Dhiraj Lal
Executive Director
Continuity and Resilience
Abu Dhabi
About Continuity & Resilience (CORE)
Consulting Services (ISO 22301 Certified)
▪ Cyber Security
▪ Business Continuity Management
▪ Crisis Management
▪ IT Disaster Recovery
▪ Information Security
▪ Risk Management
Training Services
▪ NCEMA developed training (we are trainers for the NCEMA courses at GCAS, an NCEMA licensed training entity)
▪ CORE is an approved Global Training Partner of the UK based Business Continuity Institute, licensed to conduct BCI trainings anywhere in the globe
Notification and Automation Tools
CORE acts as an enabler between the partner and the client by providing support for:
• Gathering requirements
• Shortlisting vendors
• Subject matter expertise for tool selection
• Vendor demos
• Tool installation and implementation support for BC, ITDR and notification tools
• Assistance during tool testing
E-learning Development and Deployment
• Higher coverage
• Consistency in communication
• Higher learning retention
• Learn at your own pace, anytime and anywhere
• Latest and most updated courseware always available
(Diagram on the original slide: e-learning modules for IT Service Continuity Management and Business Continuity Management)
Consulting
Our Consulting approach
(Process diagram on the original slide, stages as recovered: Initial Assessment & Documentation Review; Initial Industry Benchmarking; Assessment; Assessment Report / Maturity Assessment; Implementation Review; Testing; Operationalize the Continual Improvement)
Training
SAMA Framework
Mandate
Member Organisations
Target Audience
This document is intended for those who are responsible for and involved in defining, implementing and reviewing business continuity controls…
• Board of Directors
• CEO
• Chief Risk Officer
• Senior and Executive Management
• Business owners
• Owners of information assets
• CIO/CISO
• Business Continuity Managers
• Internal Auditors
BCM Governance
The BC governance framework should be monitored by senior management.
1. The board of directors, or a delegated executive member, should have ultimate responsibility for the BCM program.
2. Management should allocate sufficient budget to execute the required BCM activities.
3. The BCM Committee should be mandated by the board of directors.
4. Senior management, such as the CRO, COO, CIO, CISO, BCM Manager and other relevant departments, should be represented on the business continuity committee.
5. The business continuity committee charter should reflect:
a. Committee objectives
b. Roles and responsibilities
c. Minimum number of meeting participants
d. Meeting frequency (at least quarterly)
Responsibilities
A BCM function should be established.
The BCM function should be adequately staffed with qualified team members.
The BCM Manager and BCM coordinators are responsible for maintaining the BCPs and related arrangements and keeping them up to date.
Business Impact Analysis (BIA)
The Member Organization should determine the following, but not limited to:
a. The potential impact of business disruptions for each prioritized business function and process, including but not restricted to financial, operational, customer, legal and regulatory impacts
b. The recovery time objectives (RTOs), recovery point objectives (RPOs) and Maximum Acceptable Outage (MAO)
c. The internal and external interdependencies
d. Supporting recovery resources
The BCM committee should endorse the prioritized list, the BIA results, the RA and the defined RTOs, RPOs and MAOs.
Member Organizations should ensure that RTOs are adequately defined for payment systems, customer related services, etc., given the high availability these operations require and the need for minimum disruption in the event of a disaster.
Risk Assessment (RA)
IT Disaster Recovery
The Member Organization should define and implement a backup and recovery process.
The Member Organization should have an offsite location for storing backups.
The Member Organization should ensure that critical services, business functions and processes run on reliable and robust infrastructure and software.
An IT DRP aligned with the business impact analysis should be defined, approved, implemented and maintained … to recover and restore technology services and infrastructure components (data, systems, network, services and applications).
Alternate Data Centre
Suppliers and Service Providers
• For all critical activities, as determined by the BIA, the Member Organization should ensure that the key service providers (if any) have a BCP in place and that their plans are tested at least yearly.
• Formal contracts should be signed with third parties to ensure the continuity of outsourced services, or the delivery of replacement hardware or software within the agreed timelines in case of a disaster (for IT DR). Include guidelines to ensure that the contracts signed with external service providers are aligned with the BIA and RA outcomes.
• The capability of vendors, suppliers and service providers to support and maintain service levels for prioritized activities during disruptive incidents should be assessed at least yearly…
Alternate Locations (RA)
• The Member Organization should have sufficient alternative business workspace(s) to which it can relocate the required resources to deliver the critical processes within the recovery objectives predefined in the BIA.
