
Emergency Management & Safety Solutions
Out of Danger Comes Opportunity

Developing a Comprehensive Emergency Management Program and Conducting Your Own Internal Assessment

March 2011

Standards Review and Conducting a Self-Assessment

www.ems-solutionsinc.com
March 2012

Agenda
• Introduction and Overview
• Reviewing the Major Standards
  – ASIS SPC.1
  – BS 25999
  – FFIEC
  – NFPA 1600
• Conducting a Self-Assessment
  – Preparation
  – Execution
  – Closure

Introduction and Overview
• Basic terminology and concepts.
  – Audit: “to examine carefully with the intent of verification.”
  – “Verification” implies that the subject of the examination is being objectively compared to an existing standard or benchmark; the examination is not subjective.
  – The scope of this discussion is limited to business continuity programs, and does not include other disciplines (e.g. information security and general risk management).

Introduction and Overview
• Why would we want to conduct a self-assessment?
  – External audit preparation/reaction.
  – Internal audit preparation/reaction.
  – Board of Directors or executive management “interest.”
  – Regulatory or legal compulsion.
  – Exploring PS-Prep compliance.
  – We just want to make sure that our program will work when we need it!

Introduction and Overview
• Who should conduct the self-assessment?
  – The essential factor is to find someone who is qualified, who can be objective during the examination, and who can deliver bad news if necessary.
  – The most obvious internal candidate is the business continuity group, with assistance from key business and support groups.
  – Internal audit may be able to assist.
  – An outside group with requisite knowledge and experience may provide the best results.

Introduction and Overview
• The prerequisite for any assessment, formal or informal, is to establish a benchmark.
• The standard may be dictated, or you may have the discretion to pick your own.
  – If the former, the more you know about the standard that will be used, the better prepared you will be for the audit.
  – If the latter, you need to know the options and alternatives to make an informed decision.
• Always keep in mind: once you know which “rule book” will be used, you have all the answers!

Introduction and Overview
• Four major standards are used in North America today:
  – ASIS SPC.1 (2009)*
  – BSI 25999-1 (2006) and -2 (2007)*
  – FFIEC BCP (2008)
  – NFPA 1600 (2010)*
• We have also reviewed (but do not reference) ASIS/BSI BCM.01-2010.
• It also appears that ISO 22301, now in final review stages, will be published later this year.
* Accepted by Department of Homeland Security for use in the PS-Prep program.

Introduction and Overview
• Before we start the review, a quick word about the “standards” world.
• It’s easy to get lost in the maze of acronyms and buzz words that many people use when talking about business continuity.
  – Not surprisingly, some are more directly applicable to our topic than others!
• Let’s put the four “pure” business continuity standards into context with other standards, frameworks, laws and regulations.

Introduction and Overview
• The Business Continuity World: ASIS SPC.1, BSI 25999, FFIEC, NFPA 1600
• The Information Technology World: COBIT, ITIL
• The Business World: COSO, SOX, FCPA, HIPAA

Reviewing the Major Standards
• As noted, four standards dominate North American practices.
• Each was developed from a certain perspective, and each reflects the views, biases, and characteristics of its originating organization.
• However, at their core they all address the same elements and requirements.

Reviewing the Major Standards

| BSI 25999-2 | NFPA 1600 | FFIEC (App A) | ASIS SPC.1 |
|---|---|---|---|
| 1. Scope | 1. Administration | 1. Examination Scope | 1. Scope |
| 2. Definitions | 2. Referenced Publications | 2. Board and Senior Management Oversight | 2. Normative References |
| 3. Planning the BCMS | 3. Definitions | 3. BIA and Risk Assessment | 3. Terms and Definitions |
| 4. Implementing and Operating the BCMS | 4. Program Management | 4. Risk Management | 4. OR System Requirements |
| 5. Monitoring and Reviewing the BCMS | 5. Planning | 5. BCP – General | 4.1 General Requirements |
| 6. Maintaining and Improving the BCMS | 6. Implementation | 6. BCP – HW, Backup, and Recovery Issues | 4.2 Management Policy |
| | 7. Testing and Exercises | 7. Security Issues | 4.3 Planning |
| | 8. Program Improvement | 8. Pandemic Issues | 4.4 Implementation and Operation |
| | | 9. BCP – Outsourced Activities | 4.5 Checking (Evaluation) |
| | | 10. Testing and Exercises | 4.6 Management Review |
| | | 11. Conclusions | |


Reviewing the Major Standards
• If you have a choice, review each standard carefully and choose the one that seems to best fit with your company’s way of doing business.
• Each has strengths:
  – Financial Services: FFIEC is the logical (and possibly mandatory) choice.
  – North America: NFPA 1600 was seen as the de facto American standard, but the landscape may be changing.
  – International: BSI 25999 has the cachet of international acceptance, especially in Europe.
  – Strong ties to other ISO standards: ASIS SPC.1 was designed to fit.

