Key Considerations for Business Resiliency

  • Key Considerations for Business Resiliency
    Steve Suther, Product Manager, CISM
    March 18, 2010
  • Agenda
    - Business Resiliency, what is it?
    - Crisis Management
    - Incident Response
    - Business Continuance
    - Disaster Recovery
    - Testing Methods
    - Return To Normal
    - Heterogeneous Approach
    - Final Thoughts
  • Business Resiliency: What is It?
    - Consolidation of multiple common elements into a single program
        - Command and Control
        - Incident Response
        - Business Continuance
        - Disaster Recovery
    - Provides the organization the ability to deal with business impacting events in a structured and organized fashion
    - Proactive instead of reactive approach
  • Crisis Management
    - Umbrella for all other capabilities
    - Comprised of senior leadership and key stakeholders
    - Responsible for crisis identification, classification, management, and resolution
    - Uses pre-determined scenarios for guideline development
    - Utilizes generic and specific guidelines for activities
  • Crisis Management: Command and Control
    - People, processes, procedures, and facilities to identify, analyze, and react appropriately to business impacting events
    - Formulates action plans for pre-determined and unidentified scenarios
    - Addresses the critical initial 72 hours
    - Requires the most advanced and prescriptive planning
  • Crisis Management: Leadership Identification and Availability
    - Identify key leaders and stakeholders and their functional knowledge
        - Documentation, responsibilities, financial and signature authority, contacts, etc.
    - Do not assume senior leadership will be available in a crisis
    - Validate or develop delegation of authority
    - Ensure multiple backups are identified and briefed
        - Geographically separated whenever possible
  • Crisis Management: Communication Plan - Initial
    - Everyone will want to know what happened and what is being done to resolve the situation
    - Misinformation will run rampant if a clear communication plan is not established and utilized
        - Rumors perceived as reality
    - Zero hour communications should be pre-established and approved
        - Generic language for initial communications
        - Include when and how future updates will be provided
  • Crisis Management: Communication Plan - Ongoing
    - Communication should be performed through multiple platforms
        - Web, blog, telephone, press release, and in-person briefings
    - Update schedule should be structured
        - Initial updates more frequent than future updates
    - Updates should be provided on schedule even if there are no updates
        - Provides confidence in the organization's capability to resolve the issue
        - No update introduces mistrust and the perception of possible deception
    - Consistency for both internal and external communications
        - Information will leak
    - Internal updates should include an authentication layer for accountability and traceability
    - Interactive updates important at least once every 24 hours during the initial 72 hours
  • Crisis Management: Communication Plan - External Assistance
    - Critical to have an external entity assist in crisis management activities
        - Do not use your regular public relations firm
    - Establish a retainer relationship
        - Ensure call center and communication capabilities are available
    - Provide zero hour communication plans in advance
        - No content approvals required
    - Educate the firm about your business and your industry
        - Identify industry hot buttons and key issues
  • Command and Control: Legal Considerations
    - Identify internal and external legal resources
        - External counsel involvement assists with public opinion
    - Establish legally documented delegations of authority
        - Enable expanded signature authority
        - Provide proof of authority to internal and external parties
    - Develop declaration and completion of incident documents
        - Enable special powers for designated individuals to be legally recognized
        - Ensure powers are removed at the end of the incident
  • Command and Control: Information Infrastructure
    - Establish rally points for command and control activities
        - Physical site
        - Conference bridge
    - Ensure sites include redundant capabilities for power, communication, and life safety
    - Establish multiple rally points
        - Geographically separated if possible
    - Identify single points of failure and scheduled refresh for supplies and equipment
        - Base requirements on recovery time and point objectives
  • Command and Control: Grab and Go Books
    - Contain essential information for crisis management
        - Contact information
        - Processes and procedures
        - Forms
        - Communication plans
    - Require the highest level of data protection controls
        - Access control and encryption
    - Important to constantly update
        - Electronic versions ideal for data synchronization
        - Directory and data store synchronization
    - Store electronic versions in a secure distant location
  • Tiered Response Model
    - Each tier invokes different capabilities and resource availability
    - Minimizes disruption to normal business activities
    - Command and control oversees incident response, business continuance, and disaster recovery
    - Operational response overseen by operations management
        - Trust people to do their jobs
  • Incident Response: Events versus Incidents versus Investigations
    - Events and incidents require different levels of investigation and response
    - Events highlight business impacting activities to investigate
        - Can lead to incidents
    - Incidents require structured and focused response
        - Identify, analyze, remediate, and document
        - Formal documentation
  • Incident Response: Operational versus Forensic Response
    - Incident identification process classifies the response type
        - Operational or forensic
    - Operational response focuses on return to normal activities
        - Minimal disruption to business activities
    - Forensic response focuses on preservation and integrity of evidence (e.g., e-Discovery)
        - Required for litigation activities
        - Potential for business disruption
  • Incident Response: Recognition of Incident Completion
    - Important to identify incident completion
        - Reduce or discontinue incident response resource usage
    - Completion of physical incidents easier to identify than logical incidents
        - Dormant attack code and multi-phase attacks
    - Reduce to operational response instead of discontinuing efforts completely
        - Operational response team can monitor the situation for flare-ups
    - Engage legal counsel for opinion in forensic response
        - Evidence preservation
        - Chain of custody
  • Business Continuance: Overview
    - Focuses on the ability of the enterprise to operate effectively while encountering a business debilitating incident
    - Based on business processes, not facilities and technology
    - Includes partial and complete business disruptions
  • Business Continuance: Key Business Process Identification
    - Mapping of revenue streams is the traditional approach to identifying key business processes
        - Revenue required for business survival
    - Other considerations
        - Compliance requirements
        - Contractual arrangements
        - Service level agreements
        - Customer expectations
        - Public and customer opinions
  • Business Continuance: Partner and Vendor Impact
    - Businesses are typically customers and consumers of other businesses
    - Contractual availability requirements may exist
        - Service Level Agreements (SLAs)
        - Legal and financial consequences if requirements are not met can be significant
    - Important to establish secondary capabilities to minimize impact to partners and vendors
        - Reciprocal arrangements with similar organizations
        - Establish arrangements in advance
  • Business Continuance: Business Impact Analysis
    - Enumerates the impact of loss of part or all of business process capabilities
    - Typically performed through surveys and questionnaires
    - Highlight obvious processes an