
Page 1: Global best practices on 3 hot topics Risk, Business ... · ... INDECI (Peru), Ballarat City ... Law Society (AU), WorldVision (Asia Pacific), G4S ... • Incident response procedures


© Business As Usual 2018 - www.businessasusual.net.au

Rinske Geerlings

Founder

Principal Consultant & Trainer

Business As Usual, Australia

Global best practices on 3 hot topics: Risk, Business Continuity and Cyber Security

Page 2

If **it hits the fan… what’s the plan?

• IT/connectivity breakdown
• Phone system failure
• Fire
• Denial of building access
• Supplier out of action
• Flu outbreak
• Cyber crime/hacking
• Lockout due to security incident
• Flood
• Power outage
• Locked inside due to safety issue

Page 3

Who am I?

Rinske Geerlings Founder, Managing Director & Principal Consultant/Trainer

• Master of Science (Engineering)

• ISO 22301 / ISO 31000 / ISO27001 / ISO 28000 certified trainer

• CBCP by Disaster Recovery Institute (DRI) International

• MBCI (Business Continuity Institute), RMIA, IIA and ISACA member

• ITIL (IT Infrastructure Library) Master and COBIT certified

• Participant in AllFinance in the lead-up to APRA’s BCM standard (2005)

• Presented at 100+ Business Continuity and Security related seminars/conferences

• 20 years of Business Continuity, Security and Risk Management experience

• Awarded Alumnus of the Year 2012 (Delft, Netherlands)

• Business Woman of the Year 2010-2013 (BPW, global NGO with UN status)

• Awarded Risk Consultant of the Year 2017 Australasia (RMIA)

Page 4

Partial list: Consultancy & Training clients

Government departments/agencies: APEC through Australian Department of Foreign Affairs and Trade (DFAT), Australian Tax Office, Port Authority (Singapore), Port Authority (Nigeria), Central Provident Fund Board (Singapore), Commonwealth Ombudsman (AU), NSW Treasury (AU), Asian Disaster Preparedness Centre (ADPC - Thailand), Australian Federal Police, Department of Immigration (AU), Department of Industry & Investment (AU), Department of Premier and Cabinet (DPC – AU), Tourism Australia, Federal Court of Australia, Worksafe (AU), State Library of NSW (AU), Australia Post, Department of Education/DETA (QLD - AU), Victorian Ombudsman (AU), Australian Securities & Investments Commission (ASIC), Department of Defence (AU), Department of Public Works (QLD - AU), INDECI (Peru), Ballarat City Council (VIC - AU), Coffs Harbour Council (AU), Grafton Council (AU), Lismore Council (AU), Central Highlands Regional Council (CHRC - AU), Wentworth Shire Council (AU), Department of Health (VIC - AU), Gippsland Water (VIC - AU), Legal Aid NSW (AU), Agimo (Federal Government - AU), RAC (WA - AU)

Banking/finance/insurance: Reserve Bank of Australia (RBA), Central Bank of Uganda, Bank of Tanzania, Central Bank of Kenya, National Bank of Rwanda, CRDB Tanzania, Tanzania Revenue Authority (TRA), Central Bank of Bangladesh, Burundi Central Bank, Bank Negara (Malaysia), Central Bank of Thailand, Bank South Pacific (Papua New Guinea), Bank of Ceylon (Sri Lanka), Affin Bank (Malaysia), Rabobank (AU), SunSuper (AU), Alliance Bank (Malaysia), Asian Development Bank (ADB - Philippines), Bangkok Bank (Thailand), St George Bank (AU), NIB Health Funds (AU), Westpac (AU), Bendigo & Adelaide Bank (AU), Victoria Teachers Credit Union (AU), State Street (AU), Flexirent (AU), CMC Markets (AU), Finance Trust Bank (Uganda)

Page 5

Partial list: Consultancy & Training clients (continued)

IT/Telecommunication: Optus Networks (AU), Opticon (AU), LucidIT (Singapore), Datacom (Asia Pacific), Professional Advantage (AU), Kaz Group (Asia Pacific), Fujitsu (AU), UXC Consulting (AU), SACOFA (Borneo/Malaysia telco infrastructure), Corptech (AU), CITEC (Asia Pacific), Vodafone (New Zealand)

Manufacturing/Oil & Gas/Transport/Utilities: CNOOC (Uganda), KenGen (electricity - Kenya), Malaysia Airports, BBC Worldwide, Fuji Xerox (Asia Pacific), Shell Petroleum (Brunei Darussalam), BASF (Malaysia), PMP Limited (Asia Pacific), Salmat (AU), Port Waratah Coal Services (PWCS – AU), Boeing (AU), Energex (AU), Leighton Contractors (AU), Knorr Bremse (AU /global), Qantas (AU)

Education: Delft University of Technology (Netherlands), Australian Catholic University, University of New England (UNE - AU), Melbourne University (AU), UNI Strategic (Malaysia), UNI Strategic (South Africa), East African Community (EAC), Coreventus (Malaysia), Zenith (Malaysia), Covenant Christian School (AU), Queensland Tertiary Admissions Centre (QTAC - AU), Hutchins School (Tasmania - AU), Mentone Girls’ Grammar School (AU), Mount Alvernia School (Brisbane - AU), Swan Christian Education Association (SCEA - AU), ACE (NSW Community College - AU), ISACA (Papua New Guinea), Learning Links (AU), ARK management education (AU)

Hospitality/Retail/Distribution/Publishing: Toga Hospitality Group (AU), Federal Hospitality Group (AU), Lagardère Services (Asia-Pacific), Woolworths (AU), Guinness (Malaysia), Lonely Planet (Australia), REA-Group (realestate.com.au – AU)

Other: ASIS (Chile), Munt Opera (Belgium), Scenter (Netherlands), CXC Global (AU), Thales Group (Asia Pacific), KBR (AU), ISACA (Chile), McKays Lawyers (QLD - AU), Sparke Helmore Lawyers (AU), Business Continuity Institute (Philippines), Certified Practicing Accountants (CPA, Australia), Barrington (AU), Janellis (AU), Queensland Law Society (AU), WorldVision (Asia Pacific), G4S Security (AU)

Page 6

What about you?

• Information Security?
• Other IT roles?
• Risk or Business Continuity?
• Auditing?
• Management Consultant?
• Other / Business / Operational areas?

Page 9

0 points: “Plan? What plan... Oh yeah, I think we have one somewhere… Don’t think we’ve ever tested it”

1 point: “We’d be in a mild panic, looking for some pieces of the plan, but we’ll have it under control pretty soon”

2 points: “Hakuna matata! We’ve tested the plan, we know our roles, we’re ready with our public response... Bring it on!”

Page 11

Key reasons to properly assess your Risks, implement Information Security controls and develop a Business Continuity Plan (BCP)

Page 12

BOT

Page 13

Do you recognise this?

• When a Business Continuity or Cyber Security test is suggested, staff always seem to be busy with ‘higher priority’ activities
• Incident response procedures are published on your intranet (and you’ve inducted staff), but if you surveyed a few employees you’d find they have most likely forgotten them... It’s not front of mind.
• You’re always chasing a certain department to update their plans and procedures
• When presenting a proposal to optimise your recovery facilities, the Board wonders why it should invest money in a ‘dead site’

Page 14

Other mistakes and misconceptions

• “Everyone’s in the same boat when it comes to disasters like pandemics and (cyber) terrorism”
• “Our external suppliers will rapidly deliver everything we need - we have put it in the contract”
• “Our organisation has planned for anything but people issues”
• “Business Continuity is all about data backups”

Page 15

What was the BCP? The manual work-around?

This is not a ‘DR’ situation…

Page 17

Risk is a function of likelihood (probability) and impact (consequence).

Risk = the effect of uncertainty on objectives (the ISO 31000 definition)

Page 18

Risk Management… most efforts tend to go into prevention

Layout of the risk register (columns):
1. Consequence scenario: critical impact on...
2. Overall impact level, 1 = low, 5 = high (consider columns 4 and 5)
3. Relevant incidents (i.e. potential causes)
4. Pre-incident controls in place > to reduce likelihood
5. Initial incident-specific response procedures > to reduce impact
6. Residual likelihood, 1 = low, 5 = high (consider column 5)
7. Residual risk (= impact x likelihood): 1-5 = low, 6-10 = medium, 11-25 = high

<insert links to existing procedures throughout the table as relevant>

1. Staff and/or contractors (overall impact level: 4)

| Relevant incident | Pre-incident controls (reduce likelihood) | Initial incident-specific response (reduce impact) | Residual likelihood | Residual risk |
| Short term illness/injury/(bereavement) leave of multiple key staff | e.g. Flu shots for staff | e.g. Encourage staff to work from home if they are contagious | 3 | 12 |
| Loss of executive(s) (e.g. hostage, accident) | e.g. Travel policies for execs | e.g. Maintain contact with emergency services/police, activate ‘delegated authority’ procedures, grief counselling | 1 | 4 |
| etc. | | | | |

2. Building(s) and/or physical items (e.g. hard copy docs, machinery), or access to these (overall impact level: 5)

| Relevant incident | Pre-incident controls (reduce likelihood) | Initial incident-specific response (reduce impact) | Residual likelihood | Residual risk |
| Theft of equipment | e.g. Physical building security, alarms, CCTV, staff ID cards, lockable cabinets, ‘clean desk’ policy, security awareness training | e.g. Report to and maintain contact with police, staff use dedicated Security hotline number | 4 | 20 |
| Terrorist attack, civil unrest, riot, crowd surge | Choice of site location (not near embassy, landmarks etc) | | 1 | 5 |
| Bomb threat | N/a | e.g. Threat handling (phone) procedure/checklist, evacuation procedures, contact with police | 1 | 5 |
| Public demonstration held nearby | e.g. Choice of site location (not nearby embassy offices etc) | e.g. Public transport nearby (train, waterways), bicycle path access | 1 | 5 |

3. IT systems: servers, network, other infrastructure, applications, data (overall impact level: 3)

| Relevant incident | Pre-incident controls (reduce likelihood) | Initial incident-specific response (reduce impact) | Residual likelihood | Residual risk |
| Theft of critical IT equipment/server | Lockable cabinets, physical building security, alarms, CCTV, staff ID cards, ‘clean desk’ policy, security awareness training | Report to and maintain contact with police, staff use dedicated Security hotline number | 4 | 12 |
| Virus attacks | e.g. Virus protection software, anti-virus policy for contractors | e.g. Applying immediate patch/fix | 2 | 6 |
| Hacking | e.g. Firewalls, penetration testing, wireless security policy/tools, password change policy, IT security awareness training, employee leaving procedures | e.g. Report to and maintain contact with police, change passwords on all systems | 2 | 6 |

Other/miscellaneous scenarios that would seriously affect business operations (various possible impact levels 1-5)

| Relevant incident | Pre-incident controls (reduce likelihood) | Initial incident-specific response (reduce impact) | Residual likelihood | Residual risk |
| Fraud, financial damages | e.g. Up-to-date procedures, access permissions, escorting visitors, culture of organisation | | 2 | 2-10 |
| Threat of competition, industrial espionage | e.g. Staying aware of market movements, Non Disclosure Agreement policy | | 2 | 2-10 |
| Loss/theft of staff laptop/smartphone (sensitive data leakage) | e.g. Encryption, password protection, secure access devices, staff Security training/awareness | | 2 | 2-10 |
| Legal/liability issue (e.g. compliance, discrimination, public injury/death, pollution charges) | e.g. Up-to-date procedures, quality assurance, HR policies, Professional Indemnity insurance required by all suppliers/contractors | e.g. Relationship with legal firm > immediate involvement in case of an issue | 2 | 2-10 |
| Software piracy | e.g. Up-to-date procedures, quality assurance, IT system installation permissions | | 2 | 2-10 |
| Sabotage, vandalism | e.g. Reputation management, physical controls | e.g. Insurance, reporting to police | 1 | 1-5 |
| Reputation/PR issue, resentful (ex) staff | e.g. Culture of organisation, employee leaving procedures, exit interview | e.g. Public Relations to provide immediate consistent response across media | 1 | 1-5 |
| Social media based spread of harmful info/discussion about the organisation | e.g. Culture of organisation, employee engagement policies, policy about use of social media | e.g. Public Relations to provide immediate consistent response across social media | 1 | 1-5 |
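The residual-risk column above follows one rule (impact x likelihood, banded 1-5 / 6-10 / 11-25), but applying it by hand across a register of dozens of rows is where scoring mistakes creep in. The following is an added example, written for this page and not part of the original deck, that encodes the deck's scoring rule, transcribes a subset of the rows above (controls abbreviated), handles the 'Other/miscellaneous' rows whose impact is a range, and ranks the register so the rows that need extra controls, response procedures or testing surface first. The names RiskEntry, band, residual_risk, band_range, rank, needs_treatment and format_row are this example's own.

```python
"""Residual-risk scoring for the consequence-based register on pages 18-19.

Added example, not part of the original deck. It implements the deck's own
rule: residual risk = overall impact (1-5) x residual likelihood (1-5),
banded 1-5 = low, 6-10 = medium, 11-25 = high. The rows below are
transcribed from the table (controls abbreviated); the 'Other/miscellaneous'
rows, whose impact is a range (1-5), are scored as a range, as the table does.
"""
from dataclasses import dataclass
from typing import List, Tuple

BANDS = {"low": 0, "medium": 1, "high": 2}  # ordering used for thresholds


@dataclass(frozen=True)
class RiskEntry:
    scenario: str            # consequence scenario (column 1 of the table)
    incident: str            # relevant incident, i.e. potential cause
    impact: Tuple[int, int]  # overall impact as (min, max), 1 = low, 5 = high
    likelihood: int          # residual likelihood after controls, 1 = low, 5 = high
    controls: str = ""       # pre-incident controls, to reduce likelihood
    response: str = ""       # initial incident-specific response, to reduce impact


def band(score: int) -> str:
    """Map a residual-risk score (1-25) onto the deck's low/medium/high bands."""
    if not 1 <= score <= 25:
        raise ValueError(f"score {score} is outside the 1-25 range")
    if score <= 5:
        return "low"
    if score <= 10:
        return "medium"
    return "high"


def residual_risk(entry: RiskEntry) -> Tuple[int, int]:
    """Residual risk = impact x likelihood, as a (min, max) range.

    For a fixed impact both values are equal; for the miscellaneous rows
    (impact 1-5) they give the spread the table shows, e.g. 2-10.
    """
    lo, hi = entry.impact
    if not (1 <= lo <= hi <= 5) or not 1 <= entry.likelihood <= 5:
        raise ValueError(f"impact/likelihood out of range for {entry.incident!r}")
    return lo * entry.likelihood, hi * entry.likelihood


def band_range(entry: RiskEntry) -> Tuple[str, str]:
    """Bands of the best- and worst-case residual risk of an entry."""
    lo, hi = residual_risk(entry)
    return band(lo), band(hi)


def rank(register: List[RiskEntry]) -> List[RiskEntry]:
    """Worst-case residual risk first; ties broken by likelihood, so that
    within a band the causes most likely to occur come first."""
    return sorted(register, key=lambda e: (residual_risk(e)[1], e.likelihood), reverse=True)


def needs_treatment(register: List[RiskEntry], threshold: str = "high") -> List[RiskEntry]:
    """Entries whose worst case reaches the threshold band: the shortlist for
    extra controls, response procedures or testing."""
    return [e for e in rank(register) if BANDS[band_range(e)[1]] >= BANDS[threshold]]


def format_row(entry: RiskEntry) -> str:
    """One printable line: score (or range), band(s), scenario and incident."""
    lo, hi = residual_risk(entry)
    score = str(lo) if lo == hi else f"{lo}-{hi}"
    blo, bhi = band_range(entry)
    bands = blo if blo == bhi else f"{blo}..{bhi}"
    return f"{score:>5}  {bands:<12} {entry.scenario}: {entry.incident}"


# Subset of the table on pages 18-19, impact and likelihood as given there.
REGISTER = [
    RiskEntry("Staff", "Short term illness/injury/bereavement leave of multiple key staff",
              (4, 4), 3, "Flu shots", "Contagious staff work from home"),
    RiskEntry("Staff", "Loss of executive(s) (hostage, accident)", (4, 4), 1,
              "Travel policies for execs", "Emergency services, delegated authority, counselling"),
    RiskEntry("Building/physical items", "Theft of equipment", (5, 5), 4,
              "Building security, alarms, CCTV, ID cards, clean desk", "Report to police, security hotline"),
    RiskEntry("Building/physical items", "Terrorist attack, civil unrest, riot, crowd surge", (5, 5), 1,
              "Site location away from embassies/landmarks"),
    RiskEntry("IT systems", "Theft of critical IT equipment/server", (3, 3), 4,
              "Lockable cabinets, building security, alarms, CCTV", "Report to police, security hotline"),
    RiskEntry("IT systems", "Virus attacks", (3, 3), 2,
              "Virus protection, anti-virus policy for contractors", "Apply immediate patch/fix"),
    RiskEntry("IT systems", "Hacking", (3, 3), 2,
              "Firewalls, penetration testing, password policy, leaver procedures",
              "Report to police, change passwords on all systems"),
    RiskEntry("Other/miscellaneous", "Fraud, financial damages", (1, 5), 2,
              "Up-to-date procedures, access permissions, escorting visitors"),
    RiskEntry("Other/miscellaneous", "Loss/theft of staff laptop/smartphone (data leakage)", (1, 5), 2,
              "Encryption, password protection, secure access devices"),
    RiskEntry("Other/miscellaneous", "Sabotage, vandalism", (1, 5), 1,
              "Reputation management, physical controls", "Insurance, reporting to police"),
]

if __name__ == "__main__":
    for row in rank(REGISTER):
        print(format_row(row))
```

Ranking on the worst case is deliberate: a row whose impact is still unknown (the 1-5 rows) should not drop below a row with a fixed, known score simply because its average looks lower. The out-of-range checks catch the most common register error, a likelihood or impact typed on the wrong scale, before a wrong band reaches the Board.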

Page 20

Let’s start with this incident....

At 4:30pm the day before payday, severe rain causes flooding and road closures, preventing egress and entry to your Head Office.

Knock-on effects: “What (else) could go wrong? And why should I care?”

Page 21

Risk Capacity vs Risk Appetite

Page 22

Example from daily life

Page 24

Business Continuity Teams: Where does Information Security fit?

Page 25

Cultivating a culture that understands & supports Risk, Business Continuity and Security Management

Page 27

Revival of the Post-it Notes!

Page 29

Consider ‘recovery risks’

Potential flow-on effects: implementing a recovery solution shouldn’t cause a new (often bigger) crisis!

Examples:
• Unsecured WiFi?
• Is the cloud really that magical?

Page 30

BCP on a page!

Consequence scenarios (columns):
1. Loss of staff
2. Loss of building(s) and/or physical items (e.g. hard copy docs, machinery), or access to these
3. Loss of IT/connectivity (servers, network, other infrastructure, applications, data)
4. Loss of voice communication (landlines, mobiles, VOIP)
5. Loss of external (non-IT/phone/building/voice) supplier

Time-critical business processes (rows): continuity strategies including initial work-around, maximum tolerable period of disruption (MTPD) and continuity provisions. In each cell the first entry is the initial work-around used up to the MTPD and the second is the continuity provision activated beyond it.

Time-critical ‘no matter when’

A) Continue inbound and outbound communication
1. Loss of staff
   < 2 wks: e.g. “Staff from front desk / reception, call centre, marketing, admin and other departments to share staff and use documented procedures”
   > 2 wks: e.g. “Hire temporary or permanent staff as required by contacting recruitment firms on file”
2. Loss of building(s)
   < 2 wks: e.g. “Staff work from home, manually divert incoming calls”
   > 2 wks: e.g. “Selected staff work from alternate site”
3. Loss of IT/connectivity
   < 2 bus days: e.g. “Inform residents of delays, use manual work-arounds based on hard-copy docs”
   > 2 bus days: e.g. “Activate DR systems and process any backlog”
4. Loss of voice communication
   < 2 bus days: e.g. “Put up web notice that phone system is down and encourage email communication”
   > 2 bus days: e.g. “Diversion by phone company to home phones or mobiles, whichever are available”
5. Loss of external supplier: no impact

B) Process and deliver orders
1. Loss of staff
   < 4 wks: e.g. “Staff from manufacturing and other departments to assist and use documented procedures”
   > 4 wks: e.g. “Hire temporary or permanent staff as required by contacting recruitment firms on file”
2. Loss of building(s)
   < 2 wks: e.g. “Inform customers of delays, and give free promo items away to compensate for reduced service level”
   > 2 wks: e.g. “Redirect products from alternate locations and find new warehouse”
3. Loss of IT/connectivity
   < 4 wks: e.g. “Inform customers of delays, use manual work-arounds based on hard-copy docs”
   > 4 wks: e.g. “Activate DR systems and process any backlog”
4. Loss of voice communication: no impact
5. Loss of external supplier
   < 4 wks: e.g. “Use day-to-day alternate supplier procedures for supplies and transport services”
   > 4 wks: e.g. “Find permanent alternate suppliers”

Time-critical only at certain times during the month

C) Pay time-critical suppliers
1. Loss of staff
   < 4 wks: e.g. “Staff from admin and other departments to assist and use documented procedures”
   > 4 wks: e.g. “Hire temporary or permanent staff as required by contacting recruitment firms on file”
2. Loss of building(s)
   < 4 wks: e.g. “Staff work from home, using mobiles and remote logon to accounts payable system”
   > 4 wks: e.g. “Selected staff work from alternate site”
3. Loss of IT/connectivity
   < 2 wks: e.g. “Access Internet Banking account from home, ask suppliers for their bank details via home phone and private email, and process payments one by one”
   > 2 wks: e.g. “Activate DR systems and process any backlog”
4. Loss of voice communication: no impact
5. Loss of external supplier
   < 2 wks: e.g. “If bank is not operating its normal processes/systems, refer to existing alternate (savings) bank”
   > 2 wks: “Evaluate banks and choose one to change all day-to-day banking over to”

Several of these work-arounds (home internet, private email, supplier bank details collected by phone) are themselves ‘recovery risks’ in the sense of page 29: agree in advance how they will be secured, and how any change of supplier bank details is verified, rather than improvising on the day.

Page 31

Manual work-arounds

Page 33

Documentation ‘look and feel’

Page 35

Quick Reference Card for assessment/initial response

Quick Reference Card - CMT Incident Assessment & Initial actions (impact assessment question > initial action)

1) Staff
o All staff/contractors contacted and accounted for? > Track staff/contractor confirmations (call tree result).
o All staff/contractors safe? > Follow up manually with calls to any missing staff/contractors/next-of-kin.
o Any staff/contractors affected by a major health threat? > If so, HR to action incident reporting process/forms.

2) Building
o Is the building/facility usable? > If permanently unusable in part or in full, contact insurer, follow up with nearest facilities and start site restoration processes if possible.
o Can the building be accessed? > If not, monitor council/SES updates every 30 min. Follow up with nearest facilities regarding shelter.
o Can staff/contractors safely exit the building/area? > If not, communicate to staff/contractors to remain on site and provide essential services to them.

3) IT systems
o Is external connectivity in place as per normal? > If not, and if home locations are unaffected, work from there. IT to monitor progress and report to CMT every 30 mins.
o Are all internal IT systems available as per normal? > IT to monitor progress and report to CMT every 30 mins.
o Have recent backups been completed as per normal? > If not, IT to determine last successful backups and report to CMT.

4) Voice communication
o Is voice connectivity in place as per normal? > Communicate estimated voice downtime via email, Intranet, web and social media, monitor progress of main services being restored and report to CMT every 30 mins.
o Are voice devices available as per normal? > If not, source alternate devices.

5) External supplier
o Is the bank operating and contactable as per normal? > If not, revert to company cheques for urgent payments and seek updates on progress from bank.
o Is <supplier xxx> operating and contactable as per normal? > If not, revert to ….. and seek updates on progress from …..
o Is <supplier yyy> operating and contactable as per normal? > If not, revert to ….. and seek updates on progress from …..

6) Miscellaneous
o Is it a particularly challenging time of the week/month/year? > Relevant CMT member to proactively contact affected parties/next-of-kin.
o Is any compliance breach likely or already occurring due to the incident? > Relevant CMT member to proactively contact regulator <and media>.
o Is a reputational issue occurring due to the incident, including (social) media storm? > Relevant CMT member to proactively contact the media and arrange for social media to be moderated.
o ….. > ….
o ….. > ….
o ….. > ….

Crisis Management Team (CMT) - Key contacts

CEO <first name> <mobile> <personal email>

o additional/alternate <first name> <mobile> <personal email>

CFO <first name> <mobile> <personal email>

o additional/alternate <first name> <mobile> <personal email>

… <first name> <mobile> <personal email>

o additional/alternate <first name> <mobile> <personal email>

Ext comm <first name> <mobile> <personal email>

o additional/alternate <first name> <mobile> <personal email>

Social media moderator <first name> <mobile> <personal email>

o additional/alternate <first name> <mobile> <personal email>

Legal Counsel <first name> <mobile> <personal email>

o additional/alternate <first name> <mobile> <personal email>

… <first name> <mobile> <personal email>

o additional/alternate <first name> <mobile> <personal email>

… <first name> <mobile> <personal email>

Damage Assessment Team (DAT) - Key contacts

HR <first name> <mobile> <personal email>

o additional/alternate <first name> <mobile> <personal email>

IT <first name> <mobile> <personal email>

o additional/alternate <first name> <mobile> <personal email>

Facilities/property <first name> <mobile> <personal email>

o additional/alternate <first name> <mobile> <personal email>

Security <first name> <mobile> <personal email>

o additional/alternate <first name> <mobile> <personal email>

… <first name> <mobile> <personal email>

o additional/alternate <first name> <mobile> <personal email>

… <first name> <mobile> <personal email>

o additional/alternate <first name> <mobile> <personal email>

Recovery Support Team (RST) - Key contacts

Exec Assistant <first name> <mobile> <personal email>

o additional/alternate <first name> <mobile> <personal email>

… <first name> <mobile> <personal email>

Admin <first name> <mobile> <personal email>

o additional/alternate <first name> <mobile> <personal email>

Reception <first name> <mobile> <personal email>

o additional/alternate <first name> <mobile> <personal email>

… <first name> <mobile> <personal email>

o additional/alternate <first name> <mobile> <personal email>

Display Homes / Remote Offices - Key contacts

Location: … <first name> <mobile> <personal email>

Location: … <first name> <mobile> <personal email>

Location: … <first name> <mobile> <personal email>

Location: … <first name> <mobile> <personal email>

Key external parties

Bank ….. <contact> <mobile> <office email>

IT supplier …. <contact> <mobile> <office email>

….. (regulator/agency) <contact> <phone> <office email>

….. <contact> <mobile> <office email>

Quick Reference Card - Key internal and external contacts

Page 36

Example: Security incidents and reporting timeframes

Page 37

Managing incidents

Page 38

Response Team

Page 39

Assessing incidents

Data breaches and malware attacks often go unnoticed for days/ weeks…

Page 40

Assessing incidents

Page 42

Staff awareness tools

Page 44

My 12 tips to get ‘incident ready’

• Internal capacity building (‘Fantastic 4’)
• Dynamic document framework > prevent ‘collecting dust on the shelf’
• Consequence-based planning > keep it simple
• Cater for fatigue/unavailability of staff
• ‘Top down’ approach based on time-critical processes
• Strong focus on communication/notification planning, incl. ‘pull communication’
• Colour-coded, matrix style documentation (incl. ‘BCP on a page’)
• Hyperlink/utilise what is already there > don’t duplicate
• Toolkit approach to plan activation > easy to find what we need ‘on the spot’ (e.g. the 1-minute assessment tool)
• Optimally use agreed manual/initial workarounds to reduce cost
• Overall: Prioritisation focus (being selective to reduce workload)
• Test the plan with bells and whistles… and reward mistakes!

Page 45

ISO Certification Training Courses (KAMPALA / ZANZIBAR / NAIROBI, East Africa)

3-day Business Continuity Management course, incl. ISO 22301 exam: 12-14 April 2018

5-day combination/modular BCM, Risk and InfoSec course, incl. ISO 22301, ISO 31000 and ISO 27001 exams: 16-20 April 2018

Or come to Australia ☺ 12-16 March 2018. Info on: www.businessasusual.net.au

Page 46

Questions?

LinkedIn > look up

‘Rinske Geerlings’

Other info:

www.businessasusual.net.au

[email protected]