Current Issues and Careers in BCP. Al Berman, President DRI International

Transcription

1 Current Issues and Careers in BCP Al Berman, President DRI International

2 Business Continuity What s Important Now

3 Who we are We provide education, accreditation, and thought leadership in business continuity and related fields. We offer in-depth courses ranging from introductory to masters level, as well as specialty certifications. Founded in 1988, we are the oldest and largest organization of our kind.

4 What we do and where we do it 1 Certified Organization 14,000+ Certified Professionals Classes offered in 14 Languages Certified Professionals in 100+ Countries Courses held in 50 Countries

5 International Government Collaboration Europe: Presented at the Interparliamentary Center for Parliamentary Studies (Belgium) and the IDRC (Davos, Switzerland) APEC: Only officially recognized business continuity certification DRI Canada is a member of the Technical Committee for the CSA Z1600 Standard UAE: Member of Standards Committee Advisory Team Nigeria: Participate in regular embassy drills Malaysia: Annual DRI conference with the Ministry of Science, Technology and Innovation Japan: Joint Declaration on overcoming future crises with municipal governments Singapore: Exclusive training partner for Singapore Business Federation United States: Chair, Alfred P. Sloan Committee to draft the Framework for Preparedness that is the foundation for the Title IX Implementation. Member, U.S. Chamber of Commerce Homeland Security Task Force Member, Council of Experts for ANSI-ANAB Member, FEMA National Advisory Council Private Sector Subcommittee Member, Advisory Committee for Congressionally funded Project for National Security Reform Advisor, Special Assistant to The President for Homeland Security Standards Policy Mexico: National standards advisor

6 Conferences Urban Security Event Rome, Italy Business Continuity Forum Doha, Qatar Global Risk Forum Davos, Switzerland Business Continuity Forum Istanbul, Turkey World Conference of Disaster Risk Reduction Sendai, Japan Crisis and Emergency Management Conference Abu Dhabi, United Arab Emirates Low Carbon Earth Summit Qingdao, China Knowledge Grows by Sharing Hyderabad and Bangalore, India KL2013 KL2014 KL 2015 KL 2016 Kuala Lumpur, Malaysia The State of The Art of Business Continuity and Disaster Recovery ISACA: True Risk Management The Road to Convergence Singapore The Role of the Central Bank and BCM Manila, Philippines DRI BJ 2015 Beijing, China Great Lakes Business Recovery Group Michigan, United States RIMS PERK Presentation Kansas City, KS DRI2013 Philadelphia, United States DRI2012 New Orleans, United States DRI2015 San Antonio, United States Leadership for Peace and Prosperity Conference San Diego, United States PwC International BCM Conference San Juan, Costa Rica ACP Liberty Valley Meeting Pennsylvania, United States NYU Intercep Global Risk Forum New York, United States Mid-Maryland ACP Meeting Maryland, United States DRI2014 Atlanta, United States Congreso BCM y ERM Mexico City, Mexico Congreso ALCONT Medellin, Colombia DRI Day Sao Paolo, Brazil

7 United Nations Collaboration DRI is a member of the Private Sector Partner Working Group of the United Nations Office for Disaster Risk Reduction DRI is representing the private sector to the UNISDR Disaster Management Terminology Committee Research conducted in partnership with the European Commission DRI s International Glossary for Resiliency is a source document DRI hosted a Public Forum in conjunction with the launch of the Hyogo Framework for Action 2 at the World Conference for Disaster Risk Reduction Providing access and voice heard by global policymakers

8 The Most Used Standard in the World Most Used Standard for BCM BC Management 2013

9 Outreach

10 Charitable Giving and Volunteerism Vision Resilient communities worldwide Mission To promote disaster risk reduction through partnership and education To aid recovery efforts through fundraising and volunteerism

11

12 Education

13 Academic recognition

14 Working with the academic community DRI International Collegiate Conferences One-day conference in conjunction with an institution of higher learning Admission - $50 tax-deductible donation to the DRI Foundation (students are Free) A chance for professionals and academics to meet Meet Potential Employers 2016 Schedule University of St. Thomas, Houston, Texas: April 23, 2016 St. John s University, Queens, New York: Sept 12, 2016 Saint Louis University, St. Louis, Missouri: Sept 15, 2016 Centennial College, Toronto, Canada: 11/3/2016

