L18: Integrate Control Disciplines to Increase Control and Save Money

Transcription

1 L18: Integrate Control Disciplines to Increase Control and Save Money Kathleen Lucey, FBCI Montague Risk tel:

2 Connections Information Security (computer security, data security, cyber security, logical security) Records Emergency Crisis Business Continuity (disaster recovery, contingency planning, resilience)

3 InfoSec Overview Modern usage begins with the growth of information technology Traditionally ends at the last point controlled by IT Generally reports within IT Professional knowledge base and jargon

4 InfoSec Control Principles Transference of Risk Prevention, Avoidance, Deterrence (Defensive Depth) Detection Mitigation & Recovery Correction

5 Records Overview Exists since the use of paper documents, but particularly since the use of printed documents Organizes and stores critical documents for future access Regulated Third-party industry for short- and long-term archive Professional knowledge base and jargon Generally reports to an internal administrative department (CFO, CAO)

6 Records Control Principles Transference of risk Loss Prevention, Avoidance, Deterrence (Defensive Depth) Detection Recovery Correction

7 Emergency Overview Primarily concerned with the safety of personnel during an infrastructure or other climate-induced or physical failure. Involves many third parties Regulated Professional knowledge base(s) and internal jargon (many) Supports controls used by other functions Generally reports to Facilities or HR, which reports to either the COO, CFO, or CAO

8 Emergency Control Principles Transference of risk and damages Prevention of human injury and loss of life Prevention, Avoidance, Deterrence of an infrastructure-related failure Detection of an emergency condition Mitigation & Recovery from an incident Correction

9 Crisis Overview Shapes and manages the communications to the employees, press, and other parties after a major incident Attempts to minimize the follow-on legal, financial and reputation impacts to the organization Third party involvement: Public Relations firm and/or a Law firm Senior executives are usually involved but only at the time of incident Professional knowledge base(s) and internal jargon (multiple) Generally responsible to the CEO or Chairman of the Board May not be formally organized.

10 Crisis Control Principles Transference of risk and damages wherever possible Detection: Early identification of potential crisis; preplanned response Implementation of a Crisis Plan Mitigation & Recovery from an incident: Spin of crisis-related information to minimize negative impacts Control of communications channels to press, public, and staff Correction

11 Business Continuity Overview Modern usage begins with the growth of information technology, and the perceived dependence of the organization on its IT systems. First called DISASTER RECOVERY. Now may be called RESILIENCY. Driven by market forces: availability of inexpensive commercial shared hot sites and similarity of widely shared equipment. Also IT dependence on electrical power. STILL generally reports within IT; advanced organizations use different structures. Concerned with 1) avoiding an incident that interrupts business operations; 2) mitigating damages if one occurs. Often more attuned to operational impacts of IT systems loss: RTO, RPO

12 Business Continuity Control Principles Transference of risk and damages as possible Prevention, Avoidance, Deterrence (Defensive Depth) of ANY and ALL conditions that may provoke a business interruption Early detection and pre-planned, rehearsed response Damage Mitigation & Recovery Correction

13 Initial Interruption INTERRUPTION MANAGEMENT MODEL Crisis Team Media Relations Team Command Center Support Team Recovery Business Recovery Coordination Business Continuity Teams Interruption Team Business Continuity Coordination IT Recovery Coordination Information Technology Recovery Teams Emergency Logistics Site Repair or Relocate Emergency Funding Admin. Services Employee Support Physical Security Site Repair and Restoration Insurance Liaison Purchasing EMT Government Liaison Transportation, Communications HAZMAT Damage Assessment Site Relocation and Recreation 2009 Montague Risk II, Inc. All rights reserved.

14 CONVERGENCE

15 Convergence of Control Disciplines ALL of these disciplines involve controls to minimize the probability and severity of incidents. ALL are concerned with controls to reduce incidentrelated injuries and damages. IT Disaster Recovery was part of InfoSec in the early 80 s: availability. ALL of these disciplines (and more) are often now included in enterprise resiliency programs.

16 Convergence of Control Disciplines RISK MANAGEMENT: must be concerned with all disciplines working to deter and respond to ALL incidents that may result in personnel injury, operational interruptions to the business OR loss of revenue/customers.

