a proven model for successful private/public partnership · 2016-06-14 · (bens) examples of...
TRANSCRIPT
April 12-14, 2010, Sheraton New Orleans
A Proven Model for Successful Private/Public Partnership
Barry Cardoza
Chair, BARCfirst
VP/Manager of Business Continuity,
Advantages of Partnership
Learn what other companies are doing toward “best practices.”
Discover external resources that you didn’t know were available.
Gain a level of control over things otherwise outside of your control.
If you don’t know where you’re going, no road will get you there.
No reason to have to “re-invent the wheel.”
The Public Sector, not you, may be calling the shots during a crisis.
Leverage the voice of a larger entity to make yourself heard.
Partnerships provide the influence that no one institution can have.
Case Study
A Successful Financial Sector Model That Can Be Applied to Any Sector
ChicagoFIRST
FloridaFIRST
BARCfirst
California North Bay Area
SoCalfirst, Southern California
FloridaFIRST, Tampa Bay Region
HoustonFIRST
ColoradoFIRST
Alabama Recovery Center for the Financial Sector
Philadelphia
Hawaii
Las Vegas
Columbus
Washington, DC
Detroit
Seattle Regional Recovery Coalition
Alaska
Jackson
Minnesota Information Sharing and Analysis Center (MN-ISAC)
Minnesota Security Board
Financial and Banking Information Infrastructure Committee (FBIIC)
BITS Financial Services Roundtable
Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC)
Financial Services Information Sharing and Analysis Center (FS/ISAC)
Regional Partnership Coalition
CenCalfirst, Central California
MOVING OUTSIDE OF THE BOX
Financial coalitions working with other organizations. For example…
BARCfirst
Regional Partnership Coalition (RPC) (All member financial institutions.)
California Emergency Management Agency (CalEMA)
Business Recovery Managers Association and Association of Contingency Planners
Dept. of Homeland Security (DHS)
County Health Agencies
Federal Bureau of Investigation (FBI)
Business Executives for National Security (BENS)
Business Recovery Managers Association: www.BRMA.com
Association of Contingency Planners (ACP): www.acp-international.com
42 Chapters in the U.S.
International Center for Enterprise Preparedness (InterCEP): www.nyu.edu/intercep
Leveraging Partnerships to Your Immediate Advantage
TWO SIDES OF THE COIN
How can the Private Sector assist the Public Sector?
How can the Public Sector assist the Private Sector?
To be successful, a partnership must be win/win.
THE NEW DYNAMIC – FEWER POINTS OF CONTACT
ChicagoFIRST
FloridaFIRST
BARCfirst
California North Bay Area
SoCalfirst, Southern California Region
FloridaFIRST, Tampa Bay Region
HoustonFIRST
ColoradoFIRST
Alabama Recovery Center for the Financial Sector
Philadelphia
Hawaii
Las Vegas
Columbus
Washington, DC
Detroit
Seattle Regional Recovery Coalition
Alaska
Jackson
Minnesota Information Sharing and Analysis Center (MN-ISAC)
Minnesota Security Board
Regional Partnership Coalition (Financial Sector)
THE NEW DYNAMIC – FEWER POINTS OF CONTACT
92 local associations and 13 international affiliates representing 16,500-plus members who own or manage more than 9 billion square feet of commercial properties.
Building Owners & Managers Association (BOMA)
THE NEW DYNAMIC – FEWER POINTS OF CONTACT
Lockheed
Verizon
Black & Decker
The Salvation Army
Novak Biddle Venture Partners
KeySpan Energy
Sprint
Belco Oil & Gas
Accenture
Boeing
Citigroup
Exponent
Lincoln Group
Equifax
Pioneer Financial Services
SunGard
Tupperware
United Retail Group, Inc.
Amazon.Com
Business Executives For National Security (BENS)
Examples of National & International Resources
Building Owners and Managers Association (BOMA): www.boma.org
Association of Contingency Planners (ACP): www.acp-international.com
Institute of Electrical and Electronics Engineers, Inc. (IEEE): www.ieee.org
National Fire Protection Association (NFPA): www.nfpa.org
International Association of Emergency Managers (IAEM): www.iaem.com
Using Private/Public Sector Events to Bring People Together
BARCfirst Pandemic Response Exercise May 2007
Joint BARCfirst-BENS-BRMA Infrastructure Symposium
June 25, 2009
BARCfirst Cyber Forum
October 26, 2009
Event Goals and Objectives
• Raise cyber risk awareness among business continuity and disaster recovery executives and managers
• Review recent cyber risks and their potential impact to your organization’s IT systems and business operations
• Discuss how to effectively manage these events from an operational and business perspective
• Examine existing and necessary information sharing and incident response processes to address such an event
The Cyber Risk Landscape
Cyber incidents are increasing in frequency, scale, and sophistication
Critical infrastructure depends on the vitality of the interwoven cyber infrastructure
Cyber-linkages among sectors raise the risk of cascading failures throughout the Nation.