15 Helping pay for college through scholarship To help pay for rising education costs $5,000 for a high school senior $5,000 for an Undergraduate Student Parent or legal guardian must be a Certified Professional in good standing For Undergraduate Scholarship: Applicant may be a DRI Certified Professional in good standing Focus Area: Education

16 Business Continuity as a Career

17 Job Trends

18 Let s Talk Money

19 Job Openings

20 Most sought-after credential DRI International November 25, 2015

21 Helping Those That Protect Us

22 Veteran s Outreach Program To establish a Veterans Outreach Program where recently separated or near-term separation military members can participate in a DRI program focused on career development, transitioning to the corporate (both public and private) sector Helping those who protect us Providing free training (sponsored or Montgomery GI Bill) Providing career guidance Reaching out to military and veterans organizations to provide free seminars

23 Veteran s Outreach Program New education program RP6 s mission is to guide service members, veterans and their families to their next objective BCP 501 to be delivered for RP6 veterans community Held April 27-29, 2016 in Lakewood, Washington

24 BCM, Resiliency & Risk Management

25 BCM, Resiliency & Risk Management

26 Business Continuity Management

27 Disaster Response Components Emergency Response Crisis Management Business Continuity Activity Inception - Duration

28 Combining Disciplines More Integrated Solution Business Continuity Disaster Recovery (IT Recovery and Continuity) Emergency Response Crisis Management UNDER THE BANNER OF BUSINESS CONTINUITY MANAGEMENT

29 Why BCM?

30 Reasons for Business Continuity External Drivers Impacts Pressure from audit committees Pressure from financial institutions Pandemic concern New threats & risks since 9/11 Demands from customers Increased regulatory and self-regulated requirements Loss of customers or inability to attract new customers Loss of revenue Decrease in stock value Increase of insurance premiums Loss of assets and employees Regulatory sanctions

31 Reasons for Business Continuity

32 Reasons for Business Continuity Customer Focused

33 Reasons for Business Continuity External Drivers Impacts Pressure from audit committees Pressure from financial institutions Pandemic concern New threats & risks since 9/11 Demands from customers Increased regulatory and self-regulated requirements Loss of customers or inability to attract new customers Loss of revenue Decrease in stock value Increase of insurance premiums Loss of assets and employees Regulatory sanctions

34 Business Continuity Laws, Regulations and Standards Pre-9/11 Post-9/11 Consumer Credit Protection Act OMB Circular A-130 FEMA Guidance Document Paperwork Reduction Act ISO (Previously ISO17799) FFIEC BCP Handbook Computer Security Act 12 CFR Part 18 Presidential Decision Directive 67 FDA Guidance on Computerized Systems used in Clinical Trials ANSI/NFPA Standard 1600 Turnbull Report (UK) ANAO Best Practice Guide (Australia) SEC Rule 17 a-4 FEMA FPC 65 CAR JHACO Sarbanes-Oxley Act of 2002 HIPAA, Final Security Rule FFIEC BCP Handbook -2003/ 2008 Fair Credit Reporting Act NASD Rule 3510 NERC Security Guidelines FERC Security Standards NAIC Standard on BCP NIST Contingency Planning Guide FRB-OCC-SEC Guidelines for Strengthening the Resilience of US Financial System NYSE Rule 446 California SB 1386 Australia Standards BCM Handbook GAO Potential Terrorist Attacks Guideline Federal and Legislative BC Requirements for IRS Basel Capital Accord MAS Proposed BCP Guidelines (Singapore) NFA Compliance Rule 2-38 FSA Handbook (UK) BCI Standard, PAS 56 (UK) Civil Contingencies Bill (UK) NFPA: PS-Prep Sarbanes-Oxley 2002 Safety Act FCD-1/2 NYS Circular Letter 7 ASIS State of NY FIRM White Paper on CP NISCC Good Practices (Telecomm) Australian Prudential Standard on BCM HB221 HB292 BS25999 SS507 SS540 TR19 CA Z1600 ISO/PAS HiTech Act of 2009 NZ 5050 ISO22301 FINRA 4370 UAE SEC - Compliance Programs Dodd-Frank Wall Street Reform Act ISO22301 NFPA:

