Business Continuity Management Standards A Side-by-Side Comparison

Similar documents
Table of Contents. Sample

SAMPLE REPORT. Business Continuity Gap Analysis Report. Prepared for XYZ Business by CSC Business Continuity Services Date: xx/xx/xxxx

Introduction to Business continuity Planning

Business continuity management and cyber resiliency

MassMutual Business Continuity Disclosure Statement

Appendix 3 Disaster Recovery Plan

Public Safety Canada. Audit of the Business Continuity Planning Program

INFORMATION TECHNOLOGY ( IT ) GOVERNANCE FRAMEWORK

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

TSC Business Continuity & Disaster Recovery Session

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Business Continuity Planning

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

Disaster Recovery and Business Continuity Planning (Mile2)

BUSINESS CONTINUITY AND DISASTER RECOVERY POLICY

Business Continuity and Disaster Recovery

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

DISASTER RECOVERY PRIMER

Security and Privacy Governance Program Guidelines

Global Statement of Business Continuity

Certified Information Systems Auditor (CISA)

How to Conduct a Business Impact Analysis and Risk Assessment

Sample Exam Privacy & Data Protection Foundation

Business Continuity Planning Keeping Pace with New Technology

Implementing a Global Business

MHA Consulting BCM Metrics Resiliency Through Measurement

Threat and Vulnerability Assessment Tool

VMware BCDR Accelerator Service

ISO 22301: An Overview of BCM Implementation Process. Presenter: Dejan Kosutic

Information Technology Branch Organization of Cyber Security Technical Standard

Infocomm Professional Development Forum 2011

Security Guideline for the Electricity Sector: Business Processes and Operations Continuity

Chapter 8: SDLC Reviews and Audit Learning objectives Introduction Role of IS Auditor in SDLC

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

EPRO. Electric Infrastructure Protection Initiative EPRO BLACK SKY SYSTEMS ENGINEERING PROCESS

International Atomic Energy Agency Meeting the Challenge of the Safety- Security Interface

Understanding Cyber Insurance & Regulatory Drivers for Business Continuity

Canada Life Cyber Security Statement 2018

FDIC InTREx What Documentation Are You Expected to Have?

Department of Management Services REQUEST FOR INFORMATION

Data Recovery Policy

Why you should adopt the NIST Cybersecurity Framework

PECB Change Log Form

CYBERSECURITY TRAINING EXERCISE KMU TRAINING CENTER NOVEMBER 7, 2017

Leveraging ITIL to improve Business Continuity and Availability. itsmf Conference 2009

BCM Program Development

ISO 22301: An Overview of BCM Implementation Process. Presenter: Dejan Kosutic

Turning Risk into Advantage

When Recognition Matters WHITEPAPER ISO SUPPLY CHAIN SECURITY MANAGEMENT SYSTEMS.

Continuous protection to reduce risk and maintain production availability

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Implementing a BCM Programme

HIPAA RISK ADVISOR SAMPLE REPORT

Critical Cyber Asset Identification Security Management Controls

MNsure Privacy Program Strategic Plan FY

The Common Controls Framework BY ADOBE

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

Principles for BCM requirements for the Dutch financial sector and its providers.

Protecting your data. EY s approach to data privacy and information security

NYDFS Cybersecurity Regulations

NEW DIPLOMA. Airport Security Diploma Programme

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Risk Management in Electronic Banking: Concepts and Best Practices

Business Continuity Plan

Management s Response to the Auditor General s Review of Management and Oversight of the Integrated Business Management System (IBMS)

TUFTS HEALTH PLAN CORPORATE CONTINUITY STRATEGY

Business Continuity Management Program Overview

Building a BC/DR Control Library and Regulatory Response Program

A Framework for Managing Crime and Fraud

Facilities Management and Business Continuity. 10 May 2017

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

7 th BICSI Southeast Asia Conference 2009 Building the Next Generation Broadband Network

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

BUSINESS CONTINUITY MANAGEMENT (BCM) INITIATIVES OF THE BANGKO SENTRAL NG PILIPINAS

GUIDANCE NOTE ON CYBERSECURITY

Position Description. Computer Network Defence (CND) Analyst. GCSB mission and values. Our mission. Our values UNCLASSIFIED

IT Governance ISO/IEC 27001:2013 ISMS Implementation. Service description. Protect Comply Thrive

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

I. PURPOSE III. PROCEDURE

Introduction to Business Continuity Management

Data Backup and Contingency Planning Procedure

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Bradford J. Willke. 19 September 2007

Disaster recovery strategic planning: How achievable will it be?

