Continuity & Resilience (CORE)
ISO 22301 BCM Consulting Firm
Presentations by speakers at the
8th ME Business & IT Resilience Summit
March 10, 2019 at The Address Hotel, Dubai Mall, Dubai, UAE
SAMA BCM Framework
Dhiraj Lal
Executive Director
Continuity and Resilience
Abu Dhabi
8th BC & IT Resilience Summit
March 10, 2019, The Address Hotel, Dubai Mall
About Continuity & Resilience (CORE)
Consulting Services (ISO 22301 Certified)
▪ Cyber Security
▪ Business Continuity Management
▪ Crisis Management
▪ IT Disaster Recovery
▪ Information Security
▪ Risk Management
Training Services
▪ NCEMA-developed training (we are trainers for the
NCEMA courses at GCAS, an NCEMA-licensed training
entity)
▪ CORE is an approved Global Training Partner of the
UK-based Business Continuity Institute, licensed to
conduct BCI trainings anywhere in the globe
Notification and Automation Tools
CORE acts as an enabler between
the partner & client by
providing support for:
• Gather requirements
• Shortlist Vendors
• Subject matter expertise for
tool selection
• Perform Vendor Demos
• Tool installation &
implementation
support for BC, ITDR &
Notification
• Assistance during tool testing
E-learning Development and Deployment
• Higher coverage
• Consistency in communication
• Higher learning retention
• Learn at your own pace,
anytime and anywhere
• Latest and most updated
courseware always available
• Cost effective compared with
classroom-based training
• Saves paper and reduces carbon
footprint
[Diagram labels: Crisis Management (1), Business Continuity (2), IT Service Management (6), Sustainability (7)]

Our Consulting approach (BCM Consulting Assignment)
Phases shown in the diagram:
• Initial Assessment & Roadmap
• Implementation
• Operationalize the BCMS
Activities shown: Interview Senior Management, Documentation Review,
Implementation Review, Assessment Report, Current State Assessment,
Industry Benchmarking, Maturity Assessment, Program Management Plan,
Business Impact Analysis, Risk Assessment, BC Strategy & Response,
Testing, Exercising, Performance Evaluation, Continual Improvement
Benefits:
• Focus on high priority items
• Identify potential threats & take measures to mitigate impact
• Effective & coordinated response during crisis in order to minimize
decision points at the time
• Validation of documented steps
• Assurance & long term sustainability
Training
• Cyber Attack/ Crisis Simulation Exercise
• Senior Management Awareness workshops
• ISMS and BCMS coordinators training courses
• BCI Courses – CBCI Certification Workshop, BIA, Writing BC Plans
workshops
• Certification aspirants workshops for CISSP, CISA, CISM and
CRISC
• ISO 27001 Lead Auditor training
• ISO 22301 Lead Implementer/ Auditor training
• ISO 31000 (Risk Management) courses
• IT Disaster Recovery workshop
Training
• NCEMA “official” courses –
✓ 1 day awareness
✓ 5 day Lead Implementer
✓ 5 day Lead Auditor
✓ 2 day Exercising and Testing
• Cyber Attack/ Crisis Simulation Exercise
• Senior Management Awareness workshops
• Coordinator training courses in ISMS and BCMS
• BCI Courses – CBCI Certification Workshop, BIA, Writing BC Plans
• Lead Auditor training in ISO 27001/ISO 22301
• Certification in Risk Management, IT Disaster Recovery, Crisis Mgt
SAMA Framework
• Is quite explicit of what is to be done
• Mandates many items often left unsaid
• Could well be used by non-banks also – key principles are valid
for any industry
• Can be used as a guidance document for any industry, any
geography, any ownership
• Makes clear that BCM is a senior management responsibility,
typically the board level
Mandate
• SAMA mandates the BCM framework requirements document to
Member Organizations. This document outlines the BCM
requirements to be implemented by the Member Organizations.
• All Member Organizations are required to comply with these
requirements and integrate them formally into their BCM program.
• The BCM framework document is applicable to the full scope of
the Member Organization, including subsidiaries, employees,
subcontractors, third-parties and customers.
Member Organisations
The BCM Framework document is applicable to the following:
• All organizations affiliated with SAMA (“the Member
Organizations”)
• All banks operating in Saudi Arabia
• All banking subsidiaries of Saudi banks
• Subsidiaries of foreign banks situated in Saudi Arabia
Target Audience
This document is intended for those who are responsible for and
involved in defining, implementing and reviewing business continuity
controls….
• Board of Directors
• CEO
• Chief Risk Officer
• Senior and Executive Management
• Business owners
• Owners of information assets
• CIO/CISO
• Business Continuity Managers
• Internal Auditors
BCM Governance
BC governance framework should be monitored by senior management.
1. Board of directors or a delegated executive member should have the
ultimate responsibility for the BCM program.
2. Management should allocate sufficient budget to execute the required
BCM activities.
3. BCM Committee should be mandated by the board of directors.
4. Senior management, such as CRO, COO, CIO, CISO, BCM Manager
and other relevant departments should be represented in the business
continuity committee.
