediate / Mitigate.
Select BCM Tools → Automated BCM Tool? → BIA & Plan Creation → Train Staff → Create, Test, & Implement BCM Plans → A (continues on the next slide).
30. High Availability and Continuous Availability Certification

(Flowchart continuing from connector A on the previous slide. This process should be performed periodically to ensure recoverability after changes.)
A → Define Critical Applications → Identify Stakeholders and Contributors → Design Meeting Agenda and Deliverables → Schedule & Conduct Meetings.
Substantiation: Validate Application Criticality (SLA) → Use Artifacts to support criticality and RTO / RPO → Any Gaps & Exceptions found? (OK → continue; otherwise Mediate / Mitigate).
Architectural Assessment to locate Obstacles → Define Obstacles That Impede → Gaps & Exceptions? (OK → continue; otherwise Mediate / Mitigate).
Mediation / Mitigation: Mediate / Mitigate Impeding Obstacles, Gaps & Exceptions until the application is able to be tested; Define Repair Costs for Failed Applications, Obstacles & Impediments.
Recovery Testing: Test Applications & Secondary Site → Re-Test Application until Certified, if possible → Certify HA Recovery or CA Gold Standard → Attestation Letter → End.
31. The Road to Successful Recovery Certification

Testing High Availability (HA) and Continuous Availability (CA) for Recovery Certification and the ability to Flip / Flop between Primary and Secondary Sites.

(Flowchart: testing failure loop, repeated until successful Recovery Certification.)
Ready for Testing → Test → Success: HA Recovery Certification or CA Gold Standard; Failure: identify and repair, then re-test.
On failure, the Gaps & Exceptions (to mitigate) and Obstacles & Impediments (to mediate) fall into these areas:
• Compliance to Country Laws and Regulations;
• Infrastructure & Suppliers capable of supporting needs;
• Hardware capable of supporting workload processing;
• Software capable of supporting workload processing; and
• Recovery Plans and Personnel Procedures that need improvement.
Problem Repaired → Ready for Re-Testing → Test (loop).
32. Systems Development Life Cycle (SDLC), Components and flow

(Diagram of environments and data flows.)
Environments: Development → Testing → Quality Assurance → Production Acceptance → Production, with Release and Version Control, Change Management, and Maintenance (Enhance and Repair) feeding back into Development.
Each environment has On-Line Data Files with backup (BKUP); Production Acceptance and Production also carry Security, Vital Records, Back-up, Recovery, and Audit controls.
Testing covers Unit and System Testing; Quality Assurance covers Naming, Documents, and Placement.
Recovery facilities: Business Recovery Facility, Disaster Recovery Facility, and Off-Site Vault (updated periodically or in real time); Vendor Sites; Company or Client Site; End-User Location.

The End-User Request for a New Product or Service defines:
• Business Purpose,
• Business Data,
• Ownership,
• Sensitivity,
• Criticality,
• Usage,
• Restrictions,
• Back-Up, and
• Recovery.
33. Migrating products / services to the Production Environment

Quality Assurance and SDLC Checkpoints: interfaces between the Applications, QA, and Production groups. Checkpoints are used to review progress and make go / no-go decisions, or modifications.

Applications Group: Create Service Request → Perform Technical Assessment → Perform Business Assessment → Perform Requested Work → Application Group Testing → CP#1 (Successful? No: error loop, Return to Submitter; Yes: Create QA Turnover Package).

Testing and QA Turnover Package components:
• Service Form and results from Assessment;
• Change and Release Notes;
• Application Group Testing Results;
• Test Scenarios and Scripts;
• Messages, Codes, and Recoveries;
• Data for Regression and Normal Testing; and
• Documentation.

Quality Assurance Group: QA Review and Accept → Schedule Request → QA Review Meeting → CP#2 → Perform Requested Work → Perform User Acceptance Testing → CP#3 (Successful? No: error loop; Yes: Create Production Acceptance Turnover Package → Submit to Production Acceptance) → Perform Post-Mortem.