• The alternative business workspace(s) should have a clear demarcation of the seating arrangement for the different business units.
• The Member Organization should implement sufficient logical, physical and environmental security controls so that the same level of access and security is maintained if the alternative location needs to be activated.
Business Continuity Plans (BCPs)
The procedures should collectively include:
a. Key resources (e.g., people, equipment, facilities, technologies)
b. Defined roles, responsibilities and authorities for stakeholders
c. A process to manage the immediate consequences of a disruptive incident, and escalation procedures
d. A process to continue the critical activities within the predetermined recovery objectives (RTO, RPO and MAO)
e. A process to resume the Member Organization’s operations to business-as-usual once the incident is resolved
f. Guidelines for communicating with employees, relevant third parties and emergency contacts
g. A process for including relevant cyber security requirements, if any, within the business continuity planning
Crisis Management Plan (CMP)
The Member Organization should document:
• Criteria for declaring a crisis.
• A command center for centralized management, and an emergency command center.
• Crisis management team members, including representatives of the critical products, services, functions and processes of the Member Organization (including the Communications department and any third parties to be involved).
• A communication plan (including rapid communication) and the media response plan, to ensure overall safety and to address communication with internal and external stakeholders during a crisis.
• The frequency of crisis management tests.
Awareness and Training
• A training program should be provided annually to employees involved in BCM, to achieve the required level of experience, skills and competences.
• The Member Organization should periodically measure the effectiveness of the training and awareness program.
• The Member Organization and relevant third parties, such as providers and suppliers, should be:
a. Familiar with the relevant parts of the business continuity policy and plans
b. Contractually bound to provide their services or products within the agreed time in case of a disruptive event
c. Familiar with their point of contact or their local BCM coordinator in the Member Organization
d. Familiar with their roles and responsibilities during disruptive incidents
Exercise and Testing
IT DR Tests
Effectiveness
• Internal Audit or a qualified external auditor should observe the business continuity and disaster recovery testing activities as an independent participant.
• In case of test failure, the re-testing timeline should not exceed three (3) months.
• All BCP and DRP test results should be reported to the BCM committee, senior management and the board of directors.
• Business continuity and disaster recovery test results should be shared with SAMA within four weeks after the test. The Member Organization should identify improvements based on the test performed and provide an action plan to SAMA within two months after the submission of the test results.
Summary
• If you are struggling with what to do in your BCM program, consider taking guidance from the SAMA framework.
• Set up your BCM program for success in line with SAMA principles, focusing on:
▪ Senior management accountability (board level)
▪ Adequate budget
▪ Adequate and competent resources
▪ Full lifecycle implementation
▪ Exercise and testing
▪ Regular senior management monitoring and support
▪ Continuous improvement
Dhiraj Lal
Executive Director
Landline : +971 2 6594006
Mobile & WhatsApp: +971 52 9263933
Email: dhiraj.l@continuityandresilience.com
Skype: dhiraj.lal21
Implementation Approach & Methodology
Head Office
Email: info@continuityandresilience.com
Contact:
Padmanabha Bora
Director
Mobile & WhatsApp: +91 9654870406
Email: pb@continuityandresilience.com
Skype: Padmanabha.bora
CORE Cyber Security / Information Security Services
Capacity Building & Skill Development:
• Corporate instructor-led trainings
• Cyber attack simulation exercise
• Customised training for corporates
• Public certification aspirants workshops (CISSP, CISA, CISM, CRISC)
Managed Security Services:
• CSIRT as a Service
• SOC (remote, BOMT/O&M)
• Predictive security through threat hunting & counter threat intelligence
• Forensics & investigation services
Trainings
Sectors
• Telecom
• Critical Infrastructure
• Financial Sector
• Banking
• Government sector
• Oil and Gas
• Insurance
• Government
• Real Estate
• Aviation
• IT/ ITeS
• … etc.
How can we help?
• Gap Assessment
• Training for top management
• Implementation Roadmap
• Coordinators Orientation training
• Policy
• Templates
• RA Strategies
• Vulnerability Assessment
• Penetration Testing
• Tool Assessment as per your IT setup
• Data Centre assessment
E-learning Support
Continuity & Resilience (CORE)
ISO 22301 BCM Consulting Firm
Presentations by speakers at the 8th ME Business & IT Resilience Summit
March 10, 2019 at The Address Hotel, Dubai Mall, Dubai, UAE