Are Traditional Disaster Recovery Plans Still Relevant? Bobby Williams, MBCP, MBCI Director, IT Resiliency Planning Fidelity Investments

Who am I? Bobby Williams is the Director of IT Resiliency Planning for Fidelity Investments. He has earned his MBCP from the DRII and his MBCI from the BCI. Bobby chairs the DRII International Glossary Committee. He also serves on the NFPA 1600 Emergency Management and Business Continuity committee. Bobby has worked in the IT industry for 25 years in technical roles, vendor education, pre/post sales engineering, disaster recovery management, and business continuity management. He earned his BSEE degree from the University of Tennessee, Chattanooga. Bobby retired from the Tennessee Army National Guard where he served as an artillery officer in the 196th Field Artillery Brigade. Bobby.Williams@fmr.com Office: 919-458-4239

Agenda
NIST Cybersecurity Framework & Special Publications
Overview of the NIST SP 800-34 (rev 1)
Move from DR to Contingency Planning
Major Points in the NIST Contingency Plan
Incorporating NIST Contingency Plans into an existing DR program

Who are you? Technical? BC? Risk? Finance? Health Care?

Overview: Banks and OCC-regulated financial institutions are now expected to follow the FFIEC Cybersecurity Assessment Tool, which is based on the NIST Cybersecurity Framework. We will look at NIST SP 800-34 (rev 1) and see how its controls can help us create or evaluate a technology recovery program, and how that program can in turn support a robust Information Security program based on the NIST SP 800-53 controls.

NIST Cybersecurity Framework
Contingency Planning (CP) controls referenced in the CSF come from NIST SP 800-53 Rev 4 (NIST Special Publication 800-53 Rev 4 - Security and Privacy Controls for Federal Information Systems and Organizations).
All 5 functions within the CSF have contingency planning controls; 23 subcategories include CP controls.
NIST Special Publication 800-34 Rev 1 - Contingency Planning Guide for Federal Information Systems

What types of plans does NIST list?
Business Continuity (BCP)
Continuity of Operations (COOP)
Crisis Communications
Critical Infrastructure Protection (CIP)
Cyber Incident Response
Occupant Emergency Plan (OEP)
Disaster Recovery (DRP)
Information System Contingency Plan (ISCP)

Crosswalk of plan types SP 800-34 Rev 1

Is a Contingency Plan different from a DR plan? According to SP 800-34 Rev 1 Disaster Recovery Plan (DRP) The DRP applies to major, usually physical, disruptions to service that deny access to the primary facility infrastructure for an extended period. A DRP is an information system-focused plan designed to restore operability of the target system, application, or computer facility infrastructure at an alternate site after an emergency. The DRP only addresses information system disruptions that require relocation.

Is a Contingency Plan different from a DR plan? According to SP 800-34 Rev 1, Contingency Plan (CP): A CP provides established procedures for the assessment and recovery of a system following a system disruption. The CP provides key information needed for system recovery, including roles and responsibilities, inventory information, assessment procedures, detailed recovery procedures, and testing of a system.

Is a Contingency Plan different from a DR plan? The CP differs from a DRP primarily in that the contingency plan procedures are developed for recovery of the system regardless of site or location.

Contingency Planning Controls

CP-2 Control
CP-2 CONTINGENCY PLAN
Control: The organization:
a. Develops a contingency plan for the information system that:
i. Identifies essential mission and business processes and associated contingency requirements;
ii. Provides restoration priorities and metrics;
iii. Addresses contingency roles, responsibilities, and assigned individuals with contact information;
iv. Addresses maintaining essential missions and business processes despite an information system disruption, compromise, or failure;
v. Addresses eventual full information system restoration without deterioration of the security measures originally planned; and
vi. Is reviewed and approved by designated officials within the organization;
b. Distributes copies of the contingency plan to key contingency personnel;
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system at periodic intervals;
e. Revises the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; and
f. Communicates contingency plan changes to key contingency personnel.

Implementation Steps
The program should focus on standardized CPs for each application/system, based on impact.
NIST has an SP for the risk management process.
CPs must be reviewable, revisable, and reasonable.
The CP was originally intended for the system level; some companies implement it at the application level, and some at the IT product level. Your mileage may vary.

Process to create a CP
1. Develop the contingency planning policy;
2. Conduct the business impact analysis (BIA);
3. Identify preventive controls;
4. Create contingency strategies;
5. Develop an information system contingency plan;
6. Ensure plan testing, training, and exercises; and
7. Ensure plan maintenance.

What should be included in a CP?
Who is responsible for recovery? How are they notified?
Recovery Time and Recovery Point Objectives
How is the system configured? Architectural diagrams
Upstream dependencies: what does this application need to function?
Downstream dependencies: what depends on this application?
Recovery steps
Appendix references
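The CP-2 control elements and the "what should be included in a CP?" checklist above can be turned into checks a plan reviewer runs before sign-off. The following is an added example and is not code from the presentation, from Fidelity, or from NIST: it models a minimal Information System Contingency Plan record (owner contacts, RTO/RPO, upstream dependencies, recovery steps, last review date) and runs three reviewer checks against a constructed set of plans. The 365-day review interval is an assumption, since CP-2 d only says "periodic"; all system names, contacts, dates and RTO/RPO values are constructed sample data. The dependency check generalizes the slide's point about upstream dependencies: a system's RTO cannot be met if something it needs recovers more slowly, and restoration priority (CP-2 a.ii) follows from ordering the dependency graph.

```python
"""Added example, not from the presentation or from NIST: a minimal
Information System Contingency Plan (ISCP) record plus three reviewer checks
that follow the slide content (CP-2 elements, RTO/RPO, upstream dependencies).
All system names, contacts, dates and RTO/RPO values are constructed."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class ContingencyPlan:
    system: str
    rto_hours: float        # Recovery Time Objective
    rpo_hours: float        # Recovery Point Objective
    roles: dict             # role -> contact info (CP-2 a.iii)
    last_review: date       # date of last review/approval (CP-2 d)
    upstream: list = field(default_factory=list)        # what this system needs
    recovery_steps: list = field(default_factory=list)  # ordered recovery procedure


# Assumed review interval; CP-2 d only says "periodic", so this is organisation-specific.
REVIEW_INTERVAL_DAYS = 365


def completeness_findings(plan, today):
    """CP-2-style completeness check for a single plan; returns a list of findings."""
    findings = []
    if not plan.roles:
        findings.append("no contingency roles or contacts (CP-2 a.iii)")
    for role, contact in plan.roles.items():
        if not contact:
            findings.append(f"role '{role}' has no contact information (CP-2 a.iii)")
    if not plan.recovery_steps:
        findings.append("no detailed recovery steps")
    if (today - plan.last_review).days > REVIEW_INTERVAL_DAYS:
        findings.append("plan review overdue (CP-2 d)")
    return findings


def rto_consistency_findings(plans):
    """A system's RTO is unachievable if something it needs recovers more slowly.
    Also flags upstream dependencies that have no plan at all."""
    by_name = {p.system: p for p in plans}
    findings = []
    for p in plans:
        for dep in p.upstream:
            if dep not in by_name:
                findings.append(f"{p.system}: upstream '{dep}' has no contingency plan")
            elif by_name[dep].rto_hours > p.rto_hours:
                findings.append(
                    f"{p.system}: RTO {p.rto_hours}h cannot be met, depends on "
                    f"{dep} with RTO {by_name[dep].rto_hours}h")
    return findings


def restoration_order(plans):
    """Restoration priority (CP-2 a.ii): upstream dependencies first, tightest
    RTO first among peers. Raises ValueError on a dependency cycle."""
    by_name = {p.system: p for p in plans}
    order, state = [], {}

    def visit(name):
        if state.get(name) == "done":
            return
        if state.get(name) == "visiting":
            raise ValueError(f"dependency cycle at {name}")
        state[name] = "visiting"
        for dep in (by_name[name].upstream if name in by_name else []):
            visit(dep)
        state[name] = "done"
        order.append(name)

    for p in sorted(plans, key=lambda p: p.rto_hours):
        visit(p.system)
    return order


TODAY = date(2018, 6, 1)  # constructed "as of" date for the review check

# Constructed sample plans for a small application landscape.
SAMPLE_PLANS = [
    ContingencyPlan("auth-directory", 4, 1, {"Recovery lead": "auth-oncall@example.invalid"},
                    date(2018, 3, 1), [], ["restore from replica", "verify logins"]),
    ContingencyPlan("storage-array", 12, 0, {"Recovery lead": "storage@example.invalid"},
                    date(2018, 2, 10), [], ["fail over to DR array"]),
    ContingencyPlan("core-ledger", 8, 0.25, {"Recovery lead": "ledger@example.invalid"},
                    date(2018, 4, 20), ["auth-directory", "storage-array"],
                    ["mount volumes", "replay journal", "open for posting"]),
    ContingencyPlan("customer-portal", 2, 1,
                    {"Recovery lead": "web@example.invalid", "Communications": ""},
                    date(2017, 1, 15), ["core-ledger", "auth-directory"],
                    ["deploy to alternate site", "repoint DNS"]),
]


def review(plans, today=TODAY):
    """Run all checks; returns (findings, restoration order)."""
    findings = []
    for p in plans:
        findings += [f"{p.system}: {f}" for f in completeness_findings(p, today)]
    findings += rto_consistency_findings(plans)
    return findings, restoration_order(plans)


if __name__ == "__main__":
    findings, order = review(SAMPLE_PLANS)
    print("Restoration order:", " -> ".join(order))
    for f in findings:
        print("FINDING:", f)
```

On the constructed data the review reports a missing contact and an overdue review for the portal plan, and three RTO conflicts: the ledger's 8-hour RTO depends on a 12-hour storage recovery, and the portal's 2-hour RTO depends on both the ledger and the directory, neither of which recovers that fast. Those are exactly the mismatches a BIA is meant to surface before the plan is approved; the restoration order (directory and storage, then ledger, then portal) is the order recovery teams would work in.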

Questions?
NIST Special Publications:
SP 800-53 (rev 4): http://nvlpubs.nist.gov/nistpubs/specialpublications/nist.SP.800-53r4.pdf
SP 800-34 (rev 1): http://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-34r1.pdf
Bobby.Williams@fmr.com Office: 919-458-4239