Production Acceptance Turnover Package components:
• Explanation and Narrative;
• Files to be released;
• Predecessor Scheduling;
• Special Instructions;
• Risk Analysis;
• Vital Records Management; and
• IT Security and Authorizations.
34. Systems Management Controls and Workflow

(Diagram: the environments Development, Testing, Maintenance, Quality Assurance, Production Acceptance, Production, and Disaster Recovery, with the control groups below applied along the workflow. Disaster Recovery covers Vital Records, the Off-Site Vault, the Disaster Recovery Facility, and Mainframe and Office Recovery; Maintenance is governed by Change Management.)

Control groups shown in the diagram:
• Service Level Management, Project Life Cycle, Walk Thru's, Unit Testing, System Testing, Scenarios, Scripts, Recovery Tests, Regression, Benchmarks, Post Mortem.
• Test Validation, Components, Naming, Placement, Functionality, Process.
• Batch, On-Line, EDP Security, Operations, Recovery, EDP Audit.
• Project Life Cycle, Component & Release Management, Standards & Procedures, User Guides & Vendor Manuals, Training (CBT & Classroom), etc.
• Service Level Reporting, Capacity Management, Performance Management, Problem Management, Inventory Management, Configuration Management.
• Service Level Management, Project Life Cycle, Batch and On-Line Management.

A Forms Management & Control System, used to originate work requests and track work until completed, will facilitate optimum staff productivity and efficiency.
35. Job Documentation Requirements and Forms Automation

New Product / Service Development Request Form Life Cycle. Each phase on the form carries a date, and the supporting documents are linked to from the date field.

Development Request Form (Phase: Date):
• User Information
• Business Justification
• Technical Justification
• Build or Buy
• Development (Build / Modify)
• Test: Unit Testing, System Testing, Regression Testing
• Quality Assurance
• Production Acceptance
• Production
• Support (Problem / Change)
• Maintenance (Fix, Enhancement)
• Documentation
• Recovery
• Awareness and Training

Main Documentation Menu (linked documents):
• Development Request Form Number
• Business Need
• Application Overview
• Audience (Functions and Job Descriptions)
• Business / Technical Review Data
• Cost Justification
• Build or Buy Decision
• Interfaces (Predecessor / Successor)
• Request Approval
• Data Sensitivity & Access Controls
• IT Security Management System
• Encryption
• Vital Records Management
• Data Synchronization
• Backup and Recovery
• Vaulting (Local / Remote)
• Disaster Recovery
• Business Recovery
• Application Owner
• Documentation & Training
• Application Support Personnel
• End User Coordinators
• Vendors and Suppliers
• Recovery Coordinators
• Testing Results
• Application Setup
• Input / Process / Output
• Messages and Codes
• Circumventions and Recovery
• Recovery Site Information
• Travel Instructions

Sub-Documentation Menus exist for the Development, Testing, Quality Assurance, and Production Acceptance phases.
36. Information Accounting and Charge-Back System Concept

By utilizing Work Order (WO) and Purchase Order (PO) concepts, it is possible to track and bill clients for their use of Information Technology services associated with development and maintenance services. This concept is presented below:

User Name: ____________________  User Division: ___________  User Identifier: _______
Work Order #: __________________  Date: ___________  For: _________________________

PO for: Development                                                   Cost: $ _____________
PO for: Testing                                                       Cost: $ _____________
PO for: Quality Assurance                                             Cost: $ _____________
PO for: Production Acceptance                                         Cost: $ _____________
PO for: Production (on-going)                                         Cost: $ _____________
PO for: Vital Records Management                                      Cost: $ _____________
PO for: Asset Management (Acquisition, Redeployment, Termination)     Cost: $ _____________
PO for: Inventory and Configuration Management                        Cost: $ _____________
PO for: Information and Security Management                           Cost: $ _____________
PO for: Safe Workplace Violence Prevention                            Cost: $ _____________
PO for: Recovery Management                                           Cost: $ _____________
PO for: Documentation and Training                                    Cost: $ _____________
PO for: Support and Problem Management                                Cost: $ _____________
PO for: Change Management                                             Cost: $ _____________
PO for: Version and Release Management                                Cost: $ _____________
Total Cost:                                                                  $ _____________

