Page 1

Paul Kirvan, FBCI, CBCP, CISSP
Marsh Risk Management
New York City

BC Plan Exercising – Doing it By the Numbers

Presentation to Three Rivers Contingency Planning Ass’n
May 11, 2007

Page 2

Agenda

Welcome and Introduction

Getting Started

Ingredients for Your Exercise

Exercise Checklists and Template

Awareness and Training

Exercising, Awareness and Training According to Industry Standards

Summary

Page 3

Welcome and Introduction

Page 4

Getting Started

Page 5

Getting Started

Ask Yourself the Five Ws

What are you exercising?

Who will be involved in the exercise?

Why are you conducting an exercise?

Where will you conduct the exercise?

When will you schedule the exercise?

Remember: You can never exercise too much, because most people never exercise at all…

Page 6

Ingredients for Your Exercise

Page 7

Ingredients for Your Exercise

Senior management support, funding

Corporate policy for exercising

Plans to exercise, e.g., BC, EM, security

Exercise type, e.g., table-top, full-scale

Exercise development team

Compelling scenario

Page 8

Ingredients for Your Exercise

Participants in the exercise

Facilitators, observers, scribes, assistants

Suitable venue

Access to A/V resources

Exercise process, e.g., script, injects, A/V, “actors”, and (oh yes) the plan

Post-exercise debrief, lessons learned, plan updating, report to management

Page 9

Exercise Checklists and Template

Page 10

Exercise Checklists

A few words about policy

“Senior executives in each <company name> location shall ensure that business continuity plans are exercised at least once annually to make certain that the information contained within each plan is accurate and that the procedures contained within each plan are appropriate and can be properly executed by <company name> associates. Each business unit leader will ensure that adequate budget provision is made to cover costs associated with organizing and executing exercises, conducting awareness and training programs where needed, and to follow up on plan exercises by documenting the exercise results and updating plan documentation as indicated.”

Page 11

Exercise Checklists

Exercises should include
– A business continuity plan, security plan, and/or crisis response plan
– Exercise objectives with particular emphasis on key business processes
– Evaluation criteria for exercise results and measures for improving the plan and re-exercising it
– Documentation of exercise results and the steps proposed to correct any problems

Page 12

Exercise Checklists

Examples of exercise activities
– Team Member Orientation — Meet with all employees to outline the business continuity program
– Team Exercise — Conduct a tabletop exercise with a focus on recovery strategies
– Team Leader Exercise — Conduct a tabletop exercise with a focus on facility-wide recovery
– Functional Exercise — Conduct a hands-on test of hardware and/or connectivity resources at an alternate recovery center; use of alternate (manual) procedures at the home or alternate facility can be tested

Page 13

Exercise Checklists

Exercise types
– Tabletop Exercise — A meeting to discuss team responsibilities and reaction to emergency scenarios.
– Walk-Through Drill — A performance function where actual emergency response functions are acted out.
– Functional Drill — A response function where activities like medical response, emergency notification, and emergency warnings are tested.
– Evacuation Drill — An exercise where employees walk the planned and alternate evacuation routes and account for personnel at the meeting place.
– Full-Scale Exercise — A real-life simulation as close to the real thing as possible.

Page 14

Exercise Checklists

What are you exercising?
– Recovery Team Alert List — Contact information for all personnel assigned to the team. As this list can change frequently, team leaders should send a copy of it to each team member to review and update.
– Critical Functions List — Critical functions that each team must accomplish during a recovery effort. Team leaders must review these functions to determine that they are relevant.
– Team Recovery Steps — Strategies for recovery of critical functions; must be reviewed to validate that strategies are meeting current business objectives and reflect the best possible solutions.

Page 15

Exercise Checklists

What are you exercising?
– Functional Recovery Steps — Step-by-step procedures to complete the desired operational recovery; must be carefully reviewed and validated to determine accuracy and completeness.
– Vendor and Customer List — Contact information for critical vendors and customers; must be reviewed to determine list accuracy and completeness.
– Work Area Requirements — Critical resources required to support recovery at a designated work area site; must be reviewed to determine list accuracy and completeness.
– Off-Site Storage List — Critical records or resources stored off site; must be reviewed to determine accuracy and completeness.

