Victoria ISACA Chapter June 2015 Luncheon Presented by Steven Taylor & Paul Dittaro June 17, 2015 Business Continuity Insights & Preparing for the Unexpected: Practical Tools & Guidance


Victoria ISACA Chapter – June 2015 Luncheon

Presented by Steven Taylor & Paul Dittaro

June 17, 2015

Business Continuity Insights & Preparing for the Unexpected: Practical Tools & Guidance

Agenda

2 © Deloitte LLP and affiliated entities.

• Introductions

• Learning objectives

• Methodology & tools

• Business continuity insights & themes

• Case studies

• Tabletop exercise

• Debrief & lessons learned

• Questions

Learning objectives

1. An understanding of business continuity leading practices, methodologies, and tools.
2. An understanding of recent business continuity trends and organizational challenges.
3. Real-life examples highlighting the importance of testing and exercising a plan.
4. How to conduct a successful tabletop exercise within your respective organizations.

Methodology & tools

Resiliency framework

Methodology & tools

Resiliency framework (diagram):

• Program Governance / Project Management
• Continuous Improvement & Quality Assurance

Analyze (Define & Protect)
• Current State & Process Definitions
• Risk Assessment & Mitigation
• Business Impact Analysis (BIA)

Develop (Prepare)
• Resiliency / Availability / Recovery Strategies
• Activities / Procedures (Plan) Development
• Validation (Structured Table Tops)

Implement (Readiness)
• Resource Acquisition & Implementation
• Training & Awareness
• Exercising & Testing (Integrated/Simulation)

Operational Continuity
• Crisis Management & Emergency Response
• BETH3 (Total Asset Protection): Building (Facilities) Recovery; Equipment Recovery; Technology (Disaster) Recovery; Human Resource (Workforce) Continuity; 3rd Party (Supply Chain) Resilience

Methodology & tools

While technology plays a key role, business continuity encompasses a broad range of components, including: facilities, equipment, technology, people, and suppliers.

BETH3 components (diagram):
• Building (Facilities / Utilities)
• Equipment
• Technology (Application, Data, Infrastructure)
• Human Resources
• 3rd Parties (Vendors, Customers, Service Providers)

Example disruptions shown on the diagram:
• Data corruption affects critical systems on outsourced IT operations
• Fire at 3rd party location requires additional internal staff to respond
• IT vendor has internal network failure affecting your system availability
• Outsourced call center vendor goes down, taking limited internal systems with it
• Internal fire in the evening at your primary office location – data center off-site
• Earthquake hitting the same facility

Impact profiles shown on the diagram (Full / Partial / None per component):
• Building - Partial; Equipment - Full; Human Resources / Technology / 3rd Party - None
• Technology / 3rd Party - Full; Human Resources - Partial; Building / Equipment - None
• 3rd Party - Full; Technology - Partial; Building / Equipment / Human Resources - None

Capabilities assessments

Methodology & tools

Maturity scale:
• Optimized
• Managed & Measurable
• Repeatable & Intuitive
• Initial
• Non-existent

Assessment areas:
• Program Management
• Process Definitions
• Risk Assessment
• Business Impact Analysis
• Resiliency / Availability / Recovery Strategies
• Plan Development*
• Validation
• Resource Acquisition & Implementation
• Training & Awareness
• Exercising & Testing
• Continuous Improvement / QA

*Plan Development covers the following areas:
- Emergency Response / Crisis Management
- Business Continuity
- IT Disaster Recovery

Tabletop exercises

Methodology & tools

Recommended Approach: Table Top Exercise

Description (What is it?)
• Professionally facilitated event
• A live, free-thinking adversary with representative internal and external stakeholders
• Realistic: a future scenario stressing participants and reducing group think

Purpose (For what purpose?)
• Address the key issues identified by the client as the “most likely to occur” and “potentially the most damaging” to the organization
• Optimizes strategic and operational decision making by stressing and exploring risk in current and future environments
• Minimum resource expenditure

Format / Methodology (How should it be done?)
• Diverse participant group
• Professionally facilitated discussion
• Four hours to two 8-hour days

Outcomes / Deliverable
• An objective, structured process
• Organizational awareness
• Participants question, discuss, refine, and evolve solutions through interaction and discourse
• Emerging insights “quick look” report

Business continuity insights

The need for “Enterprise Resilience”

Business continuity insights

While high profile natural disasters are in the news frequently, it is often the extended data center outages, cyber security events, and cloud disruptions that have dramatic impacts for companies.

Resilience is the combination of many disciplines

Business continuity insights

Resilience is the coordination of response threads

Business continuity insights

Resilience is a combination of many traditional and new processes. It is the ability of an organization’s operations to rapidly adapt and respond to internal or external dynamic changes – opportunities, demands, disruptions, or threats – and continue operations with limited impact to the business.

Common barriers to achieving Enterprise Resilience

Business continuity insights

• Challenges with BCP “systems”
• Highly available, but not testable or resilient
• Superficial exercising
• Too much focus on plans, not enough on education
• Nobody pushing for executive buy-in
• Lack of transparency between business and technology
• Lack of analytics and ability to monitor risks
• Loosely defined BC governance and program policy

Themes

Program process & governance

Themes

How are Communication Tools Leveraged?

Social Media: Organizations leverage social media as another channel of communication when corporate systems are unavailable

Employee Devices: Employees are going to use their personal devices; most organizations establish a small reimbursement approved by a manager

Third Party Tools: 60% of organizations test their notification process at least annually; however, very few use a third party tool

Educate Stakeholders: Integrated sharing from a program management and plan development perspective clearly sets expectations and shares recovery limitations.

Engage the C-Suite: Executives have a clearly defined role in escalation, activation, oversight of recovery, and communication.