17 Risk Program Elements Business Continuity Program Emergency Baseline Notification & Communication Logistics & Incident Team Plans Crisis Team Plans Evacuation and Assembly Points Employee Support Materials Emergency Phone Numbers Local Emergency Organization Training & Testing

18 Risk Program Elements Business Continuity Program Resiliency & Recovery Baseline Continuity Team Plans & Testing IT Offsite Backup & Mirroring IT Systems Recreation Plans & Testing Redundancy & Routing Diversity Multiple Suppliers & Continuity Capability Audits Insurance Adequacy Documentation, Training & Testing

19 Risk Program Elements Business Continuity Program Safety & Security Baseline Visitor Reception Procedures Entry & Exit Safety Premises & Lease Checklist Safety & Security Function & Culture Basic Pandemic Planning Training & Testing

20 Risk Program Elements Business Continuity Program Information Protection Baseline Paper document scan on receipt procedure Classification & role-based Access Intrusion Detection / Monitoring & Response Super-User Monitoring & Response Effective Account / Privilege Housekeeping Practices

21 Risk Program Elements Business Continuity Program Emergency Baseline Resiliency & Recovery Baseline Safety & Security Baseline Information Protection Baseline Notification & Communication Logistics & Incident Team Plans Crisis Team Plans Evacuation Assembly Points Employee Support Materials Emergency Phone Numbers Local Emergency Organization Training & Testing Continuity Team Plans & Testing IT Offsite Backup & Mirroring IT Systems Re-creation Plans & Testing Redundancy & Routing Diversity Multiple Suppliers & Continuity Capability Audits Insurance Adequacy Documentation, Training & Testing Visitor Reception Procedures Entry & Exit Safety Premises & Lease Checklist Safety & Security Function & Culture Basic Pandemic Planning Training & Testing Paper document scan on receipt procedure Classification & Need to Know Access Intrusion Detection / Monitoring & Response Super-User Monitoring & Response Effective Account / Privilege Housekeeping Practices Brand Protection Baseline

22 How does the business perform governance on this inter-related set of complex control activities?

23 Organizing for Effectiveness Like the Audit Department, all control functions that cross the borders of company silos should ultimately report OUTSIDE of those silos. A unified command structure can determine meaningful policies and useful common procedures in ALL silos. Each can learn from the others. Living together will de-mystify the internal jargon of each discipline and encourage cross-disciplinary education.

24 Prototype Risk Governance Organization Board Risk Committee Head of Audit Department (CRO) Corporate Risk Business Continuity Emergency / Facilities Physical Security Safety Crisis Information Security Records Insurance / Legal

25 Benefits The Risk Committee of the Board is legally charged with ensuring that appropriate controls are in place across the enterprise. Reports on controls and their effectiveness can be stated in business terms, and be consonant with operational audits. Audit will become a close partner. It will become possible to implement initiatives across disciplines whose impacts can be understood by the business. Missing or ineffective controls are easier to see when all are grouped together.

26 Benefits Cross-pollination of various control cultures erodes knowledge and jargon barriers. A common language and culture will develop among all control disciplines over time. Duplication of efforts can be eliminated, thus increasing productivity. Enterprise-wide contracts for common products and services can be negotiated at significant cost savings.

27 Benefits Nothing precludes subordinate organizations within silos, but each reports to a company-wide director for that control discipline. Risk budgets can be allocated across the company, instead of competing for resources within department- or silo-level organizations.

28 Benefits All disciplines bring a critical part of the risk and governance equation. Each is therefore essential. Only by grouping all disciplines together can they be harmonized and work together effectively. It s a big boat and there is room for everyone. IF we are willing to learn how to understand each other s languages and work with each other!

29 Prototype Risk Governance Organization Board Risk Committee Head of Audit Department (CRO) Enterprise Risk Director, Enterprise Business Continuity Director, Emergency / Facilities Director, Enterprise Physical Security Director, Enterprise Safety Director, Enterprise Crisis Director, Enterprise Information Security Director, Enterprise Records Director, Enterprise Insurance / Legal

30 Shatter the Walls between Control Disciplines! All control disciplines do basically the same thing: just in different areas. Each has its own jargon, and its own territory to defend. Use formal and informal events to gain trust. Use time to your advantage to gain confidence. Be friendly and supportive!

31 Shatter the Walls between Control Disciplines! Business Continuity Physical Security Crisis Information Security Insurance / Legal Safety Emergency / Facilities Records

32 The Chief Risk Officer The CRO will need to understand and speak the languages of multiple control disciplines. The CRO will need knowledge, certification, and experience in multiple control disciplines. The CRO ranks will be filled by individuals willing to step away from each discipline-specific jargon, and to lead the emergence of a new management function that embraces all control disciplines.

33 Advance Your Career YOU Chief Risk Officer Business Continuity Emergency / Facilities Physical Security Safety Crisis Information Security Records Insurance / Legal

34 QUESTIONS? Contact me at: Phone: (mobile)