The bill can be generated via Forms Management, Time Accounting, or a Flat Cost for Services. This system can be used to predict costs for future projects and help control expenses and personnel time management.
37. Data Synchronization and Recovery Operations using Cloud Based Hosting

(Diagram: Local Users and Remote Users reach the Primary Servers through the Internet, a Router, and a Firewall; Real Time Data Replication carries Synchronized Recovery Data to Replicated Servers behind a second Firewall at the Cloud Hosting Recovery Site.)

Users normally connect to the Primary Site while data is replicated in real time to the Cloud Hosting site. When a disaster event occurs, users are redirected to the replication site and continue working. "No loss of data" holds only for synchronous replication; with asynchronous replication, updates still in flight when the primary fails are lost, and that replication lag is the RPO you can actually achieve, so measure it and compare it with the RPO the BIA demands.
38. Overview of the Enterprise Information Technology Environment

(Diagram of Business Locations and IT Locations, physical, virtual, and cloud.)
• Systems Development Life Cycle (SDLC): an End User "Work Order" to create a new Product or Service enters the Development and Maintenance Environments (Development, Maintenance, Testing and Quality Assurance), which produce New Applications and Problem Resolution and Enhancements; approved applications are sent to Production Acceptance.
• Production Site #1 and Production Site #2, each with a Local Tape / Data Vault, plus a Remote Tape / Data Vault and a Disaster Recovery Site, connected by Electronic Vaulting, Incremental Vaulting, and Electronic Transmission to the Disaster Recovery Site.
• An Open Network with Multiple Access Points connects Local Sites, Remote Locations, Cloud Computing, and external parties (Customers; Credit Bureaus; Feed-Files; and Other Locations) that exchange Company Data by Electronic Transmission.
• Media that is physically transported (tape) is protected only by encryption.
• Encryption of "Data at Rest" protects stored and vaulted copies; encrypting "Data in Movement" protects data being transmitted to remote sites.
39. Emergency Management Operations Environment

Relationship between the Emergency Management Group (EMG) and the Emergency Operations Group (EOG) during an emergency.

Emergency Management Group (EMG), Central / Corporate Incident Management: Emergency Director; Facility Manager; Affected Area / Unit Manager / Supervisor; Security Coordinator; Safety and Health Coordinator; Maintenance Coordinator; Human Resources Coordinator; Planning & Logistics Coordinator; Environmental Coordinator; Public Relations Coordinator.

Emergency Operations Group (EOG), Local Incident Management: Incident Manager; Operations Officers; Safety Officers; Emergency Medical Technicians Team; Fire / Hazmat; Fire Brigade.

Site-level tasks (as the diagram groups them):
• Evacuate the site if necessary;
• Assess damage and report to the Emergency Director;
• Provide first aid to personnel;
• Coordinate activities with First Responders and follow their lead;
• Initiate salvage procedures;
• Perform site restoration and coordinate the return to site; and
• Recommend improvements going forward.

Corporate-level tasks:
• Provide specific support activities for disaster events;
• Coordinate information with Personnel, Customers, and Suppliers; and
• Optimize Recovery Operations and minimize business interruptions.
40. Problem Management and Circumvention Techniques

(Slide content is a diagram; no text was recoverable.)
41. Fully Integrated Recovery Operations and Disciplines (Physical End Goal)

