BCI North Midlands regional forum Meeting (14/03/2016) At CGI 2 Trinity Park, Bickenhill Lane, Birmingham B37 7ES

BCI North Midlands regional forum meeting - March 2016


TIME ITEM

10am Arrival, refreshments and networking

10.30am Introductions

10.45am Guest Speaker Chris Needham-Bennett (Managing Director at Needhams1834) : ‘Business Continuity Plans – The good, the bad and the ugly’

11.30am Guest Speaker Jason Bishop (Senior Security Consultant at CGI IT UK) : ‘Building A Business Continuity Plan with Taylor Wimpey’

12 noon Coffee Break

12.20pm Guest Speaker Maxine Bulmer (Cyber Security Manager at CGI IT UK) : ‘Scenario Exercising – lessons from the nuclear sector’

12.50pm Guest Speaker Simon Johnson (Head of Global Security at Uniper) : ‘Security & Resilience’ with Q&A

1.35pm LUNCH

2.10pm Guest Speaker Scott Hughes (Senior Manager, Enterprise Risk and Resilience at PwC) : ‘Understanding your BCM maturity through benchmarking’ with Q&A

2.55pm BCI News – Sue Martin

3.05pm BC Surgery – Group discussion

3.25pm Feedback sheets and close

3.30pm END


Introductions


Guest Speaker Chris Needham-Bennett

‘Business Continuity Plans – The good, the bad and the ugly’


Guest Speaker Jason Bishop

‘Building A Business Continuity Plan with Taylor Wimpey’


About the Client
• 2007 - merger George Wimpey and Taylor Woodrow
• One of the largest home builders in the UK £2.5b
• Property portfolio UK, Spain, Eire
• 24 regional offices across England, Scotland & Wales
• Building est. 10,000 homes per year
• Work closely with independent housing organisations - registered providers ensuring affordable housing is integrated effectively into new developments


Day to day - Taylor Wimpey


Our Approach
1. Meeting the client's needs – minimise input from regional managers
2. Review “As Is”
3. Advise how to structure BCP across the business
4. Help determine critical business processes
5. Consider recovery strategy options
6. Production of BIA, Gold BCP and Regional BCPs
7. Propose exercising plan


Risks

• Flood

• Fire

• Loss of IT services (network, voice or data)

• Building lockout or denial of access to site

• Widespread data corruption

• Loss of key business functions

• Loss of key staff

• Loss of business partner / supplier

• The unwinnable / unknown situation


What we did
• Gap Analysis to identify “As Is” within Taylor Wimpey; Identify what could be re-used where possible
• High level requirements scope for BCP programme
• Business Continuity Policy
• Hierarchy of BCPs across the organisation –
  • Gold – Head Office / Corporate functions
  • Silver – Regional business functions
• “Hand picked” and formed a new BCM Steering Committee
• Nominations of local BC Recovery Managers and Co-ordinators
• We reviewed “regional” activities


How we did it
• Senior Management crisis management workshops
• Discussed options for improving communication links
• Regional workshops to discuss BIA and critical processes with shortest RTO/RPO/MTPD
• Discussion of strategy options
• Devised a suite of BCP document templates inc. BIA, BCPs – worked with one region to identify and agree generic contents
• Rolled out templates to other regions with guidance for completion –
• Validity and cost efficiency of strategy options
• Explained the required level of exercising to carry out and devised a project plan to increase intensity pressures on plans year on year


Summary of Outputs

No | Title | Notes
1 | Business Continuity Policy | To cover whole estate
2 | Crisis Management Plan | Local level
3 | Communications Plan | Media and PR actions in the event of an incident
4 | Organisation chart | To determine how sites differ
5 | Business Continuity Manager Terms of Reference | Review the role of the BCM
6 | Business Impact Analysis | One for each department at each site
7 | Business Continuity Plan | One per site including any recovery strategy options. Tiered - Gold for HO etc
8 | Exercise Plan / schedule | Local level
9 | Disaster Recovery | Including the integration of IT services in the BCP
10 | Post incident reports | Review of incident response and lessons learnt during invocation of any plans


