Victoria ISACA Chapter – June 2015 Luncheon
Business Continuity Insights & Preparing for the Unexpected: Practical Tools & Guidance
Presented by Steven Taylor & Paul Dittaro
June 17, 2015
Agenda
• Introductions
• Learning objectives
• Methodology & tools
• Business continuity insights & themes
• Case studies
• Tabletop exercise
• Debrief & lessons learned
• Questions
© Deloitte LLP and affiliated entities.
Learning objectives
1. An understanding of business continuity leading practices, methodologies, and tools.
2. An understanding of recent business continuity trends and organizational challenges.
3. Real-life examples highlighting the importance of testing and exercising of a plan.
4. How to conduct a successful tabletop exercise within your respective organizations.
Methodology & tools
Methodology & tools: Resiliency framework
Program Governance / Project Management
Phases: Analyze (Define & Protect), Develop (Prepare), Implement (Readiness)
• Current State & Process Definitions
• Resiliency / Availability / Recovery Strategies
• Resource Acquisition & Implementation
• Activities / Procedures (Plan) Development
• Crisis Management & Emergency Response
• Risk Assessment
• Business Impact & Mitigation Analysis
• Business Impact Analysis (BIA)
• Training & Awareness
• Operational Continuity
• Building (Facilities) Recovery
• Equipment Recovery
• Technology (Disaster) Recovery
• Human Resource (Workforce) Continuity
• 3rd Party (Supply Chain) Resilience
• Validation
• Exercising & Testing (Structured Table Tops) (Integrated/Simulation)
• Continuous Improvement & Quality Assurance
Methodology & tools: BETH3 (Total Asset Protection)
While technology plays a key role, business continuity encompasses a broad range of components, including: facilities, equipment, technology, people, and suppliers.
BETH3 components:
• Building (Facilities / Utilities)
• Equipment
• Technology (Application, Data, Infrastructure)
• Human Resources
• 3rd Parties (Vendors, Customers, Service Providers)
Example events:
• Internal fire in the evening at your primary office location – Data center off-site
• Earthquake hitting the same facility
• Data corruption affects critical systems on outsourced IT operations
• Fire at 3rd party location requires additional internal staff to respond.
• IT vendor has internal network failure affecting your system availability
• Outsourced call center vendor goes down taking limited internal systems with it.
Impact ratings shown on the slide:
• Building - Partial; Equipment - Full; Human Resources / Technology / 3rd Party - None
• 3rd Party - Full; Technology - Partial; Building / Equipment / Human Resources - None
• Technology / 3rd Party - Full; Human Resources - Partial; Building / Equipment - None
Methodology & tools: Capabilities assessments
Assessment areas:
• Program Management
• Resiliency / Availability / Recovery Strategies
• Resource Acquisition & Implementation
• Training & Awareness
• Process Definitions
• Plan Development*
• Risk Assessment
• Business Impact Analysis
• Validation
• Exercising & Testing
• Continuous Improvement / QA
Maturity levels:
• Optimized
• Managed & Measurable
• Repeatable & Intuitive
• Initial
• Non-existent
*Plan Development covers the following areas: Emergency Response / Crisis Management; Business Continuity; IT Disaster Recovery
Methodology & tools: Tabletop exercises
Recommended Approach: Table Top Exercise
Description (What is it?)
• Professionally facilitated event
• A live, free-thinking adversary with representative internal and external stakeholders.
• Realistic - Future scenario stressing participants and reducing group think
Purpose (For What Purpose?)
• Address the key issues identified by the client as the “most likely to occur” and potentially the “most damaging” to the organization
• Optimizes strategic and operational decision making by stressing and exploring risk in current and future environments
• Minimum resource expenditure
Format / Methodology (How it should be done?)
• Diverse participant group
• Professionally facilitated discussion
• Four hours to two 8-hour days
Outcomes / Deliverable
• An objective, structured process
• Organizational awareness
• Participants question, discuss, refine, and evolve solutions through interaction and discourse
• Emerging insights “quick look” report
Business continuity insights
Business continuity insights: The need for “Enterprise Resilience”
While high profile natural disasters are in the news frequently, it is often the extended data center outages, cyber security events, and cloud disruptions that have dramatic impacts for companies.
Business continuity insights: Resilience is the combination of many disciplines
Business continuity insights: Resilience is the coordination of response threads
Resilience is a combination of many traditional and new processes. It is the ability of an organization’s operations to rapidly adapt and respond to internal or external dynamic changes – opportunities, demands, disruptions, or threats – and continue operations with limited impact to the business.
Business continuity insights: Common barriers to achieving Enterprise Resilience
• Challenges with BCP “systems”
• Superficial exercising
• Too much focus on plans, not enough on education
• Loosely defined BC governance and program policy
• Highly available, but not testable or resilient
• Lack of analytics and ability to monitor risks
• Nobody pushing for executive buy-in
• Lack of transparency between business and technology
Themes
Themes: Program process & governance
Educate Stakeholders
• “We focus on education of stakeholders for both BC & DR.”
• Integrated sharing from a program management and plan development perspective clearly sets expectations and shares recovery limitations.
Engage the C-Suite
• “We test with the Board.”
• Executives have a clearly defined role in escalation, activation, oversight of recovery, and communication.
Communicate Across BC, DR, and Crisis Management (CM)
• “Our governance includes Corporate and Local Emergency Response teams that meet regularly.”
• There is a role for everyone in recovery which must be defined and tested.
How are Communication Tools Leveraged?
