Abstract - PowerPoint PPT Presentation

Slides: 61
Provided by: alango
Transcript and Presenter's Notes

Title: Abstract


1
Abstract
  • It has been suggested in some reports that as many as 162 million records of personal data were compromised in 2007, up 230% on the previous year. Depending on your point of view this is an astonishing achievement, and it gives much-needed succour and encouragement to those who seek profit from pitiful information management.

2
Captain, the presentation has started. May I remind you to switch off your communicator!
Mr Spock, have the audience beamed aboard the Starship Enterprise.
3
Operational Risk, Business Continuity Management, Information Assurance: how do we glue it all together to make our organisations more resilient?
Welcome!
  • James Royds DMS MBA FBCI FCMI
  • james.royds@socitm.gov.uk
  • +44 (0) 7768 661336

4
Today's Presenter
  • Director of the Business Continuity Institute
    (BCI)
  • Fellow of BCI and Chartered Management Institute
  • 25 years in business, working exclusively in the
    risk industry delivering operational risk and
    Business Continuity solutions since 1996
  • BDC Consultant for BCM with SOCITM
  • BCM Associate Consultant with Hewlett Packard
  • BCI Awards winner 2004, finalist 2005, finalist
    2008
  • Regular conference speaker Belfast 2007/2008

  • It's good to be back.

5
The big picture
  • Paradigm shift? You must judge!
  • Appealing to your head and your heart
  • Raising the spectre of information as the
    strategic resource of first choice in OR, BCM and
    IA
  • Promoting Intangible Relevance
  • Strategic engagement: your Boards MUST engage with this and get the joke!
  • Risk strategy and its effect and influence on
    your operations

6
Why this matters 1
  • Critical Infrastructure Protection (CIP) and
    Critical Information Infrastructure Protection
    (CIIP) are about defending the corporate realm.
  • CIIP is paramount and needs to be resilient.
  • CIP is national, CIIP is international (borderless); both are central to our way of life.
  • There is no current national strategy to defend
    these infrastructures (Cf. UK National Security
    Strategy 2008).
  • They matter: Water, Food, Oil, Banking, Public Sector etc. are all dependent on CIIP.

7
Why this matters 2
  • There are no standards as, for example, in the
    petrochemical arena
  • Our enemies use CIIP to both attack us and
    coordinate attacks.
  • They use Asymmetric Warfare and Obstructive
    Marketing techniques and use the export of
    democracy, internet, CIP and CIIP to get back at
    us.
  • Need resilience and a new attitude.

8
Aims and Objectives
  • To help you:
  • understand the principles of OR, BCM and IA
  • understand why and how we need to do all of them
    to protect ourselves
  • apply the principles in your organisations
  • develop your plans if starting fresh
  • improve existing process and plans

9
Themes
  • Defending the Corporate realm
  • The big picture: why all this matters
  • Importance of Information
  • Asymmetry in the Threat Spectrum
  • Intangible Relevance
  • Information Dependency

10
Current Drivers 2008
  • Regulation / Legislation: CCA 2004
  • Government (33)
  • Auditors
  • Corporate Governance / Compliance (60)
  • Insurers
  • Customers (32)
  • Supply Chain
  • Protection of Brand / Reputation

11
Key Research 2007
  • The Power of Information: an independent review by Ed Mayo and Tom Steinberg
  • http://www.cabinetoffice.gov.uk/reports
  • http://www.opsi.gov.uk