Our plan contents
• Immediate action prompt “if you are responding to an incident go directly to page xx”
• Policy Statement
• Relationship diagram of how BCPs fit together
• Recovery team structure – roles and responsibilities
• Checklist prompts for recovery team members
• List of recovery strategies
• BIA details and RTOs
• Invocation actions for in-hours and out of hours
• Emergency Control Centre locations and access details
• Essential items box contents and locations
• Recovery phase actions
• Contact lists
• Contacts of senior managers
• Key suppliers
• Incident log sheets
• Other information – taxi, coaches, hospital etc.


Our commitment to you

We approach every engagement with one objective in mind: to help clients succeed


Coffee Break


Guest Speaker Maxine Bulmer

‘Scenario Exercising – lessons from the nuclear sector’


Background

Department of Energy and Climate Change (DECC) – leads in HMG on securing and safeguarding the UK civil nuclear sites and ensuring that the UK can respond to a nuclear emergency. DECC also works to prevent the proliferation of nuclear, chemical and biological weapons / material and to promote nuclear security and peaceful uses of nuclear power internationally.

The National Security Strategy 2010 identified cyber attacks as one of the top four threats to the UK national security

Different sectors in the UK were considered and civil nuclear cyber has been designated a Tier 1 critical national infrastructure (CNI)

CGI conducted a sector wide cyber security risk assessment programme to enable the sector to understand the current state and report to Government and set in place a strategy for improvement


Our experience

• CGI's proposal to DECC gave the client an alternative way to assess the impact of organisational security culture on cyber security, rather than a traditional paper / document review

• “Bring the assessment to life” - for a sample of stakeholders in the sector by presenting a scenario for a group to discuss how they might respond? Who would they engage with? What they already know and had access to that would help them, and what they wish they knew.

• Enabling staff to get involved, become engaged and feel consulted.

• HMRC simulation exercise – turned into responding to a real incident – provide support and guidance to business facing their first incident as BC staff – resolved in 48 hrs

• UK Census 2011 – simulation exercise across multiple UK locations to ensure secure transport, receipt, storage, processing, destruction of UK census documents


Exercise Objectives
1. Provide education, awareness and experience to attendees in the participation of cyber security scenario exercises
2. Provide an opportunity for outputs of the scenario exercise to be considered for validation and / or inclusion in DECC’s draft cyber policy and instructions
3. Identify, discuss and share any potential best practice of cyber security incident responses from across the stakeholders, including information sharing by CISP, CERT-UK etc.
4. Provide awareness of potential cyber security incidents which may impact the civil nuclear industry and its ability to operate “business as usual”
5. Provide opportunity to identify areas for recommendations and improvement across the business


Facilitating the exercise
• CGI facilitators for each group
• Mixed groups from across the sector – encourage debate and discussion away from normal colleagues (Charterhouse rules)
• Blend hand-out injects with audio
• Capture thoughts
• Summary slides to reiterate ideal discussion points
• Make it realistic
• Resumption of business – successful restoration is not always the answer – education, awareness & participation
• Capture and record the findings and feedback


Exercise Scenarios

No | Scenario | Area of Security
1 | External Phishing | Culture
2 | Laptop compromise | External Communication
3 | Internal Denial of Service | Physical / Personnel
4 | External Denial of Service | Physical / Personnel
5 | Website Hack / News item | Legal
6 | Organisation Compromise | Legal and Regulatory
7 | SCADA/CBSIS/CBSI Systems | Safety


Sample injects -


Sample injects


Scenario Exercise Findings
• Requires improved engagement between IT / security
• Improves communication amongst business / operations / SCADA
• How do you communicate amongst wider industry / government?
• When do you communicate to public / customers?
• What support is there from government and agencies?
• Useful for education and awareness
• Ensure lessons learnt and issues are carried forward
• Important link of BCM, security, comms and H&S
• Media engagement and training
• Resolution of incident v experience of exercise / raise issues
• Important to allocate roles and responsibilities
• Develop and participate in wider exercise schedules
• Participant positive feedback!