The NIST Cybersecurity Framework

A Survival Guide to Continuity of Operations. David B. Little Senior Principal Product Specialist

WHITE PAPER- Managed Services Security Practices

locuz.com SOC Services

How to be cyber secure A practical guide for Australia s mid-size business

HENRY EE, FBCI, CBCP

Google Cloud & the General Data Protection Regulation (GDPR)

Business Continuity: How to Keep City Departments in Business after a Disaster

Member of the County or municipal emergency management organization

Transcription:

Business Continuity Standards A Side-by-Side Comparison By Brian Zawada (CBCP) & Jared Schwartz (CBCP) Whether your organization has begun a grassroots initiative to develop a business continuity plan or has started to wrap-up the initial implementation of a continuity management process, the need to continually revisit and improve the Business Continuity (BCM) process is critical to the development of successful and robust recovery strategies. In an effort to enhance Business Continuity capabilities (and to comply with regulatory guidelines), some corporations have elected to adopt suggested best practices from industry-independent and industry-specific entities and regulatory agencies. Based on our experience and research, a significant (and growing) number of standards exist that are related to BCM. As such, the task of pinpointing best practice consistencies across the majority of these groups can be quite daunting. After studying the various recommended and mandatory BCM guidelines, we were able to identify common themes and specific process steps that will help in the implementation of a successful BCM process. Below is our list of BCM standards and the associated agencies that advocate each best practice: Business Continuity Plan Process a BCM process that includes crisis management, business resumption planning, and IT recovery Establish a BCM steering committee that includes a coordinator and others who have both operations and technology expertise Define BCM objectives Energy Document a BCM Mission Statement Schedule and document BCM testing and maintenance events Conduct a Risk Assessment Identify key legislation, insurance, regulations and industry codes of practice 1

Define a formal, risk assessment process with the objective of identifying the source, likelihood and vulnerability of specific threats that may affect operations Energy Assess current mitigating controls Conduct a Business Impact Analysis Identify key business processes and critical dependencies; the impacts of potential business interruptions should be identified and continually updated Identify process-specific Time Objectives (RTO) Identify minimum capacity requirements to restore business operations to an acceptable level Prioritize recovery efforts based on established RTOs Review Service Level Agreements between the organization and its external partners Identify and catalog critical resources, records, facilities, equipment, vital records, critical data and infrastructure Define Strategies Establish a procedure for contracting with vendors should be established in order to acquire critical resources in the event of a disaster Identify and document contact information and procedures for local authorities 2

Identify alternate recovery site(s) for all critical business processes Conduct a cost benefit analysis to determine the location and costs associated with recovery site alternatives and the distance from the primary site Define Business Continuity Procedures Standard methods for documenting response, recovery and restoration procedures, communication plans, etc. Energy Develop and document procedures for relocating and recovering critical business processes based on management-approved recovery time objectives Document emergency response and business/it process recovery procedures that are - team-based - checklist oriented - chronological Define the names of emergency response and recovery team members, together with their contact information Create response, recovery and restoration activities that take into account personnel safety and physical and IT security Document crisis communication procedures Identify a crisis communications coordinator should be identified Training and Awareness Plan 3

Develop and document training plans; training should occur on a regular, defined basis Energy Plan Testing Procedures Assign, document, and communicate roles and responsibilities for BCP testing; tests should involve all critical business units, departments and functions. Utilize numerous types of testing approaches (table top drills, disaster simulations and full plan tests) Implement a post-test analysis report and review process Auditing and Maintaining the Plan Define and document specific timelines for updating the business continuity plan Store the BCP both online and off-site Audit the BCM process on a periodic basis to ensure compliance with company standards 4

Although these governing authorities agree on a majority of the recommendations, some best practices were omitted from a majority of the published regulations. To summarize, the following gaps should not be overlooked when developing and implementing a Business Continuity process. A BCP Budget should be formalized and approved by senior management Formal disaster declaration authorities, which will be responsible for implementing the continuity strategies in the event of a disaster or business interruption, should be identified. The organization should implement an incident management system or process for stabilizing, monitoring, and recovering from a disaster or business interruption. The plan should be reviewed periodically and benchmarked against industry regulations and other organizations' processes. Regardless of the maturity of your organization s Business Continuity process, regulations and guidelines are an excellent approach to ensure completeness and compliance with best practices. Through compliance with these guidelines, your company can help to ensure a comprehensive business continuity management process. Brian Zawada (CBCP), a Senior Manager and the firm s Business Continuity product leader, is located in Protiviti's Cleveland office. Brian can be reached at brian.zawada@protiviti.com. Jared Schwartz (CBCP) is a Senior Consultant and is located in New York s Manhattan office. Jared can be reached at jared.schwartz@protiviti.com. Both Brian and Jared specialize in the development and implementation of BCM solutions nationwide. Protiviti helps clients identify, measure, and manage operational and technology-related risks they face within their industries and throughout their systems and processes. The company also offers a full spectrum of internal audit services, technologies and skills for business risk management, and assists corporate board members in addressing corporate governance issues. Protiviti (www.protiviti.com), a wholly owned subsidiary of Robert Half International Inc., serves its clients through locations in 30 major markets in the United States and Europe. 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback