A contingency plan is:
“A plan for emergency response, backup operations, and post-disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation…”
(National Computer Security Center 1988)
This document discusses business continuity planning (BCP). It outlines the key steps in developing an effective BCP, including: project scope and planning, business impact assessment, continuity planning, and approval/implementation. The project scope and planning phase involves analyzing the business organization, selecting a BCP team, assessing resource needs, and analyzing legal requirements. The business impact assessment identifies critical business functions, resources they depend on, risks/vulnerabilities, and calculates downtime tolerances. Continuity planning develops strategies to address identified risks and minimize their impact. The overall goal is to maintain business operations during a disaster through preparedness and recovery planning.
The document discusses business continuity and disaster recovery planning from an information systems auditing perspective. It covers key areas such as developing business continuity plans, evaluating backup and restoration procedures, reviewing disaster recovery plans, and auditing business continuity and disaster recovery processes. The case study describes an organization that needs to update its business continuity and disaster recovery plans given significant growth. The IS auditor needs to evaluate the plans and make recommendations.
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, systems, or external events. It is categorized into people, processes, systems/technology, and external risks. Key risk indicators are metrics used to monitor identified operational risks over time and provide early warnings. Banks use three approaches to operational risk management - the basic indicator approach, standardized approach, and advanced measurement approach - which require banks to hold capital reserves proportional to their operational risk exposure based on business lines and historical loss data.
The document provides information on conducting risk assessments and audits. It discusses key aspects of the audit process including establishing an audit charter, planning audits, assessing risks, and evaluating assets, threats, and vulnerabilities. Some key points:
1) An audit charter outlines the audit's scope, responsibilities, objectives, and authority. It requires senior management approval.
2) Developing an audit plan involves understanding the business, assessing risks, setting objectives and scope, and devising an audit strategy. The biggest challenge is matching resources to the plan.
3) Risk assessment identifies assets, threats, vulnerabilities, and safeguards. It values assets, estimates likelihood of threats, and calculates potential losses to inform risk treatment.
This document discusses information systems operations and infrastructure. It covers topics like IT service management, incident and problem management, change management, capacity management, hardware and software components, network architecture, disaster recovery planning, and the role of auditing. The key points are managing IT operations effectively through proper processes, monitoring infrastructure performance, ensuring adequate capacity, and having disaster recovery plans and testing in place.
This document provides an overview of the key topics covered in the 2016 CISA Review Course, including IS auditor roles and responsibilities, audit planning, risk analysis, internal controls, performing IS audits, and compliance vs substantive testing. The document outlines ISACA standards and guidelines for IS auditing, and frameworks like COBIT 5 that help achieve governance and management objectives for enterprise IT. Methodologies, techniques, and objectives for risk-based auditing are also summarized.
This document outlines how to create an effective business continuity program with the following key points:
1) It discusses why business continuity management is important to minimize potential losses and ensure essential services can resume following a disruption.
2) It provides an overview of the business continuity planning process which includes risk assessment, business impact analysis, solution design, plan implementation, and maintenance.
3) It describes the various components of an effective business continuity plan including identifying risks, assessing impacts, designing alternate response strategies, implementing and testing the plan, and maintaining updated documentation.
This document contains an outline for a CISA review course covering topics such as information security management, logical access controls, network security, and auditing frameworks. It includes sections on inventorying and classifying assets, access permissions, privacy issues, risks from external parties, and incident response. Self-assessment questions test on weaknesses like uncontrolled database passwords, the risks of single sign-on, uses of intrusion detection systems, and effective antivirus controls.
This document provides an overview of Domain 1 of the CISA exam, which covers auditing information systems. It discusses key concepts including:
- Audit planning, which involves understanding the business, environment, prior work, risk analysis, and developing an audit plan.
- Risk analysis, which is part of audit planning and helps identify risks and vulnerabilities to determine necessary controls.
- Internal controls, which are policies and procedures to reduce risks. They can be preventive, detective, or corrective.
- COBIT, a framework from ISACA for governance and management of enterprise IT. It is based on principles and enablers.
- Risk-based auditing approaches audit risk through understanding
This document provides an overview of project management practices, software development methodologies, and business application systems relevant to IT auditing. It discusses the benefits realization process, portfolio and program management, business case development, and project management structures. Traditional software development lifecycle approaches like waterfall are described along with agile development, prototyping, and rapid application development. Risks in software projects and controls for electronic commerce, EDI, email and banking systems are also summarized.
The document discusses key concepts in auditing information systems, including defining internal and external audits, describing the five phases of the audit cycle, and outlining components of an effective internal control system such as preventive, detective, and corrective controls.
Everything You Need To Know About Internal Control Reviews, by Adriana Sklencar
This document discusses an internal control review for the public sector presented by Welch LLP. It covers when to consider an internal control review, what to expect from the process, the basic streams or business processes that would be reviewed, and the benefits of conducting such a review. The process involves developing a risk-based strategy, documenting and assessing key financial controls, and drafting a management action plan. Benefits include improving efficiencies at a lower cost than a full audit and gaining a fresh view of the system and environment. Questions from attendees can be tweeted with the hashtag #WelchGov.
The document discusses the planning process for a new IT project, including evaluating its necessity and feasibility. It covers identifying the project based on business needs, determining a project sponsor, analyzing the technical, economic, and organizational feasibility. Technical feasibility involves assessing the team's ability to develop and implement the system. Economic feasibility requires analyzing costs/benefits over time using measures like ROI, BEP, and NPV. Organizational feasibility means determining if users will adopt the new system by examining stakeholder support and how it aligns with business goals. The feasibility study is submitted for approval before full project initiation.
CNIT 160 4b: Security Program Management (Part 2), by Sam Bowne
This document provides an overview of topics covered in Part 2 of a lecture on information security program development, including risk management, the risk management process, audits and reviews. Key points discussed are the purpose and components of a risk management program, the risk management lifecycle including identifying assets, threats, vulnerabilities, analyzing risk impact and probability, and treating risk through mitigation, transfer, avoidance or acceptance. The document also summarizes security audit objectives and types, as well as the audit methodology, evidence and reporting process.
The document provides an overview of systems and infrastructure life cycle management processes, including business realization, project management structure, project management practices, business application development, and information systems maintenance practices. It discusses topics like portfolio/program management, the system development life cycle, project planning, and software acquisition. The document is broken into several sections that describe key concepts and processes.
This document provides examples of how data analytics can be used for internal auditing purposes. It discusses using data analytics to:
1) Automate existing journal entry and employee expense testing through the use of scripts in audit software.
2) Create additional automated testing routines as part of continuous controls monitoring, including identifying duplicates, fraudulent patterns, and high-risk journal entries.
3) Perform analyses of journal entry and employee expense data such as general data overviews, population analyses to identify anomalies, and testing of specific expense types or journal accounts deemed high-risk.
Information Systems Control and Audit - Chapter 4 - Systems Development Manag..., by Sreekanth Narendran
The full version of the ppt is available in www.lifein01.com
Systems development is the process of defining, designing, testing, and implementing a new software application or program. It comprises the internal development of customized systems, the establishment of database systems, or the acquisition of third-party developed software.
1. The document discusses the objectives, methodologies, and phases of performing an information systems audit.
2. Key methodologies discussed include the top-down and bottom-up approaches, with the top-down being business and risk focused and the bottom-up focusing on control objectives.
3. The phases of an audit include pre-engagement work, data collection through testing, interviews and documentation, data analysis to identify findings and risks, developing recommendations, and reporting results.
The document discusses planning for IT projects, including project selection, creating a project plan, staffing the project, and managing/controlling the project. Project selection involves considering all projects within the organization's project portfolio and prioritizing based on organizational needs. The project plan defines tasks, time estimates, and other details. Staffing includes developing a staffing plan and coordinating project activities. Managing the project encompasses scope management, time-boxing, and risk assessment.
This document discusses the systems development life cycle (SDLC) for developing health information systems. It describes the main phases of SDLC as planning, analysis, design, and implementation. It then provides more details on the steps within each phase, including identifying business needs in planning, gathering requirements and creating system proposals in analysis, and designing the system architecture, databases, and programs in design. The implementation phase includes constructing the system, installing it, and creating a support plan. It also outlines the key roles and responsibilities of systems analysts in managing each stage of the process.
The document provides an overview of the CISA (Certified Information Systems Auditor) certification. It discusses that CISA is offered by ISACA and does not require prior qualifications. It also outlines the eligibility requirements including 5 years of work experience, maintenance requirements of 20 CPE hours annually, and details of the 150 question, 4 hour exam including a passing score of 450. The document recommends study materials and strategies for exam preparation.
Mobile EHS and Quality Auditing - Lessons Learned, by Nimonik
Smart phones and tablets are becoming commonplace in our offices. With this new technology, it is possible to improve efficiency during an audit, allowing more audits to be conducted with fewer resources. There are opportunities and pitfalls that all companies should be aware of before embarking on a mobile software project. This talk will cover lessons learned at L’Oreal, FedEx and Grupo Bimbo about deploying mobile technology and conducting compliance audits in the workplace.
Leveraging Primavera to Fulfill Financial Management Strategies, by Jeffrey Finkiel
Guardian Life Insurance seeks to improve its financial management strategies by leveraging Primavera P6 and EcoSys Financial Manager software. EcoSys and Guardian representatives will discuss how Guardian can expand its use of Financial Manager to integrate project management data from Primavera with financial reporting, budgeting, software capitalization, IT chargebacks, and past period cost adjustments. Financial Manager provides flexible reporting and visualization tools to help Guardian strengthen financial controls and oversight of its $41 billion portfolio.
This document discusses ISO 27001 certification, which provides a framework for information security management. It outlines the certification process, including conducting a gap assessment, risk assessment, and setting up an information security management system (ISMS). The stages of certification include a preliminary Stage 1 audit by a certification body (CB) to review the ISMS setup, then a Stage 2 audit after 1-6 months to certify the system. Certification is valid for 3 years and requires annual surveillance audits to maintain it, with re-certification needed every 3 years. The presentation aims to help organizations understand how ISO 27001 certification can improve security, reduce risks, and build customer trust and market share.
3 focus areas for any organisation's IT & Security department, by Sandeep S Jaryal
This presentation focuses on 3 areas: improving the overall security posture of the company, effective management of outsourced service providers, and work prioritization. Hope some of these ideas will help someone...
The document provides an overview of assessing information systems security controls. It discusses the NIST Risk Management Framework process, which includes assessing security controls, producing a security assessment report, and conducting remediation actions. The document also covers developing a security control assessment plan, selecting assessors, developing assessment procedures, and the overall assessment lifecycle from planning to reporting.
Business Continuity Management (BCM, BCP) Sample (Animations don't work in Sl..., by Alexander Larsen
The document provides an overview of business continuity management based on the BS25999 standard. It discusses the key aspects of a BCM program including understanding the organization, determining strategy, developing response plans, exercising and reviewing plans, and embedding BCM in the organizational culture. The BS25999 standard provides a framework for organizations to identify risks, prioritize critical activities, develop response strategies, and ensure resilience through ongoing maintenance and testing of business continuity plans.
Prescriptive analytics can provide 7-17% cost savings for asset management planning by optimizing investment decisions. Electricity North West piloted prescriptive analytics to understand benefits and answer "what if" scenarios, like minimizing expenditure while maintaining risk levels or finding the lowest risk score within a budget. Their dashboards and reports visualized optimized investment plans across asset classes under different constraints. The presentation encouraged attendees to identify their own useful "what if" questions and assess their ability to implement analytics.
The document discusses business continuity planning (BCP) and disaster recovery planning (DRP). It describes the five phases of creating a BCP: project management and initiation, business impact analysis, recovery strategies, plan design and development, and testing, maintenance, awareness and training. The goal of a BCP is to allow timely recovery of critical business operations following a disaster, and to minimize loss. Key aspects include identifying time-critical business functions, defining maximum tolerable downtimes, selecting appropriate technical and organizational recovery strategies, developing a detailed recovery plan, and ongoing testing and maintenance of the plan.
This document discusses disaster management and disaster recovery planning. It begins with defining what constitutes a disaster and provides examples of past disasters. It then discusses what a disaster recovery plan is and the key components of developing a plan, including assessing risks, developing recovery strategies, creating detailed recovery plans, and testing plans through training and exercises. The overall approach involves scoping, planning, implementing, and maintaining a disaster recovery plan on an ongoing basis.
This document discusses Horizon Utilities Corporation's health and safety practices and implementation of the IFS Applications software. Horizon Utilities is an electricity distribution company serving over 200,000 customers. It prioritizes health and safety as its top priority, with over 2.5 million hours worked without a lost time incident. The IFS Applications software allows Horizon Utilities to track over 1,800 health and safety incidents over 5 years, conduct investigations and inspections, develop training programs, and generate reports and dashboards to monitor incidents and key performance indicators. The benefits of the software include immediate incident awareness, compliance with regulations, enhanced training, and increased productivity and reporting capabilities.
Bcp coop training taxpayer services 1-15-09Richard Turner
The document provides an introduction to business continuity planning and the Incident Command System (ICS). It discusses the importance of having continuity plans in place using examples like the response to 9/11. It also explains that the ICS, developed for coordinating emergency responses, provides a standardized organizational structure and operating principles that can help effectively manage any type of incident. Key aspects of the ICS include its modular structure, management of span of control, and other principles for coordination between responding agencies.
A construction safety program has several key elements: assigning responsibilities; identifying and controlling hazards; providing training; documenting safety rules and enforcement. The program aims to maintain safe work conditions, set performance goals, reward safety, and review incidents to take corrective actions. Establishing safety objectives and including safety in performance reviews helps measure effectiveness. Benefits include reduced injuries, expenses, absenteeism and increased productivity and morale. Developing project-specific safety activities includes planning, defining roles, and identifying typical safety programs and top violations. Formulating a comprehensive safety plan requires a team effort to identify hazards and controls. Implementing and continually improving the work plan is essential to reducing injuries and maintaining a safe work environment.
OPERATOR ANALYTICS FROM IMPLEMENTING AN OPERATE BY EXCEPTION STRATEGYwle-ss
Vermilion Energy is an international oil and gas company that operates in North America, Europe, and Australia. The presentation discusses Vermilion's strategy to implement an "operate by exception" model using remote monitoring and analytics. This approach aims to optimize resources like personnel, equipment, time and costs through collecting time-series production data and using artificial intelligence/machine learning. Basic analytics would provide metrics on safety, production and costs, while advanced analytics could enable automatic pumpjack optimization, predictive maintenance, and optimized field routes. The goal is to efficiently manage operations through data-driven insights.
For offshore industries such as renewables and oil and gas, meteorological and oceanographic (metocean) conditions have a major impact on the design of facilities and their subsequent operations.
Knowledge of wind, wave, current, water level and weather conditions is essential to contribute to optimum design and efficient operations. Sound use of metocean data and information can assist with improved safety and reduced costs. This 2 or 3 day course takes place in several locations throughout the world.
Willem A. Hoekstra Business Continuity Management in Banking Industry World C...BCM Institute
This document discusses business continuity management (BCM) in the banking industry. It begins with key BCM concepts like having crisis management teams, conducting business impact analyses to determine priorities, creating business continuity plans, building alternative facilities, testing plans through exercises, and embedding BCM into the organization. It then discusses Nomura's BCM methodology in more detail, including establishing a crisis management team and emergency response plan. The document emphasizes that while BCM aims to prepare for consequences of disruptions, the causes themselves may be unpredictable. It also notes that disruptions can impact a bank's buildings, people, IT systems, suppliers, capital, and clients.
Fire alarm ppt_presentation_to_suppliers_november_2015MuhamedAshraf4
This document provides an overview of the best value procurement process for selecting a supplier for a fire alarm monitoring project at Arizona State University. It discusses evaluating suppliers based on their risk assessment plans, value assessment plans, interviews, and past performance to identify the highest value proposal. The evaluation committee will anonymously score risk and value assessments. Purchasing services will collect cost proposals and survey responses separately. The process involves proposal evaluation, clarification, and contracting before project management and metrics tracking.
This document provides an overview of a presentation on essential project management topics. The presentation covers 7 topics: 1) project management fundamentals, 2) time management, 3) cost management, 4) risk management, 5) integrated time and cost management, 6) contractual issues, and 7) additional tips. For each topic, it outlines key concepts and methods in project planning, scheduling, estimating, risk analysis, and performance tracking. It encourages taking a systematic approach to project management.
Lloyd's Register is a global certification, compliance and engineering consulting company with over 250 years of history. It has four business divisions including energy. Lloyd's Register introduced its Knowledge Based Asset Integrity (KBAITM) approach which uses risk assessments to optimize maintenance plans for wind farm assets. Case studies on port cranes and oil refinery piping found the approach improved reliability and reduced costs. Lloyd's Register is seeking partners for a KBAITM pilot on a wind farm to capture asset data and facilitate knowledge transfer.
Managing complex projects requires an approach that embraces uncertainty. Traditional project management methods focused on planning and certainty are ill-suited for knowledge work which involves evolving requirements and technologies. Effective approaches gather consensus, prioritize based on business value and risk reduction, use short build and feedback cycles, provide results-oriented reporting, and respect and empower team members. Historical examples that successfully managed uncertainty, such as the Manhattan Project and Polaris missile project, demonstrate these principles.
Reliability Engineering in Biomanufacturing - Presentation by Michael AndrewsWPICPE
Reliability engineering in biomanufacturing aims to identify, manage, and mitigate risks that could negatively impact plant or business operations through a focus on risk management, loss elimination, and life cycle asset management. The need for reliability engineering has grown as manufacturing costs rise, regulations expand, and skills shortages emerge. However, many companies struggle with reliability due to a lack of culture and vision connecting it to business strategy, insufficient dedication of resources, and an inability to overcome myths. Effective reliability principles can reduce costs by avoiding unnecessary expenses and improving asset utilization, but they must be applied throughout the entire asset life cycle starting in the design phase.
Andy Smith presented on a project to improve engineering department efficiencies at Rodgers Leask Ltd using the DMAIC methodology. In the Define phase, key stakeholders were identified and processes reviewed to develop a problem statement. In the Measure phase, current processes were mapped and data collected to establish a baseline. The Analyze phase found inconsistencies in procedures, documentation, and training. Recommendations in the Improve phase included new training, templates, and documentation procedures. The Control phase implemented audits, tracking, and reviews to sustain the improvements. The project successfully changed processes to benefit quality and reduce safety and financial risks.
The document discusses risk management for the 2012 London Olympics. It outlines the goals of controlling contingency and limiting surprises. Key aspects of the risk management approach included:
- Maintaining sufficient contingency funds while limiting free funds
- Strictly controlling contingency use through governance and approval processes
- Regularly re-calculating contingency requirements and measuring performance
- Integrating risk management into core activities and reporting risks as part of regular updates
The approach aimed to ensure sufficient resources were available to complete the Olympics on time and within budget, while minimizing unnecessary spending.
Collaborate 2012: Environmental Accounting and ReportingAngela Miller
Presentation on the implementation of Oracle's Environmental Accounting and Reporting (EAR) module in JD Edwards. As more entities desire to self-report to The Climate Registry and the Global Reporting Initiative, tools like EAR will become imperative for their organizations to automate the data collection.
Cissp business continuity planning
1. CBK REVIEW - August 1999 1E
Business Continuity Planning
• Note: these are slides that were part of a CISSP prep course that I partly developed and taught while I was with Ernst and Young.
• While these slides are dated (August 1999), the core information is still relevant.
• Contact me with any questions or comments:
• Ben Rothke, CISSP brothke@hotmail.com
2. Introduction
• The Problem - Reasons for BCP
• Principles of BCP
• Doing BCP
– The steps
– What is included
– The stages of an incident
3. Definitions
A contingency plan is:
“A plan for emergency response, backup operations, and post-disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation…”
(National Computer Security Center 1988)
A 1997-98 survey found that more than 35% of companies had no such plans.
4. Definitions of BCP
• Disaster Recovery
• Business Continuity Planning
• End-user Recovery Planning
• Contingency Planning
• Emergency Response
• Crisis Management
The goal is to assist the organization/business to continue functioning even though normal operations are disrupted.
Includes steps to take
– Before a disruption
– During a disruption
– After a disruption
5-9. Reasons for BCP
• It is better to plan activities ahead of time rather than to react when the time comes
– “Proactive” rather than “Reactive”
– Take the correct actions when needed
– Allow for experienced personnel to be absent
• Maintain business operations
– Saves time, mistakes, stress and $$
– Keep the money coming in
– Short and long term loss of business
– Have necessary materials, equipment, information on hand
– Planning can take up to 3 years
• Effect on customers
– Public image
– Loss of life
• Legal requirements
– ‘77 Foreign Corrupt Practices Act/protection of stockholders
• Management criminally liable
– Federal Financial Institutions Examination Council (FFIEC)
– FCPA SAS30 Audit Standards
– Defense Investigative Service
– Legal and regulatory sanctions, civil suits
10. Definitions
• Due Care
– minimum and customary practice of responsible protection of assets that reflects a community or societal norm
• Due Diligence
– prudent management and execution of due care
11. The Problem
• Utility failures
• Intruders
• Fire/Smoke
• Water
• Natural disasters (earthquakes, snow/hail/ice, lightning, hurricanes)
• Heat/Humidity
• Electromagnetic emanations
• Hostile activity
• Technology failure
12. Recent Disasters
• Bombings
– ‘92 London financial district
– ‘93 World Trade Center, NY
– ‘93 London financial district
– ‘95 Oklahoma City
• Earthquakes
– ‘89 San Francisco
– ‘94 Los Angeles
– ‘95 Kobe, JP
• Fires
– ‘95 Malden Mills, Lawrence, MA
– ‘96 Credit Lyonnais, FR
– ‘97 Iron Mountain Record Center, Brunswick, NJ
13. Recent Disasters
• Power
– ‘92 AT&T
– ‘96 Orrville, OH
– ‘99 East coast heat/drought brownouts
• Floods
– ‘97 Midwest floods
• Storms
– ‘92 Hurricane Andrew
– ‘93 Northeast Blizzard
– ‘96 Hurricanes Bertha, Fran
– ‘98 Florida tornados
• Hardware/Software
– Year 2000
14. The Problem (continued)
• The sources of disruption listed on slide 11 (utility failures through technology failure), plus:
• Failure to keep operating
Fortune 1000 study
– Average loss $78K, up to $500K
– 65% of companies that are down for more than 1 week never reopen
– Loss of market share common
15. Threats
• From Data Pro reports
– Errors & omissions 50%
– Fire, water, electrical 25%
– Dishonest employees 10%
– Disgruntled employees 10%
– Outsider threats 5%
16. The Controls
• Least Privilege
– Information security
• Redundancy
– Backed up data
– Alternate equipment
– Alternate communications
– Alternate facilities
– Alternate personnel
– Alternate procedures
17. The Steps in a BCP - Initiation
• Project initiation
– Executive commitment and support MOST CRITICAL
– Business case to obtain support
– Sell the need for DRP (price vs benefit)
– Build and maintain awareness
– On-going testing & maintenance
– Top down approach
– Project planning, staffing
• Local support/responsibility
18. The Steps in a BCP - 1
• Impact Assessment (Impact Analysis/Vulnerability Assessment/Current State Assessment/Risk Assessment)
Purpose
– Identify risks
– Identify business requirements for continuity
– Quantify impact of potential threats
– Balance impact and countermeasure cost
– Establish recovery priorities
19. Benefits (of the impact assessment)
• Relates security objectives to organization mission
• Quantifies how much to spend on security measures
• Provides long term planning guidance
– Site selection
– Building design
– HW configuration
– SW
– Internal controls
– Criteria for contingency plans
– Security policy
• Protection requirements
• Significant threats
• Responsibilities
20. The Steps in a BCP - 1
• Risk Assessment
– Potential failure scenarios
– Likelihood of failure
– Cost of failure (loss impact analysis)
• Dollar losses
• Additional operational expenses
• Violation of contracts, regulatory requirements
• Loss of competitive advantage, public confidence
– Assumed maximum downtime (recovery time frames)
• Rate of losses
• Periodic criticality
• Time-loss curve charts
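The recovery-time items above (assumed maximum downtime, rate of losses, periodic criticality, time-loss curve charts) are easier to see with numbers. The following is an added example, not part of the original deck: a small time-loss model for one business function that derives the maximum tolerable downtime from a tolerable-loss figure and shows why a worst-case start time has to be assumed. The payroll function, its hourly loss rate, the critical window and the tolerable-loss figure are all hypothetical.

```python
from dataclasses import dataclass

# Added example: time-loss curve for a single business function.
# All figures are hypothetical; they are not taken from the deck.


@dataclass(frozen=True)
class LossProfile:
    """How an outage of one business function turns into loss over time."""
    hourly_loss: float                       # steady-state loss per hour of outage
    critical_hours: frozenset = frozenset()  # hours (since start of cycle) when the function is periodically critical
    critical_penalty: float = 0.0            # extra one-off loss if the outage overlaps a critical hour


def loss_for_outage(profile: LossProfile, start_hour: int, duration_hours: int) -> float:
    """Loss from an outage that starts at start_hour and lasts duration_hours."""
    loss = profile.hourly_loss * duration_hours
    end_hour = start_hour + duration_hours
    # Periodic criticality: the same outage costs far more if it overlaps the critical run
    if any(start_hour <= h < end_hour for h in profile.critical_hours):
        loss += profile.critical_penalty
    return loss


def time_loss_curve(profile: LossProfile, start_hour: int, max_hours: int):
    """Yield (duration, cumulative loss) points: the data behind a time-loss curve chart."""
    for duration in range(1, max_hours + 1):
        yield duration, loss_for_outage(profile, start_hour, duration)


def max_tolerable_downtime(profile: LossProfile, start_hour: int,
                           tolerable_loss: float, horizon_hours: int = 720) -> int:
    """Longest outage (hours) whose loss stays within tolerable_loss; 0 if even one hour exceeds it."""
    mtd = 0
    for duration, loss in time_loss_curve(profile, start_hour, horizon_hours):
        if loss > tolerable_loss:
            break
        mtd = duration
    return mtd


def worst_case_mtd(profile: LossProfile, tolerable_loss: float, cycle_hours: int = 720) -> int:
    """Worst-case assumption: the outage begins at the least convenient hour of the cycle."""
    return min(max_tolerable_downtime(profile, start, tolerable_loss, cycle_hours)
               for start in range(cycle_hours))


# Hypothetical payroll function: $1,000 per hour of outage, plus a $50,000 penalty if the
# outage overlaps the 8-hour payroll run at hours 72-79 of a 720-hour (30-day) cycle.
PAYROLL = LossProfile(hourly_loss=1_000.0,
                      critical_hours=frozenset(range(72, 80)),
                      critical_penalty=50_000.0)
TOLERABLE_LOSS = 20_000.0


if __name__ == "__main__":
    for start in (0, 70):
        print(f"outage starting at hour {start}: MTD = "
              f"{max_tolerable_downtime(PAYROLL, start, TOLERABLE_LOSS)} h")
    print(f"worst case over the cycle: MTD = {worst_case_mtd(PAYROLL, TOLERABLE_LOSS)} h")
```

With these figures an outage that starts at the beginning of the month can run for 20 hours before the loss exceeds the tolerance, one that starts two hours before the payroll run for only 2 hours, and one that starts during the run for none at all. The recovery time frame written into the plan has to be the worst-case value, which is why the deck lists worst-case assumptions next to periodic criticality.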
21. The Steps in a BCP - 1
• Risk Assessment/Analysis
– Potential failure scenarios (risks)
– Likelihood of failure
– Cost of failure, quantify impact of threat
– Assumed maximum downtime
– Annual Loss Expectancy
– Worst case assumptions
– Based on business process model? Or IT model?
– Identify critical functions and supporting resources
– Balance impact and countermeasure cost
• Key factors:
– Potential damage
– Likelihood
22. Definitions
• Threat
– any event which could have an undesirable impact
• Vulnerability
– absence or weakness of a risk-reducing safeguard; potential to allow a threat to occur with greater frequency, greater impact, or both
• Exposure
– a measure of the magnitude of loss or impact on the value of the asset
• Risk
– the potential for harm or loss, including the degree of confidence of the estimate
23. Definitions
• Quantitative Risk Analysis
– quantified estimates of impact, threat frequency, safeguard effectiveness and cost, and probability
– Powerful aid to decision making
– Difficult to do in time and cost
• Qualitative Risk Analysis
– minimally quantified estimates
– Exposure scale ranking estimates
– Easier in time and money
– Less compelling
• Risk analysis is performed as a continuum from fully qualitative to less than fully quantitative
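As an added example (not from the deck), here are the two approaches on slide 23 in code, together with the Annual Loss Expectancy and "balance impact and countermeasure cost" items on slide 21: the quantitative side expresses single and annual loss expectancy in dollars and tests whether a safeguard pays for itself; the qualitative side ranks the same threats on ordinal likelihood and impact scales. The asset values, exposure factors, occurrence rates, safeguard costs and scale labels are hypothetical.

```python
from dataclasses import dataclass, replace

# Added example: quantitative (dollar) vs qualitative (ordinal) risk analysis.
# Asset values, exposure factors, frequencies and safeguard costs are hypothetical.


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # value of the asset at risk (AV)
    exposure_factor: float  # fraction of AV lost per occurrence (EF), 0.0 to 1.0
    aro: float              # annualized rate of occurrence (ARO); 0.1 = once in ten years


def single_loss_expectancy(t: Threat) -> float:
    """SLE = AV x EF: loss from one occurrence of the threat."""
    return t.asset_value * t.exposure_factor


def annual_loss_expectancy(t: Threat) -> float:
    """ALE = SLE x ARO: expected loss per year, the deck's 'magnitude of risk'."""
    return single_loss_expectancy(t) * t.aro


def safeguard_value(t: Threat, annual_cost: float,
                    new_exposure_factor: float = None, new_aro: float = None) -> float:
    """Net annual value of a safeguard: ALE before - ALE after - annual cost of the safeguard.

    A safeguard may reduce the damage per event (EF), the frequency (ARO), or both.
    A negative result means the countermeasure costs more than the risk it removes.
    """
    after = replace(t,
                    exposure_factor=t.exposure_factor if new_exposure_factor is None else new_exposure_factor,
                    aro=t.aro if new_aro is None else new_aro)
    return annual_loss_expectancy(t) - annual_loss_expectancy(after) - annual_cost


def rank_quantitative(threats):
    """Countermeasure/recovery priority by ALE, highest first."""
    return [t.name for t in sorted(threats, key=annual_loss_expectancy, reverse=True)]


# Qualitative analysis: ordinal exposure scales instead of dollars (hypothetical labels)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}
IMPACT = {"negligible": 1, "minor": 2, "major": 3, "severe": 4}


def qualitative_score(likelihood: str, impact: str) -> int:
    """Potential damage x likelihood on ordinal scales (slide 21's two key factors)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def rank_qualitative(items):
    """items: (name, likelihood, impact) tuples; returns names by score, highest first."""
    ranked = sorted(items, key=lambda x: qualitative_score(x[1], x[2]), reverse=True)
    return [name for name, _, _ in ranked]


# Hypothetical data-centre scenario
FIRE = Threat("fire", asset_value=2_000_000, exposure_factor=0.5, aro=0.05)
POWER = Threat("utility power failure", asset_value=2_000_000, exposure_factor=0.02, aro=2.0)
ERRORS = Threat("errors and omissions", asset_value=500_000, exposure_factor=0.1, aro=12.0)


if __name__ == "__main__":
    for t in (FIRE, POWER, ERRORS):
        print(f"{t.name:24s} SLE ${single_loss_expectancy(t):>12,.0f}  ALE ${annual_loss_expectancy(t):>12,.0f}")
    print("quantitative priority:", rank_quantitative([FIRE, POWER, ERRORS]))
    # Sprinklers at $10k/year cut the fire EF from 0.5 to 0.1; a $100k/year UPS cuts power ARO from 2 to 0.1
    print("sprinklers net value:", safeguard_value(FIRE, 10_000, new_exposure_factor=0.1))
    print("UPS net value:", safeguard_value(POWER, 100_000, new_aro=0.1))
    print("qualitative priority:", rank_qualitative([
        ("fire", "unlikely", "severe"), ("power", "likely", "minor"), ("errors", "likely", "major")]))
```

The frequent, low-impact threat (errors and omissions) dominates the ALE ranking even though a single fire is the largest loss event, which is the point of weighting damage by likelihood; the sprinkler safeguard is justified while the UPS, at that price, is not. The qualitative ranking reaches a similar order but cannot separate "fire" from "power" (both score 8) or say what a safeguard is worth, which is what the deck means by "less compelling".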
24. Results
• Loss impact analysis
• Recovery time frames
– Essential business functions
– Information systems applications
• Recommended recovery priorities & strategies
• Goals
– Understand economic & operational impact
– Determine recovery time frame (business/DP/Network)
– Identify most appropriate strategy
– Cost/justify recovery planning
– Include BCP in normal decision making process
25. Risk Management Team
• Management - Support
• DP Operations
• Systems Programming
• Internal Audit
• Physical Security
• Application owners
• Application programmers
28. Threats
• Unauthorized access
• Hardware failure
• Utility failure
• Natural disasters
• Loss of key personnel
• Human errors
• Neighborhood hazards
• Tampering
• Disgruntled employees
• Emanations
• Safety
• Improper use of technology
• Repetition of errors
• Cascading of errors
• Illogical processing
• Translation of user needs (technical requirements)
• Inability to control technology
• Equipment failure
• Incorrect entry of data
• Concentration of data
• Inability to react quickly
• Inability to substantiate processing
• Concentration of responsibilities
• Erroneous/falsified data
• Misuse
29. Threats
• Uncontrolled system access
• Ineffective application security
• Operations procedural errors
• Program errors
• Operating system flaws
• Communications system failure
• Utility failure
30. Risk Analysis Steps
• 1 - Identify essential business functions
– Dollar losses or added expense
– Contract/legal/regulatory requirements
– Competitive advantage/market share
– Interviews, questionnaires, workshops
• 2 - Establish recovery plan parameters
– Prioritize business functions
• 3 - Gather impact data/Threat analysis
– Probability of occurrence, source of help
– Document business functions
– Define support requirements
– Document effects of disruption
– Determine maximum acceptable outage period
– Create outage scenarios
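The "assumed maximum downtime" and "maximum acceptable outage period" items above reduce to one calculation: accumulate the rate of losses over the length of the outage, allow for periodic criticality (a month-end peak, for instance), and find the point at which the time-loss curve crosses what the business can tolerate. The Python block below is an added example and not code from the CBK deck; the three business functions, their loss-rate steps, the 1.5x peak multiplier and the $100,000 tolerance are constructed assumptions.

```python
"""Time-loss curve and maximum acceptable outage per business function.

Added example, not from the CBK slides. The business functions, loss rates,
peak multiplier and the $100,000 tolerance below are constructed.
"""
import math
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class LossRate:
    """From `from_hour` onwards, losses accrue at `per_hour` dollars per hour."""
    from_hour: float
    per_hour: float


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    rates: Tuple[LossRate, ...]     # ascending from_hour; the first step starts at 0
    peak_multiplier: float = 1.0    # periodic criticality, e.g. month-end processing


def cumulative_loss(func: BusinessFunction, hours: float, peak: bool = False) -> float:
    """Dollar loss accumulated after `hours` of outage (one point on the time-loss curve)."""
    factor = func.peak_multiplier if peak else 1.0
    total = 0.0
    for i, step in enumerate(func.rates):
        if hours <= step.from_hour:
            break
        end = func.rates[i + 1].from_hour if i + 1 < len(func.rates) else math.inf
        total += (min(hours, end) - step.from_hour) * step.per_hour
    return total * factor


def time_loss_curve(func: BusinessFunction, hours_points: Iterable[float],
                    peak: bool = False) -> List[Tuple[float, float]]:
    """(hours, cumulative loss) points for a time-loss curve chart."""
    return [(h, cumulative_loss(func, h, peak)) for h in hours_points]


def max_acceptable_outage(func: BusinessFunction, tolerance: float, peak: bool = False) -> float:
    """Longest outage in hours whose cumulative loss stays within `tolerance`.

    The curve is piecewise linear and non-decreasing, so walk the segments and
    invert the one in which the tolerance is crossed. Returns math.inf when the
    loss never reaches the tolerance (nothing accrues).
    """
    factor = func.peak_multiplier if peak else 1.0
    total = 0.0
    for i, step in enumerate(func.rates):
        rate = step.per_hour * factor
        if rate <= 0:
            continue  # grace period: nothing accrues in this segment
        end = func.rates[i + 1].from_hour if i + 1 < len(func.rates) else math.inf
        segment_loss = (end - step.from_hour) * rate
        if total + segment_loss > tolerance:
            return step.from_hour + (tolerance - total) / rate
        total += segment_loss
    return math.inf


def recovery_priority(functions: Iterable[BusinessFunction], tolerance: float,
                      peak: bool = False) -> List[str]:
    """Functions ordered by shortest maximum acceptable outage: these are recovered first."""
    return [f.name for f in sorted(functions,
                                   key=lambda f: max_acceptable_outage(f, tolerance, peak))]


# Constructed sample: three functions with different loss profiles.
ORDER_ENTRY = BusinessFunction("Order entry", (LossRate(0, 2_000), LossRate(8, 10_000)),
                               peak_multiplier=1.5)
PAYROLL = BusinessFunction("Payroll", (LossRate(0, 0), LossRate(48, 5_000)))
ARCHIVE = BusinessFunction("Archive retrieval", (LossRate(0, 50),))
FUNCTIONS = (ORDER_ENTRY, PAYROLL, ARCHIVE)
TOLERANCE = 100_000  # constructed: dollars of loss the business will absorb from one outage

if __name__ == "__main__":
    for f in FUNCTIONS:
        print(f"{f.name:18} MAO {max_acceptable_outage(f, TOLERANCE):8.1f} h   "
              f"peak MAO {max_acceptable_outage(f, TOLERANCE, peak=True):8.1f} h")
    print("Recovery priority:", recovery_priority(FUNCTIONS, TOLERANCE))
    print("Order entry time-loss curve:", time_loss_curve(ORDER_ENTRY, (4, 8, 12, 24)))
```

Run at peak the order-entry window shrinks from roughly 16 to 13 hours, which is why the slides ask for periodic criticality to be considered: a recovery time frame derived from an average day is too generous for the worst day.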
31. Risk Analysis Steps
• 4 - Analyze and summarize
– Estimate potential losses
• Destruction/theft of assets
• Loss of data
• Theft of information
• Indirect theft of assets
• Delayed processing
• Consider periodicity
– Combine potential loss & probability
– Magnitude of risk is the ALE (Annual Loss Expectancy)
– Guide to security measures and how much to spend
32. Results
• Significant threats & probabilities
• Critical tasks & loss potential by threat
• Remedial measures
– Greatest net reduction in losses
– Annual cost
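Step 4 above (combine potential loss and probability into an ALE) and the results slide (remedial measures ranked by greatest net reduction in losses against their annual cost) can be worked through in a few lines. This Python block is an added example, not code from the CBK deck; the threats, single-loss figures, occurrence rates and safeguard costs are constructed, and the ALE formula used is the usual single loss expectancy times annual rate of occurrence.

```python
"""Annual Loss Expectancy (ALE) and remedial-measure selection.

Added example, not from the CBK slides. Threats, loss figures and safeguard
costs below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    single_loss: float   # SLE: dollars lost per occurrence (assets, data, delayed processing)
    annual_rate: float   # ARO: expected occurrences per year (probability x frequency)


@dataclass(frozen=True)
class Safeguard:
    name: str
    threat: str                   # name of the Threat it addresses
    annual_cost: float            # amortised purchase plus yearly operating cost
    rate_reduction: float = 0.0   # fraction of ARO removed (prevention), 0..1
    loss_reduction: float = 0.0   # fraction of SLE removed (containment), 0..1

    def __post_init__(self):
        for frac in (self.rate_reduction, self.loss_reduction):
            if not 0.0 <= frac <= 1.0:
                raise ValueError("reductions must be fractions between 0 and 1")


def ale(threat: Threat) -> float:
    """Annual Loss Expectancy = single loss expectancy x annual rate of occurrence."""
    return threat.single_loss * threat.annual_rate


def residual_ale(threat: Threat, safeguard: Safeguard) -> float:
    """ALE that remains once the safeguard is in place."""
    return (threat.single_loss * (1.0 - safeguard.loss_reduction)
            * threat.annual_rate * (1.0 - safeguard.rate_reduction))


def net_reduction(threat: Threat, safeguard: Safeguard) -> float:
    """Net annual benefit: ALE avoided minus the safeguard's annual cost.

    A negative value means the countermeasure costs more per year than the
    loss it prevents, which is the imbalance the slides warn against.
    """
    return ale(threat) - residual_ale(threat, safeguard) - safeguard.annual_cost


def rank_safeguards(threats: Iterable[Threat],
                    safeguards: Iterable[Safeguard]) -> List[Tuple[str, float]]:
    """Safeguards ordered by greatest net reduction in losses, as (name, net reduction)."""
    by_name = {t.name: t for t in threats}
    scored = [(s.name, net_reduction(by_name[s.threat], s)) for s in safeguards]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def justified(threats: Iterable[Threat], safeguards: Iterable[Safeguard]) -> List[str]:
    """Names of safeguards whose spend is justified by the loss they avoid."""
    return [name for name, value in rank_safeguards(threats, safeguards) if value > 0]


# Constructed sample data (not from the slides).
THREATS = (
    Threat("Utility failure", single_loss=50_000, annual_rate=2.0),
    Threat("Fire", single_loss=2_000_000, annual_rate=0.02),
    Threat("Incorrect entry of data", single_loss=5_000, annual_rate=12.0),
)
SAFEGUARDS = (
    Safeguard("UPS and generators", "Utility failure", 30_000, rate_reduction=0.9),
    Safeguard("Fire detection and suppression", "Fire", 25_000, loss_reduction=0.75),
    Safeguard("Input validation and dual entry", "Incorrect entry of data", 20_000,
              rate_reduction=0.5, loss_reduction=0.5),
    Safeguard("Duplicate data centre", "Fire", 200_000, loss_reduction=0.95),
)

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name:26} ALE ${ale(t):>12,.0f}")
    for name, value in rank_safeguards(THREATS, SAFEGUARDS):
        print(f"{name:34} net reduction ${value:>12,.0f}")
    print("Justified:", justified(THREATS, SAFEGUARDS))
```

The ranking is what the "Results" slide calls for: the fire-suppression line item is worth little in ALE terms but still pays for itself, while the duplicate data centre, although it removes almost all of the fire loss, cannot be justified by that single threat alone.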
33. Information Valuation
• Information has cost/value
– Acquire/develop/maintain
– Owner/Custodian/User/Adversary
• Do a cost/value estimate for
– Cost/benefit analysis
– Integrate security in systems
– Avoid penalties
– Preserve proprietary information
– Business continuity
• Circumstances affect valuation timing
• Ethical obligation to use justifiable tools/techniques
34. Conditions of Value
• Exclusive possession
• Utility
• Cost of creation/recreation
• Liability
• Convertibility/negotiability
• Operational impact
• Market forces
• Official value
• Expert opinion/appraisal
• Bilateral agreement/contract
35. Scenario
• A specific threat (potential event/act) in which assets are subject to loss
• Write scenario for each major threat
• Credibility/functionality review
• Evaluate current safeguards
• Finalize/Play out
• Prepare findings
36. The Steps in a BCP - 2
• Strategy Development (Alternative Selection)
– Management support
– Team structure
– Strategy selection
• Cost effective
• Workable
37. The Steps in a BCP - 3
• Implementation (Plan Development)
– Specify resources needed for recovery
– Make necessary advance arrangements
– Mitigate exposures
38. The Steps in a BCP - 3
• Risk Prevention/Mitigation
– Risk management program
– Security - physical and information (access)
– Environmental controls
– Redundancy - Backups/Recoverability
• Journaling, Mirroring, Shadowing
• On-line/near-line/off-line
– Insurance
– Emergency response plans
– Procedures
– Training
39. The Steps in a BCP - 3
• Decision Making
– Cost effectiveness
• Total cost
– Human intervention requirements
• Manual functions are weakest
– Overrides and defaults
• Shutdown capability
• Default to no access
– Design openness
– Least Privilege
• Minimum information
• Visible safeguards
– Entrapment
• Selected vulnerabilities made attractive
40. The Steps in a BCP - 3
• Decision Making
– Independence of controller and subject
– Universality
– Compartmentalization, defense in depth
– Isolation
– Completeness
– Instrumentation
– Acceptance
– Sustainability
– Auditability
– Accountability
– Recovery
42. Remedial Measures
• Fire
– Detection, suppression
• Water
– Detection, equipment covers, positioning
• Electrical
– UPS, generators
• Environmental
– Backups
• Good housekeeping
• Backup procedures
• Emergency response procedures
43. The Steps in a BCP - 3
• Plan Development
– Specify resources needed for recovery
– Team-based
– Recovery plans
– Mitigation steps
– Testing plans
– Prepared by those who will carry them out
44. Included in a BCP
• Off-site storage
– Trip there - secure? Timely?
– Physical layout of site
– Fire protection
– Climate controls
– Security access controls
– Backup power
45. Included in a BCP
• Off-site storage
• Alternate site
– Hot/Warm/Cold(Shell) sites
– Reciprocal agreements/Multiple sites/Service bureaus
– Trip there - secure? Timely?
– Physical layout of site
– Fire protection
– Climate controls
– Security access controls
– Backup power
– Agreements
46. Included in a BCP
• Off-site storage
• Alternate site
• Backup processing
– Compatibility
– Capacity
– Journaling - maintaining audit records
• Remote journaling - to off-site location
– Shadowing - remote journaling and delayed mirroring
– Mirroring - maintaining a real-time copy of data
– Electronic vaulting - bulk transfer of backup files
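The backup-processing options listed above differ mainly in how much recent work each preserves after a site loss and in how quickly an erroneous or falsified change propagates to the copy. The Python model below is an added example, not code from the CBK deck: a toy key/value store with a local journal, remote journaling, a synchronous mirror, a shadow that applies the remote journal with a lag, and periodic electronic vaulting. The transaction list, the shadow lag of two entries and the vault interval of five writes are constructed assumptions.

```python
"""Backup-processing options (journaling, remote journaling, shadowing,
mirroring, electronic vaulting) compared by what survives a failure.

Added example, not from the CBK slides. The key/value store, transactions,
shadow lag and vault interval are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    """One journal (audit) record: sequence number plus the change it describes."""
    seq: int
    key: str
    value: str


def replay(entries: List[Entry], base: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Rebuild data by applying journal entries in sequence order to a copy of `base`."""
    state = dict(base or {})
    for e in sorted(entries, key=lambda e: e.seq):
        state[e.key] = e.value
    return state


@dataclass
class Primary:
    vault_every: int = 5
    state: Dict[str, str] = field(default_factory=dict)
    journal: List[Entry] = field(default_factory=list)         # local journal (audit records)
    remote_journal: List[Entry] = field(default_factory=list)  # remote journaling: records sent off-site
    mirror: Dict[str, str] = field(default_factory=dict)       # mirroring: real-time copy
    vault: Tuple[int, Dict[str, str]] = (0, {})                # electronic vaulting: (seq, bulk copy)

    def write(self, key: str, value: str) -> Entry:
        entry = Entry(len(self.journal) + 1, key, value)
        self.journal.append(entry)          # journal first, then apply (write-ahead)
        self.remote_journal.append(entry)   # shipped to the off-site location as written
        self.state[key] = value
        self.mirror[key] = value            # the mirror takes the change in the same step
        if entry.seq % self.vault_every == 0:
            self.vault = (entry.seq, dict(self.state))  # periodic bulk transfer of a full copy
        return entry


def shadow_state(remote_journal: List[Entry], lag: int) -> Dict[str, str]:
    """Shadowing: the remote journal applied with a delay of `lag` entries (delayed mirroring)."""
    applied = remote_journal[:max(len(remote_journal) - lag, 0)]
    return replay(applied)


def recover_from_vault(vault: Tuple[int, Dict[str, str]], remote_journal: List[Entry],
                       upto_seq: Optional[int] = None) -> Dict[str, str]:
    """Restore the vaulted copy, then roll the remote journal forward.

    `upto_seq` stops the roll-forward early, e.g. just before a bad transaction;
    that only works when the vault itself predates the bad entry.
    """
    seq, snapshot = vault
    tail = [e for e in remote_journal
            if e.seq > seq and (upto_seq is None or e.seq <= upto_seq)]
    return replay(tail, snapshot)


def recovery_points(primary: Primary, shadow_lag: int) -> Dict[str, int]:
    """Highest transaction sequence number each option can restore after a site loss."""
    last = len(primary.journal)
    return {
        "mirroring": last,
        "shadowing": max(last - shadow_lag, 0),
        "electronic vaulting only": primary.vault[0],
        "vaulting + remote journal": last,
    }


# Constructed transaction stream; the last write is a deliberately erroneous entry.
WRITES = (("acct-1", "100"), ("acct-2", "250"), ("acct-1", "90"), ("acct-3", "40"),
          ("acct-2", "260"), ("acct-3", "45"), ("acct-1", "ERRONEOUS"))


def build_primary(writes=WRITES, vault_every: int = 5) -> Primary:
    p = Primary(vault_every=vault_every)
    for key, value in writes:
        p.write(key, value)
    return p


if __name__ == "__main__":
    p = build_primary()
    print("Recovery points after site loss:", recovery_points(p, shadow_lag=2))
    print("Mirror copied the bad write:", p.mirror["acct-1"])
    print("Shadow (lag 2) still has:", shadow_state(p.remote_journal, 2)["acct-1"])
    print("Vault + journal to seq 6:", recover_from_vault(p.vault, p.remote_journal, upto_seq=6))
```

The two outcomes worth noting for a recovery strategy: the mirror gives the best recovery point but faithfully copies the erroneous write, whereas the shadow's lag and the vault-plus-journal roll-forward both allow recovery to the last good transaction, at the price of a window of recent work that must be re-entered.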
47. Included in a BCP
• Off-site storage
• Alternate site
• Backup processing
• Communications
– Compatibility
– Accessibility
– Capacity
– Alternatives
48. Included in a BCP
• Off-site storage
• Alternate site
• Backup processing
• Communications
• Work space
– Accessibility
– Capacity
– Environment
49. Included in a BCP
• Off-site storage
• Alternate site
• Backup processing
• Communications
• Work space
• Office equipment/supplies/documentation
• Security
• Critical business processes/Management
• Testing
• Vendors - Contact info, agreements
• Teams - Contact info, transportation
• Return to normal operations
• Resources needed
51. The Steps in a BCP - Finally
• Plan Testing
– Proves feasibility of recovery process
– Verifies compatibility of backup facilities
– Ensures adequacy of team procedures
• Identifies deficiencies in procedures
– Trains team members
– Provides mechanism for maintaining/updating the plan
– Upper management comfort
52. The Steps in a BCP - Finally
• Plan Testing
– Desk checks/Checklist
– Structured Walkthroughs
– Live exercises/Simulations
– Periodic off-site recovery tests/Parallel
– Full interruption drills
53. The Steps in a BCP - Finally
• Test
– Hardware
– Software
– Personnel
– Communications
– Procurement
– Procedures
– Supplies/forms
– Documentation
– Transportation
– Utilities
– Alternate site processing
– Security
54. The Steps in a BCP - Finally
• Test
– Purpose (scenario)
– Objectives/Assumptions
– Type
– Timing
– Schedule
– Duration
– Participants
• Assignments
– Constraints
– Steps
55. The Steps in a BCP - Finally
• Alternate Site Test
– Activate emergency control center
– Notify & mobilize personnel
– Notify vendors
– Pickup and transport
• tapes
• supplies
• documentation
– Install (Cold and Warm sites)
– IPL
– Verify
– Run
– Shut down/Clean up
– Document/Report
56. The Steps in a BCP - Finally
• Plan Update and Retest cycle (Plan Maintenance)
– Critical to maintain validity and usability of plan
• Environmental changes
• HW/SW/FW changes
• Personnel
– Needs to be included in organization plans
• Job description/expectations
• Personnel evaluations
• Audit work plans
57. BCP by Stages
• Initiation
• Current state assessment
• Develop support processes
• Training
• Impact Assessment
• Alternative selection
• Recovery Plan development
• Support services continuity plan development
• Master plan consolidation
• Testing strategy development
• Post-transition plan development
58. BCP by Stages
• Implementation planning
• Quick Hits
• Implementation, testing, maintenance
59. End User Planning
• DP is critical to end users
• Difficult to use manual procedures
• Recovery is complex
• Need to plan
– manual procedures
– recovery of data/transactions
– procedures for alternate site operation
– procedures to return to normal
60. The Real World
• DR plans normally involve
– Essential DP platforms/systems only
– A manual on the shelf written 2-3 years ago
– Little or no user involvement
– No provision for business processes
– No active testing
– Resource lists and contact information that do not match current realities
61. Stages in an Incident
• Disaster
– interruption affecting user operations significantly
62. Stages in an Incident
• Disaster
• Initial/Emergency response
– Purpose
• Ensure safety of people
• Prevent further damage
– Activate emergency response team
– Covers emergency procedures for expected hazards
– Safety essential
– Emergency supplies
– Crisis Management plan - decision making
63. Stages in an Incident
• Disaster
• Initial response
• Impact assessment
– Activate assessment team
– Determine situation
• What is affected?
– Decide whether to activate plan
64. Stages in an Incident
• Disaster
• Initial response
• Impact assessment
• Initial recovery
– Initial recovery of key areas at alternate site
– Detailed procedures
– Salvage/repair - Clean up
65. Stages in an Incident
• Disaster
• Initial response
• Impact assessment
• Initial recovery
• Return to normal/Business resumption
– Return to operation at normal site
– “Emergency” is not over until you are back to normal
– Requires just as much planning - Parallel operations
66. Special Cases
• Y2K
– Incidents will happen in a particular time frame
– Alternate sites won’t help
– Redundant equipment won’t help
– Backups won’t help
– Involves automated equipment and services
67. Final Thoughts
• Do you really want to activate a DR/BCP plan?
– Prevention
– Planning
Editor's Notes
Vulnerabilities?
Improper access to data - controls not granular enough
Invalid data -
Update permitted to the wrong/too many people