Achieving Enterprise Resilience And Corporate Certification
Achieving Enterprise Resiliency and Corporate CertificationRelease Date: 2/2/2012AchievingEnterprise ResilienceandCorporate CertificationbyCombining Recovery Operations through aCommon Recovery Language and Recovery Tools,While adhering toDomestic and International Certification StandardsCreated by:Thomas Bronack, CBCPBronackt@dcag.comPhone: (718) 591-5553Cell: (917) 673-6992 Thomas BronackPage: 1Created by: Thomas Bronack
Achieving Enterprise Resiliency and Corporate CertificationRelease Date: 2/2/2012Table of ContentsOverview of the Enterprise Information Technology Environment . 3Systems Development Life Cycle (SDLC), components and flow . 4Migrating products / services to the Production Environment . 5Job Documentation Requirements and Forms Automation . 6Information Security Management System (ISO 27000) . 7Problem Management and Circumvention Techniques . 8Help Desk / Contingency Command Center Operations . 9The Potential Risks and Threats facing a Corporation . 10Laws and Regulations Justifying the Need for a Recovery Plan . 11Why Implement Enterprise Resiliency and Corporate Certification? . 12The Goal of Combining Recovery Operations . 13What is Enterprise Resiliency? . 14What is Emergency Management and Corporate Certification? . 15Business Continuity Management Disciplines and Integration . 16Risk Management via CERT Resilience Management Model (RMM). 17Crisis Management, to Respond to / Control Disaster Events. 18NYS Workplace Violence Prevention Act . 19The Costs of Workplace Violence . 20Target Emergency Response Environment (Logical Overview) . 21Emergency Management overview and components . 22Emergency Management Planning Team Interfaces . 23Emergency Management Operations Environment . 24Emergency Management Environmental Interfaces and Tools . 25Enterprise Resiliency must be built upon a Solid Foundation . 26Coso Risk Assessment Philosophy . 27CobIT Family of Products - Executive Overview . 28CobIT Framework – Detailed Operations . 29ITIL Framework - Automated Forms Management and Control . 30Compliance Laws pertaining to Data Protection - Overview . 31Graham, Leach, Bliley Act (GLB) . 32HIPPA . 33Sarbanes Oxley Act (SOX) . 34Patriot Act . 35EPA Superfund Act . 36Basel II - Overview . 37Business Continuity Conversion and Integration . 38Fully Integrated Recovery Operations and Disciplines (End Goal) . 39How to get started . 40 Thomas BronackPage: 2Created by: Thomas Bronack
Achieving Enterprise Resiliency and Corporate CertificationRelease Date: 2/2/2012Overview of the Enterprise Information Technology EnvironmentRemoteTape / DataVaultLocalTape / DataVaultLocalTape / DataVaultCloudComputingSequence of events:1. Applications are: Developed; Tested; reviewed by Quality Assurance; migrated to ProductionAcceptance where their components are placed in appropriate libraries; renamed to adhere toProduction standards; and protected through IT Security, Encryption, and Library Management(including local and remote vaulting). Components are then Migrated to the ProductionEnvironment for desired scheduling and operations.2. Real Time Electronic and Periodic Incremental Data Backups are used to protect andsynchronize data across environments, while supporting automated load balancing andrecovery Failover procedures.3. The Primary Site can be recovered at the Secondary Site (Company Owned) or Recovery Site(Vendor Owned) depending on your companies desired recovery approach. Thomas BronackPage: 3Created by: Thomas Bronack
Achieving Enterprise Resiliency and Corporate CertificationRelease Date: 2/2/2012Systems Development Life Cycle (SDLC), components and flowSteps involved with implementing Production Products and Services:1. User defines Product / Service Requirements that are built by Development;2. Testing insures proper operations, error identification and reporting, and error recovery;3. Quality Assurance insures adherence to Standards and Procedures and company guidelines;4. Production Acceptance moves new Product / Service into the Production Environment so thatits components can be protected, named properly, and in compliance with audit and industryregulations;5. Production implements security, vital records management, data synchronization andencryption, backup and recovery operations, support, and maintenance; and,6. Recovery Operations are implemented to protect and safeguard IT and Business Locations. Thomas BronackPage: 4Created by: Thomas Bronack