(Diagram centred on the Emergency Operations Center (EOC), with the following groups connected to it.)
• Business Continuity Management: Risk Management; Disaster and Business Recovery; Crisis Management; Workplace Violence Prevention.
• Emergency Response Management: First Responders (Fire, Police & EMT); Department of Homeland Security (DHS); State and Local Government; Office of Emergency Management (OEM).
• Command Centers: Network Command Center; Operations Command Center; Help Desk; Incident Command Center; Contingency Command Center.
• Business Integration: Lines of Business; Locations; Employees; Customers; Suppliers; Service Level Agreements and Reporting; Systems Development Life Cycle; Six Sigma / Standards and Procedures; COSO / CobIT / ITIL / FFIEC.
• Corporate Certification: Private Sector Preparedness Act (Domestic Standard); BS 25999 / ISO 22301 (International Standard); National Fire Protection Association Standard 1600 (NFPA 1600); CERT Resiliency Engineering Framework.
• Information Security Management System (ISMS) based on ISO 27000 (ISO 27000 series security standards); Workplace Violence Prevention (OSHA, DHS, OEM, Workplace Safety).

A fully integrated recovery organization will include the components shown in this picture.

Corporate Certification is achieved through compliance with the laws and regulations that provide the domestic and international guidelines enterprises must adhere to before they can do business in a country.

Workplace Violence Prevention and Information Security are addressed by implementing guidelines that protect personnel and data, following the latest guidelines on these topics.

Internal command centers responsible for monitoring operations, the network, the help desk, and the contingency command center provide vital information to the Emergency Operations Center staff.

Organizational departments, locations, and functions are identified and connected to the EOC so that communications and coordination can be achieved in the most accurate and speedy manner.

Using this structure will help organizations better collect recovery information and develop recovery operations that lessen business interruptions and protect the company's reputation.
42. Activating and Coordinating Disaster Recovery Plans

(Diagram of escalation from the command centers to the Emergency Operations Center.)
• Help Desk receives Problems & Incidents: Level 1, Local Help Desk Repair; Level 2, Local SME Repair; Level 3, Vendor Repair; Level "D" (disaster), Select Recovery Plan from the Problem Library and Recovery Library.
• Network Command Center (NCC) handles Network Problems; Operations Command Center (OCC) handles Production Operations Problems; Incident Command Center (ICC) handles Major Incidents & Problems.

Contingency Command Center, when notified by the Help Desk of a recovery need:
• Verify the problem and match it to a recovery plan;
• Notify the Contingency Plan Coordinator;
• Activate the plan and perform its tasks;
• Operate at the contingency site;
• Coordinate production site protection, salvage, and restoration;
• Return to the production site; and
• Continue production operations.
The Contingency Command Center coordinates the Recovery Teams and Site Protection, Salvage, & Restoration.

Emergency Operations Center coordinates company operations and communicates recovery operations with:
• Executive Management;
• Lines of Business, Personnel, Clients, Vendors, Supply Chain, and Workplaces;
• Command Centers;
• First Responders and Community Agencies; and
• Companies close by and the news media.
43. Types of Recovery Plans and their Sections

Plan types: Incident Recovery Plan; Disaster Recovery Plan; Business Recovery Plan; Application Recovery Plan; Supplier Recovery Plan.

Recovery Plan Sections:
• Coordinator leads the operation;
• Validate & accept assignment;
• Declaration & notification;
• Initiate call tree;
• Formulate recovery teams;
• Activate recovery plans;
• Monitor and track recovery tasks and status;
• Report;
• Complete recovery operations;
• Process at secondary site;
• Coordinate primary site protection, salvage, and recovery;
• Return to primary site;
• Resume processing at primary site;
• De-activate secondary site; and
• Perform post-mortem and make needed corrections.

Primary Site Recovery Plan (Contingency Command Center with Security, Salvage, and Restoration):
• Protection,
• Salvage and Restoration,
• Process Resumption.

Alternate Site Recovery Plan:
• Travel and Activate Start-Up,
• Assume Production,
• Return to Primary Site,
• De-Activate.
44. Responding to Disaster Events

(Timeline: Disaster Event → First Responders → Declare Disaster → Activate Recovery Plan and go to secondary site → Process at Secondary Site → Site Salvage → Site Restoration → Return to Site → Resume Operations.)

