Business Continuity Insights & Preparing for the Unexpected: Practical Tools & Guidance
Victoria ISACA Chapter – June 2015 Luncheon
Presented by Steven Taylor & Paul Dittaro
June 17, 2015
Agenda
© Deloitte LLP and affiliated entities.
• Introductions
• Learning objectives
• Methodology & tools
• Business continuity insights & themes
• Case studies
• Tabletop exercise
• Debrief & lessons learned
• Questions
Learning objectives
1. An understanding of business continuity leading practices, methodologies, and tools.
2. An understanding of recent business continuity trends and organizational challenges.
3. Real-life examples highlighting the importance of testing and exercising a plan.
4. How to conduct a successful tabletop exercise within your respective organizations.
Resiliency framework
Methodology & tools

• Program Governance / Project Management
• Continuous Improvement & Quality Assurance

Analyze (Define & Protect)
• Current State & Process Definitions
• Business Impact Analysis (BIA)
• Risk Assessment & Mitigation

Develop (Prepare)
• Resiliency / Availability / Recovery Strategies
• Activities / Procedures (Plan) Development
• Validation (Structured Table Tops)

Implement (Readiness)
• Resource Acquisition & Implementation
• Training & Awareness
• Exercising & Testing (Integrated / Simulation)

Operational Continuity
• Building (Facilities) Recovery
• Equipment Recovery
• Technology (Disaster) Recovery
• Human Resource (Workforce) Continuity
• 3rd Party (Supply Chain) Resilience
• Crisis Management & Emergency Response
BETH3 (Total Asset Protection)
Methodology & tools

While technology plays a key role, business continuity encompasses a broad range of components, including: facilities, equipment, technology, people, and suppliers.

BETH3 components:
• Building (Facilities / Utilities)
• Equipment
• Technology (Application, Data, Infrastructure)
• Human Resources
• 3rd Parties (Vendors, Customers, Service Providers)

Example impact profiles (degree of impact on each component):
• Building: Partial; Equipment: Full; Human Resources / Technology / 3rd Party: None
• Technology / 3rd Party: Full; Human Resources: Partial; Building / Equipment: None
• 3rd Party: Full; Technology: Partial; Building / Equipment / Human Resources: None

Example scenarios:
• Data corruption affects critical systems on outsourced IT operations
• Fire at 3rd party location requires additional internal staff to respond
• IT vendor has internal network failure affecting your system availability
• Outsourced call center vendor goes down, taking limited internal systems with it
• Internal fire in the evening at your primary office location (data center off-site)
• Earthquake hitting the same facility
Capabilities assessments
Methodology & tools

Maturity levels (highest to lowest):
• Optimized
• Managed & Measurable
• Repeatable & Intuitive
• Initial
• Non-existent

Assessment areas:
• Program Management
• Process Definitions
• Risk Assessment
• Business Impact Analysis
• Resiliency / Availability / Recovery Strategies
• Plan Development*
• Validation
• Resource Acquisition & Implementation
• Training & Awareness
• Exercising & Testing
• Continuous Improvement / QA

*Plan Development covers the following areas:
- Emergency Response / Crisis Management
- Business Continuity
- IT Disaster Recovery
Tabletop exercises
Methodology & tools

Recommended approach: Table Top Exercise

Description (What is it?)
• Professionally facilitated event
• A live, free-thinking adversary with representative internal and external stakeholders
• Realistic: future scenario stressing participants and reducing group think

Purpose (For what purpose?)
• Address the key issues identified by the client as the “most likely to occur” and “potentially the most damaging” to the organization
• Optimizes strategic and operational decision making by stressing and exploring risk in current and future environments
• Minimum resource expenditure

Format / Methodology (How should it be done?)
• Diverse participant group
• Professionally facilitated discussion
• Four hours to two 8-hour days

Outcomes / Deliverable
• An objective, structured process
• Organizational awareness
• Participants question, discuss, refine, and evolve solutions through interaction and discourse
• Emerging insights “quick look” report
The need for “Enterprise Resilience”
Business continuity insights
While high profile natural disasters are in the news frequently, it is often the extended data
center outages, cyber security events, and cloud disruptions that have dramatic impacts for
companies.
Resilience is the combination of many disciplines
Business continuity insights
Resilience is the coordination of response threads
Business continuity insights
Resilience is a combination of many traditional and new processes. It is the ability of an
organization’s operations to rapidly adapt and respond to internal or external dynamic
changes – opportunities, demands, disruptions, or threats – and continue operations with
limited impact to the business.
Common barriers to achieving Enterprise Resilience
Business continuity insights

• Challenges with BCP “systems”
• Highly available, but not testable or resilient
• Superficial exercising
• Too much focus on plans, not enough on education
• Nobody pushing for executive buy-in
• Lack of transparency between business and technology
• Lack of analytics and ability to monitor risks
• Loosely defined BC governance and program policy
Program process & governance
Themes

How are Communication Tools Leveraged?
• Social Media: Organizations leverage social media as another channel of communication when corporate systems are unavailable.
• Employee Devices: Employees are going to use their personal devices; most organizations establish a small reimbursement approved by a manager.
• Third Party Tools: 60% of organizations test their notification process at least annually; however, very few use a third party tool.

Educate Stakeholders: Integrated sharing from a program management and plan development perspective clearly sets expectations and shares recovery limitations.
Engage the C-Suite: Executives have a clearly defined role in escalation, activation, oversight of recovery, and communication.
Communicate Across BC, DR, and Crisis Management (CM): There is a role for everyone in recovery which must be defined and tested.

