Business continuity management and cyber resiliency

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

Introductions
Eric Wunderlich, CRMA, ABCP
Senior Manager, Risk and Internal Audit
Eric.Wunderlich@bakertilly.com
312 729 8185

Agenda
> Business Continuity Management Overview
> Top Threats and Vulnerabilities
> Trends and Other Considerations

The Cost of Disruption
IT OUTAGE
> $53,210: minor incidents, average cost per minute of downtime
> Up to $14.25M: average cost of IT outage over 24 months
CYBER / DATA BREACH
> $11.6M: average cost of cyber attack and data breach
> Up to $58M: average costs for remediation
SEVERE WEATHER
> 2nd: rank among sources of supply chain disruption
> Up to $360,000: average cost of severe weather related events
Source: Business Continuity Institute, Counting the Cost, 2014

Cybersecurity in Insurance
> Higher incidence of cybersecurity threats and attacks
  » 2nd most frequently hacked sector and top ten sub-sector
  » 41 known security breaches in the insurance sector
  » 3.5 million identities stolen in the finance/insurance industry in 2016
> Common attacks include phishing and ransomware
  » 60% of all attacks were insiders
  » Of that 60%, roughly two-thirds of these insider attacks were carried out with malicious intent
  » Ransomware is mostly distributed via e-mail, with an average of 1,200+ global ransomware detections daily
  » FBI estimates that $400 billion in intellectual property is leaving the US each year

Business Continuity Defined
"Business Continuity Management is a management process that identifies risk, threats and vulnerabilities that could impact an entity's continued operations and provides a framework for building organizational resilience and the capability for an effective response." - Disaster Recovery Institute
"Business Continuity Management is defined as a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities." - ISO 22301:2012

Business Continuity Overview
1. PROGRAM INITIATION AND PLANNING
2. RISK EVALUATION AND CONTROL
3. BUSINESS IMPACT ANALYSIS (BIA)
4. DEVELOP CONTINUITY PLANS
5. TRAINING AND IMPLEMENTATION
6. TESTING AND MAINTENANCE
Across all phases: ONGOING PROJECT MANAGEMENT AND COMMUNICATION

Business Continuity Overview: plan types (Plan / Responsibility / Focus of Plan / Objectives)
Emergency Response
  Responsibility: Facility
  Focus of plan: Get the people out safely
  Objectives: Develop procedures and policies to ensure the safety of employees, visitors, and community immediately after the occurrence of an event.
Crisis Management
  Responsibility: Crisis Management Team
  Focus of plan: Protect the company
  Objectives: Focus corporate efforts to respond to any incident that has a significant negative impact to the enterprise.
Business Continuity
  Responsibility: Facility or Major Function
  Focus of plan: Get the business up and running
  Objectives: Establish procedures that provide for the continuation of business operations in the event of a crisis on the corporate, divisional, or site level.
Disaster Recovery
  Responsibility: IT
  Focus of plan: Get the systems up
  Objectives: Establish system recovery plans to restore technology (access to data and systems) in the event of a disaster.

Business Continuity Overview: incident timeline
Time Zero: the incident occurs
Business Continuity Plan objective: back to normal as quickly as possible
> Emergency Response: within minutes after the onset of an event
> Crisis Management: minutes to days
> Business Continuity: minutes to days, depending on what's needed to survive
> IT Disaster Recovery: minutes to days
> Back to Normal

Program Initiation and Planning
> Establish the need for BCM
  » Regulatory and/or contractual
  » Organizational objectives
  » Competitive advantages
> Obtain leadership and management support for BCM
  » Develop mission statement and/or charter
  » Establish objectives and program structure
  » Identify budget and resource needs
  » Develop project plans and timelines
  » Assign responsibilities
> Communicate, communicate, communicate
  » Establish clear communication channels
  » Disseminate across the organization

Risk Evaluation and Control
> Gain agreement on risk assessment and tolerance
  » Understand organization's risk tolerance
  » Establish measurement criteria
> Conduct information gathering activities
  » Develop risk universe
  » Collaborate with other groups and functions
> Evaluate and classify risk impacts and vulnerabilities
  » Evaluate impacts of risks related to availability of personnel, information technology, and communication
> Identify and evaluate effectiveness of controls and safeguards
(Figure: 2x2 risk matrix with Impact on the vertical axis and Likelihood on the horizontal axis; cells: High Impact / Moderate Likelihood, High Impact / High Likelihood, Moderate Impact / Moderate Likelihood, Moderate Impact / High Likelihood)

Business Impact Analysis
> Establish process and methodology
  » Define objectives and scope
  » Identify criteria to quantify and qualify impact
  » Determine data collection and information gathering approaches
> Conduct data gathering activities
  » Processes and/or functions
  » Minimum resource requirements
  » Interdependencies
> Prioritize processes and determine order of recovery
  » Identify gaps between current recovery capabilities and results of BIA

RTO and RPO Illustration (figure: timeline, left to right)
> Data backup
> Initial data loss (between the last backup and the disruption)
> Disruption
> Post-disruption data loss (backlog)
> Recovery of operations (BC strategy activated)
> Business process functional
> Function / Service / Application operational to owner's definition
> RTO: the span on the time axis from the disruption until the function is operational
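The following is an added example, not from the presentation, that puts the illustration's timeline into numbers and carries out the BIA gap step above it: the achieved RPO is the interval between the last backup and the disruption, the achieved RTO the interval until the process is functional again, and each is compared with the target the BIA set. The process names, targets and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed BIA output (hypothetical insurer): required RTO and RPO per business process.
BIA_TARGETS = {
    "claims_processing": {"rto": timedelta(hours=4),  "rpo": timedelta(hours=1)},
    "policy_admin":      {"rto": timedelta(hours=24), "rpo": timedelta(hours=8)},
    "payroll":           {"rto": timedelta(hours=72), "rpo": timedelta(hours=24)},
}

def achieved_rpo(last_backup: datetime, disruption: datetime) -> timedelta:
    """Initial data loss on the illustration: data written after the last backup is gone."""
    return disruption - last_backup

def achieved_rto(disruption: datetime, process_functional: datetime) -> timedelta:
    """Downtime: from the disruption until the business process is functional again."""
    return process_functional - disruption

def recovery_order(targets: dict) -> list:
    """BIA prioritisation: the process that tolerates the least downtime is recovered first."""
    return sorted(targets, key=lambda p: (targets[p]["rto"], targets[p]["rpo"]))

def gap_analysis(targets: dict, exercise: dict) -> dict:
    """Compare BIA requirements with what an exercise actually achieved.
    exercise maps process -> (last_backup, disruption, process_functional).
    A positive gap means current capability does not meet the BIA target."""
    zero = timedelta(0)
    gaps = {}
    for proc, (last_backup, disruption, functional) in exercise.items():
        rto = achieved_rto(disruption, functional)
        rpo = achieved_rpo(last_backup, disruption)
        gaps[proc] = {
            "rto_gap": max(rto - targets[proc]["rto"], zero),
            "rpo_gap": max(rpo - targets[proc]["rpo"], zero),
        }
    return gaps

# Constructed exercise timeline: one disruption at time zero T0 (hypothetical values).
T0 = datetime(2018, 4, 19, 9, 0)
EXERCISE = {
    "claims_processing": (T0 - timedelta(hours=3),  T0, T0 + timedelta(hours=6)),
    "policy_admin":      (T0 - timedelta(hours=2),  T0, T0 + timedelta(hours=20)),
    "payroll":           (T0 - timedelta(hours=30), T0, T0 + timedelta(hours=48)),
}

if __name__ == "__main__":
    gaps = gap_analysis(BIA_TARGETS, EXERCISE)
    for proc in recovery_order(BIA_TARGETS):
        print(f"{proc}: RTO gap {gaps[proc]['rto_gap']}, RPO gap {gaps[proc]['rpo_gap']}")
```

In the constructed run, claims processing misses both targets by two hours and payroll misses its RPO by six hours because its last backup was thirty hours old, which is the kind of gap the BIA step asks the program to close.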

Develop Continuity Plans
> Identify available continuity and recovery strategies
  » Requirements for business functions and operations to meet RTO and RPO
  » Internal and external options, e.g. repair/rebuild, alternate site, manual workaround, reciprocal agreement, etc.
  » Assess viability of recovery strategies
> Develop emergency response strategies
  » Protection of life, property, and environment
  » Consult and coordinate with public agencies for response strategies
  » Develop crisis communication plan and identify authorized spokesperson
> Document recovery plans
  » Site level plans, functional or departmental plans, scenario-based plans, etc.

Training, Testing, and Maintenance
> Establish objectives of the training and exercise programs
  » Obtain support of senior management and plan sponsors
  » Identify desired level of expertise to be achieved
  » Align activities with recovery priorities and tactical requirements
> Identify appropriate audiences
  » Prioritize groups based on awareness and training needs
  » Goal is to increase awareness and establish confidence
> Develop a realistic, progressive, and cost effective program
  » Start simple and build on mastery

Top Threats and Vulnerabilities

Threats and Vulnerabilities Source: Business Continuity Institute, 2016 Horizon Scan Report

Threats and Vulnerabilities (cont'd) Source: Business Continuity Institute, 2016 Horizon Scan Report

Cybersecurity: Are You Prepared? Consider these:
> Many companies lack the technical means to detect intrusion and data exfiltration activities
  » 69% of data breaches were externally discovered by law enforcement or customers (Source: Mandiant M-Trends 2015 Report)
  » Median number of days from earliest compromise to detection: 205 (Source: Mandiant M-Trends 2015 Report)
> Business Continuity and Incident Response plans are critical to minimizing exposure from cyber attacks
  » Involving Business Continuity Management saved on average $9 per record breached (Source: 2016 Cost of Data Breach Study: Global Analysis from Ponemon Institute)
> Communication and notification protocols can help to ensure timely and relevant information for internal and external stakeholders
  » Customer/Supplier notification protocols
  » Media response and spokesperson

Cybersecurity: Are You Prepared?
Industries at risk (share of spear phishing attacks; Source: Symantec Internet Security Threat Report 2015)
> Services: 31%
> Manufacturing: 20%
> Finance, Insurance, Real Estate: 18%
> Retail/Wholesale: 10%
> All other industries: 21%
Risk drivers shown in the graphic: malware, hackers, espionage, identity thieves, regulations
Services shown in the graphic: cybersecurity risk assessments; cybersecurity/privacy compliance readiness; vulnerability assessment/penetration testing; cybersecurity architecture & implementation; cybersecurity policy & program development; SOC reporting

Trends and Other Considerations

How does BCM fit into your organization?

What does your response plan cover?

How often do you perform simulations?

Who is involved in the simulations?

How often are plans invoked and why?

What scenarios should we plan for?

Feedback from BCP Invocation

Use of Technology

Self Assessment Questions
Customers
> Do we have a plan to reduce risk to our customers?
> What is the risk of losing a critical customer or channel?
Supply Chain
> Are we reliant on a single supplier? Do we have alternatives identified?
> Do we know the financial health of our suppliers?
Staff
> Do staff contracts give us flexibility (i.e. hours, location) to deal with major disruption?
> Do staff know what to do if the office or facility is inaccessible?
Reputation
> Have we prepared messages for dealing with a major disruption or crisis?
> Do we have trained spokespeople for communicating with media?
Information Technology
> Have we identified all critical information and IT applications?
> Is all critical information backed up and readily accessible?
> Have we appropriately addressed cyber security risks?
Sites & Facilities
> Do alternative office and facility locations exist? Are employees aware?
> Have we identified and communicated with local agencies and municipalities for emergency response protocols?

Critical Success Factors
01 Leadership Support and Buy-In
02 Communication and Awareness
  » Awareness and training programs
  » Clear lines of communication
03 Structured and Disciplined Approach
  » One size does not fit all
  » Align to organizational objectives and requirements
  » Ensure program and plan include relevant components (The 3 P's)
04 Continuous Improvement
  » Measure and track performance
  » Testing and maintenance activities

"The time to repair the roof is when the sun is shining." John F. Kennedy
