How To Plan A Crisis Management Program

Academic year: 2021

(1)

Building a Security Conscious Business Continuity Management (BCM) Program

Sam Stahl, CBCP, MBCI
EMC Global Professional Services Program Manager
[email protected]

ASIS

(2)

Agenda

• Overview
• ASIS Security Councils / Security Concerns
• Definitions
• Recovery Program
  – Goals
  – Considerations
• BCM Governance
  – Program
  – Teams
  – Methodologies
  – Recovery & Response Plans
  – Exercises
  – Measurements and Reporting
  – Standard Documentation and Templates
• Questions to ask

(3)

Overview

Building a Security Conscious Business Continuity Management (BCM) Program

This presentation illustrates how comprehensive BCM Programs can be developed to include security functions.

It includes key elements of the ASIS Crisis Management and Business Continuity Council’s annual Crisis Management Workshop, which strives to illustrate the importance of security functions and organizations within

(4)

ASIS Councils / Security Concerns

• Academic and Training Programs
• Banking and Financial Services
• Commercial Real Estate
• Crime and Loss Prevention
• Crisis Management and Business Continuity
• Cultural Properties
• Defense and Intelligence
• Economic Crime
• Fire and Life Safety
• Food Defense and Agriculture Security
• Gaming and Wagering Protection
• Global Terrorism and Political Instability
• Healthcare Security
• Hospitality, Entertainment and Tourism Security
• Information Asset Protection and Pre-Employment Screening
• Information Technology Security
• Investigations
• Law Enforcement Liaison
• Leadership and Management Practices
• Military Liaison
• Petrochemical, Chemical, and Extractive Industry Security
• Pharmaceutical Security
• Physical Security
• Retail Loss Prevention
• School Safety and Security
• Security Architecture and Engineering
• Security Services
• Supply Chain and Transportation Security

(5)

Definitions

• Recovery Program / Continuity Program / Crisis Management Program
• Governance Teams vs. Recovery Teams
• Disaster Recovery
• Business Continuity
• Crisis Management vs. Emergency Management vs. Incident Response
• Emergency Response
• Organizational Resilience
• Business Impact Analysis (BIA)
• Recovery Time Objective (RTO)
• Recovery Point Objective (RPO)
• SLAs, DOUs, Contracts & Regulations

(6)

Recovery Program - Goals

[Diagram: "Recovery" at the center, surrounded by the functions it must serve: Customers, Outside Resources, Products, Services & Communications, Sales / Marketing, Accounting, Helpdesk, Manufacturing, R&D, HR, Payroll, IT, Security, Shipping, Facilities, Legal, Communications]

(7)

Recovery & Security Considerations

Regulatory
– Local, State, Federal (Homeland Security, Financial regulations, Import / Export regulations, Etc.)

Customer
– Contracts to perform at certain levels
– Guaranteed Sole provider
– Service Level Agreements
– Enterprise Risk Management

Internal
– Meet BC / DR documented goals
– RTOs
– RPOs
– SLAs
– Audits

Security Awareness
– Industry Trends
– Industry Conferences
  • Security
  • Organization’s Business
– Local & Global
  • Politics
  • Disasters

(8)
(9)

Governance - Recovery Program Teams

– High Level Oversight
– Day to Day Recovery Responsibilities: Plan-Build-Maintain; assist the Plan Owners as needed
– Unique Recovery Teams responsible for the development and implementation of specific recovery plans

(10)

Methodology: ASIS/BSi BCM.01-2010

BSi: British Standards Institute

(11)

Methodology: Disaster Recovery Institute International (DRII)

According to the Disaster Recovery Institute International (DRII), a BC Program should contain the following areas:

1. Program Initiation and Management
2. Risk Evaluation and Control
3. Business Impact Analysis
4. Business Continuity Strategies
5. Emergency Response and Operations
6. Business Continuity Plans
7. Awareness and Training Programs
8. Business Continuity Plan Exercise, Audit and Maintenance
9. Crisis Communications
10. Coordination with External Agencies

(12)

Recovery Methodology Flow

(13)

Recovery & Response Plans

• Emergency Response Plans
  – Incident Management
  – Evacuation Plans
  – Shelter in Place
  – Intruder Alert
  – Active Shooter, Etc.
• Emergency Management – Organizational
• Emergency Management – Geographical
• Business Continuity – Business unit / Location
• Disaster Recovery – IT, critical resources
• Specialized plans for unique areas
  – R&D
  – Manufacturing, Etc.

(14)

Governance (Cont.)

Recovery and Response Plans

Corporate Emergency Management Team – this is usually the team that “Declares a Disaster” or “Authorizes an Emergency Response”.

