TRANSCRIPT
© Business As Usual 2018 - www.businessasusual.net.au
Rinske Geerlings
Founder
Principal Consultant & Trainer
Business As Usual, Australia
Global best practices on 3 hot topics: Risk, Business Continuity and Cyber Security
If **it hits the fan… what’s the plan?
• IT/connectivity breakdown
• Phone system failure
• Fire
• Denial of building access
• Supplier out of action
• Flu outbreak
• Cyber crime/hacking
• Lockout due to security incident
• Flood
• Power outage
• Locked inside due to safety issue
Who am I?
Rinske Geerlings Founder, Managing Director & Principal Consultant/Trainer
• Master of Science (Engineering)
• ISO 22301 / ISO 31000 / ISO27001 / ISO 28000 certified trainer
• CBCP by Disaster Recovery Institute (DRI) International
• MBCI (Business Continuity Institute), RMIA, IIA and ISACA member
• ITIL (IT Infrastructure Library) Master and COBIT certified
• Participant in AllFinance in the lead-up to APRA’s BCM standard (2005)
• Presented at 100+ Business Continuity and Security related seminars/conferences
• 20 years of Business Continuity, Security and Risk Management experience
• Awarded Alumnus of the Year 2012 (Delft, Netherlands)
• Business Woman of the Year 2010-2013 (BPW, global NGO with UN status)
• Awarded Risk Consultant of the Year 2017 Australasia (RMIA)
Partial list: Consultancy & Training clients

Government departments/agencies: APEC through Australian Department of Foreign Affairs and Trade (DFAT), Australian Tax Office, Port Authority (Singapore), Port Authority (Nigeria), Central Provident Fund Board (Singapore), Commonwealth Ombudsman (AU), NSW Treasury (AU), Asian Disaster Preparedness Centre (ADPC - Thailand), Australian Federal Police, Department of Immigration (AU), Department of Industry & Investment (AU), Department of Premier and Cabinet (DPC – AU), Tourism Australia, Federal Court of Australia, Worksafe (AU), State Library of NSW (AU), Australia Post, Department of Education/DETA (QLD - AU), Victorian Ombudsman (AU), Australian Securities & Investments Commission (ASIC), Department of Defence (AU), Department of Public Works (QLD - AU), INDECI (Peru), Ballarat City Council (VIC - AU), Coffs Harbour Council (AU), Grafton Council (AU), Lismore Council (AU), Central Highlands Regional Council (CHRC - AU), Wentworth Shire Council (AU), Department of Health (VIC - AU), Gippsland Water (VIC - AU), Legal Aid NSW (AU), Agimo (Federal Government - AU), RAC (WA - AU)

Banking/finance/insurance: Reserve Bank of Australia (RBA), Central Bank of Uganda, Bank of Tanzania, Central Bank of Kenya, National Bank of Rwanda, CRDB Tanzania, Tanzania Revenue Authority (TRA), Central Bank of Bangladesh, Burundi Central Bank, Bank Negara (Malaysia), Central Bank of Thailand, Bank South Pacific (Papua New Guinea), Bank of Ceylon (Sri Lanka), Affin Bank (Malaysia), Rabobank (AU), SunSuper (AU), Alliance Bank (Malaysia), Asian Development Bank (ADB - Philippines), Bangkok Bank (Thailand), St George Bank (AU), NIB Health Funds (AU), Westpac (AU), Bendigo & Adelaide Bank (AU), Victoria Teachers Credit Union (AU), State Street (AU), Flexirent (AU), CMC Markets (AU), Finance Trust Bank (Uganda)

IT/Telecommunication: Optus Networks (AU), Opticon (AU), LucidIT (Singapore), Datacom (Asia Pacific), Professional Advantage (AU), Kaz Group (Asia Pacific), Fujitsu (AU), UXC Consulting (AU), SACOFA (Borneo/Malaysia telco infrastructure), Corptech (AU), CITEC (Asia Pacific), Vodafone (New Zealand)

Manufacturing/Oil & Gas/Transport/Utilities: CNOOC (Uganda), KenGen (electricity - Kenya), Malaysia Airports, BBC Worldwide, Fuji Xerox (Asia Pacific), Shell Petroleum (Brunei Darussalam), BASF (Malaysia), PMP Limited (Asia Pacific), Salmat (AU), Port Waratah Coal Services (PWCS – AU), Boeing (AU), Energex (AU), Leighton Contractors (AU), Knorr Bremse (AU /global), Qantas (AU)

Education: Delft University of Technology (Netherlands), Australian Catholic University, University of New England (UNE - AU), Melbourne University (AU), UNI Strategic (Malaysia), UNI Strategic (South Africa), East African Community (EAC), Coreventus (Malaysia), Zenith (Malaysia), Covenant Christian School (AU), Queensland Tertiary Admissions Centre (QTAC - AU), Hutchins School (Tasmania - AU), Mentone Girls’ Grammar School (AU), Mount Alvernia School (Brisbane - AU), Swan Christian Education Association (SCEA - AU), ACE (NSW Community College - AU), ISACA (Papua New Guinea), Learning Links (AU), ARK management education (AU)

Hospitality/Retail/Distribution/Publishing: Toga Hospitality Group (AU), Federal Hospitality Group (AU), Lagardère Services (Asia-Pacific), Woolworths (AU), Guinness (Malaysia), Lonely Planet (Australia), REA-Group (realestate.com.au – AU)

Other: ASIS (Chile), Munt Opera (Belgium), Scenter (Netherlands), CXC Global (AU), Thales Group (Asia Pacific), KBR (AU), ISACA (Chile), McKays Lawyers (QLD - AU), Sparke Helmore Lawyers (AU), Business Continuity Institute (Philippines), Certified Practicing Accountants (CPA, Australia), Barrington (AU), Janellis (AU), Queensland Law Society (AU), WorldVision (Asia Pacific), G4S Security (AU)
What about you?
• Information Security?
• Other IT roles?
• Risk or Business Continuity?
• Auditing?
• Management Consultant?
• Other / Business / Operational areas?
0 points: “Plan? What plan... Oh yeah, I think we have one somewhere… Don’t think we’ve ever tested it”
1 point: “We’d be in a mild panic, looking for some pieces of the plan, but we’ll have it under control pretty soon”
2 points: “Hakuna matata! We’ve tested the plan, we know our roles, we’re ready with our public response... Bring it on!”
Key reasons to properly assess your Risks, implement Information Security controls and develop a Business Continuity Plan (BCP)
BOT
Do you recognise this?
• When a Business Continuity or Cyber Security Test is suggested, staff always seem to be busy with ‘higher priority’ activities
• Incident response procedures are published on your Intranet (and you’ve inducted staff), but if you surveyed a few employees, you’d find they have likely forgotten them... It’s not front of mind.
• You’re always chasing a certain department to update their plans and procedures
• When presenting a proposal to optimise your recovery facilities, the Board wonders why to invest money in a ‘dead site’
Other mistakes and misconceptions
• “Everyone’s in the same boat when it comes to disasters like Pandemics and (Cyber) terrorism”
• “Our external suppliers will rapidly deliver everything we need - we have put it in the contract”
• “Our organisation has planned for anything but people issues”
• “Business Continuity is all about data backups”
What was the BCP? The manual work-around?
This is not a ‘DR’ situation…
Risk is a function of:
Likelihood (probability) and Impact (consequence)
Risk = the effect of uncertainty upon objectives
Risk Management… most efforts tend to go into prevention

| Consequence scenario (critical impact on...) | Overall impact level (1 = low, 5 = high; consider columns 4 and 5) | Relevant incidents (i.e. potential causes) | Pre-incident controls in place (to reduce likelihood) | Initial incident-specific response procedures (to reduce impact) | Residual likelihood (1 = low, 5 = high; consider column 5) | Residual risk (= impact x likelihood; 1-5 = low, 6-10 = med, 11-25 = high) |
|---|---|---|---|---|---|---|
| 1. Staff and/or contractors | 4 | Short term illness/injury/(bereavement) leave of multiple key staff | e.g. Flu shots for staff <insert links to existing procedures throughout table as relevant> | e.g. Encourage staff to work from home if they are contagious <insert links to existing procedures throughout table as relevant> | 3 | 12 |
| | | Loss of executive(s) (e.g. hostage, accident) | e.g. Travel policies for execs | e.g. Maintain contact with emergency services/police, activate ‘delegated authority’ procedures, grief counselling | 1 | 4 |
| | | etc | | | | |
| 2. Building(s) and/or physical items (e.g. hard copy docs, machinery), or access to these | 5 | Theft of equipment | e.g. Physical building security, alarms, CCTV, staff ID cards, lockable cabinets, ‘clean desk’ policy, security awareness training | e.g. Report to and maintain contact with police, staff use dedicated Security hotline number | 4 | 20 |
| | | Terrorist attack, civil unrest, riot, crowd surge | Choice of site location (not near embassy, landmarks etc) | | 1 | 5 |
| | | Bomb threat | N/a | e.g. Threat handling (phone) procedure/checklist, evacuation procedures, contact with police | 1 | 5 |
| | | Public demonstration held nearby | e.g. Choice of site location (not nearby embassy offices etc) | e.g. Public transport nearby (train, waterways), bicycle path access | 1 | 5 |
| 3. IT systems (servers, network, other infrastructure, applications, data) | 3 | Theft of critical IT equipment/server | Lockable cabinets, physical building security, alarms, CCTV, staff ID cards, ‘clean desk’ policy, security awareness training | Report to and maintain contact with police, staff use dedicated Security hotline number | 4 | 12 |
| | | Virus attacks | e.g. Virus protection software, anti-virus policy for contractors | e.g. Applying immediate patch/fix | 2 | 6 |
| | | Hacking | e.g. Firewalls, penetration testing, wireless security policy/tools, password change policy, IT security awareness training, employee leaving procedures | e.g. Report to and maintain contact with police, change passwords on all systems | 2 | 6 |
| Other/miscellaneous scenarios that would seriously affect business operations | Various possible impact levels 1-5 | Fraud, financial damages | e.g. Up-to-date procedures, access permissions, escorting visitors, culture of organisation | | 2 | 2-10 |
| | | Threat of competition, industrial espionage | e.g. Staying aware of market movements, Non Disclosure Agreement policy | | 2 | 2-10 |
| | | Loss/theft of staff laptop/smartphone (sensitive data leakage) | e.g. Encryption, password protection, secure access devices, staff Security training/awareness | | 2 | 2-10 |
| | | Legal/liability issue (e.g. compliance, discrimination, public injury/death, pollution charges) | e.g. Up-to-date procedures, quality assurance, HR policies, Professional Indemnity insurance required by all suppliers/contractors | e.g. Relationship with legal firm > immediate involvement in case of an issue | 2 | 2-10 |
| | | Software piracy | e.g. Up-to-date procedures, quality assurance, IT system installation permissions | | 2 | 2-10 |
| | | Sabotage, vandalism | e.g. Reputation management, physical controls | e.g. Insurance, reporting to police | 1 | 1-5 |
| | | Reputation/PR issue, resentful (ex) staff | e.g. Culture of organisation, employee leaving procedures, exit interview | e.g. Public Relations to provide immediate consistent response across media | 1 | 1-5 |
| | | Social media based spread of harmful info/discussion about the organisation | e.g. Culture of organisation, employee engagement policies, policy about use of social media | e.g. Public Relations to provide immediate consistent response across social media | 1 | 1-5 |
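As an added worked example (not part of the presentation), the Python below applies the matrix's own scoring rule: residual risk = impact x likelihood, banded 1-5 low, 6-10 med, 11-25 high, and the "various possible impact levels 1-5" rows produce a range such as 2-10 that can straddle two bands. The Scenario class, the function names and the transcribed sample rows are this example's assumptions.

```python
"""Residual-risk scoring for the consequence-scenario matrix in the slides.

Added example, not part of the original presentation. The 1-5 scales and the
band thresholds are the slides' own; the Scenario model and function names
are this example's assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple


def risk_band(score: int) -> str:
    """Map a residual risk score (impact x likelihood) to the slides' bands."""
    if not 1 <= score <= 25:
        raise ValueError(f"residual risk must be within 1..25, got {score}")
    if score <= 5:
        return "low"
    if score <= 10:
        return "med"
    return "high"


@dataclass(frozen=True)
class Scenario:
    """One row of the matrix: an incident under a consequence scenario."""
    area: str                # consequence scenario, e.g. "Staff and/or contractors"
    incident: str            # relevant incident (potential cause)
    impact: Tuple[int, int]  # overall impact as (min, max); equal unless 'various'
    likelihood: int          # residual likelihood after pre-incident controls, 1-5

    def __post_init__(self) -> None:
        lo, hi = self.impact
        if not (1 <= lo <= hi <= 5) or not 1 <= self.likelihood <= 5:
            raise ValueError(f"impact and likelihood must be on the 1-5 scale: {self}")

    def residual_risk(self) -> Tuple[int, int]:
        """Residual risk as (best case, worst case); a fixed impact gives (x, x)."""
        lo, hi = self.impact
        return lo * self.likelihood, hi * self.likelihood

    def label(self) -> str:
        """Render the score the way the matrix prints it: '12' or '2-10'."""
        lo, hi = self.residual_risk()
        return str(lo) if lo == hi else f"{lo}-{hi}"

    def band(self) -> str:
        """Band of the score; a range that straddles bands is shown as 'low-med'."""
        lo, hi = self.residual_risk()
        b_lo, b_hi = risk_band(lo), risk_band(hi)
        return b_lo if b_lo == b_hi else f"{b_lo}-{b_hi}"


def prioritise(scenarios: List[Scenario]) -> List[Scenario]:
    """Order rows for treatment: worst-case residual risk first, then best case."""
    return sorted(scenarios, key=lambda s: s.residual_risk()[::-1], reverse=True)


# Sample rows transcribed from the slides' matrix (impact, residual likelihood).
MATRIX = [
    Scenario("Staff and/or contractors", "Short term illness of multiple key staff", (4, 4), 3),
    Scenario("Staff and/or contractors", "Loss of executive(s)", (4, 4), 1),
    Scenario("Building(s)/physical items", "Theft of equipment", (5, 5), 4),
    Scenario("Building(s)/physical items", "Bomb threat", (5, 5), 1),
    Scenario("IT systems", "Theft of critical IT equipment/server", (3, 3), 4),
    Scenario("IT systems", "Virus attacks", (3, 3), 2),
    Scenario("IT systems", "Hacking", (3, 3), 2),
    Scenario("Other/miscellaneous", "Fraud, financial damages", (1, 5), 2),
    Scenario("Other/miscellaneous", "Sabotage, vandalism", (1, 5), 1),
]

if __name__ == "__main__":
    for s in prioritise(MATRIX):
        print(f"{s.label():>5}  {s.band():<8} {s.area}: {s.incident}")
```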
.
© Business As Usual 2018 - www.businessasusual.net.au
Let’s start with this incident....
At 4:30pm the day before payday, severe rain causes flooding and road closures, preventing egress and entry to your Head Office
Knock-on effects: “What (else) could go wrong? And why should I care?”
Risk Capacity vs Risk Appetite
Example from daily life
Business Continuity Teams: Where does Information Security fit?
Cultivating a culture that understands & supports Risk, Business Continuity and Security Management
Revival of the Post-it Notes!
Consider ‘recovery risks’
Potential flow-on effects: implementing a recovery solution shouldn’t cause a new (often bigger) crisis!
Examples:
• Unsecured WiFi?
• Is the cloud really that magical?
BCP on a page!

Columns: consequence scenarios. Rows: time-critical business processes, each with its continuity strategies, including initial work-around, maximum tolerable period of disruption (MTPD) and continuity provisions.

| Time-critical business process | 1. Loss of staff | 2. Loss of building(s) and/or physical items (e.g. hard copy docs, machinery), or access to these | 3. Loss of IT/connectivity (servers, network, other infrastructure, applications, data) | 4. Loss of voice communication (landlines, mobiles, VOIP) | 5. Loss of external (non-IT/phone/building/voice) supplier |
|---|---|---|---|---|---|
| A) Continue inbound and outbound communication (time-critical ‘no matter when’): MTPD and initial work-around | < 2 wks: “Staff from front desk / reception, call centre, marketing, admin and other departments to share staff and use documented procedures” | < 2 wks: “Staff work from home, manually divert incoming calls” | < 2 bus days: “Inform residents of delays, use manual work-arounds based on hard-copy docs” | < 2 bus days: “Put up web notice that phone system is down and encourage email communication” | No impact |
| A) Continuity provisions | > 2 wks: “Hire temporary or permanent staff as required by contacting recruitment firms on file” | > 2 wks: “Selected staff work from alternate site” | > 2 bus days: “Activate DR systems and process any backlog” | > 2 bus days: “Diversion by phone company to home phones or mobiles, whichever are available” | No impact |
| B) Process and deliver orders (time-critical ‘no matter when’): MTPD and initial work-around | < 4 wks: “Staff from manufacturing and other departments to assist and use documented procedures” | < 2 wks: “Inform customers of delays, and give free promo items away to compensate for reduced service level” | < 4 wks: “Inform customers of delays, use manual work-arounds based on hard-copy docs” | No impact | < 4 wks: “Use day-to-day alternate supplier procedures for supplies and transport services” |
| B) Continuity provisions | > 4 wks: “Hire temporary or permanent staff as required by contacting recruitment firms on file” | > 2 wks: “Redirect products from alternate locations and find new warehouse” | > 4 wks: “Activate DR systems and process any backlog” | No impact | > 4 wks: “Find permanent alternate suppliers” |
| C) Pay time-critical suppliers (time-critical only at certain times during the month): MTPD and initial work-around | < 4 wks: “Staff from admin and other departments to assist and use documented procedures” | < 4 wks: “Staff work from home, using mobiles and remote logon to accounts payable system” | < 2 wks: “Access Internet Banking account from home, ask suppliers for their bank details via home phone and private email, and process payments one by one” | No impact | < 2 wks: “If bank is not operating its normal processes/systems, refer to existing alternate (savings) bank” |
| C) Continuity provisions | > 4 wks: “Hire temporary or permanent staff as required by contacting recruitment firms on file” | > 4 wks: “Selected staff work from alternate site” | > 2 wks: “Activate DR systems and process any backlog” | No impact | > 2 wks: “Evaluate banks and choose one to change all day-to-day banking over to” |
Manual work-arounds
Documentation ‘look and feel’
Quick Reference Card for assessment/initial response

Quick Reference Card - CMT Incident Assessment & Initial actions

| Area | Impact assessment | Initial actions |
|---|---|---|
| 1) Staff | All staff/contractors contacted and accounted for? | Track staff/contractor confirmations (call tree result). |
| 1) Staff | All staff/contractors safe? | Follow up manually with calls to any missing staff/contractors/next-of-kin. |
| 1) Staff | Any staff/contractors affected by a major health threat? | If so, HR to action incident reporting process/forms. |
| 2) Building | Is the building/facility usable? | If permanently unusable in part or in full, contact insurer, follow up with nearest facilities and start site restoration processes if possible. |
| 2) Building | Can the building be accessed? | If not, monitor council/SES updates every 30 min. Follow up with nearest facilities regarding shelter. |
| 2) Building | Can staff/contractors safely exit the building/area? | If not, communicate to staff/contractors to remain on site and provide essential services to them. |
| 3) IT systems | Is external connectivity in place as per normal? | If not, and if home locations are unaffected, work from there. IT to monitor progress and report to CMT every 30 mins. |
| 3) IT systems | Are all internal IT systems available as per normal? | IT to monitor progress and report to CMT every 30 mins. |
| 3) IT systems | Have recent backups been completed as per normal? | If not, IT to determine last successful backups and report to CMT. |
| 4) Voice communication | Is voice connectivity in place as per normal? | Communicate estimated voice downtime via email, Intranet, web and social media; monitor progress of main services being restored and report to CMT every 30 mins. |
| 4) Voice communication | Are voice devices available as per normal? | If not, source alternate devices. |
| 5) External supplier | Is the bank operating and contactable as per normal? | If not, revert to company cheques for urgent payments and seek updates on progress from bank. |
| 5) External supplier | Is <supplier xxx> operating and contactable as per normal? | If not, revert to ….. and seek updates on progress from ….. |
| 5) External supplier | Is <supplier yyy> operating and contactable as per normal? | If not, revert to ….. and seek updates on progress from ….. |
| 6) Miscellaneous | Is it a particularly challenging time of the week/month/year? | Relevant CMT member to proactively contact affected parties/next-of-kin. |
| 6) Miscellaneous | Is any compliance breach likely or already occurring due to the incident? | Relevant CMT member to proactively contact regulator <and media>. |
| 6) Miscellaneous | Is a reputational issue occurring due to the incident, including (social) media storm? | Relevant CMT member to proactively contact the media and arrange social media to be moderated. |
| 6) Miscellaneous | ….. | …. |

Quick Reference Card - Key internal and external contacts

Crisis Management Team (CMT) - Key contacts
• CEO <first name> <mobile> <personal email>
  o additional/alternate <first name> <mobile> <personal email>
• CFO <first name> <mobile> <personal email>
  o additional/alternate <first name> <mobile> <personal email>
• … <first name> <mobile> <personal email>
  o additional/alternate <first name> <mobile> <personal email>
• Ext comm <first name> <mobile> <personal email>
  o additional/alternate <first name> <mobile> <personal email>
• Social media moderator <first name> <mobile> <personal email>
  o additional/alternate <first name> <mobile> <personal email>
• Legal Counsel <first name> <mobile> <personal email>
  o additional/alternate <first name> <mobile> <personal email>
• … <first name> <mobile> <personal email>
  o additional/alternate <first name> <mobile> <personal email>
• … <first name> <mobile> <personal email>

Damage Assessment Team (DAT) - Key contacts
• HR <first name> <mobile> <personal email>
  o additional/alternate <first name> <mobile> <personal email>
• IT <first name> <mobile> <personal email>
  o additional/alternate <first name> <mobile> <personal email>
• Facilities/property <first name> <mobile> <personal email>
  o additional/alternate <first name> <mobile> <personal email>
• Security <first name> <mobile> <personal email>
  o additional/alternate <first name> <mobile> <personal email>
• … <first name> <mobile> <personal email>
  o additional/alternate <first name> <mobile> <personal email>
• … <first name> <mobile> <personal email>
  o additional/alternate <first name> <mobile> <personal email>

Recovery Support Team (RST) - Key contacts
• Exec Assistant <first name> <mobile> <personal email>
  o additional/alternate <first name> <mobile> <personal email>
• … <first name> <mobile> <personal email>
• Admin <first name> <mobile> <personal email>
  o additional/alternate <first name> <mobile> <personal email>
• Reception <first name> <mobile> <personal email>
  o additional/alternate <first name> <mobile> <personal email>
• … <first name> <mobile> <personal email>
  o additional/alternate <first name> <mobile> <personal email>

Display Homes / Remote Offices - Key contacts
• Location: … <first name> <mobile> <personal email>
• Location: … <first name> <mobile> <personal email>
• Location: … <first name> <mobile> <personal email>
• Location: … <first name> <mobile> <personal email>

Key external parties
• Bank ….. <contact> <mobile> <office email>
• IT supplier …. <contact> <mobile> <office email>
• ….. (regulator/agency) <contact> <phone> <office email>
• ….. <contact> <mobile> <office email>
Example: Security incidents and reporting timeframes
Managing incidents
Response Team
Assessing incidents
Data breaches and malware attacks often go unnoticed for days/ weeks…
Staff awareness tools
My 12 tips to get ‘incident ready’
• Internal capacity building (‘Fantastic 4’)
• Dynamic document framework > prevent ‘collecting dust on the shelf’
• Consequence-based planning > keep it simple
• Cater for fatigue/unavailability of staff
• ‘Top down’ approach based on time-critical processes
• Strong focus on communication/notification planning, incl. ‘pull communication’
• Colour-coded, matrix style documentation (incl. ‘BCP on a page’)
• Hyperlink/utilise what is already there > don’t duplicate
• Toolkit approach to plan activation > easy to find what we need ‘on the spot’ (e.g. the 1-minute assessment tool)
• Optimally use agreed manual/initial workarounds to reduce cost
• Overall: Prioritisation focus (being selective to reduce workload)
• Test the plan with bells and whistles… and reward mistakes!
ISO Certification Training Courses (KAMPALA / ZANZIBAR / NAIROBI, East Africa)
• 3-day Business Continuity Management course incl. ISO 22301 exam: 12-14 April 2018
• 5-day combination/modular BCM, Risk and InfoSec course incl. ISO 22301, ISO 31000 and ISO 27001 exams: 16-20 April 2018
Or come to Australia ☺ 12-16 March 2018
Info on: www.businessasusual.net.au
Questions?
LinkedIn > look up ‘Rinske Geerlings’
Other info: www.businessasusual.net.au