Page 16

Exercise Checklists

Goals of exercising
– Establish an exercise program that addresses the review, testing, and modification of BC, EM and security plans
– Verify that the plan actually works

And remember…
– Business continuity, security, and emergency response plans are living documents
– They should reflect the latest information available
– The best way to ensure that the plans will facilitate the desired recovery is to review and exercise them at least twice a year

Page 17

Exercise Checklists

Exercising checklist – 1
– Has a complete documented review or test of the BC plan been performed within the last year?
– Has the plan been modified to correct weaknesses found during the last review and/or test?
– Has a test administrator been appointed?
– Has a comprehensive testing program been developed?
– Does this program define every review and test with respect to its objective and scope, scheduling, procedures, and participants?
– Has the program been reviewed to determine if all elements of the business continuity, security, and crisis management plans are in place and accurate?

Page 18

Exercise Checklists

Exercising checklist – 2
– Has the person responsible for monitoring this process documented the results of each review or test?
– Has a system been developed for enacting changes to the plan following reviews and tests?
– Is there a process in place to ensure the completion of action items identified following reviews and tests?
– Are the action items identified following the reviews and tests on schedule?
– Are data, such as telephone numbers and names of individuals responsible for specific tasks, up-to-date?
– Are business, operation, and technology service delivery mechanisms the same as when the plan was last tested?

Page 19

Exercise Checklists

Exercising checklist – 3
– Have the assumptions on which the plan is based been validated as part of the testing process?
– Were the business, operations, and technology managers involved in testing and validating these assumptions?
– Has the completeness of business continuity, security, and crisis procedures been reviewed and have the results of the review been documented?
– Has a full test of the business continuity, security, and crisis plans been performed within the last year?
– Did the full test verify the awareness and preparedness of personnel?
– Were all people identified in the plan mobilized during the full test?

Page 20

Exercise Checklists

Exercising checklist – 4
– Were all resources specified in the plan mobilized during the full test?
– Were the procedures stated in the plan carried out to determine how well the plan really works?
– Is there a documented set of corporate standards, criteria, or guidelines covering testing objectives and requirements?
– Do those objectives meet/exceed the minimum specifications given in the test objectives and requirements of the documented corporate testing criteria?
– Has an emergency notification test been performed within the year?
– Did the test include the use of an automated notification system?

Page 21

Exercise Checklists

Exercising checklist – 5
– Has a walkthrough test, in which the BC, security, and crisis coordinator, team members, and business managers verbally discuss specific steps of the documented recovery procedures, been performed within the past year?
– Has a complete test — in which every facet of the business continuity, security, and crisis plans is tested together or as logical subsets — been performed within the year?
– Has the business performed or participated in a recovery test of its technology infrastructure within the last year?
– Have business units participated in a building outage test for all groups in the same building within the last year?
– Has the company reviewed the results of the test for all businesses within the building?

Page 22

Exercise Checklists

Exercising checklist – 6
– Has an outside service provider review — in which the business reviews the recoverability of the outside service provider — been performed within the last year?
– Is there a completed annual testing plan summary worksheet that defines the annual plan test in advance?
– Does senior management approve the annual testing plan worksheet?
– Have test scripts been developed and approved by business units for each test performed?
– During the test, are the actual times for performing each activity recorded?
– Are test results recorded during the test or review?

Page 23

Exercise Checklists

Exercising checklist – 7
– Has an individual been designated to record results of the test or review?
– Are testing results summarized and reported at least quarterly?
– Do quarterly post-testing summary reports include the following:
    – Objectives that map to the annual testing plan worksheet
    – Actual dates of test/review
    – Test results
    – Action items
    – Follow-up responsibility

Page 24

Exercise Checklists

Exercising checklist – 8 (last one)
– Has a copy of the quarterly post-testing summary report been sent to the appropriate individuals, including internal/external audit functions?
– Has the plan been revised and updated in accordance with findings of the review or test?
– Has the revised plan, once approved and documented, been scheduled for the next test or review?