Conducting a Self-Assessment
• Whether you conduct a self-assessment in anticipation of a formal audit, or to benchmark your business continuity program, the steps are the same.
• There are three phases to an assessment:
  – Preparation
  – Execution
  – Closure and Report

Conducting a Self-Assessment
• Preparation
  – Make sure you have senior management approval and support.
  – Identify the parties you’ll need to interview and talk to them before you start; let them know what to expect.
  – Review your standard carefully; make sure you understand what each objective requires.
  – Develop a scorecard before you start (example on the next slide).
  – Determine how results will be reported (and to whom) before the examination begins.

Conducting a Self-Assessment

Red: Item falls materially short of an auditable standard.
Yellow: Item is not fully compliant with an auditable standard.
Green: Item addresses all material requirements of an auditable standard.
N/A: Item is not applicable to this examination.

| Objective | Red | Yellow | Green | N/A |
|---|---|---|---|---|
| Objective 1: Examination Scope | 0 | 0 | 0 | 4 |
| Objective 2: Board and Senior Management Oversight | 0 | 0 | 6 | 0 |
| Objective 3: Business Impact Analysis (BIA) and Risk Assessment | 0 | 0 | 5 | 0 |
| Objective 4: Risk Management | 0 | 3 | 3 | 0 |
| Objective 5: Business Continuity Plan (BCP) - General | 0 | 1 | 0 | 0 |
| Objective 6: BCP - Hardware, Backup, and Recovery Issues | 1 | 1 | 2 | 2 |
| Objective 7: Security Issues | 0 | 0 | 6 | 0 |
| Objective 8: Pandemic Issues | 0 | 0 | 11 | 0 |
| Objective 9: Outsourced Activities | 0 | 0 | 1 | 6 |
| Objective 10: Risk Monitoring and Testing | 0 | 8 | 6 | 0 |
| Totals | 1 | 13 | 40 | 12 |

Percent of Total: Red 2%
Percent of Total: Yellow 24%
Percent of Total: Green 74%

Conducting a Self-Assessment

FFIEC Business Continuity Planning (March 2008)

Review Code

R Y G N/A

1 5 10 2

Objective 1: Examination Scope

1. Review examination documents and financial institution reports for outstanding issues or problems.

2. Review management's response to audit recommendations noted since the last examination.

3. Interview management and review the business continuity request information to identify:

4. Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process.

Objective 2: Board and Senior Management Oversight

1. Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization.

2. Determine whether a senior manager or committee has been assigned responsibility to oversee the development, implementation, and maintenance of the BCP and the testing program.

3. Determine whether the board and senior management has ensured that integral groups are involved in the business continuity process (e.g. business line management, risk management, IT, facility management, and audit).

4. Determine whether the board and senior management have established an enterprise-wide BCP and testing program that addresses and validates the continuity of the institution's mission critical operations.


Conducting a Self-Assessment
• Execution
  – Be objective. Examine the evidence presented and evaluate it from the perspective of an outsider.
  – Be brutally honest. The goal is to identify deficiencies, not to gloss over them.
  – Ask questions. The respondents may not understand what you’re looking for; help them help you.
  – Listen carefully and probe deeply. Things are rarely as bad (or as good) as they seem at first blush.

Conducting a Self-Assessment
• Closure and Reporting
  – Avoid making overly broad judgments in your assessment.
  – Put subjective statements into full context.
  – Be ready to explain your assessment; include documentation where appropriate.
  – Don’t pull any punches (if you can avoid it).
  – Be prompt. Once the examination has been completed, get the results out as quickly as possible.
  – Work with your management team to track deficiencies all the way through resolution.
  – Set a date for a follow up/next examination.

Time for a 10 Minute Break!

Developing a Comprehensive Emergency Management Program and Conducting Your Own Internal Assessment

September 2010

Comprehensive Emergency Management Program

Agenda
• What is in a Comprehensive Program?
  – Risk Assessment
  – Emergency Response
  – Business Continuity
  – Disaster Recovery
  – Crisis Communications
  – Incident Management
  – Training and Exercises
  – Maintenance Process

Before you do anything - assess!
• Before you plan your response you must assess your risks:
  – Natural hazards
  – Your neighbors
  – Human risks
  – Environmental risks
  – Political/country risks
  – Your building: Life safety, security
• Determine risks and develop appropriate prevention and mitigation strategies.

Incident Management

The Four Pillars
• Emergency Response
• Disaster Recovery
• Business Continuity
• Crisis Communications

Emergency Response
• What is included in your emergency response program?
  – Basic emergency procedures for all staff
  – Employee training and/or materials
  – Basic first aid supplies
  – Floor warden/emergency response teams (ERT)
  – Written procedures for ERT
  – Training for ERT based on their role

Emergency Response
• What is included in your emergency response program?
  – Drills - fire, earthquake, tornado, radio
  – More specialized disaster type supplies
  – Company emergency responder team
  – Detailed emergency procedures for all company responders including building specific information
  – Emergency exercise to test teams and procedures

