
Integrating Information Security and Business Continuity Avalution - PowerPoint PPT Presentation



  1. Integrating Information Security and Business Continuity
     Avalution Consulting

  2. Introductions
     Robert Giffin, Managing Director & President, Avalution Consulting

  3. Agenda and Objectives
     • Discuss the importance of coordinating Business Continuity and Information Security
     • Identify ways to integrate these disciplines and concrete ways to start

  4. The Disciplines: Business Continuity | Information Security

  5. Different Approaches: Business Continuity | Information Security

  6. The InfoSec World

  7. Adapting BCM

  8. Raise The Bar
     Table columns: Product / Service | Business Continuity Objective | Current State Capability (the slide also shows a Recovery Rating column whose values are not carried in the text)
     • Perform Customer Support. Objective: Ensure No More Than 4 Hours Downtime with Less Than a 90 Second Wait Time. Current state: 8 Hours, Estimated 4 Minute Wait Time at Recovery.
     • Manufacture Product. Objective: 10 Days Target Safety Stock (offsite), Maintain Contingency Sourcing Agreement Effective within 7 Days. Current state: 1 Day Safety Stock, Contingency Sourcing Agreement with Acme Pending.
     • Process Warranty Claims. Objective: Seamless Failover Between Each Claims Handling Region in the United States – No Claims Downtime. Current state: Claims Failover Process Complete and Demonstrated.
     • Bill Customers. Objective: Restart Bill Generation and Catch Up On All Back Logged Work within 5 Days; Suspend Collection Reminders to Protect Customer Relationship. Current state: Billing Tested and Restarted in 3 Days – Back Log Closed in 4 Days.

  9. Overlapping Objectives

  10. Why Integrate?
     • Coordination during disruptions affecting one or both disciplines
     • Effective and cohesive prioritization across the organization

  11. Integrating Information Security and Business Continuity: How Do We Integrate?

  12. Unify Management Processes
     Build one management framework that governs both disciplines.

  13. Consistent Elements Between 27001 and 22301
     • Policy and procedure expectations
     • Documentation Control
     • Risk Assessment
     • Management Review
     • Internal Audit
     • Corrective Actions

  14. Use a Common Risk Language
     Unify likelihood and impact ratings to effectively prioritize across both disciplines.

  15. Integrate Data Collection
     Information Security Classifications and Business Impact Analysis

  16. BIA: What We Ask
     • What is the impact if information from this system were to be disclosed to the wrong people?
     • What is the impact if information from this system were to be falsified or corrupted?
     • Does this system contain protected health information or personally identifiable information, such as addresses, phone numbers, driver’s license information, etc.?

  17. Coordinated Response Planning
     • Lines of communication and activation criteria are key
     • Take advantage of shared resources and capabilities
     • Often the same decision makers, regardless of incident type
     Diagram: Crisis Management and Communications at the center, linked to Business Continuity, Cyber Security, and Others (Physical Security, Emergency Management, Environmental, etc.)

  18. Coordinated Incident Response Efforts
     Timeline: Incident Occurs → Assessment → Ongoing Incident Management Efforts → Resolution and Return to Normal
     • Assessment: Activation & Escalation Criteria; Activation Process
     • Ongoing Incident Management Efforts: Course of Action Development; Risk Assessment; Expanding or Reducing the Response Effort
     • Resolution and Return to Normal: Stakeholder Communications; Detailed Planning; Reduce Duplication and Inconsistent Messaging; Post Incident Review
     • Avoid Common Pitfalls!

  19. Conclusions
     Business Continuity and Information Security Integration:
     • Leads to a mutually-beneficial relationship
     • Allows the organization to better prioritize risks
     • Can be accomplished through coordinating
       - Management frameworks
       - Data-gathering
       - Incident response efforts

  20. Questions?

  21. Contact Information
     Robert Giffin, Managing Director & President
     robert.giffin@avalution.com
     866.533.0575 | avalution.com | bccatalyst.com
     @Avalution | @Avalution-Consulting | perspectives.avalution.com
