COVID 19: Addressing Business Continuity in the online world
Transcript of COVID 19: Addressing Business Continuity in the online world
Komitas Stepanyan,PhD, CRISC, CRMA, CobitF
IT AuditVirtual Training for PEMPAL
--- 1 ---
COVID 19: Addressing Business Continuity in the online world
--- 2 ---
COVID 19 challenges
Remote work: Opportunities and Risks
BCM vs BCP
Cyber Resilience
Examples
--- 3 ---
STATISTICS
Change in remote work trends due to COVID-19 in 2020
What percentage of your workforce will remain permanently remote post-COVID who were not remote before COVID?
--- 4 ---
STATISTICS, 7 SURPRISING STATS ON THE SHIFT TO REMOTE WORK
1. There has been a massive shift to work from home. 88% of organizations have encouraged or required their employees to work from home and 91% of teams in Asia Pacific have implemented ‘work from home’ arrangements since the outbreak.[i]
2. Coronavirus has been a catalyst for remote work. 31% of people said that Coronavirus (COVID-19) was the trigger to begin allowing remote work at their company.[ii]
3. Organizations are mobilizing, using crisis response teams to coordinate their response. 81% of companies now have a crisis response team in place. [iii]
4. Business continuity tops C-level concerns. 71% of executives are worried about continuity and productivity during the pandemic.[iv]
5. Cybercriminals are taking advantage of the crisis. Over a 24-hour period, Microsoft detected a massive phishing campaign using 2,300 different web pages attached to messages and disguised as COVID-19 financial compensation information that actually led to a fake Office 365 sign-in page.[viii]
6. Technology and infrastructure are some of the biggest barriers to connectivity and workforce productivity. 54% of HR leaders indicated that poor technology and/or infrastructure for remote working is the biggest barrier to effective remote working in their organization.[ix]
7. Remote work is here to stay. 74% of companies plan to permanently shift to more remote work post COVID.[xv]
--- 5 ---
Cases
September 11, 2001 USA
March 11, 2011 Japan, Damage $309bln
Hurricane Katrina, August 2005 USA, Damage $125bln
Volcano Eyjafjallajökull, 14 April 2010 North Europe
--- 6 ---
The Reality
43% of US companies never reopen after a disaster and 29% more close within 3 years.
20% of small to medium size businesses suffer a major disaster every 5 years.
78% of organizations which lacked contingency plans but suffered catastrophic loss were gone within 2 years…most had insurance, and many had business interruption coverage!
(Sources: U.S. National Fire Protection Agency, U.S. Bureau of Labor, Richmond House Group and B2BContinuity.com)
--- 7 ---
Cases
It doesn’t concern us
--- 8 ---
Case 2018, Central Bank of Armenia
--- 9 ---
Standards, Frameworks and Documents
ISO 22301 – Business Continuity Management Systems
Business Continuity Management Audit/Assurance Program - ISACA
GTAG 10 Business Continuity Management - IIA
Toolkits & papers from web
--- 10 ---
Definitions
ISO 22301
business continuity management system (BCMS): part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity
business impact analysis
process of analyzing activities and the effect that a business disruption might have upon them
incident
situation that might be, or could lead to, a disruption, loss, emergency or crisis
business continuity plan
documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption. NOTE: Typically this covers resources, services and activities required to ensure the continuity of critical business functions.
--- 11 ---
BCM Audit, GTAG 10
What is Business Continuity?
It is the ability of the business to continue operations with minimal disruption or downtime in the advent of natural or man-made disasters.
Business continuity planning is a strategic discipline that should be an integral part of the organization's culture.
??? BCP VS BCM ???
--- 12 ---
What is BCM?
An ongoing process supported by senior management and funded to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and recovery plans, and ensure continuity of services through personnel training, plan testing, and maintenance.
--- 13 ---
BCM Lifecycle
Governance and Culture underpin the Continuity Life Cycle, whose phases are:
• Analysis: Project Initiation and Management, Risk Assessment, Business Impact Analysis
• Business Continuity Strategy Design
• Solutions Deployment and Enhancement
• Business Continuity Plan Testing
• Training & Awareness Programs
• Compliance Monitoring & Auditing
• Execution
--- 14 ---
QUESTION
When a disaster occurs, the highest priority is:
1. Minimizing data loss by saving important data
2. Ensuring everyone is safe
3. Recovery of backup tapes
4. Calling a manager
--- 15 ---
QUESTION
The amount of data transactions that are allowed to be lost following a computer failure is the:
1. Recovery Time Objective
2. Recovery Point Objective
3. Service Delivery Objective
4. Maximum Tolerable Outage
--- 16 ---
ER, CM, BC ---> BCM
Timeline after the incident (T = T0), from minutes through hours to days and weeks: Emergency Response first, then Crisis Management, then Business Continuity.
1 - Emergency Response
ER is the first action; it focuses on avoiding, deterring, and preventing disasters and/or preparing the organization to respond to a disaster. The goal of ER is lifesaving, safety, and initial efforts to limit the impact to asset damage.
2 - Crisis Management
CM focuses on managing external/internal communications and senior management activities during a disaster. The goal of CM is to effectively address the coordinated response, resources, and internal and external communication.
3 - Business Continuity
BCM capabilities are focused on the recovery of critical business processes. The goal of BCM is to minimize the financial and other impacts to a business caused during a disaster or business disruption.
--- 17 ---
RTO, RPO
ISO 22301:2012, Societal security – Business continuity management systems
RPO recovery point objective
point to which information used by an activity must be restored to enable the activity to operate (“maximum data loss”)
RTO recovery time objective
period of time following an incident within which:
➢ product or service must be resumed
➢ activity must be resumed
➢ resources must be recovered
Timeline: Normal processing – Backup 1 – Last backup (T = T0 - X) – incident (T = T0) – Time down – Normal processing resumed (T = T0 + Y); Backup 2 would have followed the last backup. The RPO is the interval between the last backup and the incident (Lost data, X); the RTO is the interval between the incident and resumption (Time down, Y).
IIA Definitions
Processing Gap: Lag time between the disruption point and resumption of normal processing.
Lost data: The data that will be lost, destroyed, or otherwise unavailable, after successful recovery.
--- 18 ---
Core Processes
Process                       RTO         RPO (Backup frequency)
1. Accounting and Finance     3 hours     1 hour
2. Licensing                  5 hours     5 days
3. Government payments        1.5 hours   4 hours
4. HR                         2 days      2 weeks
5. Public Relations           0.5 hours   2 hours
--- 19 ---
Example
Process                                                                  RTO         RPO (Backup frequency)
1. Monetary policy short term programming. CB operations in local market 3 hours     1 day
2. Operations in international markets. Foreign reserve management       5 hours     0.5 hours
3. Exchange rate calculation and publication                             1.5 hours   1 day
4. Bank interest rate calculation and publication                        2 days      2 weeks
5. Cash circulation                                                      0.5 hours   0.5 hours
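As an added worked example (not part of the original training deck), the following Python script applies the RTO/RPO timeline from the slides to the central-bank process table above: it measures a disruption's lost data (X, from the last backup to the incident) and time down (Y, from the incident to resumption) against each process's objectives, and it checks whether a backup schedule's longest gap fits inside the RPO. The timestamps and the backup schedule are constructed for illustration; the process names and objectives are the ones in the table.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example for the RTO/RPO slides; the timestamps and backup schedule below
# are constructed for illustration and are not from the training deck.

@dataclass(frozen=True)
class Process:
    name: str
    rto: timedelta  # recovery time objective: maximum acceptable time down (Y)
    rpo: timedelta  # recovery point objective: maximum acceptable data loss (X)

def parse_duration(text: str) -> timedelta:
    """Parse durations the way the slides write them: '3 hours', '1.5 hours', '2 days', '2 weeks'."""
    value, unit = text.split()
    unit = unit.lower().rstrip("s")
    factors = {"hour": timedelta(hours=1), "day": timedelta(days=1), "week": timedelta(weeks=1)}
    return float(value) * factors[unit]

def ts(text: str) -> datetime:
    """Timestamp helper so sample times read like '2020-04-14 10:30'."""
    return datetime.fromisoformat(text)

def hours(td: timedelta) -> float:
    return td.total_seconds() / 3600

# The central-bank example table from the deck (process, RTO, RPO given as backup frequency).
PROCESSES = {p.name: p for p in (
    Process("Monetary policy short term programming", parse_duration("3 hours"), parse_duration("1 day")),
    Process("Operations in international markets", parse_duration("5 hours"), parse_duration("0.5 hours")),
    Process("Exchange rate calculation and publication", parse_duration("1.5 hours"), parse_duration("1 day")),
    Process("Bank interest rate calculation and publication", parse_duration("2 days"), parse_duration("2 weeks")),
    Process("Cash circulation", parse_duration("0.5 hours"), parse_duration("0.5 hours")),
)}

def evaluate_incident(proc: Process, last_backup: datetime, incident: datetime, resumed: datetime) -> dict:
    """Measure one disruption against the process objectives, using the slide's timeline:
    last usable backup at T0 - X, incident at T0, normal processing resumed at T0 + Y.
    X is the lost data (must fit the RPO); Y is the time down (must fit the RTO)."""
    lost_data = incident - last_backup
    time_down = resumed - incident
    return {
        "process": proc.name,
        "lost_data_h": hours(lost_data),
        "time_down_h": hours(time_down),
        "rpo_met": lost_data <= proc.rpo,
        "rto_met": time_down <= proc.rto,
    }

def check_backup_schedule(proc: Process, backups: list) -> dict:
    """A backup schedule supports the RPO only if its longest gap between consecutive
    backups is no larger than the RPO: an incident just before the next backup loses
    the whole gap, so the worst case is what matters, not the average interval."""
    ordered = sorted(backups)
    worst_gap = max(b - a for a, b in zip(ordered, ordered[1:]))
    return {"process": proc.name, "worst_gap_h": hours(worst_gap), "supports_rpo": worst_gap <= proc.rpo}

if __name__ == "__main__":
    # Constructed incident 1: exchange-rate publication, daily backup taken at midnight.
    r = evaluate_incident(PROCESSES["Exchange rate calculation and publication"],
                          ts("2020-04-14 00:00"), ts("2020-04-14 10:30"), ts("2020-04-14 11:45"))
    print(r)  # 10.5 h of data lost (within the 1-day RPO), 1.25 h down (within the 1.5-hour RTO)

    # Constructed incident 2: cash circulation, last backup 40 minutes before the incident.
    r = evaluate_incident(PROCESSES["Cash circulation"],
                          ts("2020-04-14 09:00"), ts("2020-04-14 09:40"), ts("2020-04-14 10:30"))
    print(r)  # both the 0.5-hour RPO and the 0.5-hour RTO are breached

    # Constructed schedule: backups every 30 minutes keep the worst-case gap inside the RPO.
    schedule = [ts(f"2020-04-14 {h:02d}:{m:02d}") for h in range(9, 12) for m in (0, 30)]
    print(check_backup_schedule(PROCESSES["Cash circulation"], schedule))
```

The schedule check is the part an auditor usually cares about: a process whose RPO is 0.5 hours is only covered if backups never fall more than 30 minutes apart, which is why the slides label the RPO column "backup frequency".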
--- 20 ---
HIGH LEVEL QUESTIONS MUST BE ADDRESSED
CAE should be able to answer the following simple and important questions related to business continuity:
Does the organization’s leadership understand the current business continuity risk level and the potential impacts of likely degrees of loss?
Can the organization prove the business continuity risks are mitigated to an approved acceptable level?
If an unacceptable business continuity risk exists but executive management has decided to assume the risk, are the organization’s owners and business partners aware that management has decided not to mitigate the risk?
Has the decision to accept the risk been properly documented?
--- 21 ---
ACTIONS NECESSARY TO MEET BCM REQUIREMENTS
Management Commitment to BCM Program
• Build a business case
• Understand the value
• Establish a BCM program
Conduct a Business Impact Analysis (BIA)
• Identify business processes & define critical processes
• Define RTO and RPO for processes
• Identify other parties and physical resources for recovery
Conduct a BC Risk Assessment & BC Mitigation
• Assess the impact of disruptive events
• Define BC disruptive events
• Develop BC risk mitigation strategies
Define Business Recovery and Continuity Strategies
• Define staffing alternatives needed for recovery
• Define alternative sourcing of critical functions
• Define alternative offices needed for recovery
• Plan to transition back to normal operations
Establish Disaster Recovery for IT
• Understand business recovery requirements
• Select recovery solutions and recovery sites
Deploy, Verify and Maintain BCM Program Capabilities
• Deploy BCM program awareness and training
• Maintain the BCM program and BC plans
• Exercise business continuity capabilities
• Establish crisis communications and align with crisis management
• Align with emergency response and external agencies coordination
--- 22 ---
BCM AUDIT CHECKLIST
1. Management
2. Business Impact analysis and Risk Assessment
3. Contingency Arrangements
4. Documented Plans
5. Training and testing
6. Review and Update
(Attachment: BCM Audit checklist.docx)
--- 23 ---
COVID 19 AND CYBER RESILIENCE
--- 24 ---
THE EXPERIENCE AT FBI
--- 25 ---
OUTSIDE OF THE PERIMETER IS DANGEROUS
Corporate security perimeter stops > 99% of threats
--- 26 ---
THREAT LANDSCAPE OF REMOTE WORK
Remote-work chain: Employee – Endpoint – LAN – WAN – Access Infrastructure – IT personnel
Threats along the chain:
• Employee: Phishing, Social engineering
• Endpoint: Malware, Theft, Tampering
• LAN: Wardriving, Cracking, Masquerading, Man-in-the-middle
• WAN: Eavesdropping, Traffic analysis, Man-in-the-middle
• Access Infrastructure: Malware, Tampering
• IT personnel: Phishing, Social engineering
--- 27 ---
RISK: PHISHING
• 91% of successful data breaches started with a phishing attack
• 23% of targeted people open phishing emails and 11% click on links or open attached files
--- 28 ---
RISK: WEAK INFRASTRUCTURE
• Not designed for large-scale and prolonged usage
• Inadequate capacities
• Low number of concurrent users
• Low number of notebooks and mobile devices
• Limited bandwidth
• Insufficient support
• Pressure on IT Departments to find solutions fast
--- 29 ---
RISK: CLOUD
- Business: Not enough conferencing capacity. Do something. Fast!
- IT: We cannot bring in more servers fast… Maybe the cloud?
- Business: We need it yesterday!
- IT: Alright… let’s Zoom then!
--- 30 ---
POOR SECURITY DESIGN
Some critical data has been transmitted through China even when not necessary
--- 31 ---
PHISHING EXAMPLES
--- 32 ---
RECOMMENDATIONS
• Authorities and firms should prioritize:
  • Clear remote access policies (who, what, when, and how)
  • Robust authentication of users and devices
  • Strong encryption methods
  • Secure remote access devices (endpoint security)
  • Network security monitoring
• Cloud usage should be based on detailed risk assessments
• Additional user awareness campaigns should be launched
• Robust controls over configurations at both ends of the connection
• Additional security controls for critical functions
--- 33 ---
CYBER HYGIENE – IT IS NOT DIFFICULT!
Choose the right environment
Protect your WiFi
Keep work and home separate
Do not open suspicious content
Hide your webcam when not in use
Secure your devices after work
Apply updates regularly
Use strong passwords / 2FA
Protect videoconferences
--- 34 ---
ONE LAST THING…
THINK END-TO-END: Employee – Endpoint – LAN – WAN – Access Infrastructure – IT personnel