Coordinating recovery operations with the First Responders, Security, Salvage, and Restoration is a critical factor in recovery planning and should be included in all recovery planning procedures.

Additional considerations include insurance and claim processing, media communications, and coordination with government organizations and companies near your facility that may be affected by the disaster event.

Being a good neighbor is important to protect your reputation and show good will.
45. Fully Integrated Resiliency Operations and Disciplines (Logical End Goal)

(Diagram centred on the Emergency Operations Center (EOC), with the following groups connected to it.)

Emergency Response Management:
• State and Local Government,
• First Responders (Fire, Police, & EMT),
• Department of Homeland Security (DHS),
• Office of Emergency Management (OEM),
• Local Community.

Business Continuity Management:
• Risk Management (COSO),
• Disaster Recovery,
• Business Continuity,
• Crisis Management,
• Emergency Management,
• Workplace Violence Prevention,
• Failover / Failback,
• Protection, Salvage & Restoration.

Corporate Certification: Private Sector Preparedness Act (Domestic Standard); CERT Resiliency Engineering Framework, ITIL and COSO; ISO 22313 and ISO 22318 (International Standard); National Fire Protection Association 1600 Standard (NFPA 1600); Information Security Management System (ISMS) based on ISO 27000; Office of the Comptroller of the Currency; OSHA, OEM, DHS (Workplace Violence Prevention).

Command Centers: Contingency Command Center (CCC); Incident Command Center (IC); Help Desk (HD); Operations Command Center (OCC); Network Command Center (NCC).

Lines of Business:
• Locations,
• Employees,
• Infrastructure,
• Equipment,
• Systems,
• Applications,
• Services,
• Supplies,
• Customers,
• RTO, RPO, and RTC.

Business Integration:
• Service Level Agreements (SLA) & Reporting (SLR),
• Systems Development Life Cycle (SDLC),
• CobIT, ITIL, and FFIEC,
• ISO Guidelines,
• Audit and Human Resources,
• Six Sigma or equivalent for Performance and Workflow Management.
46. Conclusions

• Enterprise Resiliency and Corporate Certification will build an efficient and safeguarded environment that best supports continued business operations and the company reputation.
• Many people are involved with planning and implementing, so awareness is high and training can be easily achieved.
• A well trained and loyal staff will best support retention and recruitment of personnel and clients, while supporting future growth and an industry reputation as an excellent company.
• SLA / SLR and client contract management will be more easily achieved, thereby producing a happier client and support for future growth through references.
• Use of "Best Practices" will better guarantee success, while protecting management's decision to implement a state-of-the-art production, compliant, and recoverable environment.
• Use of the latest data management technology will support recovery time requirements, while allowing for off-line testing of maintenance and recovery operations.
• Integration of Systems Management, Workflow Management, and a Charge-Back System will provide monitoring and control over costs, while developing a repository of accomplished work that can be referenced when planning similar projects.
• Integration of the Emergency Operations Center (EOC) with Command Centers, Lines of Business, and Recovery Operations will enhance the information provided to Executive Management and allow them to better communicate with clients and assist with expediting resumption of business operations.
47. Where do we go from here

• Presentation to your management and technical staffs.
• Agree that you want to achieve Enterprise Resiliency and Corporate Certification.
• Perform a Risk Assessment that will define your needs.
• Obtain management approval to initiate the project with their strong support.
• Identify Stakeholders and Participants.
• Formulate teams and train them on the goals and objectives of this project.
• Create a detailed Project Plan and start teams working.
• Develop, Test, Implement a "Proof of Concept", and gain approval to go forward.
• "Rollout" Enterprise Resiliency and Corporate Certification to all locations.
• Fully document and integrate within the everyday staff functions performed.
• Deliver Awareness and Training services.
• Provide Support and Maintenance services going forward.
48. Overview of our Services (Part 1 of 2 - Consulting)

We provide Consulting, Compliance, and Personnel Placement Services to assist clients in achieving a safeguarded and efficient business environment that adheres to domestic and international laws and regulations and is able to recover business operations within time frame obligations.