12
(No Transcript)
13
Operational Risk
  • The risk of loss that arises from inadequate systems, controls, human error or other management failure that does not relate to strategic, market ... (www.wstonline.com/story/riskManagement/WST20000626S0001)
  • Risk arising from failure of operational processes, internal procedures and controls leading to financial loss. (www.swissre.com/internet/pwswpspr.nsf/alldocbyidkeylu/ABOD-5UCLEM)
  • Risk pertaining to the delivery of services. These would include risks involving human resources, controls and processes. (www.lesrisk.com/glossary.htm)
  • The risk of loss resulting from breakdown in administrative procedures and controls or any aspect of operating procedures. (www.tmac.ca/seminars/financial-risk-glossary.html)
  • The risk that deficiencies in information systems or internal controls will result in unexpected loss. The risk is associated with human error, system failures, inadequate procedures and controls. (www.etpconsulting.co.uk/Business%20Continuity/business-continuity-glossary.htm)
  • The risk run by a firm that its internal practices, policies and systems are not rigorous or sophisticated enough to cope with untoward market conditions or human or technological errors. ... (www.equityderivatives.com/services/education/glossary.php)
  • Operational risk refers to the risk that an error or stoppage in operations could lead to economic loss or reduced credibility. (www.ap2.se/template/Page.aspx)
  • The risk of loss due to system breakdowns, employee fraud or misconduct, errors in models or natural or man-made catastrophes, among other risks. It may also include the risk of loss due to the incomplete or incorrect documentation of trades. ... (www.cmra.com/html/body_glossary.html)
  • Any risk that is not market risk or credit risk related. This includes the risk of loss from events related to technology and infrastructure failure, from business interruptions, from staff related problems and from external events such as regulatory changes. (www.montegodata.co.uk/Educate/Glossary.htm)
  • The risk of losses due to procedural errors or failures in internal control. (www.derivativesdiary.com/glossary.html)
  • According to §644 of International Convergence of Capital Measurement and Capital Standards, known as Basel II, operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. ... (en.wikipedia.org/wiki/Operational_risk)

14
Business Continuity
  • The ability of an organization to continue to function even after a disastrous event, accomplished through the deployment of redundant hardware ... (www.microsoft.com/windowsserversystem/storage/storgloss.mspx)
  • The ability to maintain operations/services in the face of a disruptive event. (www.preparingforemergencies.gov.uk/more_info/glossary.shtm)
  • The degree to which an organization may achieve uninterrupted stability of systems and operational procedures. (www.dmreview.com/rg/resources/glossary.cfm)
  • Procedures to ensure an organisation's ability to continue operating outside of normal operating conditions. (secint33.un.org/unarms/en/unrecordsmgmt/unrecordsresources/glossaryofrecordkp.html)
  • The ability to recover designated critical systems within specified time frames and sequences agreed upon via the use of an off-site recovery capability or other facilities. (www.infosys.com/services/glossary.asp)
  • Term used for all concerns with failure of IT equipment, or the ability to employ it effectively. Items affecting Business Continuity range from loss of power, to floods, terrorist attacks, or anything that causes loss of business. (www.triplexpower.com/glossary.htm)
  • Business Continuity is a progression of disaster recovery, aimed at allowing an organisation to continue functioning after (and ideally, during) a disaster, rather than simply being able to recover after a disaster. (en.wikipedia.org/wiki/Business_continuity)

15
Information Assurance
  • Information operations (IO) that protect and defend information and information systems by ensuring their availability, integrity, authentication ... (www.intelligence.gov/0-glossary.shtml)
  • The protection of systems and information in storage, processing, or transit from unauthorized access or modification, denial of service to unauthorized users, or the provision of service to authorized users. ... (https://ia.gordon.army.mil/iaso/lesson01.htm)
  • Information Assurance (IA) is the science of managing the risks to information assets. More specifically, IA practitioners seek to protect the confidentiality, integrity, and availability of data and their delivery systems, whether the data are in storage, processing, or transit, and whether ... (en.wikipedia.org/wiki/Information_assurance)

16
Business Continuity
  • Business Continuity Management is a holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. (BS 25999-1:2006)

17
Information Assurance
  • Confidentiality: ensuring that information is accessible only to those authorized to have access.
  • Integrity: safeguarding the accuracy and completeness of information and processing methods.
  • Availability: ensuring that authorized users have access to information and associated assets when required.

