DelCreo, Inc. An Enterprise Risk Management Company 1 Changed World, New Risks Mark Carey, CPA, CISA DelCreo, Inc. 440-250-9391

Risk Management Lessons and Business Applications

Office of Homeland Security

Government Lesson
The US faces many new, non-conventional threats:
– Terrorism
– Proliferation of weapons of mass destruction
– Attacks on critical infrastructure
– International drug trade
– etc.
No single department, agency, state, local or private sector entity can handle these threats alone; up to 46 different federal agencies are responsible for addressing the non-conventional threats.
The Office of Homeland Security was created to "coordinate the executive branch's efforts to detect, prepare for, prevent, protect against, respond to, and recover from terrorist attacks within the United States."

Business Application
Businesses also face new, non-conventional threats and complex conventional threats that require coordinated risk management through an enterprise-wide risk management organization or function.

Homeland Security Council

Government Lesson
The Homeland Security Council was established to:
– Advise and assist the President with respect to all aspects of homeland security
– Ensure coordination of the homeland security-related activities of executive departments and agencies
– Ensure effective development and implementation of homeland security policies

Business Application
Consider establishing an enterprise risk council to:
– Provide relevant risk information to CXOs and the board of directors
– Coordinate the risk management activities of the various functions and business units
– Develop and implement corporate risk management policies

Silos

Government Lesson
Silos exist in:
– Departments and agencies: federal, state and local; foreign and domestic; US, allies and other
– Information systems and databases
– Processes: intelligence gathering and dissemination activities

Business Application
Create processes, systems and tools that reach across silos to provide the "big picture".
Focus corporate risk management resources on what matters the most.
Leverage the "silo" expertise through better coordination for complex risks.

Low Cost, High Tech

Government Lesson
Sophisticated technologies may be employed as weapons of mass destruction:
– Biological and chemical weapons
– Technology
Tools that have the ability to inflict massive damage are getting cheaper.

Business Application
Sophisticated tools are increasingly affordable and are being used by competitors, customers, employees, litigation teams, etc.
Understand the impact these tools may have on your organization.

Low Tech, High Impact

Government Lesson
Terrorists have employed low-tech weapons to inflict massive physical or psychological damage:
– Box cutters
– Envelopes

Business Application
Identify assets at risk:
– Strategic initiatives
– People
– Process
– Information systems
– Physical infrastructure
– Geography
– Organization
– Products
– Flows (supplies, information, electricity, cash, etc.)
Focus the risk assessment on how each asset may be impacted.
Consider best-case and worst-case scenarios, to ensure preparation for both the best and the worst of times.

Incident Management

Government Lesson
The Executive Branch lacked a formal terrorist incident management process, coordinator and team.
The Homeland Security Director will be the individual primarily responsible for coordinating the domestic response in the event of an imminent threat, and during and in the immediate aftermath of a terrorist attack.

Business Application
Define a formal incident management process with pre-incident planning activities, escalation triggers, defined responsibilities and response pathways.

Early Warning System

Government Lesson
– Silos prevented effective aggregation of early warning signals
– Local decisions were made to disregard significant information
– Appropriate escalation metrics and thresholds were lacking
– Many early warning signals were not deemed credible

Business Application
Develop, and constantly enhance, the quality of the information collected and of the early warning tools that act on it.

ERM Definition

A consistent, organization-wide approach to developing and implementing a comprehensive risk strategy and program in order to:
– Provide a baseline level of protection for value-creating assets, or
– Use risk management strategies and tools to assure the success of strategic objectives and improve organizational returns (as defined by key stakeholders)

Business Case: Improve Total Cost of Risk

Gaps in Risk Coverage and Information
– Emerging risk areas
– Strategic planning and decision-making processes do not receive complete, reliable and timely risk information
– Programs/projects with multiple vulnerabilities
– Vulnerabilities that require multiple skills, aggregation of data, etc. to mitigate

Cost of Managing Risks
– Poor use of process-enabling technology
– Knowledge management
– Modeling/data aggregation tools
– Coordination and communication between risk functions, business organizations, and management

Disaster Recovery Lessons Learned

Business Process and Business Unit Recovery Efforts Overlooked

Lesson
Most disaster planning had revolved around the data center or the IT capabilities of the enterprise. Continuity plans put into effect following the September 11th attacks often overlooked highly paper-centric back office business processes.

Recommendation
An enterprise-wide approach to continuity planning must include attention not only to data center, IT and network communications issues, but also to time-critical business processes wherever they flow through the organizational structure.

Geography

Lesson
Many recovery plans and arrangements were based on the assumption that local hot sites and alternate workspaces would be available. Other companies had a difficult time reaching their hot sites and alternate workspaces when air travel was stopped.

Recommendation
Geographic factors should be fully considered in the threat and vulnerability assessment, in the assumptions used in planning, and during the development of the recovery plans.

Source: McKinsey & Company, "Impact of Attack on New York Financial Services", Nov. 2001

Single Points of Failure

Lesson
The transportation, telecommunications and power elements of the infrastructure had several key "single points of failure". Many business processes today take place outside an organization's boundaries, and many supply chains have key participants that are critical single points of failure outside the operational control of any individual organization.

Recommendation
Infrastructure, process and other third-party providers should be included in the continuity planning process.

Source: McKinsey & Company, "Impact of Attack on New York Financial Services", Nov. 2001

Trained Personnel Is Critical

Lesson
Personnel are the key to success. For one company impacted, 100% of the people who had participated in the hot site disaster recovery testing were killed in the September 11th attacks. As a result, the people who had to assist in the recovery were unfamiliar with the continuity plans and with the actions necessary to expedite recovery operations.

Recommendation
Organizations should incorporate cross-training and rotation of recovery plan testing and maintenance responsibilities, so that recovery knowledge never rests with a single group of people.

Mix of Threats and Vulnerabilities Has Changed

Lesson
Terrorism threats have increased significantly in the US and worldwide and will likely continue to do so into at least the short-term future.

Recommendations
Fundamental BCP concepts have remained the same, but terrorism threats and vulnerabilities have increased in importance, especially for the people and facilities of Fortune 500 companies and of public and private civil infrastructure organizations. Organizations should consider themselves at risk from a physical terrorist attack in order to improve readiness.

Desktop Software Offsite Backup

Lesson
The World Trade Center offices did not contain many, if any, mainframe computers; almost all of the systems affected were distributed client-server implementations. Many organizations did not store current versions of their desktop client-server software offsite, so desktop networks could not be quickly rebuilt at an alternate site.

Recommendation
To avoid delays in rebuilding desktop configurations, companies should step up their programs for the storage and maintenance of desktop configuration software at appropriate offsite locations, and should train the operations personnel involved in recovery efforts in the most effective and efficient ways to rapidly rebuild time-critical desktop environments.

Unforeseen Indirect Threats and Vulnerabilities Demand Attention

Lesson
The collateral impacts of the terrorist attacks, such as airline shutdowns and economic downturns in the U.S. and world economies, and the ripple effects of those impacts, significantly affected almost all organizations.

Recommendation
Business continuity planning impact assessments should thoroughly consider value web and supply chain issues.