Integrating Information Security and Business Continuity - Avalution - PowerPoint PPT Presentation



SLIDE 1

Avalution Consulting

Integrating Information Security and Business Continuity

SLIDE 2

Introductions

Robert Giffin, Managing Director & President, Avalution Consulting


SLIDE 3

Agenda and Objectives


  • Discuss the importance of coordinating Business Continuity and Information Security
  • Identify ways to integrate these disciplines and concrete ways to start

SLIDE 4

The Disciplines


Information Security Business Continuity

SLIDE 5

Different Approaches


Information Security Business Continuity

SLIDE 6

The InfoSec World


SLIDE 7

Adapting BCM


SLIDE 8

Raise The Bar


Product / Service | Business Continuity Objective | Current State Recovery Capability | Rating
Perform Customer Support | Ensure no more than 4 hours downtime with less than a 90 second wait time | 8 hours, estimated 4 minute wait time at recovery |
Manufacture Product | 10 days target safety stock (offsite); maintain contingency sourcing agreement effective within 7 days | 1 day safety stock; contingency sourcing agreement with Acme pending |
Process Warranty Claims | Seamless failover between each claims handling region in the United States | Claims failover process complete and demonstrated; no downtime |
Bill Customers | Restart bill generation and catch up on all backlogged work within 5 days; suspend collection reminders to protect customer relationship | Billing tested and restarted in 3 days; backlog closed in 4 days |

SLIDE 9

Overlapping Objectives


SLIDE 10

Why Integrate?

  • Coordination during disruptions affecting one or both disciplines
  • Effective and cohesive prioritization across the organization


SLIDE 11

Integrating Information Security and Business Continuity

How Do We Integrate?


SLIDE 12

Unify Management Processes

Build one management framework that governs both disciplines


SLIDE 13

Consistent Elements Between ISO 27001 and ISO 22301

  • Policy and procedure expectations
  • Documentation Control
  • Risk Assessment
  • Management Review
  • Internal Audit
  • Corrective Actions


SLIDE 14

Use a Common Risk Language


Unify likelihood and impact ratings to effectively prioritize across both disciplines

SLIDE 15

Integrate Data Collection

Business Impact Analysis

Information Security Classifications


SLIDE 16

BIA: What We Ask

  • What is the impact if information from this system were to be disclosed to the wrong people?
  • What is the impact if information from this system were to be falsified or corrupted?
  • Does this system contain protected health information or personally identifiable information, such as addresses, phone numbers, driver’s license information, etc.?


SLIDE 17

Coordinated Response Planning

  • Lines of communication and activation criteria are key
  • Take advantage of shared resources and capabilities
  • Often the same decision makers, regardless of incident type

Crisis Management and Communications spans: Business Continuity, Cyber Security, Emergency Management, Others (Physical Security, Environmental, etc.)

SLIDE 18

Coordinated Incident Response Efforts


Incident Occurs
  • Activation & Escalation Criteria
  • Activation Process
  • Avoid Common Pitfalls!

Assessment
  • Course of Action Development
  • Expanding or Reducing the Response Effort

Ongoing Incident Management Efforts
  • Stakeholder Communications
  • Reduce Duplication and Inconsistent Messaging

Resolution and Return to Normal
  • Detailed Planning
  • Risk Assessment
  • Post Incident Review

SLIDE 19

Conclusions

Business Continuity and Information Security Integration:
  • Leads to a mutually beneficial relationship
  • Allows the organization to better prioritize risks
  • Can be accomplished through coordinating:
      • Management frameworks
      • Data gathering
      • Incident response efforts

SLIDE 20

Questions?


SLIDE 21

Contact Information

Robert Giffin, Managing Director & President
robert.giffin@avalution.com

866.533.0575 | avalution.com | bccatalyst.com

@Avalution-Consulting @Avalution

perspectives.avalution.com