Quotes:
• “We focus on education of stakeholders for both BC & DR.”
• “Our governance includes Corporate and Local Emergency Response teams that meet regularly.”
• “We test with the Board.”
Maturity assessment
Themes

Maturity scale: Nonexistent, Defined, Repeatable & Intuitive, Managed & Measurable, Optimized

Categories assessed:
• Recovery Objectives and Application RTO / RPO
• Exercise Planning & Execution
• DR Environment Configuration
• BC / DR Recovery Process
• DR Organization Structure
• DR Budget & Spending

Legend (peer groupings): B = Banking, R = Energy & Resources, P = Public Sector

[Chart: maturity rating of each category for each peer grouping]
Background
Ministry of Leisure
• Head office location: Victoria, British Columbia
• Satellite offices: Kamloops, Kelowna, Prince George, and Vancouver, British Columbia
• Number of employees: 500
• Primary systems: CRM (SalesForce.com), Oracle CAS, and Windows Office Suite
Background
BCM Team
• Business Continuity Management Lead
• Business Continuity Plan Leads
• Disaster Recovery Lead
• Evacuation Team
• Physical Security Team
• First Response Team
• Crisis Management Team
Background
BCM program

Business Continuity Management (BCM): Group of processes established to protect the organization's functions and services against events that may disrupt business activities.
Emergency response: A plan of action to commence immediately to prevent the loss of life and minimize injury and property damage during workplace emergencies. This plan involves life safety procedures to protect the well-being of personnel (and visitors).
Crisis management: The overall coordination of an organization's response to a crisis, in an effective, timely manner, with the goal of avoiding or minimizing damage to the organization's profitability, reputation, or ability to operate.
Disaster recovery: Addresses the restoration of business system software, hardware and data during an incident.
Business continuity: A component of business continuity management. A business continuity plan is a comprehensive written plan of action that sets out the procedures and systems necessary to continue or restore the operation of an organization in the event of a disruption.
Event
• June 21 (Wednesday Morning): Government officials have indicated that an earthquake has hit off the coast of Port Angeles, WA.
• June 21 (Wednesday Afternoon): Aftershocks from the earthquake can be felt in Victoria and the surrounding areas.
• June 21 (Wednesday Afternoon): A state of local emergency has been declared; 30 neighbourhoods in the metro Victoria area are placed under mandatory evacuation order.
Activity
• Create 4 groups of 5 people
• We will provide each team with the following materials: Activities, Plans, Actors

Tabletop Exercise - Example
Scenario 1 example mapping:
• Activity: Report damage assessment status; Plan: Crisis management plan; Actors: Crisis Management Team (Crisis Comm. Lead)
• Actors: First Response Team (Evacuation Team, Physical Security Team); Plan: Emergency response plan
Scenario 1
Wednesday, June 21, 9:05 AM
A Mandatory Evacuation order has been declared. The Ministry of Leisure needs to evacuate all personnel working at their head office located in downtown Victoria and activate the business continuity plan.
Activities
1. Identify and organize the activities of evacuation, relocation and recovery according to their priority.
2. Identify the roles/teams that participate during the activities of evacuation, relocation and recovery.
3. Identify the plans and procedures that are required during the activities of evacuation, relocation and recovery.
Scenario 2
Wednesday, June 21, 9:56 AM
As a result of the employee accounting process, the Evacuation Team has detected that 8 people from the IT department are missing.
Activities
1. What activities must be executed to resolve this event?
2. Which roles/teams need to participate during this event?
3. Which plans and procedures should be used during this event?
4. What pieces of information are key to resolving this event?
Scenario 3
Wednesday, June 21, 2:34 PM
The Business Continuity Management Lead has been informed that a potentially damaging unofficial report about the status of the business continuity procedures has been spreading through social media (Twitter / Facebook). This report could generate a negative reputational impact for the Ministry of Leisure.
Activities
1. What activities must be executed to resolve this incident?
2. Which roles/teams need to participate during this incident?
3. Which plans and procedures should be used during this incident?
4. What pieces of information are key to resolving this event?
Scenario 4
Wednesday, June 21, 5:34 PM
As the Evacuation Team is wrapping up the search and evacuation of the last few employees, and the Physical Security Team is locking up the office floors, an alert is received from the building management executives stating that, due to the rising levels of water in the downtown area, the main and alternate power grids that supply power to the Ministry of Leisure are being shut off to mitigate fire and safety risks.
The IT team has not yet fully completed the relocation of a newly installed critical business process, which is only running out of the PDC at this time, nor of the latest backup media containing the last 6 hours of data for this process and other vital transactional data. Power will be shut down 2 hours before their work has been completed.
Activities
1. What activities must be executed to resolve this incident?
2. Which roles/teams need to participate during this incident?
3. Which plans and procedures should be used during this incident?
4. What pieces of information are key to resolving this event?
After action review
Lessons learned
• Did you believe that this exercise was a valuable use of your time, and
did it help to improve the readiness for your area?
• What are the three most significant takeaways from this exercise?
• What are our key action items coming out of this exercise?
• What would you like to have seen done differently during this exercise?
Contact details

Steven Taylor, CBCP, CISM, CRISC, CGEIT, CRM
Manager, Victoria, BC
Direct: (250) 978-4476  Mobile: (604) 347-6067

Paul Dittaro
Consultant, Victoria, BC
Direct: (250) 978-4426  Mobile: (778) 676-4953