Page 25

Exercise Template

Exercise Template – 1
– Title page
– Revision history
– Table of contents
– Pre-exercise
    – Exercise planning background
    – Pre-exercise planning meetings
– The exercise
    – Scope of exercise
    – Date / time / venue of exercise
    – Type of exercise
    – Plan(s) to be exercised
    – Exercise objectives
– The scenario
    – Setting the stage
    – Exercise assumptions
    – Pick the scenario

Page 26

Exercise Template

Exercise Template – 2
– Develop the script
    – Basic flow and structure
    – Role of participants, observers, actors
    – Instructions to participants
    – Establish roles
    – Define A/V support
    – Communications directory
    – Messages to participants
– The players
    – Facilitator
    – Assistant to Facilitator
    – Exercise design team
    – Simulation design team (larger exercises)
    – Evaluators, auditors
    – Victims, oops, participants

Page 27

Exercise Template

Exercise Template – 3
– The exercise
    – Pre-exercise briefing
    – Conduct exercise
    – Mid-course pause if needed
    – Continue until time called
– Exercise debriefing
    – Immediately following exercise
    – What worked, what didn’t
    – Lessons learned
    – What to do next, e.g., update plan
    – Capture participant responses and compile with other observations

Page 28

Exercise Template

Exercise Template – 4
– Written report on the exercise
    – Results
    – Recommended actions
– Evaluations
    – Participants
    – All other players
    – Need for additional training
    – Other actions

Page 29

Exercise Template

Exercise Schedule
– Four (4) weeks prior to exercise: Design Team meets one hour per week
– 1 day prior to exercise:
    – 1 hour meeting – Simulation Team Orientation
    – 1 hour meeting – Assistant Orientation
    – 1 hour meeting – Evaluators Orientation
– Day of exercise:
    – 9:00 AM Exercise participant orientation
    – 9:30 AM Exercise
    – 11:30 AM Break and buffet lunch
    – 11:45 AM Lunch and debrief
    – 1:00 PM Exercise complete

Page 30

Awareness and Training

Page 31

Awareness and Training

Awareness programs
– Senior management “push”
– Human Resources “push”
– Department briefings
– Hazard fairs
– Bulletin boards
– E-mail / voice mail
– Paycheck inserts
– New employee orientation
– Lunch room briefings
– Major company meetings

Page 32

Awareness and Training

Training programs
– Senior management participation
– In-house programs
– External training firms, consultants
– Local authorities, e.g., police, fire, EMS
– Certification, e.g., Red Cross, CPR
– Emergency response training
– Team member training
– Cross-training

Page 33

Exercising, Awareness and Training According to the Industry Standards

Page 34

Exercising, Awareness and Training According to Industry Standards

– NFPA 1600, Standard on Disaster/Emergency Management and Business Continuity Programs – 2007: Exercising, A&T recommended; no details on process
– DRII / DRJ Generally Accepted Principles for Business Continuity Management – 2005: Exercising, A&T recommended; some details on process
– NIST 800-34, Contingency Planning Guide for Information Technology (IT) Systems – 2000: Exercising, A&T recommended; no details on process
– Continuity of Operations (COOP) Plans: Exercising, A&T recommended; no details on process

Page 35

Exercising, Awareness and Training According to Industry Standards

– NASD Rules 3510 (Clearing Firms) and 3520 (All Firms) – 2004; NYSE Rule 446 – 2003: Exercising, A&T recommended; no details on process
– Federal Financial Institutions Examination Council (FFIEC) Examination Handbook, Corporate Contingency Planning – 1996, 2003: Exercising, A&T recommended; no details on process
– Financial Services Technology Consortium Resilience Maturity Model (RMM): Exercising, A&T recommended; no details on process
– National Credit Union Administration (NCUA) Letter 01-CU-21, Contingency Plan Best Practices: Exercising, A&T recommended; no details on process

Page 36

Exercising, Awareness and Training According to Industry Standards

– British Standard BS 25999 Part 1: Exercising, A&T recommended; no details on process
– Business Continuity Institute (BCI) Good Practice Guidelines – 2007 edition: Exercising, A&T recommended; some details on process
– Bank of Thailand Guideline on Business Continuity Management: Exercising, A&T recommended; no details on process
– Standards Australia / New Zealand HB 292/293: Exercising, A&T recommended; some details on process

Page 37

Summary

Page 38

Summary

“The Big Dozen”
– Test, don’t guess
– Define exercise objectives, parameters, activities
– Identify participants, observers, auditors
– Build realistic scenarios, scripts, A/V support
– Conduct a table-top first
– Coordinate with internal and external organizations
– Arrange awareness and training activities
– Conduct post-exercise debriefing
– Use results to update plans
– Conduct follow-up exercises as needed
– Brief management on results
– Schedule on an annual (or more frequent) basis

Thank you…