Business Continuity

Business Continuity: Establishing a Successful Program

2011 ISACA Webinar Program

Clyde Hague, CISM, CISSP, CRISC Information Security Officer First Merchants Corporation

Discussion Topics

Breaking Down the Parts
Create a Solid Base for Business Continuity
Additional Parts that Enhance Sustainability

Defining Basic Parts of Business Continuity: Incident Response Plan

Handles unexpected events that hopefully will be contained and will not need the BCP or DR
Does not necessarily require BCP activation or a disaster declaration
Should include well-defined severity and declaration criteria, plus escalation and notification processes
Detect, Diagnose, Manage, Contain/Minimize Effects, Restore, Determine Cause, Implement Improvements

Defining Basic Parts of Business Continuity: Business Impact Analysis/Risk Assessment

Identifies the resources critical to an organization's continued existence, identifies the threats posed to those resources, assesses the likelihood of those threats occurring, and determines the impact of each of those threats on the organization. (Risky Thinking)
Everyone knows what order everything will be recovered in.
Perform a gap analysis against the existing BCP and DR
Forms the basis for, and is part of, your BCP and DR

Defining Basic Parts of Business Continuity: Business Continuity Plan

A guide for moving through events to continue your business, especially critical services, not just IT
Not all inclusive
Some combine BCP and Disaster Recovery; some keep them separate
Based on a Business Impact Analysis
Includes:
Specific steps all are to follow and who is responsible
Contact information/call trees
Unique documents for different disciplines

Defining Basic Parts of Business Continuity: Disaster Recovery

Again, some combine with BCP while others separate
Based on Business Impact Analysis
An incident can become a disaster either by mishandling or by natural progression of the incident
Directs the recovery of systems and services by people, while a BCP directs people
Not just IT

Create a Solid Base

Supporting documentation must be in place
Train all appropriate personnel
Ensure communication channels are established and functioning
Everyone reports incidents; the timing and reaction can make all the difference

Additional Parts
Remote Access for employees (Citrix is an example)
Allows for higher productivity during an event
If the recovery site is far away, remote access saves money by limiting travel to necessary employees
Employees are happier as they stay at or near their homes
Put in place before an event
Incorporate in normal work processes: train and practice
Consider pairing it with Out of Band Authentication or other logon security

Additional Parts
A Mature Vendor Management Program
Do your contracts and agreements provide for your needs during an event? Uptime guarantees are not enough.
Is your critical vendors' contact info in your BCP?
Do your critical vendors have tested BCP/DRs in place? Do they participate in your DR test?
What about Cloud Computing? Remember Amazon EC2

Additional Parts
An involved emergency response team
Paper plans at home or in the car, and at work
A user base that communicates events
Consider addenda to your BCP for specific situations:
Pandemic Plan
Severe Weather Procedure

Additional Parts
Update and Testing
Plans should be updated periodically at set times
Test disaster restoration of critical infrastructure and business applications
Test the applicability and usability of the business continuity plan
Act on lessons learned

Additional Parts
Different Forms of Testing
Penetration Test
Social Engineering Test

Post Event Review

Take the time
Figure out what went wrong AND what went right

Questions?
Thank you for your time!
Clyde Hague, CISM, CISSP, CRISC Information Security Officer First Merchants Corporation

