Getting Started with Business Continuity
Stephen Cobb, CISSP, Security Researcher, ESET NA

Posted on 14-Jan-2015

DESCRIPTION

An introduction to business continuity management with a focus on smaller businesses and resources to explore the subject in more depth.

TRANSCRIPT

Page 1: Getting Started with Business Continuity

Getting Started with Business Continuity

Stephen Cobb, CISSP, Security Researcher, ESET NA

Page 2

What’s on the agenda?

• How can your organization survive disruptive incidents?
– Everything from natural disasters to hacking attacks
• You need a business continuity plan

Page 3

What’s the problem?

• Power goes out
• Internet connection goes down
• Your office floods
• Toxic gas cloud forces evacuation
• Hackers get into your web server
• Hopefully not all at once

Page 4

Business Continuity Management

• Your organization needs the ability:
– “to continue to deliver its products and services at acceptable predefined levels after disruptive incidents have occurred”
• This is BCM, as defined by ISO 22301

Page 5

Not all organizations survive

• Some go out of business IF they are hit with a disaster for which they have not adequately prepared
• Often cited statistic: 1 in 4 fail
• Fortunately, the path to proper disaster preparedness is well-documented (see Attachments)

Page 6

Question #1: Does your organization have a business continuity plan?

Yes
No
I’m not sure
I don’t work for an organization

Page 7

What sort of disruptive incidents?

• Fire
• Flood
• Earthquake
• Tsunami
• Tornado
• Hurricane
• Blizzard
• Volcanic eruption creating a giant ash cloud that grounds aircraft

Page 8

Incidents and accidents

• Technical
– Unscheduled IT outage
– Communications outage
– Malware infection
• Human
– Scandal, fraud and terrorism
– Transportation accidents
– Social media storm

Page 9

What’s the biggest threat?

Threat                        % of respondents
Security incident             53%
Utility supply interruption   56%
Adverse weather               57%
Data breach                   73%
Cyber attack                  73%
Unplanned ICT outages         77%

Source: Business Continuity Institute’s Horizon Scan, 2014, based on interviews with 600+ BCM professionals around the world

Page 10

What is BCM Step 1?

• Identify and rank threats
– List potentially disruptive incidents most likely to affect your business
• Don’t use someone else’s list
– Threats vary according to location

Page 11

Practical strategy

• Brainstorm with representatives from all departments
• Generate a company- and location-specific list of disaster scenarios
– Ranked by probability of occurrence and potential for negative impact
– Consider regional variations; some threats are location-specific

Page 12

BCM Step 2: Business Impact Analysis

• Which business functions are most critical to the organization’s survival?
• Requires knowledge, or discovery, of all parts of the organization
• Multi-department team effort
• There are templates for this

Page 13

Practical technique: BIA

• Detail the functions, processes, personnel, places and systems that are critical to the functioning of your organization

• BCM project leader interviews employees in each department

• Resulting table lists functions and key person(s) and alternate(s)

Page 14

Practical technique: BIA

• Determine number of Survival Days for each function

• How long before lack of that function causes serious impact?

• Rank the impact of that function not being available

Page 15

The Miora technique

• Use an Impact scale of 1 to 4
• Where 1 = critical operational impact or fiscal loss, and 4 = no short-term impacts
• Multiply Impact x Survival Days
• Reveals criticality of functions
• Most critical? Functions where Impact = 1 and Survival Days = 1
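The BIA table from page 13 and the Miora scoring from pages 14 and 15 can be worked through in a few lines of Python. The example below is added here and is not part of the original deck; the function names, people and numbers in the sample table are constructed for illustration, and the tie-break rule (fewer survival days first, then name) is an assumption added to make the ranking deterministic. Besides the Impact x Survival Days ranking, it flags the two things a BCM project leader usually wants to see first: the functions that are most critical by the slide’s definition (Impact = 1, Survival Days = 1) and any row where no alternate person has been named.

```python
"""Added worked example of the BIA scoring on slides 13-15 (not from the
original deck). The table of functions, people, impact and survival days
below is constructed for illustration."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class BiaEntry:
    """One row of the slide-13 BIA table plus the two scoring inputs from slides 14-15."""
    function: str
    key_person: str
    alternate: str       # empty string = no alternate identified yet
    impact: int          # Miora scale: 1 = critical operational/fiscal loss ... 4 = no short-term impact
    survival_days: int   # days the organization can tolerate loss of the function before serious impact


def criticality(entry: BiaEntry) -> int:
    """Miora score = Impact x Survival Days; a lower score means a more critical function."""
    if not 1 <= entry.impact <= 4:
        raise ValueError(f"impact must be 1-4, got {entry.impact} for {entry.function}")
    if entry.survival_days < 1:
        raise ValueError(f"survival_days must be >= 1, got {entry.survival_days} for {entry.function}")
    return entry.impact * entry.survival_days


def rank_functions(entries: List[BiaEntry]) -> List[Tuple[str, int]]:
    """Order functions from most to least critical.

    Ties on the product are broken by survival days (less time to react ranks
    first), then by name, so the ordering is deterministic (assumed rule)."""
    ordered = sorted(entries, key=lambda e: (criticality(e), e.survival_days, e.function))
    return [(e.function, criticality(e)) for e in ordered]


def most_critical(entries: List[BiaEntry]) -> List[str]:
    """Slide 15's definition of the most critical functions: Impact = 1 and Survival Days = 1."""
    return [e.function for e in entries if e.impact == 1 and e.survival_days == 1]


def missing_alternates(entries: List[BiaEntry]) -> List[str]:
    """Functions whose BIA row names no alternate: a single point of failure in people terms."""
    return [e.function for e in entries if not e.alternate.strip()]


# Constructed sample BIA table; names and numbers are invented for the example.
SAMPLE_BIA = [
    BiaEntry("Order processing", "A. Lee", "B. Diaz", 1, 1),
    BiaEntry("Customer support line", "C. Patel", "", 1, 2),
    BiaEntry("Email", "D. Novak", "E. Kim", 2, 1),
    BiaEntry("Payroll", "F. Osei", "G. Ruiz", 2, 5),
    BiaEntry("Financial reporting", "H. Chen", "", 3, 10),
    BiaEntry("Website content updates", "I. Brown", "J. Sato", 4, 30),
]


def report(entries: List[BiaEntry]) -> str:
    """Plain-text table, most critical function first, that can go straight into the plan."""
    header = f"{'Function':<26}{'Key person':<12}{'Alternate':<12}{'Impact':>7}{'Days':>6}{'Score':>7}"
    lines = [header]
    by_name = {e.function: e for e in entries}
    for name, score in rank_functions(entries):
        e = by_name[name]
        alternate = e.alternate or "(none)"
        lines.append(
            f"{e.function:<26}{e.key_person:<12}{alternate:<12}{e.impact:>7}{e.survival_days:>6}{score:>7}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_BIA))
    print("Most critical:", most_critical(SAMPLE_BIA))
    print("No alternate named:", missing_alternates(SAMPLE_BIA))
```

Running the script prints the ranked table followed by the two flag lists; in the constructed data, order processing ranks first, email and the support line tie on score but email ranks higher because it has only one survival day, and the two rows without an alternate are surfaced for follow-up in the next BIA interview round.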

Page 16

Question #2: When was the last time your organization tested its disaster/recovery/continuity plan?

2014
2013
Before 2013
We don’t have a plan
I don’t work for an organization

Page 17

BCM Step 3

• The Response and Recovery Plan
• Catalog key data about the assets required to restore critical functions
– IT systems, facilities, personnel, suppliers, partners, customers, law enforcement, emergency services
• Plan must cover HR, IT, PR, asset management, accounting, facilities

Page 18

Practical technique: The Plan

• Record asset serial numbers, licensing agreements, leases, warranties, contact details

• Determine “who to call” for each category of incident

• Create a calling tree so the right calls get made, in the right order

Page 19

Practical technique: IT

• Document arrangements you have in place for transitioning to temp locations and IT facilities
• Document backups and archives
• Consider using cloud-based IT for some functions

Page 20

Practical technique: PR controls

• You need a “who can say what” list to control interaction with the media during an incident
• Train all employees on this
• Consider a “CEO-only” rule
• Don’t overlook social media

Page 21

Practical technique: People

• Document an “all-hands” notification process

• Design and document customer advisory criteria and procedures

Page 22

Practical technique: Steps

• Steps to recover key operations should be laid out in a sequence that accounts for functional inter-dependencies.
• Get plan approved
• Train managers and their reports on the plan details relevant to each location and department

Page 23

BCM Step 4: Test and Refine

• Experts recommend testing your plan at least once a year

• Use exercises, walk-throughs, simulations

• With testing you get the most out of your investment in creating the plan

Page 24

Practical strategy

• Testing enables you to find gaps and account for changes in the business and threats over time

• Tests can also impress management

Page 25

Yes, BCM is hard work

• But what’s the alternative?
• Ignore at your peril
• Too daunting to undertake on a company-wide basis?
• Begin with a few departments, or one office if you have several
• Everything you learn in the process can then be applied more broadly

Page 26

There is some help for SMBs

• OFB-EZ: Disaster Protection and Recovery Planning Toolkit for the Small to Mid-Sized Business
– disastersafety.org/open-for-business
• Very helpful, and free

Page 27

What threats are on the rise?

• Emerging trends or uncertainties “on the radar” in terms of business continuity implications:
– Malicious Internet attacks (73%)
– Influence of social media (63%)
– New regulations and increased regulatory scrutiny (55%)
• Source: 2014 BCI Horizon Scan

Page 28

Also rising (45-50%)

• High adoption of Internet-dependent services

• Emergence of a global pandemic

• Increasing supply chain complexity

Page 29

Areas of rising concern

Page 30

BCM Resources

• We Live Security article
• Resource list with links
• eset.com/bcm
• Attachments
• Consider:
– BCI membership
• Subscribe:
– Disaster Recovery Journal

Page 31

Thank you!

• [email protected]
• www.eset.com
• WeLiveSecurity.com
• eset.com/bcm

Page 32

Polling Question: I would like access to the following:

Request access to the Passmark Competitive Analysis Report
Request a custom business trial
Subscribe to ESET’s global threat report
All of the above
None of the above

Page 33

Q&A Discussion