18
Operational Risk
  • The Basel Committee (2004) defines operational
    risk as the risk of loss resulting from
    inadequate or failed internal processes, people
    and systems, or from external events.
  • The committee indicates that this definition
    includes legal risk but excludes systemic risk
    and reputational risk.

19
(No Transcript)
20
Terminology
Resilience
21
We are at war
22
The Digital Environment
23
How much is an Exabyte?
24
37,000 Libraries of Congress
25
Is our response proportionate?
http://farm1.static.flickr.com/6/86932091_f269fea1fc.jpg
26
How business responds
27
The Conundrum
  • We cannot sustain a wide technological
    advantage over our adversaries in all areas.
    Increased availability of commercial satellites,
    digital communications, and the internet all give
    adversaries new capabilities at a relatively low
    price.

Source: adapted from an idea by Stephen J Black, Sept 2003.
28
An Answer?
  • Our advantage must come from leaders, people,
    doctrine, organization and training that enable
    us to take advantage of ideas, techniques and
    technology to achieve superior effectiveness in
    our decision-making, in our strategic options,
    and (if things go wrong) in the speed and quality
    of our response measures.

Source: adapted from an idea by Stephen J Black, Sept 2003.
29
Information: Strategic Resource
Let's take a quick look at the "T" word
  • Whether enterprise is for profit or not for
    profit, protecting information is an essential
    part of managing information and information
    systems. Modern companies, corporations and
    governments, for their success and survival, are
    dependent upon information - information that is
    created, processed, stored and shared. Yet the
    act of creating, processing, storing and sharing
    information makes it vulnerable to loss,
    manipulation, theft or destruction.

Source: Edward Halibozek
30
(No Transcript)
31
(No Transcript)
32
(No Transcript)
33
(No Transcript)
34
(No Transcript)
35
(No Transcript)
36
So what's really happening?
  • Threats on the increase
  • Viruses, hackers, fraud and espionage
  • Exposure and dependency on the increase
  • IT, networks, communications, technology enablers, less central control, new entry points for intruders
  • Expectations on the increase
  • Stakeholders, managers, business partners, auditors and regulators all demanding more protective measures

37
The Threat Spectrum
38
Conventional Terror
Massive loss of information
39
Digital subversion
1. Access target
2. Obtain root privilege on target
3. Subvert target for later reuse
Target can now be used as an intermediate link.
Massive loss of Data
Q: Is this the right context?
40
Information
  • "Some day, on the corporate balance sheet, there will be an entry which reads 'Information', for in most cases the information is more valuable than the hardware which possess it."
  • Admiral Grace Murray Hopper, United States Navy.

Photo Source: http://www.cacr.math.uwaterloo.ca/conferencesl
41
Organisations
Your organisation Your reputation
42
Information Management
Sign
The total of relevant knowledge is often called intellectual capital. This includes not only knowledge as a single conception, as an individual's personal resource, but also the knowledge of an organization appearing in patents and in company-specific process models and routines. Even culture and customer/supplier relationships belong to intellectual capital.
Source: based on an idea by Thomas Auer, Sept 2003
43
Intellectual Capital
  • "An intangible asset, usually not included on an organization's balance sheet, that is approximately equal in value to the difference between the market capitalization of the company and its tangible (or net asset or book) value."

Source: IT Governance Ltd (2003), Board Briefing on IT Governance, UK
44
Focus on Information
  • Your information is unique to you.
  • Your organizational DNA, your footprint.
  • In times of crisis, your people and processes are all replaceable; information is often not.
  • Information value provides justification for
    integrated / cross-functional planning while
    information is the key to decision making for
    normal operations AND incident management.

45
Information
  • Without information there is no power to decide.
  • Without decisions there is no mandate to act.
  • Without action there is no future.

