Standards Review and Conducting a Self-Assessment


Emergency Management & Safety Solutions
Developing a Comprehensive Emergency Management Program and Conducting Your Own Internal Assessment
March 2011

Standards Review and Conducting a Self-Assessment

Agenda
- Introduction and Overview
- Reviewing the Major Standards: ASIS SPC.1, BS, FFIEC, NFPA 1600
- Conducting a Self-Assessment: Preparation, Execution, Closure

Introduction and Overview
Basic terminology and concepts.
Audit: to examine carefully with the intent of verification. Verification implies that the subject of the examination is being objectively compared to an existing standard or benchmark; the examination is not subjective.
The scope of this discussion is limited to business continuity programs, and does not include other disciplines (e.g. information security and general risk management).

Introduction and Overview
Why would we want to conduct a self-assessment?
- External audit preparation/reaction.
- Internal audit preparation/reaction.
- Board of Directors or executive management interest.
- Regulatory or legal compulsion.
- Exploring PS-Prep compliance.
- We just want to make sure that our program will work when we need it!

Introduction and Overview
Who should conduct the self-assessment?
- The essential factor is to find someone who is qualified, who can be objective during the examination, and who can deliver bad news if necessary.
- The most obvious internal candidate is the business continuity group, with assistance from key business and support groups.
- Internal audit may be able to assist.
- An outside group with requisite knowledge and experience may provide the best results.

Introduction and Overview
The prerequisite for any assessment, formal or informal, is to establish a benchmark. The standard may be dictated, or you may have the discretion to pick your own.
- If the former, the more you know about the standard that will be used, the better prepared you will be for the audit.
- If the latter, you need to know the options and alternatives to make an informed decision.
Always keep in mind: once you know which rule book will be used, you have all the answers!

Introduction and Overview
Four major standards are used in North America today:
- ASIS SPC.1 (2009)*
- BS (2006) and -2 (2007)*
- FFIEC BCP (2008)
- NFPA 1600 (2010)*
We have also reviewed (but do not reference) ASIS/BSI BCM. It also appears that ISO 22301, now in final review stages, will be published late this year or early in
* Accepted by Department of Homeland Security for use in the PS-Prep program.

Introduction and Overview
Before we start the review, a quick word about the standards world. It's easy to get lost in the maze of acronyms and buzz words that many people use when talking about business continuity. Not surprisingly, some are more directly applicable to our topic than others! Let's put the four pure business continuity standards into context with other standards, frameworks, laws and regulations.

Introduction and Overview
The Business Continuity World: ASIS SPC.1, BS, FFIEC, NFPA 1600
The Information Technology World: COBIT, ITIL
The Business World: SOX, HIPAA, COSO, FCPA

Reviewing the Major Standards
As noted, four standards dominate North American practices. Each was developed from a certain perspective, and each reflects the views, biases, and characteristics of its originating organization. However, at their core they all address the same elements and requirements.

Reviewing the Major Standards

BS
1. Scope
2. Definitions
3. Planning the BCMS
4. Implementing and Operating the BCMS
5. Monitoring and Reviewing the BCMS
6. Maintaining and Improving the BCMS

NFPA 1600
1. Administration
2. Referenced Publications
3. Definitions
4. Program Management
5. Planning
6. Implementation
7. Testing and Exercises
8. Program Improvement

FFIEC (App A)
1. Examination Scope
2. Board and Senior Management Oversight
3. BIA and Risk Assessment
4. Risk Management
5. BCP General
6. BCP HW, Backup, and Recovery Issues
7. Security Issues
8. Pandemic Issues
9. BCP Outsourced
10. Testing and Exercises
11. Conclusions

ASIS SPC.1
1. Scope
2. Normative References
3. Terms and Definitions
4. OR System Requirements
4.1 General Requirements
4.2 Management Policy
4.3 Planning
4.4 Implementation and Operation
4.5 Checking (Evaluation) Activities
4.6 Management Review

Reviewing the Major Standards
If you have a choice, review each standard carefully and choose the one that seems to best fit with your company's way of doing business. Each has strengths:
- Financial Services: FFIEC is the logical (and possibly mandatory) choice.
- North America: NFPA 1600 is currently seen as the de facto standard, but the landscape may be changing.
- International: BS has the cachet of wide acceptance, especially in Europe.
- Strong ties to other ISO standards: ASIS SPC.1 was designed to fit.

Conducting a Self-Assessment
Whether you conduct a self-assessment in anticipation of a formal audit, or to benchmark your business continuity program, the steps are the same. There are three phases to an assessment:
1. Preparation
2. Execution
3. Closure and Report

Conducting a Self-Assessment: Preparation
- Make sure you have senior management approval and support.
- Identify the parties you'll need to interview and talk to them before you start; let them know what to expect.
- Review your standard carefully; make sure you understand what each objective requires.
- Develop a scorecard before you start (example on the next slide).
- Determine how results will be reported (and to whom) before the examination begins.

Conducting a Self-Assessment: Scorecard
Review codes:
- R: Item falls materially short of an auditable standard.
- Y: Item is not fully compliant with an auditable standard.
- G: Item addresses all material requirements of an auditable standard.
- N/A: Item is not applicable to this examination.

Objective 1: Examination Scope
Objective 2: Board and Senior Management Oversight
Objective 3: Business Impact Analysis (BIA) and Risk Assessment
Objective 4: Risk Management
Objective 5: Business Continuity Plan (BCP) - General
Objective 6: BCP - Hardware, Backup, and Recovery Issues
Objective 7: Security Issues
Objective 8: Pandemic Issues
Objective 9: Outsourced Activities
Objective 10: Risk Monitoring and Testing
Totals (%)
Percent of Total: Red
Percent of Total: Yellow 24%
Percent of Total: Green 74%

Conducting a Self-Assessment: FFIEC Business Continuity Planning (March 2008) worksheet
Review Code: R / Y / G / N/A

Objective 1: Examination Scope
1. Review examination documents and financial institution reports for outstanding issues or problems.
2. Review management's response to audit recommendations noted since the last examination.
3. Interview management and review the business continuity request information to identify:
4. Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process.

Objective 2: Board and Senior Management Oversight
1. Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization.
2. Determine whether a senior manager or committee has been assigned responsibility to oversee the development, implementation, and maintenance of the BCP and the testing program.
3. Determine whether the board and senior management have ensured that integral groups are involved in the business continuity process (e.g. business line management, risk management, IT, facility management, and audit).
4. Determine whether the board and senior management have established an enterprise-wide BCP and testing program that addresses and validates the continuity of the institution's mission critical operations.
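The scorecard above is a tally of review codes per objective, with Red/Yellow/Green expressed as a percent of the total. As an added example (not part of the presentation, and not an FFIEC or vendor tool), the following Python script rolls a worksheet up the same way: it parses scored items, rates each objective by its weakest item, and reports Red/Yellow/Green percentages. The line-oriented input format, the sample codes and the "weakest item" roll-up rule are this example's own assumptions; the objective numbers follow the FFIEC layout on the slide. N/A items are kept out of the percentage denominators, which is the detail worth getting right: an objective that is out of scope for this examination should neither drag the totals down nor inflate them, and a mistyped review code is rejected rather than silently dropped from the count.

```python
"""Roll up a business continuity self-assessment scorecard.

Added example, not part of the presentation. Every worksheet item gets one
review code, following the slide's legend:
    R   - item falls materially short of an auditable standard
    Y   - item is not fully compliant with an auditable standard
    G   - item addresses all material requirements
    N/A - item is not applicable to this examination
N/A items are excluded from percentage denominators, so an objective that
was out of scope neither drags the totals down nor inflates them.
The input format (objective,item,code per line) is this example's own.
"""
from collections import Counter

CODES = ("R", "Y", "G", "N/A")
SCORED = ("R", "Y", "G")

# Constructed sample worksheet; objective numbers follow the FFIEC layout on the slide.
SAMPLE_SCORECARD = """\
# objective, item, review code
1, 1, G
1, 2, G
1, 3, Y      # management response to prior audit items still open
1, 4, G
2, 1, G
2, 2, G
2, 3, G
2, 4, G
8, 1, N/A    # pandemic items out of scope for this examination
8, 2, N/A
9, 1, R      # outsourced provider has no tested recovery plan
9, 2, Y
9, 3, G
"""


def parse_scorecard(text):
    """Parse 'objective,item,code' lines into (objective, item, code) tuples.

    Comments start with '#'. Unknown codes raise ValueError so a typo such as
    'GREEN' cannot silently vanish from the totals.
    """
    rows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'objective,item,code'")
        objective, item, code = int(parts[0]), int(parts[1]), parts[2].upper()
        if code not in CODES:
            raise ValueError(f"line {lineno}: unknown review code {code!r}")
        rows.append((objective, item, code))
    return rows


def percentages(counter):
    """Percent of scored items (N/A excluded) per R/Y/G, rounded to one decimal."""
    scored = sum(counter[c] for c in SCORED)
    if scored == 0:
        return {c: 0.0 for c in SCORED}
    return {c: round(100.0 * counter[c] / scored, 1) for c in SCORED}


def rating(counter):
    """An objective is rated by its weakest scored item; all-N/A stays N/A."""
    for code in SCORED:
        if counter[code]:
            return code
    return "N/A"


def summarize(text):
    """Roll a scorecard up per objective and in total."""
    per_objective = {}
    total = Counter()
    for objective, _item, code in parse_scorecard(text):
        per_objective.setdefault(objective, Counter())[code] += 1
        total[code] += 1
    objectives = {
        n: {"counts": dict(c), "rating": rating(c), "percent": percentages(c)}
        for n, c in sorted(per_objective.items())
    }
    return {"objectives": objectives, "total": dict(total),
            "percent": percentages(total)}


def format_report(summary):
    """Render the roll-up as the kind of table the slide's scorecard shows."""
    lines = [f"{'Objective':<10}{'R':>4}{'Y':>4}{'G':>4}{'N/A':>5}  Rating"]
    for n, data in summary["objectives"].items():
        c = data["counts"]
        lines.append(f"{n:<10}{c.get('R', 0):>4}{c.get('Y', 0):>4}"
                     f"{c.get('G', 0):>4}{c.get('N/A', 0):>5}  {data['rating']}")
    pct = summary["percent"]
    lines.append(f"Percent of Total: Red {pct['R']}%  Yellow {pct['Y']}%  Green {pct['G']}%")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_SCORECARD)))
```

Rating an objective by its weakest item is a deliberate choice: a single Red finding under an otherwise Green objective is exactly the deficiency the "be brutally honest" guidance later in the deck is about, and averaging would hide it. If your scorecard convention differs, `rating` is the one function to change.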

Conducting a Self-Assessment: Execution
- Be objective. Examine the evidence presented and evaluate it from the perspective of an outsider.
- Be brutally honest. The goal is to identify deficiencies, not to gloss over them.
- Ask questions. The respondents may not understand what you're looking for; help them help you.
- Listen carefully and probe deeply. Things are rarely as bad (or as good) as they seem at first blush.

Conducting a Self-Assessment: Closure and Reporting
- Avoid making broad judgments in your assessment. Put subjective statements into full context.
- Be ready to explain your assessment; include documentation where appropriate.
- Don't pull any punches (if you can avoid it).
- Be prompt. Once the examination has been completed, get the results out as quickly as possible.
- Work with your management team to track deficiencies all the way through resolution.
- Set a date for a follow-up/next examination.

Time for a 10 Minute Break!

Emergency Management & Safety Solutions
Developing a Comprehensive Emergency Management Program and Conducting Your Own Internal Assessment
September 2010

Comprehensive Emergency Management Program

Agenda
What is in a Comprehensive Program?
- Risk Assessment
- Emergency Response
- Business Continuity
- Disaster Recovery
- Crisis Communications
- Incident Management
- Training and Exercises
- Maintenance Process

Before you do anything - assess!
Before you plan your response you must assess your risks:
- Natural hazards
- Your neighbors
- Human risks
- Environmental risks
- Political/country risks
- Your building: life safety, security
Determine risks and develop appropriate prevention and mitigation strategies.

(Diagram: Incident Management, Emergency Response, Disaster Recovery, Business Continuity Planning, Crisis Communications)

Emergency Response
What is included in your emergency response program?
- Basic emergency procedures for all staff
- Employee training and/or materials
- Basic first aid supplies
- Floor warden/emergency response teams (ERT)
- Written procedures for ERT
- Training for ERT based on their role

Emergency Response
What is included in your emergency response program?
- Drills: fire, earthquake, tornado, radio
- More specialized disaster-type supplies
- Company emergency responder team
- Detailed emergency procedures for all company responders, including building-specific information
- Emergency exercise to test teams and procedures

Disaster Recovery
The complexity of your DR plan has a lot to do with your size. It goes without saying that the bare minimum DR plan is a nightly backup with tapes stored off site.
- Small firms may simply back up nightly and have a staff person take the tapes off site.
- Moderate-size firms may have a document storage company take them off site to a warehouse.
- Large firms may have a contract with a hot-site restoration vendor.
What is included in your disaster recovery program?
- Authority to Declare a Disaster
- Clearly identified priorities for recovery of applications and data
- Recovery Tasks & Procedures: infrastructure and data restoration and resynchronization of data

Disaster Recovery
- Complete inventory list of your equipment and applications.
- A schematic map of the server farm (in case you have to configure one from scratch!)
- Temperature monitoring of the server farm with an alarm notification system, check out
- Pre-designated hot site to recover your data, or a drop-ship arrangement for equipment
- Regular testing of equipment, procedures and staff
- Up-to-date documentation on recovery of systems and applications, including procedures and equipment
- Telecommunications recovery strategies for all mission critical numbers

Business Continuity
What is included in your business continuity program (BCP)?
- Business impact analysis
- Clearly identified mission critical functions that are time-sensitive
- Individuals assigned to a BCP role in each mission critical department
- Detailed work area recovery plans

Business Continuity
What is included in your business continuity program (BCP)?
- Departmental plans that support the timely recovery of those identified time-sensitive mission critical functions. Plans identify:
  - Staff
  - Equipment
  - Technology and data required
  - Work area recovery strategy
  - Employee communication
  - Vendor communication
- Critical operating procedures for time-sensitive functions
- Regular exercises of the plan

Crisis Communications
What is crisis communications? Communication strategies that reduce the likelihood of an internal business problem going "public", or minimize the reaction if disclosure of the crisis cannot be avoided.
The plan should include:
- The crisis communication team
- Positioning
- Designated spokespersons
- Media policies and procedures
- Identified key audiences
- Draft communications, including for media, employees, investors and other key stakeholders
- Collateral materials
- Contact log
- Guidelines for speakers' presentations and handling media interviews

Communication Tools
- Land lines - avoid your company phone switch
- Centrex
- Ring-down lines
- Cell
- Nextel
- Satellite
- BlackBerry/Treo/iPhone
- Symon (reader-boards)
- Voice over Internet (VoIP)
- Instant Messaging
- Motorola Walk-Abouts
- Net meetings
- Web site
- Notification systems
- Conference bridge
- Ham
- Two-way radios
- Pager
- CB radio
- Text messaging
- Fax
- Runners
- GETS card (critical infrastructure)

(Diagram: Emergency Response, Disaster Recovery, Business Continuity Planning, Crisis Communications)
See a problem?

(Diagram: Incident Management, Emergency Response, Disaster Recovery, Business Continuity Planning, Crisis Communications)

What is Incident Management?
An organized and centralized approach that allows for:
- Command
- Control
- Coordination
- Communication
- Collaboration
- Consistency
Look for industry best practices: the Incident Command System (ICS).

Incident Command System History
The Incident Command System (ICS) was developed in response to a series of fires in Southern California in the early 1970s. ICS is widely adopted in the U.S. at all levels of government. Used worldwide.

Training and Exercises
Train all employees on the plan. There are only two ways to know if any of this works:
1. Have a disaster
2. Do at least one exercise per year
We recommend #2: less stressful, more productive!
Practice!
- Bi-annual telephone tree tests
- Tabletop exercise reviews with staff

Lastly: It's an On-going Effort
Develop a maintenance schedule; someone needs to be responsible for a bi-annual review. Remember, the work is never done!

Workshop

Workshop
For this portion of the session please group yourselves into teams as directed. Each team will need to:
- Nominate a spokesperson
- Complete the assignments
- Report out your team's results at the end of the workshop session

Workshop Assignment
Please develop team responses to the following situation: You have been directed to prepare and execute a self-examination of your organization's Business Continuity Management Program. Describe the actions you will take in each of the three major steps of the examination: Preparation, Execution, and Closure and Report.

Preparation
- What standard will/must you use, and why?
- What level of management support will you expect to receive?
- Who will you talk to before the audit begins, and why?
- What type of political pressure will you anticipate receiving, and how will you handle it?

Execution
- What type of documentation will you need to collect to support the audit?
- Would you anticipate having to make in-progress reports to your manager? To senior management, if different?
- If the manager of a group or department being examined wants to talk to you about the outcome of the audit before your work is complete, how will you handle it?
- In general, will your organization be receptive to the audit?

Closure and Report
- Who within your organization will be the first reviewer of the audit report, and why?
- Would you anticipate having to make adjustments to the audit report after senior management reviews the results? If so, why?
- How will your organization typically socialize the type of information found in an audit report?
- Does your organization have a mechanism for tracking audit findings and deficiencies until they are resolved? Is it effective?

Thank You!
Regina Phelps RN BSN MPA CEM
Kelly David Williams MBA JD
San Francisco, California