Achieving Enterprise Resiliency and Corporate CertificationRelease Date: 2/2/2012Migrating products / services to the Production EnvironmentQuality Assurance and SDLC CheckpointsInterfaces between Applications, QA, and Production vice Form and results fromAssessmentChange and Release Notes.Application Group Testing ResultsTest Scenarios and ScriptsMessages, Codes, and RecoveriesData for Regression and CP#1Error LoopReturntoSubmitterTesting and QATurnover Package ComponentsNoSuccessfulYesAPPLICATIONS GROUPCreate stedWorkCP#3Error rAcceptanceTestingSubmit toProductionAcceptanceQUALITY ASSURANCE GroupQA ReviewAndAcceptPRODUCTION ACCEPTANCETurnover Package Components:Explanation and Narrative;Files to be released;Predecessor Scheduling;Special Instructions;Risk Analysis;Vital Records Management; andIT Security and Authorizations.Product / Service Turnover Process:1. Client completes a Service Request that is submitted to a Technical and Business review;2. Checkpoint #1 is used to review findings and make Build / Buy decision and strategy;3. Development of Product / Service is completed and successfully Tested;4. Turnover Package is submitted from Testing to QA for Review and Acceptance;5. The Work Request is reviewed at Checkpoint #2 to determine go / no-go for performing WorkRequest;6. Requested work is performed and completed;7. A Post Mortem is performed to review success of Work Request during Checkpoint #3meeting;8. If Work Request fails it is returned to submitter, otherwise it moves to User Acceptance; and,9. A Production Turnover Package is generated and submitted to Production Acceptance. Thomas BronackPage: 5Created by: Thomas Bronack
Achieving Enterprise Resiliency and Corporate CertificationRelease Date: 2/2/2012Job Documentation Requirements and Forms AutomationMain Documentation MenuSub-Documentation MenusProduct / Service Documentation:1. Requestor / Owner defines Usage, Development, Operations, and Maintenance Requirements;2. Approval to Build or Buy product / service;3. Testing of Data Sensitivity and Access Controls through IT Security Management System;4. Data Synchronization and Vital Records Management;5. Backup and Recovery via Local and Remote Vaulting;6. Full Range of Recovery Plans (Emergency, Disaster, Business, Workplace, Risk, etc.);7. Production Acceptance instructions to set-up Product / Service for Processing;8. Implement components into proper libraries and insure naming conventions are met;9. Successful Completion Messages and Output Balancing instructions;10. Error Messages and Codes, Circumventions and Recoveries, and Support Personnel; and,11. Recovery Plans, Locations, and Travel Procedures. Thomas BronackPage: 6Created by: Thomas Bronack
Achieving Enterprise Resiliency and Corporate CertificationRelease Date: 2/2/2012Information Security Management System (ISO 27000)ISO 2700 Overview and SectionsISO 27000Overview and VocabularyProvides background, terms and definitions applicable to the ISMS Family of StandardsISO 27006Certification BodyRequirementsISO 27001RequirementsISO 27002Code of PracticeISO 27007Audit GuidelinesISO 27003ImplementationGuidanceISO 27005Risk ManagementISO 27004MeasurementsISO 27799Health OrganizationsKey:ISO 27011TelecommunicationsOrganizationsNormative (Requirements)StandardsInformative (Guidelines)StandardFixed Line:SupportsThe Information Security Management System was developed as a guideline to assist organizationsimplement a state-of-the-art security system that would protect information, adhere to all compliancerequirements, and establish data management guidelines for best utilizing and protecting information.It consists of four sections (Terminology, General Requirements, General Guidelines, and SectorSpecific Guidelines) and contains ten modules, which are:1.2.3.4.5.6.7.8.9.ISO 27000 – Overview and Vocabulary;ISO 27001 – Requirements definitions and guidelines;ISO 27002 – Code of Practices document and guidelines;ISO 27003 – Implementation Guidelines;ISO 27004 - Measurements guidelines and practices;ISO 27005 – Risk Management guidelines and practices;ISO 27006 – Audit Guidelines;ISO 27799 – Health Organization guidelines and practices; and,ISO 27011 – Telecommunications Organizations guidelines and procedures. Thomas BronackPage: 7Created by: Thomas Bronack
Achieving Enterprise Resiliency and Corporate CertificationRelease Date: 2/2/2012Problem Management and Circumvention TechniquesThe entire Problem Life Cycle is documented above with its ten stages from Symptom Analysisthrough routing / escalation, tracking, resolution, and the updating of documentation and proceduresresulting from a Post Mortem review. Circumventions and Recovery Plans can be updated as aresult of a Post-Mortem review.Tools and products used to sense, analyze, define, and respond to problems are shown. ProblemCircumventions should be performed before reporting incidents to include their success / failure in theproblem report. Most, if not all, of these functions are performed within ITIL in today’s environments.Support Levels and Escalation:1. Level 1 – Analysis performed by Help Desk primary personnel based on a past occurrence ofreported problem (high 90%);2. Level 2 – In-house people responsible for supporting the failing component are notified andasked for problem resolution assistance; and,3. Level 3 – Problem is escalated to Vendor responsible for the failing component. Thomas BronackPage: 8Created by: Thomas Bronack