Overall project report

Number 4 in Top 5 Recommendations –

Scenario Exercises – increase preparedness in responding to cyber incidents, link to business continuity planning, increase information sharing and improve communications



Guest Speaker Simon Johnson

‘Security & Resilience’ with Q&A

Simon’s presentation is available by contacting him on [email protected]


LUNCH


Guest Speaker Scott Hughes

‘Understanding your BCM maturity through benchmarking’ with Q&A


BCI News

Sue Martin

www.thebci.org

BCI update


Business Continuity Awareness Week (BCAW) 2016

• New date – 16th – 20th May 2016
• #BCAW2016
• Theme is ‘return on investment’
• All who blog on the BC Eye blog site will be entered into a prize draw to win £250 worth of Amazon vouchers – send to [email protected]
• http://www.thebci.org/index.php/posters


BCI Position Statement on Organisational Resilience

• In recent years, there has been a significant amount of attention given to the concept of organizational resilience. Much of the debate has focused on the principles and practice and how this relates to the established business continuity management discipline.

• The aim of this position statement, which has been produced and ratified by the Board of the Business Continuity Institute, is to add clarity regarding the position of business continuity in the context of organizational resilience. It also provides the BCI’s perspective on how the development of resilience concepts may impact on the practice of business continuity.

• The BCI believes that this position statement will contribute to our stated purpose to “promote a more resilient world”. We also hope that it helps to move forward the future development of organizational resilience concepts, beyond definitional debates, towards a collaborative understanding between participants across many management disciplines.


Key Points:

• Business continuity is not the same as organizational resilience.

• The effective enhancement of organizational resilience will require a collaborative effort between many management disciplines.

• No single management discipline or member association can credibly claim ‘ownership’ of organizational resilience, and organizational resilience cannot be described as a subset of another management discipline or standard.

• Business continuity principles and practices are an essential contribution for an organization seeking to develop and enhance effective resilience capabilities.

• The wide range of activities required to develop and enhance organizational resilience capabilities provide an opportunity for business continuity practitioners to broaden their skills and knowledge, building on the foundation of their business continuity experience and credentials.

• The BCI, working with related partners and industry groups where appropriate, will develop relevant knowledge resources and training to support members who wish to advance their organizational resilience knowledge and skills.


Full statement available here http://goo.gl/OzJfdF

Feedback requested to [email protected]


BCI World 2016

• London 8th and 9th November 2016
• Call for papers open until 20th March 2016
• Details and link to submit http://www.bciworld2016.com/


BCI European Awards 2016

• Submissions now open until 1st April 2016
• Submit via http://www.bci-awards.com/index.php/european
• Ceremony to be held in Dublin on 2nd June 2016


Working paper series – contributions needed

Papers can come in the form of best practice articles, case studies, empirical research, quantitative/qualitative analysis, or a meta-analysis of available literature in the field, among others.

a. capture the state of knowledge in business continuity (BC) and related fields;
b. track current and emerging BC trends;
c. provide inputs that may influence the profession; and
d. discuss the future of BC as a discipline.

Papers can range from 2,500-5,000 words.

Submissions and enquiries to [email protected]


Appeal for tools and templates

Have you developed business continuity tools or templates that you are willing to share with the business continuity community?

• Do you have tried and tested exercise scenarios?
• Examples of effective ways to demonstrate return on BC investment?
• A BIA questionnaire that has never let you down?
• A way of evaluating how you are performing against Standards?
• Model BC plans?
• Checklists for procedures?

All submissions will be quality assured before publication with authors being credited. Submissions and questions to [email protected]


Questions?

This presentation was delivered at a BCI forum event.