35 BCM, Resiliency, Risk Management

36 Resiliency Enterprise Risk Risks associated with not only accidental losses, but also financial, strategic, operational, and other risks. Operational Risk Risks associated with internal inadequacies of an organization or a breakdown of its controls, operations or procedures. Business Continuity Reducing the impacts that occur when there is a failure in Enterprise or Operational Risk Management

37 Cause vs. Effect Risk Management Anticipates Causes (Risks) Identifies Threats (Facility, Environmental, Climatic, Geopolitical, Personnel, Business, Technology, etc) Recommends Mitigation Probability Cost of Mitigation BCM - Deals with Effects What are the Implications of failing to mitigate or prevent Preparation Structure, planning, resources, testing Execution Relocation, operating under duress

38 Risk Assessment Preparing to Deal with Causes Power Failure Location 1 Possible Scenarios Primary Workspace Primary Systems & Electronic Data Key Personnel Key Vendors and Services Vital Records (Paper Files & Mail) Electric Internal G Y G G G Con Ed failure G Y G G G Back-up Generators failure G Y G G G Gas Leaks R R R G G Communications Loss of Vendor Service G R G R G Loss of Voice Service G G G R G Loss of Cellular Service G G G Y G Loss of Data Transmissions G R G R G Router / Hub Failure/Firewall G R G R G Overloaded: Performance failure G R G R G IT Processing Software failure G R G G Y Infrastructure damaged G R G R Y Mainframe failure G R G R Y Server failure G R G R Y Router failure G R G R Y Hubs Failure G R G R Y Water / Plumbing / Sprinkler Malfunction G Y R

39 Cause vs. Effect Risk Management Anticipates Causes (Risks) Identifies Threats (Facility, Environmental, Climatic, Geopolitical, Personnel, Business, Technology, etc) Recommends Mitigation Probability Cost of Mitigation BCM - Deals with Effects What are the Implications of failing to mitigate or prevent Preparation Structure, planning, resources, testing Execution Relocation, operating under duress

40 BCM Focuses on Effects, Impacts, Consequences INCIDENT OCCURS Facilities Business or Operational Technology Organization Fire Flood Bomb Scare SARS,H1N1, H5N1 Terrorism etc. Supply Chain Process Error Transit Strike SARS, H1N1, H5N1 Labor Strike etc. Network Problem Application Error Hardware Failure Virus Power Problem etc. M & A Succession IP Issue Audit Issues Financial Problems etc.

41 Cause vs. Effect Risk Management Anticipates Reducing Causes Causes (Risks) Identifies Threats (Facility, Environmental, Climatic, Geopolitical, Personnel, Business, Technology, etc) Recommends Mitigation Probability Cost of Mitigation Reducing Effects BCM - Deals with Effects What are the Implications of failing to mitigate or prevent Preparation Structure, planning, resources, testing Execution Relocation, operating under duress

42 Business Continuity Management Today

43 A Few Issues of Concern Supply Chain From Albuquerque to Sendai & Beyond Cyber Threat Insurance Risk Transfer Business Interruption Extra Expense and BCP Technology Clouds and Resiliency Standards Laws Regulations Standards

44 A Look at Supply Chain Issues

45 Challenges Supply Chain From Albuquerque to Sendai & Beyond Cyber Threats Extending Supply Chain Scope Insurance Risk Transfer Real ROI

46 Supply Chain From Albuquerque to Sendai & Beyond

47 Supply Chain

48 Supply Chain Procurement and Strategic Sourcing Transportation Management Inventory Planning and Management Physical Distribution Customer Service and Support

49 Nokia vs. Ericsson -- March 17, 2000 Pre Fire Ranking Nokia (32%) Motorola (22%) Ericsson (12%) 10 Minute Fire in Albuquerque Philips Microchip Plant Post Fire Ranking Nokia shipments grew by 10.5 percent over the previous year, to 140 million units. Motorola shipments dropped by 1.7 percent to 59 million units. Siemens shipments grew by 10.2 percent to 30 million units. Samsung shipments grew by 36.8 percent to 28 million units. Ericsson shipments dropped by 35 percent to 27 million units. On July 20, 2000, Ericsson reported that the fire and component shortages had caused a second-quarter operating loss of $200 million in its mobile phone division. Total loss $400 million

