Explore strategies for operational resiliency in the financial industry through an innovative framework. Enhance shareholder value, protect assets, ensure efficient processes, and prioritize compliance in the face of disruptions. Gain insights into enterprise and operational resiliency activities.
The Financial Services Technology Consortium: Empowering the Industry Through Innovative Ideas
FSTC's 2008 Annual Conference, On the Innovative Edge: Successful Strategies for Financial Services Industry Navigators
Resiliency Benchmarking: A Case Study
Operational Resiliency Management: A Benchmarking Case Study
Gary Daniels, Rick Webb, Lisa Young
FSTC Annual Meeting, Sonoma, California, June 19, 2008
Resiliency Management – A Strategic Approach
• Enhancing shareholder value
• Protecting assets
• Ensuring efficient processes
• Provides a roadmap: identify & prioritize, compliance, efficiency
• Adaptive response to business disruptions
• Collaborative endeavor: third-party management, public–private sector coordination
Resiliency: Enterprise vs. Operational
• Enterprise resiliency: the capability to sustain the enterprise and continue achieving the mission in the presence and realization of risk
• Requires agility, adaptability, evolution
• An emergent property
• Operational resiliency is built from the core operational resiliency activities: security, business continuity, and IT operations
Improvement is an evolutionary process • Necessary shifts: • Convergence • “De-complexing” • Meaningful measurement • “Rehearsing” vs. “Preparing” • Investment vs. cost
Resiliency Management Product Suite
• Framework: 27 capability areas in 4 categories (Enterprise Management, Engineering, Operations Management, Process Management)
• Appraisal method
• Introductory courses: framework training, "how-to" courses, executive workshops
• Advanced courses: practitioner training, appraisal leader training, instructor training
Maturity in REF: 5 capability levels (increasing maturity from 0 to 4)
• 0 Incomplete
• 1 Performed: practices are performed
• 2 Managed
• 3 Directed
• 4 Continuously Improved
At levels 2 through 4, processes are acculturated, defined, measured, and governed.
Enterprise management capabilities (supporting the resiliency engineering process)
• RISK – Risk Management
• EF – Enterprise Focus
• COMP – Compliance Management
• FRM – Financial Resource Management
• COMM – Communications Management
• OTA – Organizational Training and Awareness
Engineering capabilities (establishing resiliency for organizational assets, business processes, and services)
• RRD – Resiliency Requirements Development
• RRM – Resiliency Requirements Management
• ADM – Asset Definition & Management
• SC – Service Continuity
• CM – Controls Management
• SSD – Secure Systems Development
• ISR – Integrated Service Resiliency
Operations management capabilities (managing operational aspects of resiliency)
• VAR – Vulnerability Analysis & Resolution
• AM – Access Management
• ID – Identity Management
• IMC – Incident Management & Control
• SAP – Scenario Analysis & Planning
• KIM – Knowledge & Information Management
• TM – Technology Management
• PM – People Management
• EC – Environmental Control
• HRM – Human Resources Management
• EXD – External Dependencies
Process management capabilities (defining, planning, deploying, implementing, monitoring, controlling, appraising, measuring, and improving processes)
• PM – Process Management
• MA – Measurement and Analysis
• MON – Monitoring
Capability areas are related. The slide's diagram links, for example: CM – Controls Management, IMC – Incident Management & Control, OTA – Organizational Training & Awareness, SC – Service Continuity, RISK – Risk Management, EF – Enterprise Focus, KIM – Knowledge & Information Management, and ADM – Asset Definition & Management.
Capability levels apply to each capability area. The slide's chart plots, for Service Continuity, Incident Management & Control, Organizational Training & Awareness, Risk Management, and People Management, the current status and the target level on the 0–4 scale; the difference between them is the gap. For People Management the target is shown as achieved.
Model scope
• Focus improvement efforts on a part or all of the framework
• Pick 1 or more capability areas to start
• Pick capabilities associated with one of the leading standards, e.g., NFPA 1600, ISO 27000, BS 25999
• Use one of our Targeted Improvement Roadmaps
Resilient Enterprise: Benchmarking for Maturity – Call for Participation
• Joint FSTC–CERT project beginning in June 2008
• Learn about the framework and develop skills to lead your organization's resiliency
• Attend 4 workshops
• Participate in benchmarking with maturity
• Compare and learn from other organizations' resiliency activities
• Be in the first formal REF course
• Translate knowledge into actionable and strategic improvements for your organization
Benchmarking FSTC members against REF • 10 large financial institutions • Project period: September 2007 through February 2008 • Objectives: • Test REF appraisal concepts • Provide gap analysis exercise for participants • Develop summary statistics that can be used as basis for comparison by individual participants
Resiliency Project Members: AMD, ANSI, Ameriprise, Bank of America, Carnegie Mellon, Capital Group, Citicorp, Discover, EMC, DRII, FSSCC R&D*, IBM, JPMorgan Chase, Key Bank, KPMG, MasterCard, Marshall & Ilsley, NY Federal Reserve Bank*, PNC Bank, US Bank, Wachovia (*Project Advisor)
Benchmarking methodology • Self-assessment with guidance from CERT • Required objective, documentary evidence for practice performance • Did not address maturity concepts (yet to come) • Five REF capability areas • Service Continuity • Incident Management & Control • Organizational Training & Awareness • Risk Management • People Management
Benchmarking focus: of the capability levels (0 Incomplete, 1 Performed, 2 Managed, 3 Directed, 4 Continuously Improved), the current benchmarking assessed only whether practices are performed, i.e., the step from level 0 to level 1.
Measuring practice implementation: each practice was scored between 0 (Incomplete) and 1 (Performed), using gradations of implementation rather than a binary yes/no.
Service Continuity Results (chart)
• Service Continuity (SC) is a REF capability area; graphs are used to visualize the summary of the benchmarking data submitted.
• There are 21 specific practices in SC, which support 7 goals (one row of the chart per goal, numbered 1 to 7): Prepare, Identify Services, Develop Plans, Validate Plans, Exercise Plans, Execute Plans, Maintain Plans.
• Artifacts were used to determine the extent to which each practice was implemented.
• Blocks show the average of reported implementations; bars show the range of implementation reported.
• Some participants did not execute any plans during the project period, which shows as a low reading for the Execute Plans goal.
SC – Service Continuity
• SC-1 Prepare for Service Continuity
  SC-1.1 Plan for Service Continuity
  SC-1.2 Establish Standards and Guidelines for Service Continuity
• SC-2 Identify and Prioritize Essential Services
  SC-2.1 Identify the Organization's Essential Services
  SC-2.2 Identify Internal and External Dependencies and Interdependencies
  SC-2.3 Identify Vital Organizational Records and Databases
• SC-3 Develop Service Continuity Plans
  SC-3.1 Identify Plans to be Developed
  SC-3.2 Develop and Document Service Continuity Plans
  SC-3.3 Resource Service Continuity Plans
  SC-3.4 Store and Secure Service Continuity Plans
  SC-3.5 Communicate Plans to Relevant Stakeholders
  SC-3.6 Develop Service Continuity Plan Training
• SC-4 Validate Service Continuity Plans
  SC-4.1 Validate Plans to Requirements and Standards
  SC-4.2 Identify and Resolve Plan Conflicts
• SC-5 Exercise Plans
  SC-5.1 Develop Testing Program and Standards
  SC-5.2 Develop and Document Plan Exercises
  SC-5.3 Exercise Plans
  SC-5.4 Evaluate Plan Test Results
• SC-6 Execute Plans
  SC-6.1 Execute Plans
  SC-6.2 Measure the Effectiveness of the Plan in Operation
• SC-7 Maintain Service Continuity Plans
  SC-7.1 Establish Change Criteria
  SC-7.2 Maintain Changes to Plans
Service Continuity Results (chart): one organization's data plotted against the same seven goals (Prepare, Identify Services, Develop Plans, Validate Plans, Exercise Plans, Execute Plans, Maintain Plans), so its gap to the peer summary is visible per goal.
Incident Management & Control Results (chart): goals Establish Process, Detect Events, Analyze Events, Respond & Recover, Learn.
IMC – Incident Management & Control
• IMC-1 Establish Incident Management and Control Process
  IMC-1.1 Plan for Incident Management
  IMC-1.2 Resource Incident Management Plan
• IMC-2 Detect Events
  IMC-2.1 Detect and Report Events
  IMC-2.2 Log and Track Events
  IMC-2.3 Collect, Document, and Preserve Event Evidence
  IMC-2.4 Define and Maintain Incident Validation Criteria
• IMC-3 Analyze Events
  IMC-3.1 Triage Events
  IMC-3.2 Analyze Events
• IMC-4 Respond to and Recover from Incidents
  IMC-4.1 Escalate Incidents
  IMC-4.2 Develop Incident Response
  IMC-4.3 Communicate Incidents
  IMC-4.4 Close Incidents
• IMC-5 Establish Incident Learning
  IMC-5.1 Perform Post-Incident Review
  IMC-5.2 Integrate with Problem Management Process
  IMC-5.3 Translate Experience to Strategy
Organizational Training & Awareness Results (chart): goals Establish Awareness Program, Conduct Awareness Activities, Establish Training Program, Conduct Training.
OTA – Organizational Training & Awareness
• OTA-1 Establish Awareness Program
  OTA-1.1 Establish Awareness Needs
  OTA-1.2 Establish Awareness Training Plan
  OTA-1.3 Establish Awareness Training Capability
• OTA-2 Conduct Awareness Activities
  OTA-2.1 Perform Awareness Activities
  OTA-2.2 Establish Awareness Records
  OTA-2.3 Assess Awareness Activity Effectiveness
• OTA-3 Establish Resiliency Training Capability
  OTA-3.1 Establish Resiliency Training Needs
  OTA-3.2 Establish Resiliency Training Plan
  OTA-3.3 Establish Resiliency Training Capability
• OTA-4 Conduct Resiliency Training
  OTA-4.1 Deliver Resiliency Training
  OTA-4.2 Establish Resiliency Training Records
  OTA-4.3 Assess Resiliency Training Effectiveness
Risk Management Results (chart): goals Prepare, Establish Parameters, Identify Risk, Analyze Risk, Mitigate & Control Risk, Use Risk Info.
RISK – Risk Management
• RISK-1 Prepare for Risk Management
  RISK-1.1 Determine Risk Sources and Categories
  RISK-1.2 Establish an Operational Risk Management Strategy
• RISK-2 Establish Risk Parameters and Focus
  RISK-2.1 Define Risk Parameters
  RISK-2.2 Establish Risk Measurement Criteria
• RISK-3 Identify Risk
  RISK-3.1 Identify Asset-level Risks
  RISK-3.2 Identify Service-level Risks
• RISK-4 Analyze Risk
  RISK-4.1 Evaluate Risk
  RISK-4.2 Categorize and Prioritize Risk
  RISK-4.3 Assign Risk Disposition
• RISK-5 Mitigate and Control Risk
  RISK-5.1 Develop Risk Mitigation Plans
  RISK-5.2 Implement Risk Strategies
• RISK-6 Utilize Risk Information to Manage Resiliency
  RISK-6.1 Review and Adjust Protection Strategies
  RISK-6.2 Review and Adjust Sustainability Strategies
People Management Results (chart): goals Establish Key Personnel, Manage Risks to Availability, Manage Availability.
PM – People Management
• PM-1 Establish Key Personnel
  PM-1.1 Identify Key Personnel
• PM-2 Manage Risks Associated with Personnel Availability
  PM-2.1 Identify and Assess Personnel Risk
  PM-2.2 Mitigate Personnel Risk
• PM-3 Manage the Availability of Personnel
  PM-3.1 Establish Redundancy for Key Personnel
  PM-3.2 Perform Succession Planning
  PM-3.3 Prepare for Redeployment
  PM-3.4 Plan to Support Personnel During Disruptive Event
  PM-3.5 Plan for Return-to-Work Considerations
Benchmarking conclusions • Appraisal concepts work • Evidence requirement caused scrutiny & objectivity • Gradations of implementation provided insights unavailable from binary checklist approaches • Gap analysis to framework helps identify improvement opportunities • Comparative summary data is valuable • Gap analysis to peer data helps prioritize and justify improvement actions
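The roll-up behind the charts and the two gap analyses named in the conclusions (gap to the framework, gap to peer data) can be made concrete. The following is an added example, not CERT or FSTC code; it assumes each participant scores every specific practice with the extent of implementation as a fraction in [0.0, 1.0] (the deck says gradations of implementation backed by artifacts were used, the numeric scale is an assumption), and the three participants and their scores are constructed, not project data.

```python
"""Roll-up of benchmarking submissions against the Service Continuity (SC)
capability area. Added example, not CERT or FSTC code.

Assumption: each participant scores every specific practice with the extent
to which it is implemented as a fraction in [0.0, 1.0], backed by artifacts
(the deck says gradations of implementation were used; this scale is an
assumption). Practices roll up to goals by mean; goals are compared across
participants (average = the chart's block, min/max = its bar) and against a
target.
"""
from statistics import mean

# SC goals and their specific-practice counts, from the deck (21 practices).
SC_GOALS = {
    "SC-1": ("Prepare", 2),
    "SC-2": ("Identify Services", 3),
    "SC-3": ("Develop Plans", 6),
    "SC-4": ("Validate Plans", 2),
    "SC-5": ("Exercise Plans", 4),
    "SC-6": ("Execute Plans", 2),
    "SC-7": ("Maintain Plans", 2),
}

# Constructed submissions from three hypothetical participants; not project
# data. org-A and org-C executed no plans in the period, so SC-6 is all 0.0,
# the case the deck calls out.
SUBMISSIONS = {
    "org-A": {"SC-1": [1.0, 1.0], "SC-2": [1.0, 0.5, 0.5],
              "SC-3": [1.0, 1.0, 0.5, 1.0, 0.5, 0.0], "SC-4": [0.5, 0.0],
              "SC-5": [1.0, 0.5, 0.5, 0.5], "SC-6": [0.0, 0.0], "SC-7": [0.5, 0.5]},
    "org-B": {"SC-1": [1.0, 0.5], "SC-2": [1.0, 1.0, 1.0],
              "SC-3": [1.0] * 6, "SC-4": [1.0, 0.5],
              "SC-5": [1.0, 1.0, 1.0, 0.5], "SC-6": [1.0, 0.5], "SC-7": [1.0, 1.0]},
    "org-C": {"SC-1": [0.5, 0.0], "SC-2": [1.0, 0.5, 0.0],
              "SC-3": [0.5, 0.5, 0.0, 0.5, 0.0, 0.0], "SC-4": [0.0, 0.0],
              "SC-5": [0.5, 0.0, 0.0, 0.0], "SC-6": [0.0, 0.0], "SC-7": [0.0, 0.0]},
}


def validate_submission(submission, goals=SC_GOALS):
    """Return a list of problems with a submission; an empty list means it is
    complete (every goal present, the right number of practice scores, all
    in [0, 1]). The evidence requirement is what keeps these numbers honest;
    this only checks the submission's shape."""
    problems = []
    for goal, (_, count) in goals.items():
        scores = submission.get(goal)
        if scores is None:
            problems.append(f"{goal}: no scores submitted")
            continue
        if len(scores) != count:
            problems.append(f"{goal}: expected {count} practice scores, got {len(scores)}")
        problems.extend(f"{goal}: score {s} outside [0, 1]" for s in scores
                        if not 0.0 <= s <= 1.0)
    return problems


def goal_scores(submission):
    """Roll practice scores up to one score per goal (mean of its practices)."""
    return {goal: mean(scores) for goal, scores in submission.items()}


def summarize(submissions):
    """Peer summary per goal: average (the chart's block) and min/max (its bar)."""
    per_org = [goal_scores(sub) for sub in submissions.values()]
    summary = {}
    for goal in SC_GOALS:
        values = [scores[goal] for scores in per_org]
        summary[goal] = {"avg": mean(values), "min": min(values), "max": max(values)}
    return summary


def gap_analysis(org, submissions, target=1.0):
    """For one participant: gap to the target per goal (gap to the framework)
    and gap to the peer average excluding the participant itself (gap to peer
    data), ordered largest gap first. A positive gap_to_peers means the
    participant trails its peers on that goal."""
    own = goal_scores(submissions[org])
    peers = [goal_scores(sub) for name, sub in submissions.items() if name != org]
    rows = []
    for goal, status in own.items():
        peer_avg = mean(p[goal] for p in peers)
        rows.append({"goal": goal, "name": SC_GOALS[goal][0], "status": status,
                     "gap_to_target": target - status,
                     "gap_to_peers": peer_avg - status})
    rows.sort(key=lambda r: (r["gap_to_target"], r["gap_to_peers"]), reverse=True)
    return rows


if __name__ == "__main__":
    for org, sub in SUBMISSIONS.items():
        assert not validate_submission(sub), (org, validate_submission(sub))
    for goal, s in summarize(SUBMISSIONS).items():
        print(f"{goal} {SC_GOALS[goal][0]:<18} avg={s['avg']:.2f} "
              f"range={s['min']:.2f}..{s['max']:.2f}")
    for row in gap_analysis("org-A", SUBMISSIONS):
        print(f"org-A {row['goal']} {row['name']:<18} status={row['status']:.2f} "
              f"gap_to_target={row['gap_to_target']:.2f} "
              f"gap_to_peers={row['gap_to_peers']:+.2f}")
```

Sorting by gap to target first and gap to peers second is one defensible prioritization; an organization that is behind the framework but level with its peers (org-A on Maintain Plans in the constructed data) ranks below one that is behind both. Because peers exclude the organization being assessed, the comparison is not diluted by its own score.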
For more information Charles Wallen Charles.Wallen@fstc.org www.fstc.org Lisa Young lry@cert.org www.cert.org/resiliency_engineering
Futurist Closing Luncheon Program, On the Horizon: The Future of Telecommunications and Banking (FSTC's 2008 Annual Conference, On the Innovative Edge: Successful Strategies for Financial Services Industry Navigators)