MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS © 2015 Wolf & Company, P.C.
2015 CEO & Board University
Taking Your Business Continuity Plan To The Next Level
Tracy L. Hall, MBCP
Meet Our Presenter
Tracy Hall, MBCP
IT Assurance Manager
Wolf & Company, P.C.
Direct: 413-726-6884
Agenda
Taking your Business Continuity Program to the Next Level
• Statistics and Recent “Disaster” Events
• FFIEC Guidelines / Latest Updates
– Appendix J: Strengthening the Resilience of Outsourced Technology Services
• Other considerations / Lessons Learned
Not So Fun Facts
A 2012 survey showed that the top 4 causes of downtime that year were:
– Hardware Failure 55%
– Human Error 22%
– Software Failure 18%
– Natural Disasters 4%
Don’t Let The Door Hit You…
– 40% of businesses severely compromised by a disaster go out of business within 6 months
– 90% of businesses that are “down” for 7 days do not reopen
Cost of Not Being Prepared:
– Of businesses that experience a major loss of data without a plan:
• 51% close within 2 years
• 43% never reopen
• 6% survive long-term
Increased Scrutiny
It is no longer sufficient to point to the “Large Book” on the shelf…
Recent Events
Changes in preparedness and scrutiny by regulators and examiners began after 9/11 & Katrina and continue to increase with each incident.
• Hurricanes Irene & Sandy
• Winter 2011 Blizzard
• The East Coast Earthquake
• Tornadoes and thunderstorms
• Boston bombing
FFIEC Guidelines – 2008 Revision
• Board and Senior Management Responsibilities
– Executive Overview of the BCP Process
– Board of Directors responsibility
• Business Continuity Planning Process
– Enterprise-wide approach to planning
• Business Impact Analysis
– Define critical functions
– Impact to business if those functions were interrupted
– Resources required to support those functions
– Critical Timeframes to Recover
• Risk Assessment
– What threats could possibly impact your operations?
– Where are your vulnerabilities?
• Risk Management
– Implementing Controls
– Developing a sound BCP
– Implementing a reliable Recovery Strategy
• Risk Monitoring
– Testing
– Maintenance
• Other Policies, Standards, and Processes
• Vendor Management
• Pandemic Planning
FFIEC Guidelines – 2015 Update
February 2015:
Appendix J: Strengthening the Resilience of Outsourced Technology Services
• Result of increasing dependency on outsourced technology providers for critical systems and infrastructure
• Four Specific Areas
FFIEC Guidelines – 2015 Update
Third Party Providers
• More and more processes are outsourced; must consider vendor response and recovery plans
• Ask for detailed SLAs
• Widespread regional events have identified issues with suppliers
• Contingent business interruption loss:
– A loss that a business suffers as a result of damage to other property that prevents one of the suppliers from providing goods and/or services to the business, or that prevents the business’ customers from accepting goods and/or services from the business.
FFIEC Guidelines – 2015 Update
Area One
Third-Party Management addresses a financial institution management’s responsibility to control the business continuity risks associated with its TSPs and their subcontractors.
FFIEC Guidelines – 2015 Update
How To Prepare
Third-Party Management
• Validate that third party resilience considerations are part of your vendor management program, including due diligence, contract negotiations and ongoing monitoring.
• Evaluate the use of subcontractors by your TSPs. Ensure TSPs are reviewing their subcontractors’ business continuity plans.
FFIEC Guidelines – 2015 Update
Area Two
Third-Party Capacity addresses the potential impact of a significant disruption on a third-party servicer’s ability to restore services to multiple clients.
FFIEC Guidelines – 2015 Update
How To Prepare
Third-Party Capacity
• Ensure that your TSPs have adequate planning and testing strategies to support multiple clients in a regional event.
• Identify a comprehensive set of alternative resources to provide services in the event your TSPs are unable to recover from a wide-scale disruption.
FFIEC Guidelines – 2015 Update
Area Three
Testing with Third-Party Technology Service Providers addresses the importance of validating business continuity plans with TSPs and considerations for a robust third-party testing program, including third party providers in the client’s testing.
FFIEC Guidelines – 2015 Update
How To Prepare
Testing with Third-Party Technology Service Providers
• Participate in BCP testing with TSPs, whenever possible.
• If not possible, review TSPs’ test results, remediation plans and status reports on their completion.
• Identify any gaps following testing. Draft a plan to ensure all gaps are addressed.
FFIEC Guidelines – 2015 Update
Area Four
Cyber Resilience covers aspects of BCP unique to disruptions caused by cyber events.
FFIEC Guidelines – 2015 Update
How To Prepare
Cyber Resilience
• Ensure that cyber threats are addressed in the BCP Risk Assessment.
• Validate that TSPs have an up-to-date incident response plan. Ensure the plan is periodically tested.
• Research and identify third-party forensic investigators that may be required following a cyber incident.
Other Considerations / Lessons Learned
Executive Oversight
FFIEC guidelines require annual signoff on the BCP by the Board of Directors:
– Ensuring a sufficient plan is in place
– Allocating responsibility for the plan
– Plan must be reviewed and updated at least annually
– Employee awareness
– Testing
– Supporting any actual recovery effort
Other Considerations / Lessons Learned
Enterprise Wide Approach to Planning
• BCP is no longer an IT-driven initiative
• FFIEC guidelines call for a business-driven recovery plan
Other Considerations / Lessons Learned
Scenarios
• Examiners are looking for responses to a wider range of possible scenarios
• Considering multiple scenarios while still focusing on “worst case”
– How do we avoid the vicious “What If” cycle?
– How do you determine “worst case”?
Other Considerations / Lessons Learned
Business Impact Analysis (BIA)
• Is this business-driven?
• Identifying MAD, RTOs, & RPOs for critical processes and systems
– Helps determine recovery strategy
– Do they coincide?
• Prioritizing processes and resource requirements into more condensed, well-defined RTOs
MAD = Maximum Allowable Downtime
RTO = Recovery Time Objective
RPO = Recovery Point Objective
Other Considerations / Lessons Learned
Recovery Reality
• How realistic is your recovery strategy?
• Have you tested that your recovery strategy supports the business critical RTOs and RPOs?
• Is your DR site equipped with the appropriate requirements?
– How often is this reviewed?
– Are changes to business incorporated?
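One way to make the BIA question “do they coincide?” and the Recovery Reality question “have you tested that your recovery strategy supports the RTOs and RPOs?” concrete, as an added example that is not part of the presentation: each system inherits the tightest RTO and RPO of every process that depends on it, and the restore time observed in the last DR test and the backup interval are then compared against those inherited targets. The process names, hours and DR test figures below are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Process:
    name: str
    mad_h: float      # Maximum Allowable Downtime, in hours
    rto_h: float      # Recovery Time Objective, in hours
    rpo_h: float      # Recovery Point Objective, in hours
    systems: tuple    # systems this process cannot run without

@dataclass
class System:
    name: str
    tested_restore_h: float   # restore time observed in the last DR test
    backup_interval_h: float  # time between recoverable copies

def derive_system_targets(processes):
    """Each system inherits the tightest RTO and RPO of the processes using it."""
    targets = {}
    for p in processes:
        for s in p.systems:
            rto, rpo = targets.get(s, (float("inf"), float("inf")))
            targets[s] = (min(rto, p.rto_h), min(rpo, p.rpo_h))
    return targets

def find_gaps(processes, systems):
    """List every place where the BIA and the tested recovery strategy disagree."""
    # An RTO longer than the MAD means the plan accepts an outage the business cannot.
    gaps = [f"{p.name}: RTO {p.rto_h}h exceeds MAD {p.mad_h}h"
            for p in processes if p.rto_h > p.mad_h]
    tested = {s.name: s for s in systems}
    for name, (rto, rpo) in sorted(derive_system_targets(processes).items()):
        s = tested.get(name)
        if s is None:
            gaps.append(f"{name}: required by the BIA but has no tested recovery")
            continue
        if s.tested_restore_h > rto:
            gaps.append(f"{name}: tested restore {s.tested_restore_h}h > RTO {rto}h")
        if s.backup_interval_h > rpo:
            gaps.append(f"{name}: backup interval {s.backup_interval_h}h > RPO {rpo}h")
    return gaps

PROCESSES = [  # constructed sample BIA; names and hours are illustrative
    Process("Wire transfers", 8, 4, 1, ("core banking", "payments gateway")),
    Process("Online banking", 24, 12, 4, ("core banking", "web portal")),
    Process("Payroll", 72, 96, 24, ("HR system",)),
]
SYSTEMS = [  # constructed sample DR test results
    System("core banking", tested_restore_h=6, backup_interval_h=0.5),
    System("payments gateway", tested_restore_h=2, backup_interval_h=4),
    System("web portal", tested_restore_h=3, backup_interval_h=24),
]
```

Running `find_gaps(PROCESSES, SYSTEMS)` on the constructed data reports five gaps: a payroll RTO longer than its MAD, a system that was never tested, a core system whose tested restore time misses the tightest dependent RTO, and two systems whose backup interval cannot meet the required RPO.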
Other Considerations / Lessons Learned
Granularity
• More detailed “Action Plans” at the department level, especially focusing on the initial phase of incident response
Other Considerations / Lessons Learned
Communications Plans
• Identify methods of communicating to employees, clients, etc. throughout the incident, not just at the onset
• Develop a procedure for communicating prior to incidents that have warning
• Ensure the plan adequately identifies who is responsible for what, including internal and external communications
Other Considerations / Lessons Learned
Alternate Site Selection
• Geographic Diversity
• Accessibility
• Vulnerabilities
Other Considerations / Lessons Learned
Testing
• Requirement for more dynamic testing
– Different types of exercises
– More frequent tests that are smaller in scope can make testing more manageable
• Incorporating user community
Other Considerations / Lessons Learned
Awareness & Training
• How often are employees made aware of plan details?
• Do employees understand their role in the BCP?
Other Considerations / Lessons Learned
Incorporating BCP into everyday business
• Considering how changes to the business affect your BCP is essential to ensuring your BCP stays current and sufficient
– Personnel changes – growth
– System/Application changes – consider redundancy in budget
– Vendor/Provider changes
– Other technology changes
– New and updated policies and procedures
– Audit Feedback
Conclusion
Thank You! Questions?
Tracy Hall, MBCP
IT Assurance Manager
Wolf & Company, P.C.
Direct: 413-726-6884