5. A business continuity committee charter should reflect:
a. Committee objectives
b. Roles and responsibilities
c. Minimum number of meeting participants
d. Meeting frequency (minimum on quarterly basis)
Responsibilities
A BCM function should be established.
The BCM function should be adequately staffed with qualified team members.
Cross-functional teams, consisting of strategic, tactical and operations team
members, should contribute to the implementation and maintenance of the
business continuity and disaster recovery plans.
The BCM Manager and BCM coordinators are responsible for maintaining and keeping
the BCPs and arrangements up-to-date.
The IT manager should be responsible for maintaining and keeping the disaster
recovery plans and arrangements up-to-date, with overall accountability for
their integration within the BCM Program resting with the BCM Manager.
Business Impact Analysis (BIA)
The Member Organization should determine the following, but not limited
to:
a. The potential impact of business disruptions for each prioritized
business function and processes, including but not restricted to
financial, operational, customer, legal and regulatory impacts
b. The recovery time objectives (RTOs), recovery point objectives
(RPOs) and Maximum Acceptable Outage (MAO)
c. The internal and external interdependencies
d. Supporting recovery resources
The BCM committee should endorse the prioritized list, BIA results, RA
and the defined RTOs, RPOs and MAOs.
Member Organizations should ensure that RTOs are adequately defined
for payment systems, customer related services, etc. considering the
high availability of these operations and minimum disruption in the event
of disaster.
Risk Assessment (RA)
Risk assessment results should be communicated to the BCM
committee.
The risk assessment should include risks associated with the overall
organization as well as data centers (primary and alternative) which
are not owned by the Member Organization (e.g., consider the
timeframe needed to relocate to a new site and, accordingly, include
a sufficient timeframe in the contractual agreement).
The capability of vendors, suppliers and service providers should be
assessed at least on a yearly basis.
The Member Organization should ensure that the key service providers (if
any) have a BCP in place and that their plans are tested at least on a yearly
basis…. for all critical activities, as determined by the BIA.
IT Disaster Recovery
The Member Organization should define and implement a backup and
recovery process.
The Member Organization should have an offsite location for storing
backups.
The Member Organization should ensure that critical services, business
functions and processes run on reliable and robust infrastructure and
software.
An IT DRP in alignment with business impact analysis should be defined,
approved, implemented and maintained …. to recover and restore
technology services and infrastructure components (Data, systems,
network, services and applications)
Alternate Data Centre
The Member Organization should establish an alternative data center at
an appropriate location.
The location should be identified based on a risk assessment to confirm
that the location does not share the same risks as the main data center
(e.g., geographical threat).
Data, system, network and application configurations, and capacities in
the alternative data center should be commensurate with the
configurations and capacities maintained in the main data center.
The Member Organization should implement the same logical, physical,
environmental and cyber security controls for the alternative data center
as for the primary data center.
Suppliers and Service Providers
• For all critical activities, as determined by the BIA, the Member
Organization should ensure that the key service providers (if any)
have a BCP in place and their plans tested at least on a yearly
basis.
• Formal contracts should be signed with third-parties to ensure the
continuity of outsourced services or delivery of replacing hardware
or software within the agreed timelines in case of a disaster (for
IT DR). Include guidelines to ensure that the contracts signed with
external service providers are aligned with the BIA and RA
outcomes.
• The capability of vendors, suppliers and service providers should be
assessed at least on a yearly basis… to support and maintain
service levels for prioritized activities during disruptive incidents.
Alternate Locations (RA)
• The Member Organization should have sufficient alternative
business workspace(s) where it can relocate the required
resources to deliver the critical processes required as per
predefined recovery objectives in the BIA.
• The alternative business workspace(s) should have clear
demarcation of the seating arrangement for different business
units.
• The Member Organization should implement sufficient logical,
physical and environmental security controls in order to support
the same level of access and security in case the alternative
location needs to be activated.
Business Continuity Plans (BCPs)
The procedures should collectively include:
a. Key resources (e.g., people, equipment, facilities, technologies)
b. Defined roles, responsibilities and authorities for stakeholders
c. A process to manage the immediate consequences of a disruptive
incident and escalation procedures
d. A process to continue the critical activities within predetermined
recovery objectives (RTO, RPO and MAO)
e. A process to resume the Member Organization’s operations to
business-as-usual once the incident is resolved
f. Guidelines for communicating with employees, relevant
third-parties and emergency contacts
g. Process for including relevant cyber security requirements, if any,
within the business continuity planning
Crisis Management Plan (CMP)
The Member Organization should document
• Criteria for declaring a crisis.
• Command center for centralized management and an emergency
command center.
• Crisis-management team members, including representatives
of the critical products, services, functions and processes of the
Member Organization (including the Communications department and
any third-parties to be involved)
• Communication plan (including rapid communication) including
the media response plan, to ensure overall safety and address the
communication with the internal and external stakeholders during
crisis.
• The frequency of crisis management tests
Awareness and Training
• A training program should be provided on an annual basis to
employees involved in BCM to achieve the required level of
experience, skills and competences.