• Social Media: Organizations leverage social media as another channel of communication when corporate systems are unavailable
• Employee Devices: Employees are going to use their personal devices; most organizations establish a small reimbursement approved by a manager
• Third Party Tools: 60% of organizations test their notification process at least annually; however, very few use a third party tool
Themes: Maturity assessment
[Chart: maturity level by category for each peer grouping]
Maturity levels: Nonexistent, Defined, Managed & Measurable, Repeatable & Intuitive, Optimized
Categories:
• Recovery Objectives and Application RTO / RPO
• Exercise Planning & Execution
• DR Environment Configuration
• BC / DR Recovery Process
• DR Organization Structure
• DR Budget & Spending
Legend (Peer Groupings): R = Energy & Resources, P = Public Sector, B = Banking
Case study
Case study: RAPID 7 – 2013 Boston Marathon Bombings
Case study: Morgan Stanley – Rick Rescorla
Tabletop exercise
Background: Ministry of Leisure
• Head office location: Victoria, British Columbia
• Satellite offices: Kamloops, Kelowna, Prince George, and Vancouver, British Columbia
• Number of employees: 500
• Primary systems: CRM (SalesForce.com), Oracle CAS, and Windows Office Suite
Background: BCM Team
• Business Continuity Plan Leads
• Business Continuity Management Lead
• Disaster Recovery Lead
• Crisis Management Team
• Evacuation Team
• First Response Team
• Physical Security Team
Background: BCM program
Business Continuity Management (BCM): Group of processes established to facilitate the functions and services against events that may disrupt business activities.
• Emergency response: A plan of action to commence immediately to prevent the loss of life and minimize injury and property damage during workplace emergencies. This plan involves life safety procedures to protect the well being of personnel (and visitors).
• Crisis management: The overall coordination of an organization's response to a crisis, in an effective, timely manner, with the goal of avoiding or minimizing damage to the organization's profitability, reputation, or ability to operate.
• Disaster recovery: Addresses the restoration of business system software, hardware and data during an incident.
• Business continuity: A component of business continuity management. A business continuity plan is a comprehensive written plan of action that sets out the procedures and systems necessary to continue or restore the operation of an organization in the event of a disruption.
Event
• June 21 (Wednesday Morning): Government officials have indicated that an earthquake has hit off the coast of Port Angeles, WA.
• June 21 (Wednesday Afternoon): Aftershocks from the earthquake can be felt in Victoria and the surrounding areas.
• June 21 (Wednesday Afternoon): State of local emergency has been declared; 30 neighbourhoods in the metro Victoria area are placed under mandatory evacuation order.
Activity
• Create 4 groups of 5 people
• We will provide each team with the following materials: Activities, Actors, Plans
Tabletop Exercise - Example
Materials: Activities, Actors, Plans
Scenario 1
• Activities: Report damage assessment status
• Actors: Crisis Management Team (Crisis Comm. Lead); First Response Team (Evacuation Team, Physical Security Team)
• Plans: Crisis management plan; Emergency response plan
Scenario 1
Wednesday, June 21, 9:05 AM
A Mandatory Evacuation order has been declared. The Ministry of Leisure needs to evacuate all personnel working at their head office located in downtown Victoria and activate the business continuity plan.
Activities
1. Identify and organize the activities of evacuation, relocation and recovery according to their priority.
2. Identify the role/teams that participate during the activities of evacuation, relocation and recovery.
3. Identify the plans and procedures that are required during the activities of evacuation, relocation and recovery.
Scenario 2
Wednesday, June 21, 9:56 AM
As a result of the employee accounting process, the Evacuation Team has detected that 8 people from the IT department are missing.
Activities
1. What activities must be executed to resolve this event?
2. Which roles/teams need to participate during this event?
3. Which plans and procedures should be used during this event?
4. What pieces of information are key to resolving this event?
Scenario 3
Wednesday, June 21, 2:34 PM
The Business Continuity Management Lead has been informed that a potentially damaging unofficial report about the business continuity procedures status has been spreading through social media (Twitter / Facebook). This report could generate a negative reputational impact for the Ministry of Leisure.
Activities
1. What activities must be executed to resolve this incident?
2. Which roles/teams need to participate during this incident?
3. Which plans and procedures should be used during this incident?
4. What pieces of information are key to resolving this event?
Scenario 4
Wednesday, June 21, 5:34 PM
As the Evacuation Team is wrapping up the search and evacuation of the last few employees, and the Physical Security Team is locking up the office floors, an alert was received from the building management executives, stating that, due to the rising levels of water in the downtown area, the main and alternate power grids that supply power to the Ministry of Leisure are being shut off to mitigate fire and safety risks. The IT team has not yet fully completed the relocation of a newly installed critical business process only running out of the PDC at this time, as well as the latest backup media containing the last 6 hours of data for this process and other vital transactional data. Power will be shut down 2 hours before their work has been completed.
Activities
1. What activities must be executed to resolve this incident?
2. Which roles/teams need to participate during this incident?
3. Which plans and procedures should be used during this incident?
4. What pieces of information are key to resolving this event?
Debrief
Lessons learned: After action review
• Did you believe that this exercise was a valuable use of your time, and did it help to improve the readiness for your area?
• What are the three most significant takeaways from this exercise?
• What are our key action items coming out of this exercise?
• What would you like to have seen done differently during this exercise?
Closing remarks
Contact details
Steven Taylor, CBCP, CISM, CRISC, CGEIT, CRM
Manager
Victoria, BC
Direct: (250) 978-4476
Mobile: (604) 347-6067

Paul Dittaro
Consultant
Victoria, BC
Direct: (250) 978-4426
Mobile: (778) 676-4953
Questions