Information Assurance
46
RELATIONSHIP OF INFORMATION ASSURANCE TO RELATED ACTIVITY
47
[Diagram: the BCM/IA life cycle plotted against a time axis; only the labels survive extraction.]
Life-cycle stages: Review, Incident Management, Analysis, Planning, Conditioning, Respond, Plan, Mitigate, Train, Recover, Resume
HORIZON SCANNING
  • Programme
  • People
  • Processes
  • Premises
  • Providers
  • Profile
  • Performance

Technology, Tests, Personnel Development
RESILIENT Space
Incident Management: Notify, Respond, Assess, Assign, Declare, (Decide), Invoke, Brief, Communicate, Monitor, Close.
EXERCISE
The functions of governance
Trigger
Wider stakeholders / 3rd Parties
Define/select STRATEGY
Dependency Modeling
RISK / THREAT ASSESSMENT
BUSINESS IMPACT ANALYSIS
MITIGATE RISK
Stakeholder Analysis
COMMUNICATE
  • Concurrency
  • Emergency Response
  • Invocation Ops
  • Damaged Site Ops
  • Salvage
  • Prepare Resumption

DOCUMENT
VALIDATE, BENCHMARK, MAINTAIN
REVIEW
Time >
PROGRAM MANAGEMENT
BENCHMARK: BS 25999-1:2006, PAS 77, ISO 27001
48
Combined Effect
  • The development and life-cycle maintenance of
    a series of integrated planning activities,
    response measures and immediate action plans to
    ensure critical business processes, capabilities
    and services can be restored and sustained in
    priority order in the wake of adverse events or
    incidents.

49
What you must do
  • Business Continuity Management:
    • Formulate Business Continuity Policy
    • Allocate roles and responsibilities
    • Educate and train all members of staff
    • Report all incidents
    • Implement Incident Management Team
    • Develop and exercise continuity plans
    • Safeguard intellectual property
    • Store organizational records off site
    • Comply with all regulatory requirements
    • Comply with your BCM plans
  • Information Assurance:
    • Formulate Information Security Policy
    • Allocate roles and responsibilities
    • Educate and train all members of staff
    • Report all security breaches
    • Implement virus and access controls
    • Develop and exercise continuity plans
    • Safeguard proprietary software
    • Store information records off site
    • Comply with all regulatory requirements
    • Comply with your ISM plans

50
Principles
  • Iterative and joint planning process driven by
    dynamic risk and threat assessment
  • Consequences not causes
  • Physical asset dispersion
  • Focus on critical capabilities and information
  • Interoperability, teamwork and mutual support
  • Training, regular exercises and rehearsals
  • Flexible and co-ordinated response measures

51
Critical success factors
  • Support throughout your organisation
  • Appropriate scope
  • Measurable improvements
  • Practical plans, policies, procedures
  • Appropriate tools and techniques
  • Outsourced business partner(s)
  • Formal process management methodology
  • Clearly defined budget
  • Education, awareness, communications

52
Risk Management: identifying and preventing the Causes before they happen.
Business Continuity: dealing with the Consequences after they happen.
53
The show must go on
54
  • "Chance favors only the prepared mind."
  • Louis Pasteur

55
Attitude
http://www.noticebored.com/assets/images/
56
(No Transcript)
57
Conclusions
  • Orientate in the direction of threats
  • Think strategic effects and plan for the
    consequences not the causes
  • Influence Senior Management Decision making
  • Integrate risk disciplines across your
    organisation
  • Flexible plans emphasising the importance of
    decision support material for crisis management

58
Questions?
  • Thank you for listening.
  • james.royds@socitm.gov.uk
  • +44 7768 661336

59
Briefings
  • SOCITM Consulting publishes regular expert
    briefings on areas of current interest, which can
    be emailed to you or downloaded from our website
  • www.socitm.gov.uk/consulting

60
For more information
  • By email: consulting@socitm.gov.uk
  • By phone: 0845 450 0904
  • By fax: 01463 732501
  • By post: Socitm Consulting, PO Box 66, Holyhead LL65 2YB
  • Web: www.socitm.gov.uk/consulting

61
Socitm Consulting: achieving the vision
  • www.socitm.gov.uk/consulting