Consulting service areas: Project Management; Risk Assessments; Security (Physical / IT); Productivity Optimization; Enterprise Resiliency.

Project Management:
• Project Definition & Scope,
• Goals and Objectives,
• Team identification,
• Team Assignment,
• Team Training,
• Project Plan Creation,
• Project Management & Status Reporting,
• Analysis of Results,
• Improvements and Problem Management formulation,
• Conclusions,
• Recommendations,
• Management Report,
• Management Presentation,
• Lessons Learned,
• Improvements going forward.

Risk Assessments (COSO format), including:
• Internal Environment,
• Objective Setting,
• Event Identification,
• Risk Assessment,
• Risk Responses,
• Control Activities,
• Information and Communications,
• Monitoring and Reporting,
• Cost Benefit Analysis,
• Management Report,
• Management Presentation,
• Implementing Management Recommendations and Direction.

Security (Physical / IT):
• Physical Security, including: Workplace Safety & Violence Prevention; Perimeter and Guards; Access Controls; Surveillance & Reporting; Fire Safety Protection.
• IT Security, including: Data Sensitivity; Encryption; Access Controls; Vital Records; Backup & Restoration; Data Management Tools; Mirror and Incremental Data Backup / Recovery.

Enterprise Resiliency:
• Disaster Recovery,
• Business Continuity,
• Emergency Management,
• Enterprise Resiliency & Corporate Certification,
• Business Impact Analysis,
• Contingency & Emergency Command Center,
• Team Selection,
• Team Training,
• Plan Building & Testing,
• Documentation,
• Training and Awareness,
• Support and Maintenance,
• Version & Release Management,
• Security, Salvage, and Restoration,
• Insurance and Claims Processing.

Productivity Optimization:
• Organizational Structure,
• Systems & Workflow Management,
• Forms Management,
• Functional Responsibilities,
• Job Descriptions,
• Personnel Assistance Programs,
• SLA / SLR / Contracts,
• Standards & Procedures,
• Personnel Training.
49. Overview of our Compliance Services (Part 2 of 2)

We provide compliance services for all domestic and international laws and regulations in order to support Corporate Certification for all countries in which the firm does business. Compliance also includes Dodd-Frank, Basel II / III, all OCC regulations, and other new laws and regulations as enacted.

Sarbanes-Oxley (public companies; the $75 million figure on the original slide is the accelerated-filer public-float threshold, and SOX reporting obligations apply to all SEC-reporting companies):
• Sections 302, 404, and 409
• Risk Assessment
• Checks & Balances
• IT Security
• Systems Development Life Cycle
• Systems Management
• Recovery
• Standards & Procedures
• Documentation & Training
• Support
• Maintenance

Gramm-Leach-Bliley (all financial organizations that possess, process, or transmit private customer data):
• Risk Assessment
• Responsible Employee Selection
• IT Security
• Oversight of "Service Providers"
• Testing and Monitoring
• Evaluation & Reporting to management
• Standards & Procedures

HIPAA (all companies that possess, process, or transmit electronic Protected Health Information):
• Risk Assessment
• Standards & Procedures
• IT Security
• BCP and DR Planning
• Security Officer & BCP Officer
• Documentation & Training
• Periodic Audits
• Agreements with Business Associates to adhere to policies
• Ongoing Testing & Maintenance

The Patriot Act (anti-terrorism act to protect Americans from attack):
• Risk Assessment
• Customer Screening Procedures
• Customer Identification Program (CIP)
• Protecting Confidentiality, while aiding investigations
• Foreign Intelligence Investigations
• Money Laundering
• Standards & Procedures
• Documentation & Training

EPA / Superfund (protecting the environment and cleaning up landfills):
• Risk Assessment
• Toxic Materials
• Protect Employees
• Protect people in the area
• Waste Removal Procedures
• Standards & Procedures
• Documentation & Training
• Support & Maintenance