• The Member Organization should periodically measure the
effectiveness of the training and awareness program.
• The Member Organization and relevant third-parties, such as
providers and suppliers should be:
a. Familiar with relevant parts of business continuity policy and plans
b. Contractually bound to provide their services or products within
the agreed time, in case of disruptive event
c. Familiar with their point of contact or their local BCM coordinator
in the Member Organization
d. Familiar with their roles and responsibilities during disruptive
incidents
Exercise and Testing
The Member Organization should:
• Define, approve, implement, execute and monitor regular BCP and
DRP tests
• Train their employees and third-parties and test the effectiveness of
the BC and DR plans.
• Ensure that defined test scenarios cover the activation and
involvement for crisis management team.
• Conduct BCP simulation test exercises (“at least once a year”)
• The tests should consider appropriate scenarios that are well planned
with clearly defined objectives (e.g., per function, per service, per
process, per location, per worst-case scenario)
• The Member Organization should consider including cyber security
scenarios.
• Consider conducting an integrated BCM test for all critical services,
business processes and functions.
IT DR Tests
The Member Organization should:
• Periodically execute a DR test combined with BCP (“at least once a
year”).
• Conduct an evaluation of the executed test of IT DR infrastructure
that supports the Member Organization’s critical systems
• Ensure that the DR test results provide an evaluation and
suggestion for improvements
• Ensure that tests cover the activation and involvement of the
crisis management team.
Effectiveness
• Internal Audit, or a qualified external auditor, should observe the
business continuity and disaster recovery testing activities as an
independent participant
• In case of test failure, the re-testing timelines should not exceed
the limit of three (3) months.
• All BCP and DRP tests results should be reported to the BCM
committee, senior management and the board of directors.
• Test results of business continuity and disaster recovery should be
shared with SAMA within four weeks after the test. The Member
Organization should identify the improvements based on the test
performed and provide an action plan to SAMA within two months
after the submission of the test results.
Summary
• If you are struggling with what to do in your BCM program,
consider taking guidance from the SAMA framework.
• Set up your BCM program for success in line with SAMA principles,
focusing on:
▪ Senior Management Accountability (Board level)
▪ Adequate budget
▪ Adequate and competent resources
▪ Full lifecycle implementation
▪ Exercise and Testing
▪ Regular Senior Management Monitoring and support
▪ Continuous Improvement
ALL THE BEST!!!!
Dhiraj Lal
Executive Director
Landline: +971 2 6594006
Mobile & WhatsApp: +971 52 9263933
Email: dhiraj.l@continuityandresilience.com
Skype: dhiraj.lal21
Implementation Approach & Methodology
Head Office
Continuity & Resilience
Level 15, Eros Corporate Tower
Nehru Place, New Delhi-110019, INDIA
Tel: +91 11 41055534/ +91 11 41613033
Fax: +91 11 41055535
Email: info@continuityandresilience.com
Contact:
Padmanabha Bora
Director
Mobile & WhatsApp: +91 9654870406
Email: pb@continuityandresilience.com
Skype: Padmanabha.bora
CORE Cyber Security / Information Security
Services
Capacity Building & Skill Development
• Corporate Instructor Led Trainings
• Cyber Attack Simulation Exercise
• Customised training for Corporate
• Public Certification Aspirants Workshops (CISSP, CISA, CISM, CRISC)
Professional
Services
• Governance, Risk & Compliance
• CERT & CSIRT (BOMT Model)
• Forensics & Investigations / VAPT
• Gap Analysis / Health Checks & Pre Audit Services
Managed
Security
Services
• CSIRT as a Service
• SOC (remote, BOMT/O&M)
• Predictive Security through Threat Hunting & Counter Threat Intelligence
• Forensics & Investigation Services
Products
• Confront & Denial of Operations Area through Smoke Screen
• Forensics Workstation & DDoS Protection Tool
• Employee Forensics & Monitoring Tool
• Mobile Device Management & Mobile Data Security
Trainings
Public Programs
• Global Certifications like BCI, IRCA
• CORE Certifications
In-house Workshops
• Global Certifications like BCI, IRCA
• CORE Certifications
Tailor-made
• Customized to clients
• Specialized coverage
• Awareness Education
• Simulated Exercises
Sectors
• Telecom
• Critical Infrastructure
• Financial Sector
• Banking
• Government sector
• Oil and Gas
• Insurance
• Government
• Real Estate
• Aviation
• IT/ ITeS
• … Etc
How can we help?
• Gap Assessment
• Training for top management
• Implementation Roadmap
• Coordinators Orientation training
• Policy
• Templates
• RA Strategies
• Vulnerability Assessment
• Penetration Testing
• Tool Assessment as per your IT setup
• Data Centre assessment
E-learning Support
• Scope: The BCM framework document defines principles,
objectives and control considerations for initiating, implementing,
maintaining, monitoring and improving business continuity
controls in member organizations. The BCM framework document
has an interrelationship with other corporate policies for related
areas, such as enterprise risk management, health, safety and
environment (HSE), physical security, cybersecurity (including
cyber resilience and incident management).