
Continuity & Resilience (CORE)

ISO 22301 BCM Consulting Firm


Presentations by speakers at the
8th ME Business & IT Resilience Summit
March 10, 2019 at The Address Hotel, Dubai Mall, Dubai, UAE

SAMA BCM Framework

8th BC & IT Resilience Summit


March 10, 2019, The Address Hotel, Dubai Mall

Dhiraj Lal
Executive Director
Continuity and Resilience
Abu Dhabi

About Continuity & Resilience (CORE)
Consulting Services (ISO 22301 Certified)
▪ Cyber Security
▪ Business Continuity Management
▪ Crisis Management
▪ IT Disaster Recovery
▪ Information Security
▪ Risk Management

Training Services
▪ NCEMA-developed training (we are trainers for the NCEMA courses at
GCAS, an NCEMA-licensed training entity)
▪ CORE is an approved Global Training Partner of the UK-based Business
Continuity Institute, licensed to conduct BCI trainings anywhere in the
globe

Notification and Automation Tools
CORE acts as an enabler between the partner & client by providing
support for:
• Gathering requirements
• Shortlisting vendors
• Subject matter expertise for tool selection
• Vendor demos
• Tool installation & implementation support for BC, ITDR &
Notification
• Assistance during tool testing
E-learning Development and Deployment
Benefits:
• Higher coverage
• Consistency in communication
• Higher learning retention
• Learn at your own pace, anytime and anywhere
• Latest and most updated courseware always available
• Cost effective as against classroom-based training
• Saves paper, reduces carbon footprint

[Diagram: e-learning course modules, including IT Service Continuity
Management, Business Continuity Management, Crisis Management and
Sustainability]
Consulting
Our Consulting approach

Phase 1: Initial Assessment & Roadmap
• Interview Senior Management
• Documentation Review
• Initial Industry Benchmarking
• Current State Assessment
• Maturity Assessment
• Implementation Review
• Assessment Report
• BCM Program Management Plan

Phase 2: Consulting Assignment Implementation
• Business Impact Analysis
• Risk Assessment
• BC Strategy & Response
• Operationalize the BCMS

Phase 3: Testing & Exercising
• Validation of documented steps

Phase 4: Performance Evaluation & Continual Improvement

Benefits
• Focus on high priority items
• Identify potential threats & take measures to mitigate impact
• Effective & coordinated response during crisis in order to minimize
decision points at the time
• Operationalize the BCMS
• Assurance & long term sustainability
Training
• Cyber Attack/ Crisis Simulation Exercise
• Senior Management Awareness workshops
• ISMS and BCMS coordinators training courses
• BCI Courses – CBCI Certification Workshop, BIA, Writing BC Plans
workshops
• Certification aspirants workshops for CISSP, CISA, CISM and
CRISC
• ISO 27001 Lead Auditor training
• ISO 22301 Lead Implementer/ Auditor training
• ISO 31000 (Risk Management) courses
• IT Disaster Recovery workshop
Training
• NCEMA “official” courses –
✓ 1 day awareness
✓ 5 day Lead Implementer
✓ 5 day Lead auditor
✓ 2 day exercising and Testing
• Cyber Attack/ Crisis Simulation Exercise
• Senior Management Awareness workshops
• Coordinator training courses in ISMS and BCMS
• BCI Courses – CBCI Certification Workshop, BIA, Writing BC Plans
• Lead Auditor training in ISO 27001/ISO 22301
• Certification in Risk Management, IT Disaster Recovery, Crisis Mgt

SAMA Framework
• Is quite explicit about what is to be done
• Mandates many items often left unsaid
• Could well be used by non-banks also – key principles are valid
for any industry
• Can be used as a guidance document for any industry, any
geography, any ownership
• Makes clear that BCM is a senior management responsibility,
typically the board level

Mandate
• SAMA mandates the BCM framework requirements document to
Member Organizations. This document outlines the BCM
requirements to be implemented by the Member Organizations.
• All Member Organizations are required to comply with these
requirements and integrate them formally in their BCM program.
• The BCM framework document is applicable to the full scope of
the Member Organization, including subsidiaries, employees,
subcontractors, third-parties and customers.

Member Organisations
The BCM Framework document is applicable to the following:
• All organizations affiliated with SAMA (“the Member
Organizations”)
• All banks operating in Saudi Arabia
• All banking subsidiaries of Saudi banks
• Subsidiaries of foreign banks situated in Saudi Arabia

Target Audience
This document is intended for those who are responsible for and
involved in defining, implementing and reviewing business continuity
controls:
• Board of Directors
• CEO
• Chief Risk Officer
• Senior and Executive Management
• Business owners
• Owners of information assets
• CIO/CISO
• Business Continuity Managers
• Internal Auditors

BCM Governance
BC governance framework should be monitored by senior management.
1. Board of directors or a delegated executive member should have the
ultimate responsibility for the BCM program.
2. Management should allocate sufficient budget to execute the required
BCM activities.
3. BCM Committee should be mandated by the board of directors.
4. Senior management, such as CRO, COO, CIO, CISO, BCM Manager
and other relevant departments should be represented in the business
continuity committee.
5. A business continuity committee charter should reflect:
a. Committee objectives
b. Roles and responsibilities
c. Minimum number of meeting participants
d. Meeting frequency (minimum on quarterly basis)

Responsibilities
A BCM function should be established.

The BCM function should be adequately staffed with qualified team members.

Cross-functional teams, consisting of strategic, tactical and operations team
members, should contribute to the implementation and maintenance of the
business continuity and disaster recovery plans.

The BCM Manager and BCM coordinators are responsible for maintaining and
keeping the BCPs and arrangements up-to-date.

The IT manager should be responsible for maintaining and keeping the disaster
recovery plans and arrangements up-to-date, with overall accountability for
integration within the BCM Program resting with the BCM Manager.

Business Impact Analysis (BIA)
The Member Organization should determine the following, but not limited
to:
a. The potential impact of business disruptions for each prioritized
business function and process, including but not restricted to
financial, operational, customer, legal and regulatory impacts
b. The recovery time objectives (RTOs), recovery point objectives
(RPOs) and maximum acceptable outage (MAO)
c. The internal and external interdependencies
d. Supporting recovery resources

The BCM committee should endorse the prioritized list, BIA results, RA
and the defined RTOs, RPOs and MAOs.
Member Organizations should ensure that RTOs are adequately defined
for payment systems, customer related services, etc. considering the
high availability of these operations and minimum disruption in the event
of disaster.

Risk Assessment (RA)
Risk assessment results should be communicated to the BCM
committee.
The risk assessment should include risks associated with overall
organization as well as data centers (primary and alternative), which
are not owned by the Member Organization (e.g., consider the
timeframe needed to relocate to a new site and accordingly, it should
include a sufficient timeframe in the contractual agreement)
Capability of vendors, suppliers and service providers should be
assessed at least on a yearly basis
Member Organization should ensure that the key service providers (if
any) have a BCP in place and their plans tested at least on a yearly
basis…. for all critical activities, as determined by the BIA

IT Disaster Recovery
The Member Organization should define and implement a backup and
recovery process.
The Member Organization should have an offsite location for storing
backups.
The Member Organization should ensure that critical services, business
functions and processes run on reliable and robust infrastructure and
software.
An IT DRP in alignment with business impact analysis should be defined,
approved, implemented and maintained …. to recover and restore
technology services and infrastructure components (Data, systems,
network, services and applications)

Alternate Data Centre
The Member Organization should establish an alternative data center at
an appropriate location.
The location should be identified based on a risk assessment to confirm
that the location does not share the same risks of the main data center
(e.g., geographical threat)
Data, system, network and application configurations, and capacities in
the alternative data center should be commensurate to such
configurations and capacities maintained in the main data center.
The Member Organization should implement the same logical, physical,
environmental and cyber security controls for the alternative data center
as for the primary data center.

Suppliers and Service Providers
• For all critical activities, as determined by the BIA, the Member
Organization should ensure that the key service providers (if any)
have a BCP in place and their plans tested at least on a yearly
basis.
• Formal contracts should be signed with third-parties to ensure the
continuity of outsourced services or delivery of replacing hardware
or software within the agreed timelines in case of a disaster (for
IT DR). Include guidelines to ensure that the contracts signed with
external service providers are aligned with the BIA and RA
outcomes.
• Capability of vendors, suppliers and service providers should be
assessed at least on a yearly basis… to support and maintain
service levels for prioritized activities during disruptive incidents

Alternate Locations (RA)
• The Member Organization should have sufficient alternative
business workspace(s) where it can relocate the required
resources to deliver the critical processes required as per
predefined recovery objectives in the BIA.
• The alternative business workspace(s) should have clear
demarcation of the seating arrangement for different business
units.
• The Member Organization should implement sufficient logical,
physical and environmental security controls in order to support
the same level of access and security in case the alternative
location needs to be activated.

Business Continuity Plans (BCPs)
The procedures should collectively include:
a. Key resources (e.g., people, equipment, facilities, technologies)
b. Defined roles, responsibilities and authorities for stakeholders
c. A process to manage the immediate consequences of a disruptive
incident and escalation procedures
d. A process to continue the critical activities within predetermined
recovery objectives (RTO, RPO and MAO)
e. A process to resume the Member Organization’s operations to
business-as-usual once the incident is resolved
f. Guidelines for communicating with employees, relevant third-
parties and emergency contacts
g. Process for including relevant cyber security requirements, if any,
within the business continuity planning

Crisis Management Plan (CMP)
The Member Organization should document:
• Criteria for declaring a crisis.
• Command center for centralized management and an emergency
command center.
• Crisis-management team members which include representatives
of the critical products, services, functions and processes of the
Member Organization (including Communications department, and
any third-parties to be involved also)
• Communication plan (including rapid communication) including
the media response plan, to ensure overall safety and address the
communication with the internal and external stakeholders during
crisis.
• The frequency of crisis management tests

