Building a BC/DR Control Library and Regulatory Response Program


Building a BC/DR Control Library and Regulatory Response Program
David Garland, Senior Director, Disaster Recovery & Regulatory Compliance, Business Continuity Management, CME Group

Regulatory Compliance & Controls, September 2016

Agenda
1. A quick introduction to CME Group
2. Business continuity management at CME
3. The evolution of regulatory response at CME
4. Regulatory response, compliance and controls
5. Questions

A Quick Introduction to CME Group Who we are and what we do

CME Group: The world's leading and most diverse derivatives marketplace

Our exchanges:
- Chicago Mercantile Exchange (CME)
- Chicago Board of Trade (CBOT)
- New York Mercantile Exchange (NYMEX)
- Commodities Exchange (COMEX)

Our markets: futures and options based on
- Interest rates
- Equities indexes
- Foreign exchange
- Energy
- Agricultural commodities
- Metals
- Weather
- Real estate

Our reach:
- Access in 150 countries
- Market connections through 11 global hubs
- Relationships with 12 partner exchanges
- Offices and employees around the world

CME Group: The world's leading and most diverse derivatives marketplace

Business Continuity Management at CME Group What we do and what our regulators want to understand

Business Continuity Management at CME Group
Our team mitigates potential impacts to our markets, customers, assets and employees based on identified risks. We are committed to ensuring CME Group can respond to an incident while safeguarding the interests of our stakeholders, ensuring the safety of employees and protecting our reputation and brand.

BCM Methodology:
- Align with US and international standards;
- Implement response and recovery strategies that are both flexible and agile;
- Build effective partnerships throughout the company;
- Employ tested exercise models that evolve with our environment and architecture;
- Seek opportunities for enhanced resilience;
- Identify and apply mitigation plans, based on proper risk tolerance;
- Establish collaborative relationships with external entities, partnerships and agencies; and
- Monitor and adjust program components to meet both domestic and international regulatory requirements and to reflect material changes to the business.

Business Continuity Management Program Components

Methodology

Crisis Analysis Focus Areas
Execute on the requirements of the Global Program, which include:
- Working with Enterprise Risk Management, we plan against top-tier risks.
- Coordinate with the Threat Analysis & Planning Team and communicate with executive leadership, senior management and subject matter experts about potential threats and mitigation efforts.
Key stakeholders include: Senior Leadership, Risk Management Team, Threat Planning & Analysis Team, Global Assurance, Risk Committee of the Board of Directors.

Business Resilience Focus Areas
Execute on the requirements of the Global Program, which include:
- Developing Business Impact Analyses (BIA) & Business Recovery Plans (BRP)
- Training Business Continuity Coordinators
- Coordinating Alternate Work Strategies

Event Management & Response Focus Areas
Employ advanced tools which serve to facilitate:
- Effective global notifications
- Leadership communication
- Cross-functional collaboration and coordination

Event Management & Response: Q1 2016 Events (pie chart; categories: Natural Hazard/Weather, Protest/Strike, Violence/Terrorism, System/Infrastructure, Health/Environmental; shares shown as 40%, 20%, 20%, 10%, 10%)

Disaster Recovery Focus Areas
- Engage IT at all levels to ensure a complete DR solution for existing and new applications and systems
- Document recovery strategy and procedures for every component of CME Group's IT systems
- Analyze recovery gaps and single points of failure
- Expand DR partner and customer relationships
- Enhance processes to reduce recovery time capabilities, where possible

Exercises & Education: Annual Exercise Overview (table of exercise name and frequency)
- Incident Response Teams Tabletop Exercise
- Crisis Management Team
- Emergency Notification Tool Exercise
- Enterprise Response Team
- Regional Incident Response Teams
- National Communication Systems Exercise (GETS)
- Telecommuting Exercise
- Full System Failover Exercise
- Full System Failover & Business Unit Exercise
- Partner Exchange DR Exercises (PE DR to CME Prod)
- Industry-wide Exercises
Frequencies shown in the table: Annually (six exercises), Quarterly (one), 2 times a year (two), As requested by Partner Exchange (one), As available & appropriate (one).

Exercises & Education Focus Areas
- BCM program videos and training guides
- Events and increased focus during Business Continuity Awareness Week & Emergency Preparedness Month
- Increased BCM program awareness briefings across the enterprise, including presentations at division and task force meetings
- On-demand tabletops for departments and cross-functional teams

Public/Private Partnerships

Customer Outreach Program Features
- Regular meetings and calls feature guest speakers that offer different perspectives on BC/DR
- Industry experts on hand to discuss relevant and timely topics of interest
- Networking opportunities allow our customers to meet each other and establish new relationships
- FIA industry-wide DR exercise

Program Strategy & Compliance Focus Areas
- Regulatory Response Program
- Controls
- Audits and assessments
- Benchmarking and reporting
- Program maturation
- Policy and program documentation
- Policy Response
- New Business Support

Program Strategy & Compliance: Program Alignment

Program Strategy & Compliance: Regulatory Compliance
- Monitor US and international BC/DR regulation for program compliance
- Monitor global BC/DR standards to ensure program alignment
- Coordinate, research and respond to regulatory requests and inquiries

The Evolution of Regulatory Response at CME Group

Regulators and Regulation: CME Group's Regulators
- Increased globalization leads to additional regulators, both primary and non-primary
- Increased number of requests
- Existing businesses in new locations
- New business in existing and new locations

Regulators and Regulation: Changes in Regulations
- Dodd-Frank reform leads to new rules and requirements
- Business continuity programs must be based on industry best practices
- Difficult, as NIST is not an international standard, but US regulators rely heavily on this standard for BCM
- Compliance with regulation had to be demonstrated by organizations' use of standards and risk methodologies
- Industry standards: NIST, FFIEC, ISO 22301, PFMI, NFPA 1600, BSI

The Need for BCM Controls

Controls: A process for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies.
- Financial reporting: AICPA, SOX
- IT & Security: ITIL, NIST
- Business & Operations: ISO, ANSI, SOC

Why We Need BC/DR Controls
- Prove operational effectiveness
- Address risk and understand results of noncompliance
- Identify tradeoffs
- Assist in planning
- Maturation and continuous improvement

Developing Controls: Gap Analysis
- Review all current regulations and standards
- Choose a guide. Most BCM standards are comparable in content and some are more prescriptive for compliance. If you can, align the program with the most prescriptive, to help avoid missing any aspects of your program a regulator might address
- Perform a gap analysis

Developing Controls: After Gap Analysis
- Write BC/DR controls based on where you want to be
- The control should be a clear, concise statement written to be applicable to the organization, not the standard or the regulation
- Share your efforts with the company
- Determine testing schedules
- Compare controls with other company controls to help ensure alignment

Developing Controls: Elements of Our Framework
- Control ID
- Control
- Document ID
- Document Description
- Risk Description: What risk is this control attributed to?
- Testing requirements: Using the language from the regulations and standards you decided to use, detail what each control must adhere to. This will be used in the annual review to ensure compliance.
- Standard mapping: For each control, map the standards and regulations that apply to the control to show how the organization is meeting its objectives. This also helps show the alignment with the standard the company chose to comply with and the other standards the company meets for the same control.
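As an added illustration (not code from the presentation or from CME Group), here is a control-library record built from the framework elements on the two slides above, with the checks a gap analysis would run before the annual review: controls not mapped to the chosen guide, controls with no testing requirements or owner, and standards from the industry list with no control citing them. The control IDs, documents and mappings are constructed, and ISO 22301 is assumed as the chosen prescriptive guide.

```python
from dataclasses import dataclass, field

# Standards the slides list as the ones regulators and the program draw on.
STANDARDS = ("NIST", "FFIEC", "ISO 22301", "PFMI", "NFPA 1600", "BSI")

@dataclass
class Control:
    """One control-library record, using the framework elements from the slides."""
    control_id: str
    control: str                 # clear, concise statement written for the organisation
    document_id: str
    document_description: str
    risk_description: str        # what risk the control is attributed to
    testing_requirements: str    # wording taken from the chosen standards/regulations
    standard_mapping: set = field(default_factory=set)  # standards this control satisfies
    owner: str = ""              # who reviews and maintains the control

# Constructed sample records; IDs, documents and mappings are hypothetical.
LIBRARY = [
    Control("BC-01", "Each business unit's BIA and BRP are reviewed and approved annually.",
            "DOC-BIA", "BIA/BRP review procedure", "Recovery priorities drift from the business",
            "Evidence of approved BIA/BRP within the last 12 months", {"ISO 22301", "NIST", "FFIEC"}, "BCM"),
    Control("DR-01", "A full system failover exercise is performed twice a year.",
            "DOC-DR", "DR exercise plan", "Recovery procedures fail when needed",
            "Two failover exercise reports per calendar year", {"NIST", "FFIEC"}, "DR"),
    Control("CR-01", "The emergency notification tool is exercised quarterly.",
            "DOC-ENT", "Notification tool runbook", "Staff cannot be reached during an event",
            "", {"NFPA 1600"}),   # constructed gap: no testing requirements, no owner
]

def library_gaps(controls, chosen_standard):
    """Findings a reviewer should clear before the annual control review."""
    findings = []
    for c in controls:
        if chosen_standard not in c.standard_mapping:
            findings.append((c.control_id, f"not mapped to chosen standard {chosen_standard}"))
        if not c.testing_requirements.strip():
            findings.append((c.control_id, "no testing requirements"))
        if not c.owner:
            findings.append((c.control_id, "no owner"))
    return findings

def standard_coverage(controls, standards=STANDARDS):
    """Control IDs citing each standard; an empty list marks a standard no control covers."""
    coverage = {s: [] for s in standards}
    for c in controls:
        for s in c.standard_mapping:
            coverage.setdefault(s, []).append(c.control_id)
    return coverage
```

Running `library_gaps(LIBRARY, "ISO 22301")` flags DR-01 once and CR-01 three times, and `standard_coverage(LIBRARY)` shows PFMI and BSI with no control citing them.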

What's Next: Company Decisions
- Ownership of controls
- Enterprise view of all controls: IT, Financial, Operational
- Tools for managing controls
- Staff considerations: who will review and maintain the department's controls

Final Considerations
- Operational controls are not new, but how we use them in BCM might be
- Risk is better addressed within an environment that has controls and clear visibility of how risk is attributed to controls
- Having senior leadership buy-in is essential
- The regulatory landscape: changes and uncertainty

Contact Information
David Garland, Senior Director, Business Continuity Management
+1 212 299 2549
david.garland@cmegroup.com
www.cmegroup.com
@cmegroup #cmegroup

Thank You