Communicate Across BC, DR, and Crisis Management (CM): There is a role for everyone in recovery which must be defined and tested.

“We focus on education of stakeholders for both BC & DR.”

“Our governance includes Corporate and Local Emergency Response teams that meet regularly.”

“We test with the Board.”

Maturity assessment

Themes

Chart: each category is rated by peer grouping on a five-level maturity scale (Nonexistent, Defined, Repeatable & Intuitive, Managed & Measurable, Optimized).

Categories:
• Recovery Objectives and Application RTO / RPO
• Exercise Planning & Execution
• DR Environment Configuration
• BC / DR Recovery Process
• DR Organization Structure
• DR Budget & Spending

Legend (peer groupings): Banking; Energy & Resources; Public Sector

Case study

RAPID 7 – 2013 Boston Marathon Bombings

Case study


Morgan Stanley – Rick Rescorla

Case study


Tabletop exercise

Background

Ministry of Leisure

• Head office location: Victoria, British Columbia
• Satellite offices: Kamloops, Kelowna, Prince George, and Vancouver, British Columbia
• Number of employees: 500
• Primary systems: CRM (SalesForce.com), Oracle CAS, and Windows Office Suite

BCM Team

Background

Roles and teams (org chart):
• Business Continuity Management Lead
• Business Continuity Plan Leads
• Disaster Recovery Lead
• Evacuation Team
• Physical Security Team
• First Response Team
• Crisis Management Team

Background

BCM program

Business Continuity Management (BCM): A group of processes established to safeguard an organization's functions and services against events that may disrupt business activities.

Emergency response: A plan of action to commence immediately to prevent the loss of life and minimize injury and property damage during workplace emergencies. This plan involves life safety procedures to protect the well-being of personnel (and visitors).

Crisis management: The overall coordination of an organization's response to a crisis, in an effective, timely manner, with the goal of avoiding or minimizing damage to the organization's profitability, reputation, or ability to operate.

Disaster recovery: Addresses the restoration of business system software, hardware and data during an incident.

Business continuity: A component of business continuity management. A business continuity plan is a comprehensive written plan of action that sets out the procedures and systems necessary to continue or restore the operation of an organization in the event of a disruption.

Event

• June 21 (Wednesday Morning): Government officials have indicated that an earthquake has hit off the coast of Port Angeles, WA.
• June 21 (Wednesday Afternoon): Aftershocks from the earthquake can be felt in Victoria and the surrounding areas.
• June 21 (Wednesday Afternoon): A state of local emergency has been declared; 30 neighbourhoods in the metro Victoria area are placed under mandatory evacuation order.

Activity

• Create 4 groups of 5 people
• We will provide each team with the following materials: Activities, Plans, Actors

Tabletop Exercise - Example

Scenario 1 (example mapping of Actors, Activities and Plans):
• Activities: Report damage assessment status
• Actors: Crisis Management Team (Crisis Comm. Lead); First Response Team (Evacuation Team, Physical Security Team)
• Plans: Crisis management plan; Emergency response plan

Scenario 1

Wednesday, June 21, 9:05 AM

A Mandatory Evacuation order has been declared. The Ministry of Leisure needs to evacuate all personnel working at their head office located in downtown Victoria and activate the business continuity plan.

Activities
1. Identify and organize the activities of evacuation, relocation and recovery according to their priority.
2. Identify the roles/teams that participate during the activities of evacuation, relocation and recovery.
3. Identify the plans and procedures that are required during the activities of evacuation, relocation and recovery.

Scenario 2

Wednesday, June 21, 9:56 AM

As a result of the employee accounting process, the Evacuation Team has detected that 8 people from the IT department are missing.

Activities
1. What activities must be executed to resolve this event?
2. Which roles/teams need to participate during this event?
3. Which plans and procedures should be used during this event?
4. What pieces of information are key to resolving this event?

Scenario 3

Wednesday, June 21, 2:34 PM

The Business Continuity Management Lead has been informed that a potentially damaging unofficial report about the status of the business continuity procedures has been spreading through social media (Twitter / Facebook). This report could generate a negative reputational impact for the Ministry of Leisure.

Activities
1. What activities must be executed to resolve this incident?
2. Which roles/teams need to participate during this incident?
3. Which plans and procedures should be used during this incident?
4. What pieces of information are key to resolving this event?

Scenario 4

Wednesday, June 21, 5:34 PM

As the Evacuation Team is wrapping up the search and evacuation of the last few employees, and the Physical Security Team is locking up the office floors, an alert is received from the building management executives stating that, due to the rising levels of water in the downtown area, the main and alternate power grids that supply power to the Ministry of Leisure are being shut off to mitigate fire and safety risks.

The IT team has not yet fully completed the relocation of a newly installed critical business process that at this time runs only out of the PDC, nor of the latest backup media containing the last 6 hours of data for this process and other vital transactional data. Power will be shut down 2 hours before their work is completed.

Activities
1. What activities must be executed to resolve this incident?
2. Which roles/teams need to participate during this incident?
3. Which plans and procedures should be used during this incident?
4. What pieces of information are key to resolving this event?

Debrief

After action review

Lessons learned

• Did you believe that this exercise was a valuable use of your time, and did it help to improve the readiness for your area?
• What are the three most significant takeaways from this exercise?
• What are our key action items coming out of this exercise?
• What would you like to have seen done differently during this exercise?

Closing remarks

Contact details

Steven Taylor, CBCP, CISM, CRISC, CGEIT, CRM
Manager, Victoria, BC
Direct: (250) 978-4476 Mobile: (604) 347-6067
[email protected]

Paul Dittaro
Consultant, Victoria, BC
Direct: (250) 978-4426 Mobile: (778) 676-4953
[email protected]

Questions