50 Why Nokia Gained and Ericsson Lost Preparation - Nokia Considered solutions before event occurred Understood the need Implemented recovery at other Philips plants Believed early reports of little damage and interruption Smart people will find a solution Wishful Thinking - Ericsson

51 Once Burned: Better BCM Means More Reliable Suppliers Business Interruption and Recovery Plan Supplier will provide Motorola with a detailed, written business interruption and recovery plan, including business impact and risk assessment, crisis management, information technology disaster recovery, and business continuity. Supplier will update the plan annually. Supplier will notify Motorola in writing within twenty-four (24) hours of any activation of the plan. Motorola Corp 2002

52 Japanese Impact Upon Supply Chain GM shuts down for lack of supplies Chrysler Ford no Red Black Pigments Apple ipad2 Backorder Chip shortage Chip increased prices Case Polishing

53 Japan as a Supplier

54 Changing Direction Moving More Production Off Shore Some 70 per cent of domestic manufacturers expect at least one partner in their supply chains to speed up relocation efforts overseas, a trade ministry poll showed, accelerating a nearly two decade-long migration of Japanese manufacturing capability overseas. "Relocating is on the table for many executives. If a key supplier or partner moves, that could trigger a large exodus," said Shuzo Takada, director of the ministry's industrial revitalisation division.

55 Changing Direction Moving More Production Off Shore Off Shore Back Up Renesas Electronics, plans to increase offshore production from 8% - 25% Fujitsu plans to shift more chip output to a factory in China Hoya, is planning its first overseas plant in China Mitsui Mining & Smelting, which supplies 90 percent of the ultra-thin copper foil used in smartphones, is building a backup production line in Malaysia. Japanese Firms Plan to Set Up Backup Production Bases in Taiwan The two Japanese firms, one a semiconductorequipment maker and the other an electronic chemical material supplier, plan to make investments totaling NT$600 million in value.

56 Mapping Risk in Supply Chain

57 Emerging Supply Chain Risks Risk & Insurance Magazine

58 Cyber Threats Extending Supply Chain Scope

59 Cyber Crimes In The News

60 The New Attacks Easy Source of Attacks Find a trusted source (third party vendor) One with less than adequate security phish, hack Steal credentials Gain entry to Target POS Test the hack Spread to rest of POS system live Credit/Debit card info Upload (FTP) data to innocent servers in Miami and Brazil Data winds up in Russia and Eastern Europe SUPPLY CHAIN WEAKNESS AFFECTED CUSTOMER CREATED POTENTIAL LEGAL LIABILITY SUIT SETTLED WITH 40,000,000 CUSTOMERS GUESS HOW MUCH? $10 MILLION - 25 CENTS PER PLAINTIFF

61 ENTER THE GOVERNMENT

62 More Pressure to Perform Due Diligence on Supply Chain New Regulations to Ensure Vendor Security HIPAA Omnibus Rules Vendor Due Diligence FFIEC Third-Party Providers, Key Suppliers, and Business Partners Cybersecurity Assessment Pilot Program OCC Third Party Relationships FINRA PCI Assessing how firms manage cybersecurity threats Credit Card Processing (Outsourcing cloud services provider, hosted call-center, IT services firm, disaster recovery location, document storage company)

63 Bulletin OCC A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships. A bank should ensure comprehensive risk management and oversight of third-party relationships involving critical activities. An effective risk management process throughout the life cycle of the relationship includes: plans that outline the bank s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party. proper due diligence in selecting a third party. written contracts that outline the rights and responsibilities of all parties. ongoing monitoring of the third party s activities and performance. contingency plans for terminating the relationship in an effective manner. clear roles and responsibilities for overseeing and managing the relationship and risk management process. Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management. Independent reviews that allow bank management to determine that the bank s process aligns with its strategy and effectively manages risks. The OCC charters, regulates, and supervises all national banks and federal savings associations as well as federal branches and agencies of foreign banks. The OCC is an independent bureau of the U.S. Department of the Treasury. Mission To ensure that national banks and federal savings associations operate in a safe and sound manner, provide fair access to financial services, treat customers fairly, and comply with applicable laws and regulation

