keynote address: robbie atabaigi, manager advisory information protection, kpmg llp
Post on 07-Aug-2015
www.nicsa.org
Agenda
• Opening Remarks and Introduction (5 minutes)
• Industry Overview (15 minutes)
• Emerging Trends (15 minutes)
• Industry Perspectives (15 minutes)
• Closing Remarks (5 minutes)
• Q&A (20 minutes)
Speaker Bio
Robbie Atabaigi – KPMG, Manager, Information Protection & Business Resiliency, Atlanta, GA
• Over 29 years of experience in developing and evaluating many aspects of enterprise risk management, including Emergency Preparedness and Response, Crisis Management, Disaster Recovery, and Business Continuity.
• Robbie is certified as one of only 300 worldwide Master Business Continuity Planners (MBCP). She has a breadth and depth of experience across industries, with a focus on assisting organizations to maintain availability of critical business functions and resources.
• Winner of the 2015 Business Continuity Institute’s Continuity and Resilience Consultant of the Year award.
BCM Program Overview
Business Resiliency Management – A holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience, with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. It covers the management of recovery or continuity in the event of a disaster, and also the management of the overall program through training, rehearsals, and reviews, to ensure the program stays current and up to date.
Business Resiliency Management comprises:
• Emergency Response
• Crisis Management
• IT/Disaster Recovery
• Business Unit Plans
North American and Global . . .
• Regulations: FFIEC; FINRA; FERC / NERC
• Common Standards/Guidelines: NFPA 1600; BS 25999 / ISO 22301; ASIS BCM.1 / ASIS SPC.1; NIST SP 800; DRII / BCI; COBIT; ITIL
• Australia – HB 221:2004 Business Continuity Management
• India – RBI BC Circulars
• Singapore – MAS Business Continuity Management Guidelines
• UK – Financial Services Authority Handbook
Commonalities:
• Oversight Board / Reporting
• Program Structure
• Assessments
• Recovery Plans
• Training
• Exercising
• Maintenance
DRJ – Rules and Regulations
http://www.drj.com/resources/dr-rules-regulations.html
Unique Industry Considerations
Finance
- Timing / Business Decisions
- Stakeholder Confidence
- Increasing Regulatory Scrutiny
Food & Beverage
- Farm to Table
- Supply Chain
- Transportation
Healthcare
- Data Protection
- Customer Confidence
Manufacturing
- Geographic Dispersion
- Outsourcing / Off-shoring
- Resource Constraints
Retail
- Brand / Reputation
- Supply Chain
- Transportation
Emerging Trends
• Vendor management
• Breaking down the silos
• Cyber is a top threat
• Commitment is a two-way street
• Social media as a viable tool/issue
• Increasing presence of BYOD
• Correct and efficient communication
• Policy has to be actionable and a living process
• Older technology not being replaced
• Assumption that IT will recover everything
BCM Components
Risk Assessment
• Methodology and Approach (Qualitative)
• Analysis of Threats / Vulnerabilities – Natural, Man-Made, Technical
• Existing Controls and BCM Capabilities
• Mitigation Strategies
Business Impact Analysis
• Methodology and Approach (Quantitative and Qualitative)
• Stakeholder Input
• Business vs. Technology Driven
• Interdependencies
• RTOs / RPOs
• Alternate Operating Procedures
• Resource Requirements
Strategy Evaluation & Implementation
• Linkage to Findings From Risk Assessment and BIA
• Partnership Between Business and Technology
• Cost Benefit Analysis
• Chosen Prior to Plans Being Developed
Program Governance
• Oversight
• Regulation / Standard / Guideline / Roadmap
• Actionable Policy
• Framework with Roles and Responsibilities / Accountability
• Frequency of Updates / Reviews
• Plan Distribution and Methods
Plan Structure and Documentation
• Plan Development Schedule
• Consistent Format – Understandable, Task-Driven, Easy to Maintain
• Addresses Both Business and IT Resumption
• Identifies Resources and Timeline
• Return to “Normal / Business as Usual”
Training & Communications
• Existence and Evidence of Execution
• Training Schedule
• Types Offered
• Participants (New and Existing Employees)
• Training Content
• Training Results
• Linkage to Other Training Programs
BCP Testing & Results
• Exercise Schedule, Involvement and Frequency
• Exercise Type
• Involvement of Business Partners and Supply Chain
• Testing Content
• Testing Results
• Incorporation of Lessons Learned
Maintenance
• Change Management
• Maintenance Logs
• Frequency of Updates / Reviews
• Plan Distribution and Methods
• Storage / Security of Plans
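The BIA and Strategy Evaluation components above turn on two checks that are easy to get wrong on paper: a process's interdependencies tighten the RTO/RPO its dependencies must actually meet, and the chosen strategy must be compared against those tightened targets, not the ones each business unit wrote down in isolation. The following is an added illustration, not material from the presentation or KPMG: the BIA records, dependency links and strategy capabilities are constructed sample values, and the function names are hypothetical.

```python
"""Added example (not from the presentation): reconcile BIA RTO/RPO targets
with interdependencies and with what the chosen recovery strategies deliver.
All process names and figures below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class BiaRecord:
    process: str
    rto_hours: float                      # stated maximum tolerable downtime
    rpo_hours: float                      # stated maximum tolerable data loss
    depends_on: List[str] = field(default_factory=list)


@dataclass
class Strategy:
    process: str
    achievable_recovery_hours: float      # what the strategy can actually deliver
    backup_interval_hours: float          # worst-case data loss the strategy allows


def required_targets(bia: Dict[str, BiaRecord]) -> Dict[str, Tuple[float, float]]:
    """Tighten each process's RTO/RPO so that nothing is promised recovery
    sooner than the processes it depends on. Values only ever decrease, so
    the fixed-point loop terminates even if the dependency graph has cycles."""
    required = {name: [rec.rto_hours, rec.rpo_hours] for name, rec in bia.items()}
    changed = True
    while changed:
        changed = False
        for name, rec in bia.items():
            for dep in rec.depends_on:
                if dep not in required:       # unknown dependency: reported by find_gaps
                    continue
                for i in (0, 1):               # 0 = RTO, 1 = RPO
                    if required[dep][i] > required[name][i]:
                        required[dep][i] = required[name][i]
                        changed = True
    return {name: (vals[0], vals[1]) for name, vals in required.items()}


def find_gaps(bia: Dict[str, BiaRecord],
              strategies: Dict[str, Strategy]) -> List[Tuple[str, str]]:
    """Compare each process's tightened targets with its chosen strategy and
    return (process, finding) pairs for the items an assessor would raise."""
    gaps: List[Tuple[str, str]] = []
    for name, (rto, rpo) in required_targets(bia).items():
        strat = strategies.get(name)
        if strat is None:
            gaps.append((name, "no recovery strategy chosen"))
            continue
        if strat.achievable_recovery_hours > rto:
            gaps.append((name, f"RTO gap: strategy delivers {strat.achievable_recovery_hours}h, "
                               f"required {rto}h after interdependencies"))
        if strat.backup_interval_hours > rpo:
            gaps.append((name, f"RPO gap: backups every {strat.backup_interval_hours}h, "
                               f"required {rpo}h after interdependencies"))
    for name, rec in bia.items():
        for dep in rec.depends_on:
            if dep not in bia:
                gaps.append((name, f"depends on '{dep}', which has no BIA record"))
    return gaps


# Constructed sample BIA: the portal's 4h/1h targets are stricter than what
# the database and authentication owners wrote down for themselves.
SAMPLE_BIA = {
    "client_portal": BiaRecord("client_portal", 4.0, 1.0, ["core_db", "auth_service"]),
    "core_db": BiaRecord("core_db", 24.0, 4.0),
    "auth_service": BiaRecord("auth_service", 2.0, 8.0),
    "reporting": BiaRecord("reporting", 72.0, 24.0, ["core_db"]),
}

# Constructed sample strategies chosen so far (none yet for reporting).
SAMPLE_STRATEGIES = {
    "client_portal": Strategy("client_portal", 3.0, 0.5),
    "core_db": Strategy("core_db", 8.0, 1.0),
    "auth_service": Strategy("auth_service", 1.0, 4.0),
}

if __name__ == "__main__":
    for process, finding in find_gaps(SAMPLE_BIA, SAMPLE_STRATEGIES):
        print(f"{process}: {finding}")
```

Run on the sample data, core_db is flagged for RTO (its own 24h target collapses to 4h because the portal depends on it) and auth_service for RPO (8h collapses to 1h), while reporting is flagged for having no strategy at all; none of these show up if each record is checked against its own stated targets.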
Common Weaknesses
• No BCM Policy Statement
• No Standard / Roadmap
• Lack of Integration Between Plans
• Variation in Preparedness Between Business Units / Sites
• BCP Maintenance Roles and Responsibilities Not Clearly Defined
• BCP Not Included in the Enterprise Change Management Process
• Lack of Testing and/or Lack of Incorporation of Lessons Learned
• Lack of Stakeholder Involvement in the BIA
Thank You!
Robbie Atabaigi, MBCP, MBCI, CISA
Manager, Information Protection & Business Resilience
KPMG LLP, Suite 2000, 303 Peachtree Street, Atlanta, GA 30308-3210
Tel 404.222.3257 | Fax 678.827.0630 | Cell 404.375.8754
ratabaigi@kpmg.com
KPMG LLP is a U.S. limited liability partnership.
Deanna Flores
Principal, Tax
KPMG LLP, Suite 600, 4747 Executive Drive, San Diego, CA 92121-3100
Tel 858.750.7340
djflores@kpmg.com