People & Property Impacts
[Diagram: People and Buildings (Technical Buildings, Retail Stores) reporting to the Corporate Emergency Management Team]

Network & Infrastructure Impacts
– Data Centers
– DR CTRs
– Comms

Business Unit Impacts – Critical Business Processes
– Outages/Escalations for: Information Technology, Network Services
– Maintain Product and Services Delivery
– Maintain Billing Process
– Fund Bank Accounts/Pay Employees
– Manage Reputation and Brand Impact

(15)

Governance: Exercises

• If you don’t test, you don’t really know if it works
  – Training, conditioning, & improvement
• Business Continuity – exercise the recovery of business functions
  – Business processes – usually ranked by importance
  – Emergency response
  – Crisis management
• Disaster Recovery – exercise the recovery of assets
  – All assets, not just IT
  – Information technology, facilities, manufacturing, personnel, etc.
• Continuous Improvement
  – Find & fix points of failure
• Operational Risks
  – Identify
  – Accept or mitigate

(16)

Exercises - Who Should Participate

[Diagram: Risk, Operations, Technology, Business]

• Crisis Management Team
• Response Teams
• Business Unit Teams
• Information Technology Support Teams
• Other Support Teams, such as Facilities, HR, Finance, Corporate Communications
• Other Teams / Agencies / Organizations
  – Participation or due diligence
  – Handicapped employees
  – Non-recovery team employees
  – Police: Town, County, State, DOC, other
  – Fire
  – Hospitals
  – Office of Emergency Management
  – Military
  – Regulators
  – FEMA
  – Strategic Vendors
  – Strategic Customers?
  – Post Office
  – School officials

(17)

Steps to a Successful Exercise

1. Define the objectives
2. Select and prepare the participants
3. Promote the exercise
4. Prepare the scenario and scripts
5. Prepare the exercise timeline
6. Prepare audiovisuals and handouts
7. Plan the logistics
8. Participate or manage the exercise
9. Conduct debriefings
10. Write the evaluation report
11. Update Plans

Security Assist: Update the Plans

(18)

Example – Exercise Tracking Chart

Columns: May 2008 West | June 2008 National | July 2008 East | October 2008 Central

Organization / Area Exercised (codes as recorded per exercise)
– Customer Operations: C S I C I C S I S
– Distribution & Operations: C S I C C S I
– ERM Fraud/Risk Control Operations: C C C C
– Finance: C C C S I C S
– Human Resources: C S I -- C S I C S I
– Information Technology: C -- C C
– Marketing: C C C C
– Physical Security: C S -- C S C S
– All Others: C C C S I C

Exercise Simulations                         May 2008   June 2008   July 2008   Oct 2008
                                             West       National    East        Central
Bio-terrorism                                ✓          --          ✓           ✓
Bombing                                      ✓          ✓           ✓           ✓
Simulated Injuries                           ✓          ✓           ✓           ✓

Participation                                May 2008   June 2008   July 2008   Oct 2008
                                             West       National    East        Central
Regional / National Crisis Management Team   35         35                      35
Participation & support teams                53         0                       104
Business Continuity Teams                    12         5                       19
Total Participation                          100        40          162         158

C = Crisis Management Team Participation
S = Provided recovery support efforts or participation
I = Resources were impacted by the exercise

(19)

Standard Documentation / Templates

• Governance Model
• Program Tracking Mechanism – Overview and detail
• Business Impact Analysis – Process and Report
• Risk Analysis – Process and Report
• Strategy Overview – How you will address:
  – Responding to a crisis and a recovery (Separate Plans)
  – Managing the crisis and the recovery (Separate Plans)
  – Continuity of Business Functions
  – Recovery of IT and other critical assets and Infrastructure
• Training – Technical and general / cultural awareness
• Recovery Plan templates – One for each type of plan.
  – These should all work together like a well-oiled machine
• Exercises – Processes, Scheduling, & Tracking

(20)

Recovery and Response Plans - Checklist

1. Who and what are behind the need for a recovery plan? (Customers, the government, industry rules?)
2. What level of risk can the organization handle?
3. Who is the organization’s crisis leader?
4. Do you have cross-business crisis management teams?
5. Do they meet periodically?
6. What organizations participate in crisis management?
7. Do they utilize internal and external crisis communications plans?
8. Are all the team members trained?
9. Does your crisis management team maintain an up-to-date listing of all business sites, addresses, primary points of contact, etc.?

(21)

Recovery and Response Plans - Checklist

11. Are the crisis management command centers equipped, operational and routinely tested?
12. Does the organization have written and tested:
    a. Crisis management plan
    b. IT / Asset Recovery Plans
    c. Business Continuity Plans, etc.?
13. Does your organization have a defined and tested emergency notification communications system?
14. How often do they test it?
15. Does the organization have a documented and communicated incident reporting procedure?

(22)

[Diagram: Business Continuity Management Program – Emergency Response & Management Team, Disaster Recovery, Business Continuity, Business Process Owners]

(23)

Next Steps

Ask the questions

Research your organization’s efforts in:
– Business Continuity Management
– Continuity of Operations
– Resiliency
– Crisis Management, Etc.

Do your homework

(24)

Questions & Answers

Contact Sam Stahl, at [email protected] Cellular: 303-810-4806

(25)
(26)

Sam Stahl, CBCP, MBCI

Mr. Stahl is an experienced Certified Business Continuity Planner and has a Master’s Degree in Project Management. He has developed a number of Business Continuity and Disaster Recovery methodologies. His experience includes developing, implementing, and testing all phases of industry-accepted Business Continuity methodologies at organizations such as IBM, Dial Corporation, AT&T Wireless, Denver International Airport, the City of Scottsdale (Arizona), Clark County Nevada (Las Vegas), Qwest Communications, Citizens Bank, First American National Bank, American Express, and others.