Disaster Recovery
• The complexity of your DR plan has a lot to do with your size.
• It goes without saying that the bare minimum DR plan is nightly back up with tapes stored off site.
  – Small firms may simply do back up nightly and a staff person takes the tapes off site.
  – Moderate-size firms may have a document storage company take them off site to a warehouse.
  – Large firms may have a contract with a “hot-site” restoration vendor.
• What is included in your disaster recovery program?
  – Authority to Declare a Disaster
  – Clearly identified priorities for recovery of applications and data
  – Recovery Tasks & Procedures: infrastructure and data restoration and resynchronization of data

Disaster Recovery
  – Complete inventory list of your equipment and applications.
  – A schematic map of the server farm (in case you have to configure one from scratch!)
  – Temperature monitoring of the server farm with an alarm notification system, check out www.temperatureguard.com
  – Pre-designated “hot site” to recover your data or a drop ship arrangement for equipment
  – Regular testing of equipment, procedures and staff
  – Up-to-date documentation on recovery of systems and applications including procedures and equipment
  – Telecommunications recovery strategies for all mission critical numbers

Business Continuity
• What is included in business continuity?
  – Business impact analysis
  – Clearly identified mission critical functions that are “time-sensitive”
  – Individuals assigned to a BCP role in each mission critical department
  – Detailed work area recovery plans

Business Continuity
• What is included in business continuity?
  – Departmental plans that support the timely recovery of those identified time-sensitive mission critical functions. Plans identify:
    • Staff
    • Equipment
    • Technology and data required
    • Work area recovery strategy
    • Employee communication
    • Vendor communication
    • Critical operating procedures for time sensitive functions
    • Regular exercises of the plan

Crisis Communications
• What is “crisis-communications?”
  – Communication strategies that reduce the likelihood of an internal business problem going “public” or minimize the reaction if disclosure of the “crisis” cannot be avoided.
• The Plan should include:
  – The crisis communication team
  – Positioning
  – Designated spokespersons
  – Media policies and procedures
  – Identified key audiences
  – Draft communications including media, employee, investors and other key stakeholders
  – Collateral materials
  – Contact log
  – Guidelines for speakers presentations and handling media interviews.

Communication Tools
• Land lines - avoid your company phone switch
• Centrex
• Ring down lines
• Cell
• Nextel
• Satellite
• Blackberry/iPhone
• Symon (reader-boards)
• Voice over Internet (VOIP)
• Instant Messaging
• Motorola “Walk-Abouts”
• “Net” meetings
• Web site
• Notification systems
• Conference Bridge
• Ham
• Two-way radios
• Pager
• CB Radio
• Email
• Text messaging
• Fax
• Runners
• GETS card (critical infrastructure)

• Emergency Response
• Disaster Recovery
• Business Continuity Planning
• Crisis Communications

See a problem?

Incident Management
• Emergency Response
• Disaster Recovery
• Business Continuity Planning
• Crisis Communications

What is Incident Management?
• Organized and centralized approach that allows for:
  – Command
  – Control
  – Coordination
  – Communication
  – Collaboration
  – Consistency
• Look for industry best practices.
  – Incident Command System (ICS)

Incident Command System History
• The Incident Command System (ICS) was developed in response to a series of fires in Southern California in the early 1970s.
• ICS is widely adopted in the U.S. at all levels of government.
• Also used globally.

Training and Exercises
• Train all employees on the plan
• There are only two ways to know if any of this works
  1. Have a disaster
  2. Do at least one exercise per year
• We recommend #2, less stressful, more productive!
• Practice! Bi-annual…
  – Telephone tree tests
  – Tabletop exercise reviews with staff

Lastly…It’s An On-going Effort
• Develop a maintenance schedule; someone needs to be responsible for a bi-annual review.
• Remember…the work is never done!


Workshop
• For this portion of the session please group yourselves into teams as directed.
• Each team will need to:
  – Nominate a spokesperson
  – Complete the assignments
  – Report out your team’s results at the end of the workshop session

Workshop Assignment
• Please develop team responses to the following situation:

“You have been directed to prepare and execute a self-examination of your organization’s Business Continuity Management Program. Describe the actions you will take in each of the three major steps of the examination: Preparation, Execution, and Closure and Report.”

Preparation
• What standard will/must you use, and why?
• What level of management support will you expect to receive?
• Who will you talk to before the examination begins, and why?
• What type of political pressure will you anticipate receiving and how will you handle it?

Execution
• What type of documentation will you need to collect to support the examination?
• Would you anticipate having to make in-progress reports to your manager? To senior management, if different?
• If the manager of a group or department being examined wants to talk to you about the outcome of the examination before your work is complete, how will you handle it?
• In general, will your organization be receptive to the examination? If not, what will you do to compensate?

Closure and Report
• Who within your organization will be the first reviewer of the examination report, and why?
• Would you anticipate having to make adjustments to the examination report after senior management reviews the results; if so, why?
• How will your organization typically socialize the type of information found in an examination report?
• Does your organization have a mechanism for tracking examination findings and deficiencies until they are resolved? Is it effective?

Thank You!

Regina Phelps RN BSN MPA CEM
Kelly David Williams MBA JD

Emergency Management & Safety Solutions
San Francisco, California
415-643-4300
www.ems-solutionsinc.com