Achieving Enterprise Resiliency and Corporate CertificationRelease Date: 2/2/2012Help Desk / Contingency Command Center OperationsHelp Desk procedures related to Recovery Operations1. A disaster occurs as the result of a problem, and a problem is defined as a deviation fromstandards, so it is imperative that solid standards and procedures are developed, tested,maintained, and followed by staff and management to reduce disaster events.2. When problems occur they are reported to the “Help Desk” whose personnel search theproblem data base to see if this is a reoccurrence of a previously experienced problem (high90% reoccurrence rate is normal).3. Usually when a problem arises, there are circumvention procedures to follow that will restore /recover and reinitiate / restart the failing operation before problem reporting is performed;4. Other times the problem is the result of a disaster event. When this occurs, the Help Deskattendant relates the problem to a recovery plan. He/she then activates the Recovery Plan byinitiating a related “Call Tree” which notifies the Recovery Coordinator of the event. and,5. The Contingency Recovery Coordinator notifies the “Situation Manager” responsible for thearea affected by the disaster event. He/she then notifies recovery teams and they commencerecovery operations in accordance to the recovery plan. Thomas BronackPage: 9Created by: Thomas Bronack
Achieving Enterprise Resiliency and Corporate CertificationRelease Date: 2/2/2012The Potential Risks and Threats facing a Corporation Thomas BronackPage: 10Created by: Thomas Bronack
Achieving Enterprise Resiliency and Corporate CertificationRelease Date: 2/2/2012Laws and Regulations Justifying the Need for a Recovery PlanRecovery Planning became a requirement when OCC-177 was issued by the Office of theController of the Currency. It was part of the Foreign Corrupt Practices Act that was formulatedwhen Boeing said its financial records for a Korean deal were destroyed. Further regulationswere later formulated to protect financial and compliance data from being illegally accessed ordestroyed via Information Technology or Paper Document storage techniques. Because ofcurrent financial system problems and illegal business practices new laws and regulations havebeen, or are in the process of being, formulated.Current trends are moving Recovery Planning towards Enterprise Resiliency and CorporateCertification that utilize “Best Practices” to achieve overall Recovery Operations via commontools and a common language to protect the entire organization world-wide. EnterpriseResiliency integrates Recovery Operations closer to the everyday tasks performed by personneland internal control systems like SDLC, ITIL, Incident Management, and Change Management, areused to assist in this endeavor. Thomas BronackPage: 11Created by: Thomas Bronack
Achieving Enterprise Resiliency and Corporate CertificationRelease Date: 2/2/2012Why Implement Enterprise Resiliency and Corporate Certification?The ProblemCoordinating Recovery Operations for all disciplines;Better safeguard personnel, clients, suppliers, and business operations;Improving problem response times and reducing outage times;Developing a common Recovery Language and Toolset throughout the enterprise;Adhering to Compliance requirements;Insuring clients and suppliers that recovery operations are optimized;Complying with Domestic and International Recovery Guidelines; andGaining Corporate Certification for Recovery Operation.The Solution:Develop Enterprise Resiliency Operation, including:Emergency and Risk Management;Business Continuity / Disaster Recovery Management / Crisis Management; and,Workplace Violence Prevention.Gain Corporate Certification by adhering to industry guidelines, including:BS 25999 / ISO 22301 (international);Private Sector Preparedness Act (domestic);National Fire Prevention Association 1600;Certification Firms / Organizations to verify compliance and recovery practices; and,Certify Recovery Personnel via DRII or BCI training / testing.Use Best Practices to achieve goals, including:COSO;CobIT;ITIL;ISO 27000;Six Sigma; and,FFIEC.Integrating Enterprise Resiliency throughout the Corporation, including;Business Operations, Client Support, and Supplier Support;System Development Life Cycle, Change Management, and FunctionalResponsibilities;Resiliency Documentation, Awareness, and Training;Functional Responsibilities, Job Descriptions, Standards and Procedures Manual; and,Corporate-Wide Compliance and Recovery Operations. Thomas BronackPage: 12Created by: Thomas Bronack