64 HIPPA Business Associates Concerned with ephi Focus Area Change Required Internal Existing Agreements With Business Associate Addenda Existing Relationships without Business Associate Addenda All Covered Entities must review their existing vendor relationships and affiliations to determine whether any relationship meets the new Business Associate Criteria. All Business Associates must review their existing subcontractor arrangements for compliance purposes. Identify Vendors and/or affiliates or affiliation relationships which involve access or disclosure of PHI and which do not have documented BA addenda. RHIO relationships must include a Business Associate Addendum. A parent or affiliate which provides quality assurance or other functions involving access or review of PHI must have a Business Associate Addendum in place. Vendors who provide PHI to patients must have a Business Associate Addendum in place. Other entities, such as document storage and/or disposal vendors must have a Business Associate Addendum in place. HIPAA Inventory all existing contracts and identify all signed Business Associate Addenda and/or subcontractor agreements. Review contracts signed prior to January 25, 2013 and determine end date for compliance as per transitional rule. Conduct a risk assessment of all vendor relationships to identify those that may fall within the new regulatory definitions. Do not overlook corporate relationships with affiliates which do not involve the exchange of information for treatment purposes. For individuals employed by vendors or affiliates but who may fall within a covered entity s or Business Associate s work force, assure proper designation and training. Hybrid Entities Hybrid Entities that perform multiple functions and roles (such as operating a hospital and university) must now include any Business Associate functions under the health care component of its operations subject to the new rules. Review internal designations of health component for any Hybrid Entity. Assure direct compliance with HIPAA/HITECH as to Business Associate functions carried out by organization.

65 And One for the US Government FISMA- (Federal Information Security Management Act) Federal Highway Administration bid solicitation Security assessment: formal evaluation of control environment (annual) Plan of action: plan to mitigate assessment findings (quarterly) System security plan: documentation of all controls (annual) Security categorization: impact level of each system (annual) System contingency plan: documentation of redundancy (annual) Security policy and workforce training records (annual) Interconnection agreements from sub-contractors (annual)

66 Government Contract Lost Oct 10, 2014, 7:01am EDT Dayton Business Journal It seems that being the victim of a data breach could lead to companies losing government contracts, according to a report by the Washington Business Journal. The Office of Personnel Management s decision not to renew two contracts with US Investigations Services LLC might have set a precedent for how government handles contractor breaches, according to the report. As a reminder, in July 2014, USIS was hit by a cyber attack that reportedly affected 25,000 government employees. USIS suspected it to be "state-sponsored." The government quickly suspended work with USIS and then opted to drop its contracts with the company. Robert Nichols, a lawyer specializing in government contracts at D.C. firm, Covington & Burling LLP, says the lost contracts could place higher demands on contractors in securing their work with government data, according to Federal Computer Week. For this reason alone, government contractors must have adequate system protections in place to keep data safe.

67 Timeline March Attempted OPM Attack June USIS - Contractor Notifies Government of Breach July 9, NY Times First Reveals Attempted OPM Hack August 6, USIS Acknowledges Breach September Previously Undisclosed Hack at KeyPoint Contractor Notification sent in June 2015 USIS contract not renewed December Another Hack Disclosed; OPM Systems Successfully Breached April OPM Detects Hack of Personnel Files May OPM Learns Background Check Data At Risk June 4, OPM Announces Massive Breach of Personnel Files June 12, OPM Confirms Related Breach of Background Check Files June 16, OPM Blames Lax Security on Outdated Technology

68 OPM

69 Our Policy Director of National Intelligence James Clapper testifies on Capitol Hill in Washington, Thursday, Sept. 10, 2015, before the House Intelligence Committee hearing on cyber threats. "Until such time as we do create both the substance and the mindset of deterrence, this sort of thing is going to continue,"

70 Balancing Security and Privacy Apple vs. FBI vs. Department of Justice Issue Governments Right to Access Information Vs. Individuals Right to Privacy Underlying Issue Trusting the Government Government Security Abuse (stringrays)

71 We can all sleep better at night "Gates is absolutely right," maintained Al Berman, President of DRI International.

72 Thank You Questions, Comments