
Before Disaster Strikes Managing your Business Risks in the 21st Century


Presentation Transcript

  1. Before Disaster Strikes: Managing your Business Risks in the 21st Century
     David “Mike” Hager, Enterprise Security Advisor

  2. Sometimes Things Do Go Wrong!

  3. Our Threats Today Include
     • A belief on the part of senior management that there are no serious threats directed at their company.
     • Terrorist acts
     • Natural disasters
     • Criminal acts
     • Network attacks
     • Inside attacks
     • Outside attacks
     • Viruses

  4. September 11, 2001

  5. Interesting Statistics
     • General Internet attack trends are showing a 64% annual rate of growth.
     • The average company experienced 32 attacks per week over the past 6 months.
     • Two out of five companies that are hit by a disaster go out of business within 5 years.
     • A Gartner report indicates that the average cost of network downtime is $42,000 per hour.
     • More large-scale disasters that affected business continuity have occurred over the past 5 years than at any time in recent history.

  6. The 10 Top Management Errors in Addressing Business Continuity
     10. Believe Information Security and Disaster Recovery are important issues, but believe they are important issues for someone else to handle. – IT does that, right?
     9. Pretend the problem will go away if they simply ignore it. – IT does that, right?
     8. Use technology as a fix and not a solution.
     7. Fail to realize the value of their information and organizational reputations.
     6. Believe that “it” will never happen to them!

  7. The 10 Top Management Errors in Addressing Security Threats
     5. Fail to understand the relationship between Business Continuity Planning and Disaster Recovery and their business.
     4. Believe Business Continuity and Disaster Recovery are solely an IT issue.
     3. Build recovery strategies without business involvement.
     2. Look at Business Continuity and Disaster Recovery as an expense, not an investment.
     1. Fail to fully design, develop and implement a corporate-wide Business Resumption Strategy.

  8. Where Do You Begin? You begin by identifying what to protect. If you don’t know what to protect, how do you know how to protect it? Without knowing what to protect, you end up either over-protecting or under-protecting your valuable, critical and sensitive information, neither of which “is a good thing.”

  9. “Everyone thinks they know what they have on their networks, but most really don’t.” Mike Hager, Enterprise Security Advisor, Unisys Corporation, CSO Magazine Feb 2004

  10. Lessons learned since 9/11: What Worked
     • Recovery plans were developed for critical IT systems but not for critical business functions
     • IT staff members were trained on how to recover systems - most business employees did not know where to go or what to do
     • Tape backups were taken and stored off site
     • Hot sites in many cases were established for IT recovery – on 9/11 no one could fly to get to them
     • 800 numbers were established for informational purposes, but most employees did not know what they were

  11. Lessons learned since 9/11: What Did Not Work
     • Very little was documented concerning critical business functions
     • Most companies did not know what systems they had on their network
     • Most companies did not know what equipment they had and were not able to account for what needed to be replaced
     • Crisis Management Plans were not in place
     • Communications capability was poor - in some cases it took days to account for all people
     • Critical documents and vital records were not in electronic form and were lost
     • Training of employees on their roles was almost non-existent

  12. Lessons learned since 9/11: What Did Not Work
     • Business and IT had separate agendas and concepts of what “Recovered” meant
     • Plans for meeting the RTO were IT-based, not business-based
     • Alternate facilities were not identified prior to the disaster
     • Minimum alternate facility requirements for the first 30 – 60 – 90 days were not developed by most companies

  13. Key Elements of a Business Continuity and Disaster Recovery Program
     • Appoint a knowledgeable, senior leader to oversee the development of a Business Recovery Strategy for your company/organization
     • Have current Business Impact Analysis (BIA) data (not more than 2 years old)
     • Identification of all Mission Critical Activities (MCA) and Mission Critical Systems (MCS: IT applications and systems)
     • Based on BIA data, identification of the Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
     • Identification of gaps in recovery capability against the business-identified RTO and RPO
     • Development of a strategy and project costs to have the capability of recovering all Mission Critical Activities (MCA) and Mission Critical Systems (MCS) within the established RTO and RPO

  14. Key Elements of a Business Continuity and Disaster Recovery Program
     • Development and publication of detailed plans for recovery of all MCA and MCS within the company that cover the entire Protection Triad. Plans include:
       • Corporate Response Plan
       • Crisis Management Plan (can be part of the Response Plan)
       • Detailed recovery plans for each critical business function (MCA)
       • Detailed recovery plan for each critical IT system (MCS)
       • Education and training plans
       • Testing plans and schedule for each MCA and MCS
     • Conduct actual testing of the plans
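The gap-identification step in slide 13 (compare what the BIA says the business needs against what recovery testing shows is actually achievable) is mechanical enough to put in code. The following is an added example, not part of the presentation or of any Unisys material: it takes a constructed inventory of Mission Critical Activities with their BIA-derived RTO/RPO, the recovery time measured in the last plan test, the backup interval (which bounds the achievable RPO), and the BIA date, and flags each MCA whose recovery capability misses its RTO or RPO or whose BIA data is older than the two-year limit the slide sets. All activity names, figures and the assessment date are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date

# Slide 13: BIA data should be "not more than 2 years old".
MAX_BIA_AGE_DAYS = 2 * 365


@dataclass(frozen=True)
class MissionCriticalActivity:
    """One MCA with its BIA objectives and its currently demonstrated capability."""
    name: str
    rto_hours: float                 # Recovery Time Objective from the BIA
    rpo_hours: float                 # Recovery Point Objective from the BIA
    tested_recovery_hours: float     # wall-clock time measured in the last plan test
    backup_interval_hours: float     # achievable RPO is bounded by how often data is captured
    bia_date: date                   # when the BIA for this activity was last completed


def analyze_gaps(activities, assessment_date):
    """Return {activity name: [gap codes]} for every MCA that misses an objective.

    RTO_GAP   - last test took longer than the business-stated RTO
    RPO_GAP   - backups are taken less often than the business-stated RPO allows
    BIA_STALE - BIA data is older than MAX_BIA_AGE_DAYS and must be refreshed
    Activities with no gaps are omitted from the result.
    """
    findings = {}
    for mca in activities:
        codes = []
        if mca.tested_recovery_hours > mca.rto_hours:
            codes.append("RTO_GAP")
        if mca.backup_interval_hours > mca.rpo_hours:
            codes.append("RPO_GAP")
        if (assessment_date - mca.bia_date).days > MAX_BIA_AGE_DAYS:
            codes.append("BIA_STALE")
        if codes:
            findings[mca.name] = codes
    return findings


def gap_report(activities, assessment_date):
    """Human-readable lines for the recovery strategy discussion (slide 13, last bullet)."""
    lines = []
    for mca in activities:
        codes = analyze_gaps([mca], assessment_date).get(mca.name, [])
        if not codes:
            lines.append(f"{mca.name}: within RTO/RPO, BIA current")
            continue
        detail = []
        if "RTO_GAP" in codes:
            detail.append(f"recovers in {mca.tested_recovery_hours:g}h vs RTO {mca.rto_hours:g}h")
        if "RPO_GAP" in codes:
            detail.append(f"backup every {mca.backup_interval_hours:g}h vs RPO {mca.rpo_hours:g}h")
        if "BIA_STALE" in codes:
            detail.append(f"BIA dated {mca.bia_date.isoformat()} is over 2 years old")
        lines.append(f"{mca.name}: " + "; ".join(detail))
    return lines


# Constructed sample inventory (hypothetical activities and figures).
ASSESSMENT_DATE = date(2004, 2, 15)
SAMPLE_ACTIVITIES = [
    MissionCriticalActivity("Order processing", rto_hours=4, rpo_hours=1,
                            tested_recovery_hours=6, backup_interval_hours=24,
                            bia_date=date(2003, 6, 1)),
    MissionCriticalActivity("Payroll", rto_hours=72, rpo_hours=24,
                            tested_recovery_hours=48, backup_interval_hours=24,
                            bia_date=date(2001, 5, 1)),
    MissionCriticalActivity("Email", rto_hours=24, rpo_hours=8,
                            tested_recovery_hours=12, backup_interval_hours=4,
                            bia_date=date(2003, 9, 1)),
]

if __name__ == "__main__":
    for line in gap_report(SAMPLE_ACTIVITIES, ASSESSMENT_DATE):
        print(line)
```

Running it flags the order-processing activity on both objectives (a daily tape cycle cannot meet a one-hour RPO, and the last test overran the four-hour RTO) and flags payroll only for a stale BIA; email passes. The point the slide makes, that the objectives come from the business and the gaps are measured against tested capability rather than assumed capability, is what the `tested_recovery_hours` field forces you to supply.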

  15. Protection Triad: People, Facilities, Technology

  16. REMEMBER: When it comes to addressing our Business Risks, we never plan to fail, we just fail to plan!

  17. Managing the Risks: The world has changed dramatically since September 11th. Terrorist acts around the world and major natural disasters have shown that we live in a dangerous time. It is critical that we take a proactive approach to mitigating these risks. This is not an easy job. It requires an approach that addresses all risks, not just a few, and it requires support at all levels within the company.

  18. Questions?