Awareness and Training
• A training program should be provided on an annual basis to
employees involved in BCM to achieve the required level of
experience, skills and competences.
• The Member Organization should periodically measure the
effectiveness of the training and awareness program.
• The Member Organization and relevant third-parties, such as
providers and suppliers should be:
a. Familiar with relevant parts of business continuity policy and plans
b. Contractually bound to provide their services or products within
the agreed time, in case of a disruptive event
c. Familiar with their point of contact or their local BCM coordinator
in the Member Organization
d. Familiar with their roles and responsibilities during disruptive
incidents

Exercise and Testing
The Member Organization should:
• Define, approve, implement, execute and monitor regular BCP and
DRP tests
• Train their employees and third-parties and test the effectiveness of
the BC and DR plans.
• Ensure that defined test scenarios cover the activation and
involvement of the crisis management team.
• Conduct BCP simulation test exercises (“at least once a year”)
• Ensure the tests consider appropriate scenarios that are well planned
with clearly defined objectives (e.g., per function, per service, per
process, per location, per worst-case scenario)
• Consider including cyber security scenarios.
• Consider conducting an integrated BCM test for all critical services,
business processes and functions.

IT DR Tests
The Member Organization should:
• Periodically execute a DR test combined with BCP (“at least once a
year”).
• Conduct an evaluation of the executed test of IT DR infrastructure
that supports the Member Organization’s critical systems
• Ensure that the DR test results provide an evaluation and
suggestion for improvements
• Ensure that tests cover the activation and involvement of the
crisis management team.

Effectiveness
• Internal Audit or a qualified external auditor should observe the
business continuity and disaster recovery testing activities as an
independent participant
• In case of test failure, the re-testing timelines should not exceed
the limit of three (3) months.
• All BCP and DRP tests results should be reported to the BCM
committee, senior management and the board of directors.
• Test results of business continuity and disaster recovery should be
shared with SAMA within four weeks after the test. The Member
Organization should identify the improvements based on the test
performed and provide an action plan to SAMA within two months
after the submission of the test results.

Summary
• If you are struggling with what to do in your BCM program,
consider taking guidance from the SAMA framework.
• Set up your BCM program for success in line with SAMA principles,
focusing on:
▪ Senior Management Accountability (Board level)
▪ Adequate budget
▪ Adequate and competent resources
▪ Full lifecycle implementation
▪ Exercise and Testing
▪ Regular Senior Management Monitoring and support
▪ Continuous Improvement

ALL THE BEST!!!!

Dhiraj Lal
Executive Director
Landline : +971 2 6594006
Mobile & WhatsApp: +971 52 9263933
Email: dhiraj.l@continuityandresilience.com
Skype: dhiraj.lal21

Implementation Approach & Methodology

Head Office

Continuity & Resilience
Level 15, Eros Corporate Tower
Nehru Place, New Delhi-110019, INDIA
Tel: +91 11 41055534/ +91 11 41613033
Fax: +91 11 41055535

Email: info@continuityandresilience.com

Contact:
Padmanabha Bora
Director
Mobile & WhatsApp: +91 9654870406
Email: pb@continuityandresilience.com
Skype: Padmanabha.bora

CORE Cyber Security / Information Security Services

Capacity Building & Skill Development
• Corporate Instructor Led Trainings
• Cyber Attack Simulation Exercise
• Customised training for Corporates
• Public Certification Aspirants Workshops (CISSP, CISA, CISM, CRISC)

Professional Services
• Governance, Risk & Compliance
• CERT & CSIRT (BOMT Model)
• Forensics & Investigations / VAPT
• Gap Analysis / Health Checks & Pre Audit Services

Managed Security Services
• CSIRT as a Service
• SOC (remote, BOMT/O&M)
• Predictive Security through Threat Hunting & Counter Threat Intelligence
• Forensics & Investigation Services

Products
• Confront & Denial of Operations Area through Smoke Screen
• Forensics Workstation & DDoS Protection Tool
• Employee Forensics & Monitoring Tool
• Mobile Device Management & Mobile Data Security
Trainings

Public Programs
• Global Certifications like BCI, IRCA
• CORE Certifications

In-house Workshops
• Global Certifications like BCI, IRCA
• CORE Certifications
• Simulated Exercises

Tailor-made
• Customized to clients
• Specialized coverage
• Awareness Education
Sectors
• Telecom
• Critical Infrastructure
• Financial Sector
• Banking
• Government sector
• Oil and Gas
• Insurance
• Government
• Real Estate
• Aviation
• IT/ ITeS
• … Etc
How can we help?
• Gap Assessment
• Training for top management
• Implementation Roadmap
• Coordinators Orientation training
• Policy
• Templates
• RA Strategies
• Vulnerability Assessment
• Penetration Testing
• Tool Assessment as per your IT setup
• Data Centre assessment
E-learning Support

• Scope: The BCM framework document defines principles,
objectives and control considerations for initiating, implementing,
maintaining, monitoring and improving business continuity
controls in member organizations. The BCM framework document
has an interrelationship with other corporate policies for related
areas, such as enterprise risk management, health, safety and
environment (HSE), physical security, cybersecurity (including
cyber resilience and incident management).