Achieving Enterprise Resiliency and Corporate CertificationRelease Date: 2/2/2012The Goal of Combining Recovery Operations Thomas BronackPage: 13Created by: Thomas Bronack
Achieving Enterprise Resiliency and Corporate CertificationRelease Date: 2/2/2012What is Enterprise Resiliency?EnterpriseResiliencyEmergency OperationsCenter ntWork PlaceViolencePreventionRiskManagementThe goal of Enterprise Resiliency is to combine the four recovery disciplines ofEmergency Management, Business Continuity Management, Workplace ViolencePrevention, and Risk Management into a cohesive recovery management discipline witha common language and common tools. By following this path, Recovery Personnel willlearn all recovery disciplines making them better able to identify and respond to disasterevents by utilizing the common language, tools, and a common set of Standards andProcedures (optimized Communications).The Road to Enterprise Resiliency Includes (steps to follow):1. Define Risks (Natural, Man-Made, Use CERT RMM and COSO for direction);2. Determine Compliance Requirements (see GLB, HIPPA, SOX, Patriot Act, EPASuperfund, etc.);3. Use Best Practices tools and processes (COBIT, ITIL);4. Understand Corporate Certification Guidelines (DRII, BCI);5. Locate Certification Firms / Organizations (Training the Trainers is in process now);6. Develop a Business Plan and create a Management Commitment within Project InitiationDirective defining Scope and Commitment;7. Perform Risk Assessment / BIA to define current Risks their costs and your ability tomitigate Gaps and Exceptions;8. Build Business Recovery Plans for offices and business locations;9. Build Disaster Recovery Plans for data centers and IT Infrastructure;10. Build Emergency Recovery Plans to protect against Fire, Floods, Physical Protection,and First Responder;11. Build Workplace Violence Prevention Plans to protect locations and personnel;12. Defined Functional Responsibilities to determine what
ISO 27002 Code of Practice ISO 27003 Implementation Guidance ISO 27004 Measurements ISO 27007 Audit Guidelines ISO 27005 Risk Management ISO 27011 Telecommunications Organizations ISO 27799 Health Organizations Normative (Requirements) Standards Informative (Guidelines) Standard Fixed Line: Supports Key: ISO 2700 Overview and Sections
FRM:SG2.SP2 Establish Resilience Budgets FRM:SG2.SP3 Resolve Funding Gaps FRM:SG3 Fund Resilience Activities FRM:SG3.SP1 Fund Resilience Activities FRM:SG4 Account for Resilience Activities ; FRM:SG4.SP1 Track and Document Costs FRM:SG4.SP2 Perform Cost and Performance Analysis FRM:SG5 Optimize Resilience Expenditures and Investments
Jan 27, 2021 · Plan for Resilience, Workplace Edition Robertson Cooper Resilience Model How to Build Resilience Skills in the Workplace 30 Ways to Build Workplace Resilience Five Key Stress Resilience Skills 6 unconventional ways to build focus, resilie
The "Resilience and Climate Smart Agriculture" section of this guide suggests a working definition and roadmap for measuring climate resilience in smallholder supply chains. The "Guiding Steps" section recommends common climate resilience approaches to measuring risk and resilience at the smallholder farmer and farmer
2.2 Global and UK action for building ocean resilience and recovery 18 2.3 Environmental impacts and trends on UK seas 19 2.4 The concept of resilience 20 2.5 Defining marine resilience 22 2.6 The mechanics of ecosystem resilience 24 3. Building resilient ecosystems in W
NATURAL HAZARDS RESILIENCE North Carolina Office of Recovery and Resiliency March 2020 4 resilient. Resilience champions within a community are much more effective than resilience champions from outside a community who are less likely to know the people and place as well as those who live and work there. Incorporating Resilience Today
resilience in social policy to resilience in two other fields (security and development). It finds, first, that resilience is implicated in the depoliticisation of risk. This follows from the argument of critics of resilience that it functions to render power structures invisible re-cast suffering as inevitable,
Resilience and strengthening resilience in individuals January 2011 www.mas.org.uk www.orghealth.co.uk 0845 833 1597/01242 241882 Page 9 Who am I? ‐ Personal features We are driven by the need to survive. Resilience
Resilience Reimagined Greenhouse labs the future transformed 3 Resilience Reimagined Strengthening your resilience to achieve enduring success Now is an opportunity to reimagine resilience: COVID-19 will have shown where you have resilience and where there are vulnerabilities; now is the time to consider what changes you