• The loss or degradation of certain critical infrastructure functions could negatively impact performance in other areas
• The private sector owns over 80% of the critical infrastructure; during an incident, the private sector is often first to detect a problem
– For example, a successful cyber attack on a power plant’s control system could impact several critical sectors, as detailed below:
Electric Power Sector
Communications Sector
Financial Sector
Emergency Response
Convergence
Threat vs. Risk
Several Attacker Profiles
• Script Kiddies
– Relatively untrained hackers that find exploit code/tools on the Internet and run them indiscriminately against targets
– While largely unskilled, they are numerous
• Criminals
– Cyber-based attacks offer new means to commit traditional crimes, such as fraud and extortion
– Organized cyber crime groups have adopted legitimate business practices, structure, and methods of operation
• Insiders
– Insiders have a unique advantage due to access/trust
– They can be motivated by revenge, organizational disputes, personal problems, boredom, curiosity, or to “prove a point”
• Terrorists
– Cyber attacks have the potential to cripple infrastructures that are not properly secured
– In addition, cyber-linkages between sectors raise the risk of cascading failures throughout the Nation
Critical infrastructure is crucial to National Security
• Estonia attacks, April 2007:
– A series of denial-of-service attacks overwhelmed Estonian government, banking, and broadcaster websites in April 2007
– Attacks occurred during a public dispute with the Russian government. Russian sympathizers within Estonia eventually claimed responsibility for the attacks
• Poland transit incident, January 2008:
– Using an Internet connection and a modified television remote, a 14-year-old boy took control of the light-rail system in the city of Lodz
– The attack on the system's command and control systems resulted in the derailment of four trains
• Russian – Georgian War, August 2008:
– Distributed denial-of-service (DDoS) attacks crippled many Georgian websites
– Georgian officials alleged the coordinated cyber attacks against their websites were conducted by Russian criminal gangs tipped off about Russia's intent to invade
– Hackers appeared to have been prepped with target lists and details about Georgian website vulnerabilities before the two countries engaged in a ground, sea, and air war
Cyber Crime and Theft
• E-crime “has become a major shadow economy ruled by business rules and logic that closely mimics the legitimate business world”
• Cyber criminals target commercial organizations for:
– Personal Data of Customers and Employees
– Finances (through theft or extortion)
– Proprietary Data/Industrial Espionage/Intellectual Property
• From January 1, 2008, through December 31, 2008, there were 275,284 complaints filed online with the Internet Crime Complaint Center (IC3) – a 33.1% increase from the previous year
• The U.S. Department of Commerce estimates stolen Intellectual Property costs companies a collective $250 billion each year
Malware
Malware can be hosted on malicious websites, sent via email, or made to self-propagate across networks
It can be used to steal information, destroy data, annoy users, or allow attackers to remotely control hosts
Common types include:
Virus
Worm
Trojan
Scenario Introduction
BARCfirst Alert Email
• On October 26, BARCfirst members receive an alert email from the BARCfirst Steering Committee
• The email reports on an active shooter in the downtown area
• It also contains an attachment and an embedded link for access to the most up-to-date information
BARCfirst website defaced
Discussion Questions
• What are your primary concerns?
• Are you communicating internally within your organization?
• Are you willing to contact outside organizations to determine if it’s a common problem?
– If so, with whom? (other companies, information sharing bodies, law enforcement)
• What are the business implications…
– of being attacked?
– of sharing attack information internally/externally if it just affects your organization?
Leveraging Private/Public Resources to Your Immediate Advantage
http://www.naccho.org/topics/infrastructure/profile/resources/2008reports/index.cfm
Public Health Agency Information
Public Health Agency Information
Source: National Association of County & City Health Officials (NACCHO)
Public Health Agency Information
http://www.healthguideusa.org/local_health_departments.htm
Educate Your Employees
www.flu.gov
Educate Your Employees
www.wsib.on.ca/wsib/wsibsite.nsf/Public/flu_resources
Educate Your Employees: Sample Public Sector Publications
www.operationhope.org/effak
www.fema.gov/pdf/library/children.pdf
www.FEMA.gov
www.fema.gov/pdf/areyouready/areyouready_full.pdf
www.fema.gov/pdf/library/f&web.pdf
www.fema.gov/pdf/library/pfd_all.pdf
Educate Your Employees: Sample Public Sector Publications
www.CDC.gov
National Communications System (NCS)
Government Emergency Communications Service (GETS): www.gets.ncs.gov
Wireless Priority Service (WPS): www.wps.ncs.gov
Telecommunications Service Priority (TSP): www.tsp.ncs.gov
Shared Resources (SHARES) High Frequency Radio Program: www.ncs.gov/shares
Not all companies qualify for these services, but it never hurts to ask. Companies may also qualify because of membership in an organization.
Communication is essential to response and recovery.
Emerging Threats
• Natural
– Changing weather patterns; e.g., ARKSTORM
• Man-made
– Terrorism: we can’t keep the terrorists out and many are already here.
– Cyber Crime/Terrorism/Warfare
Private/Public Partnerships to help us through future challenges.
Barry [email protected] (415) 765-3956
Questions?