May 11, 2007 BC Plan Exercising – Doing it By the Numbers Presentation to Three Rivers Contingency Planning Ass’n Paul Kirvan, FBCI, CBCP, CISSP Marsh Risk Management New York City
Agenda • Welcome and Introduction • Getting Started • Ingredients for Your Exercise • Exercise Checklists and Template • Awareness and Training • Exercising, Awareness and Training According to Industry Standards • Summary
Getting Started Ask Yourself the Five Ws • What are you exercising? • Who will be involved in the exercise? • Why are you conducting an exercise? • Where will you conduct the exercise? • When will you schedule the exercise? Remember: You can never exercise too much, because most people never exercise at all…
Ingredients for Your Exercise • Senior management support, funding • Corporate policy for exercising • Plans to exercise, e.g., BC, EM, security • Exercise type, e.g., table-top, full-scale • Exercise development team • Compelling scenario
Ingredients for Your Exercise • Participants in the exercise • Facilitators, observers, scribes, assistants • Suitable venue • Access to A/V resources • Exercise process, e.g., script, injects, A/V, “actors”, and (oh yes) the plan • Post-exercise debrief, lessons learned, plan updating, report to management
Exercise Checklists • A few words about policy “Senior executives in each <company name> location shall ensure that business continuity plans are exercised at least once annually to make certain that the information contained within each plan is accurate and that the procedures contained within each plan are appropriate and can be properly executed by <company name> associates. Each business unit leader will ensure that adequate budget provision is made to cover costs associated with organizing and executing exercises, conducting awareness and training programs where needed, and to follow up on plan exercises by documenting the exercise results and updating plan documentation as indicated.”
Exercise Checklists • Exercises should include • A business continuity plan, security plan, and/or crisis response plan • Exercise objectives with particular emphasis on key business processes • Evaluation criteria for exercise results and measures for improving the plan and re-exercising it • Documentation of exercise results and the steps proposed to correct any problems
Exercise Checklists • Examples of exercise activities • Team Member Orientation — Meet with all employees to outline the business continuity program • Team Exercise — Conduct a tabletop exercise with a focus on recovery strategies • Team Leader Exercise — Conduct a tabletop exercise with a focus on facility-wide recovery • Functional Exercise — Conduct a hands-on test of hardware and/or connectivity resources at an alternate recovery center; use of alternate (manual) procedures at the home or alternate facility can be tested
Exercise Checklists • Exercise types • Tabletop Exercises — A meeting to discuss team responsibilities and reaction to emergency scenarios. • Walk-Through Drill — A performance exercise in which actual emergency response functions are acted out. • Functional Drill — A response exercise in which activities such as medical response, emergency notification, and emergency warnings are tested. • Evacuation Drill — An exercise where employees walk the planned and alternate evacuation routes and account for personnel at the meeting place. • Full-Scale Exercise — A real-life simulation as close to the real thing as possible.
Exercise Checklists • What are you exercising? • Recovery Team Alert List — Contact information for all personnel assigned to the team. As this list can change frequently, team leaders should send a copy of it to each team member to review and update. • Critical Functions List — Critical functions that each team must accomplish during a recovery effort. Team leaders must review these functions to determine that they are relevant. • Team Recovery Steps — Strategies for recovery of critical functions; must be reviewed to validate that strategies are meeting current business objectives and reflect the best possible solutions.
Exercise Checklists • What are you exercising? • Functional Recovery Steps — Step-by-step procedures to complete the desired operational recovery; must be carefully reviewed and validated to determine accuracy and completeness. • Vendor and Customer List — Contact information for critical vendors and customers; must be reviewed to determine list accuracy and completeness. • Work Area Requirements — Critical resources required to support recovery at a designated work area site; must be reviewed to determine list accuracy and completeness. • Off-Site Storage List — Critical records or resources stored off site; must be reviewed to determine accuracy and completeness.
Exercise Checklists • Goals of exercising • Establish an exercise program that addresses the review, testing, and modification of BC, EM and security plans • Verify that the plan actually works • And remember… • Business continuity, security, and emergency response plans are living documents • They should reflect the latest information available • The best way to ensure that the plans will facilitate the desired recovery is to review and exercise them at least twice a year
Exercise Checklists • Exercising checklist – 1 • Has a complete documented review or test of the BC plan been performed within the last year? • Has the plan been modified to correct weaknesses found during the last review and/or test? • Has a test administrator been appointed? • Has a comprehensive testing program been developed? • Does this program define every review and test with respect to its objective and scope, scheduling, procedures, and participants? • Has the program been reviewed to determine if all elements of the business continuity, security, and crisis management plans are in place and accurate?
Exercise Checklists • Exercising checklist – 2 • Has the person responsible for monitoring this process documented the results of each review or test? • Has a system been developed for enacting changes to the plan following reviews and tests? • Is there a process in place to ensure the completion of action items identified following reviews and tests? • Are the action items identified following the reviews and tests on schedule? • Are data, such as telephone numbers and names of individuals responsible for specific tasks, up-to-date? • Are business, operation, and technology service delivery mechanisms the same as when the plan was last tested?
Exercise Checklists • Exercising checklist – 3 • Have the assumptions on which the plan is based been validated as part of the testing process? • Were the business, operations, and technology managers involved in testing and validating these assumptions? • Has the completeness of business continuity, security, and crisis procedures been reviewed and have the results of the review been documented? • Has a full test of the business continuity, security, and crisis plans been performed within the last year? • Did the full test verify the awareness and preparedness of personnel? • Were all people identified in the plan mobilized during the full test?
Exercise Checklists • Exercising checklist – 4 • Were all resources specified in the plan mobilized during the full test? • Were the procedures stated in the plan carried out to determine how well the plan really works? • Is there a documented set of corporate standards, criteria, or guidelines covering testing objectives and requirements? • Do those objectives meet/exceed the minimum specifications given in the test objectives and requirements of the documented corporate testing criteria? • Has an emergency notification test been performed within the year? • Did the test include the use of an automated notification system?
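The checklist item on the emergency notification test, together with the earlier Recovery Team Alert List slide (contact data that changes often and must be re-verified), is the one place in an exercise program where a small script earns its keep. The following Python example is added here and is not from the presentation or from Marsh: it models an alert list as a call tree, flags entries that have not been re-verified within a year, and simulates a notification drill that records when each team member was reached, who could not be contacted, and how the caller escalates past an absent leader so the branch below is still notified. All names, numbers, verification ages, the 90-second dial time and the set of numbers that "answered" are constructed for the illustration.

```python
"""Alert-list drill simulator (constructed example, not from the presentation).

Models a recovery-team alert list as a call tree, flags entries that have
not been re-verified within a year, and runs a notification drill that
records when each member was reached and who could not be contacted.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Member:
    name: str
    role: str
    primary: str                  # constructed phone number, not a real one
    alternate: Optional[str]      # backup contact, None if the list has none
    last_verified_days: int       # days since the member confirmed this entry
    calls: list[str] = field(default_factory=list)  # who this member notifies


# Constructed alert list: names, roles, numbers and ages are invented.
ALERT_LIST = [
    Member("BC Coordinator", "coordinator", "+1-555-0100", "+1-555-0110", 30,
           ["IT Recovery Lead", "Facilities Lead", "Comms Lead"]),
    Member("IT Recovery Lead", "team leader", "+1-555-0101", "+1-555-0111", 400,
           ["DBA", "Network Engineer"]),
    Member("Facilities Lead", "team leader", "+1-555-0102", None, 200,
           ["Security Officer"]),
    Member("Comms Lead", "team leader", "+1-555-0103", "+1-555-0113", 10),
    Member("DBA", "team member", "+1-555-0104", "+1-555-0114", 370),
    Member("Network Engineer", "team member", "+1-555-0105", None, 45),
    Member("Security Officer", "team member", "+1-555-0106", "+1-555-0116", 90),
]

# Constructed drill outcome: the numbers that actually answered during the test.
REACHABLE = {"+1-555-0111", "+1-555-0103", "+1-555-0104",
             "+1-555-0105", "+1-555-0116"}


def stale_entries(alert_list: list[Member], max_age_days: int = 365) -> list[Member]:
    """Entries not re-verified within max_age_days (the 'is the data up to date?' item)."""
    return [m for m in alert_list if m.last_verified_days > max_age_days]


def run_drill(alert_list: list[Member], root: str, reachable: set[str],
              dial_seconds: int = 90) -> dict:
    """Simulate a call-tree notification drill starting from `root`.

    Each caller works through their list in order; every attempt costs
    dial_seconds. A member whose primary number fails is tried on the
    alternate; if both fail, the member is logged as unreached and the
    caller escalates by taking over that member's own call list, so the
    branch below an absent leader is still notified.
    """
    members = {m.name: m for m in alert_list}
    reached_at: dict[str, int] = {root: 0}   # seconds after drill start
    unreached: list[str] = []
    queue = deque([root])
    while queue:
        caller = queue.popleft()
        clock = reached_at[caller]
        targets = list(members[caller].calls)
        i = 0
        while i < len(targets):
            callee = members[targets[i]]
            i += 1
            if callee.name in reached_at or callee.name in unreached:
                continue                       # guard against list errors (loops, duplicates)
            clock += dial_seconds
            if callee.primary in reachable:
                reached_at[callee.name] = clock
                queue.append(callee.name)
                continue
            if callee.alternate is not None:
                clock += dial_seconds
                if callee.alternate in reachable:
                    reached_at[callee.name] = clock
                    queue.append(callee.name)
                    continue
            unreached.append(callee.name)
            targets.extend(callee.calls)       # escalation: caller absorbs the branch
    return {
        "reached_at": reached_at,
        "unreached": unreached,
        "elapsed_seconds": max(reached_at.values()),
        "coverage": len(reached_at) / len(alert_list),
    }


if __name__ == "__main__":
    for m in stale_entries(ALERT_LIST):
        print(f"STALE: {m.name} last verified {m.last_verified_days} days ago")
    report = run_drill(ALERT_LIST, "BC Coordinator", REACHABLE)
    for name, t in sorted(report["reached_at"].items(), key=lambda kv: kv[1]):
        print(f"{t:5d}s  {name}")
    print("unreached:", report["unreached"])
    print(f"elapsed {report['elapsed_seconds']}s, coverage {report['coverage']:.0%}")
```

With the constructed data the Facilities Lead has no alternate number and is never reached, so the coordinator picks up the Security Officer call and the tree still completes, but only after 540 seconds and at 6 of 7 members; the two entries older than a year show up as stale before the drill starts. Those are exactly the numbers the checklist asks you to record (actual times per activity, action items, follow-up responsibility), and the same structure can be fed from a real alert list export and the acknowledgement log of an automated notification system.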
Exercise Checklists • Exercising checklist – 5 • Has a walkthrough test in which the BC, security, crisis coordinator, team members, and business managers verbally discuss specific steps of the documented recovery procedures been performed within the past year? • Has a complete test — in which every facet of the business continuity, security, and crisis plans is tested together or as logical subsets — been performed within the year? • Has the business performed or participated in a recovery test of its technology infrastructure within the last year? • Have business units participated in a building outage test for all groups in the same building within the last year? • Has the company reviewed the results of the test for all businesses within the building?
Exercise Checklists • Exercising checklist – 6 • Has an outside service provider review — by which the business reviews the recoverability of the outside service provider — been performed within the last year? • Is there a completed annual testing plan summary worksheet that defines the annual plan test in advance? • Does senior management approve the annual testing plan worksheet? • Have test scripts been developed and approved by business units for each test performed? • During the test, are the actual times for performing each activity recorded? • Are test results recorded during the test or review?
Exercise Checklists • Exercising checklist – 7 • Has an individual been designated to record results of the test or review? • Are testing results summarized and reported at least quarterly? • Do quarterly post-testing summary reports include the following: • Objectives that map to annual testing plan worksheet • Actual dates of test/review • Test results • Action items • Follow-up responsibility
Exercise Checklists • Exercising checklist – 8 (last one) • Has a copy of the quarterly post-testing summary report been sent to the appropriate individuals, including internal/external audit functions? • Has the plan been revised and updated in accordance with findings of the review or test? • Has the revised plan, once approved and documented, been scheduled for the next test or review?
Exercise Template • Exercise Template – 1 • Title page • Revision history • Table of contents • Pre-exercise • Exercise planning background • Pre-exercise planning meetings • The exercise • Scope of exercise • Date / time / venue of exercise • Type of exercise • Plan(s) to be exercised • Exercise objectives • The scenario • Setting the stage • Exercise assumptions • Pick the scenario
Exercise Template • Exercise Template – 2 • Develop the script • Basic flow and structure • Role of participants, observers, actors • Instructions to participants • Establish roles • Define A/V support • Communications directory • Messages to participants • The players • Facilitator • Assistant to Facilitator • Exercise design team • Simulation design team (larger exercises) • Evaluators, auditors • Victims, oops, participants
Exercise Template • Exercise Template – 3 • The exercise • Pre-exercise briefing • Conduct exercise • Mid-course pause if needed • Continue until time called • Exercise debriefing • Immediately following exercise • What worked, what didn’t • Lessons learned • What to do next, e.g., update plan • Capture participant responses and compile with other observations
Exercise Template • Exercise Template – 4 • Written report on the exercise • Results • Recommended actions • Evaluations • Participants • All other players • Need for additional training • Other actions
Exercise Template • Exercise Schedule • Four (4) weeks prior to exercise • Design Team meets one hour per week • 1 day prior to exercise: • 1 hour meeting – Simulation Team Orientation • 1 hour meeting – Assistant Orientation • 1 hour meeting – Evaluators Orientation • Day of exercise • 9:00 AM Exercise participant orientation • 9:30 AM Exercise • 11:30 AM Break and buffet lunch • 11:45 AM Lunch and debrief • 1:00 PM Exercise complete
Awareness and Training • Awareness programs • Senior management “push” • Human Resources “push” • Department briefings • Hazard fairs • Bulletin boards • E-mail / voice mail • Paycheck inserts • New employee orientation • Lunch room briefings • Major company meetings
Awareness and Training • Training programs • Senior management participation • In-house programs • External training firms, consultants • Local authorities, e.g., police, fire, EMS • Certification, e.g., Red Cross, CPR • Emergency response training • Team member training • Cross-training
Exercising, Awareness and Training According to the Industry Standards
Exercising, Awareness and Training According to Industry Standards • NFPA 1600; Standard on Disaster/Emergency Management and Business Continuity Programs – 2007 • Exercising, A&T recommended; no details on process • DRII / DRJ Generally Accepted Principles for Business Continuity Management – 2005 • Exercising, A&T recommended; some details on process • NIST SP 800-34: Contingency Planning Guide for Information Technology (IT) Systems – 2002 • Exercising, A&T recommended; no details on process • Continuity of Operations (COOP) Plans • Exercising, A&T recommended; no details on process
Exercising, Awareness and Training According to Industry Standards • NASD Rules 3510 (Clearing Firms) and 3520 (All Firms) – 2004; NYSE Rule 446 – 2003 • Exercising, A&T recommended; no details on process • Federal Financial Institutions Examination Council (FFIEC) Examination Handbook, Corporate Contingency Planning – 1996, 2003 • Exercising, A&T recommended; no details on process • Financial Services Technology Consortium Resilience Maturity Model (RMM) • Exercising, A&T recommended; no details on process • National Credit Union Administration (NCUA) Letter 01-CU-21 Contingency Plan Best Practices • Exercising, A&T recommended; no details on process
Exercising, Awareness and Training According to Industry Standards • British Standard BS 25999 Part 1 • Exercising, A&T recommended; no details on process • Business Continuity Institute (BCI) Good Practice Guidelines – 2007 edition • Exercising, A&T recommended; some details on process • Bank of Thailand Guideline on Business Continuity Management • Exercising, A&T recommended; no details on process • Standards Australia / New Zealand HB 292/293 • Exercising, A&T recommended; some details on process
Summary “The Big Dozen” • Test, don’t guess • Define exercise objectives, parameters, activities • Identify participants, observers, auditors • Build realistic scenarios, scripts, A/V support • Conduct a table-top first • Coordinate with internal and external organizations • Arrange awareness and training activities • Conduct post-exercise debriefing • Use results to update plans • Conduct follow-up exercises as needed • Brief management on results • Schedule on annual (or more frequent) basis Thank you…