© 2018 MHA CONSULTING. ALL RIGHTS RESERVED.
Building an Effective Cyber Exercise
Richard Long, Senior Advisory Consultant, MHA Consulting
January 10, 2018
COMPANY BACKGROUND
KEY FACTS
• 18-year proven track record of applying industry standards and best practices across a diverse pedigree of clients.
• A simple mission: Ensure the continuous operations of our clients’ critical processes.
• 60% of revenue comes from Business Resiliency, 30% from IT Disaster Recovery, and 10% from SaaS tools.
• SaaS Tools: BIA On-Demand, Compliance Confidence, Residual Risk.
• SAAS: Compliance and risk tools.
• CAPABLE: Comprehensive suite of services.
• 20: Average years industry experience.
• 18: Years in operation.
• GLOBAL: Diverse, global client base.
SENIOR LEADERSHIP
MHA Consulting’s senior team has an average of over 20 years of industry-relevant experience in the areas of Business Continuity, Disaster Recovery, and Project Management.
Richard Long, Practice Leader & Senior Advisory Consultant, Phoenix, Arizona, www.mha-it.com
DIVERSE, GLOBAL CLIENT BASE
Healthcare, Education, Financial Institutions, Consumer Products, Insurance, Travel & Entertainment, Government/Utility, Services
ROBUST SUITE OF SERVICES
ASSESS THE CURRENT ENVIRONMENT
• Current State Assessment
• Policy & Standards
• Business Impact Analysis
• Threat & Risk Assessment
• BCMMETRICS™ BIA On-Demand (BIAOD)
• BCMMETRICS™ Compliance Confidence (C2)
• BCMMETRICS™ Residual Risk (R2)
RECOVERY STRATEGIES & SOLUTIONS
• Business Recovery Strategies & Solutions
• Data Center Recovery Strategies
RESPONSE & RECOVERY PLANS
• Crisis Management
• Business Recovery
• IT Disaster Recovery
EXERCISES
• Training & Awareness
• Mock Disaster Exercises
• Plan Functional Walkthroughs
• Alternate Worksite Exercises
MAINTAIN & IMPROVE
• Update Recovery Plans
• Update Current State Assessment
• Update Business Impact Analysis & Threat Assessment
• Third Party Assessments
BCM COMPLIANCE STANDARDS
STANDARDS IN BUSINESS CONTINUITY
• ISO 22301
• FFIEC
• NIST 800
• NFPA 1600
• SEC
• FISMA
• FINRA
• Supply Chain Resiliency Leadership Council
MEASURE COMPLIANCE IN THESE BCM DIMENSIONS
• Program Administration
• Crisis Management
• Business Recovery
• IT Disaster Recovery
• Fire & Life Safety
• Supply Chain Risk Management
• Third Party Management
Why Are You Here?
• What & Why of Cyber Exercises
  • Scope
  • Who should participate
  • Types of exercises
• How of Cyber Exercises
  • Planning
  • Managing the activities
• What to Do With the Results
BUSINESS CONTINUITY MANAGEMENT
SO, WHAT IS BUSINESS CONTINUITY MANAGEMENT?
Business Resumption Planning
• The process initiated to resume business operations to a level consistent with the business requirements.
IT Disaster Recovery Planning
• The recovery of information technology processes, systems, applications, databases, and network assets used to support critical business processes.
Crisis Management
• A series of actions taken to gain control of the event quickly to minimize the effects of an interruption and prepare for recovery.
DEFINITIONS
Availability & Resiliency
Business Continuity
Overall continuation of business functions during an emergency event.
Disaster Recovery
Recovery of systems, applications, and processing capabilities.
Process
A business process is functional and available; it remains available even during potential impact events.
Application
Available for use by the organization based on requirements; remains available even during potential outage events.
THE BIG PICTURE
(Diagram slide; no text content extracted.)
BASIC COMPONENTS IN CYBER PLANNING
01 CRISIS MANAGEMENT. The tasks and actions taken to manage an event. Plans should include specific sections on cyber events. Include third party assistance.
02 IT CYBER PLAN. Similar to the IT Disaster Recovery plan; a plan related to IT actions and procedures for cyber events. Include third party assistance.
03 STRATEGY/IMPLEMENTATION. Technical implementation.
04 CYBER TESTS. Verifying strategy and management are functional.
WHAT IS A CYBER EXERCISE?
FIND ISSUES OR GAPS
• Reality-based scenario requiring technical and non-technical response & actions related to any cyber or potential cyber breach (data loss, ransomware, virus, etc.).
• Opportunity to validate the technical response strategy and details.
• Training opportunity for technical staff.
• Training opportunity for business personnel.
• Training opportunity for emergency management of the event.
• Opportunity to identify gaps and weaknesses in the recovery strategy, implementation, procedures, and dependencies.
WHAT IS A CYBER EXERCISE?
NOT A SUCCESS OR FAILURE
• An EXERCISE is not binary.
• Success means being able to react appropriately NO MATTER HOW MANY ISSUES OCCUR.
• Success means finding areas of improvement and issues to resolve.
• Success means improved training and knowledge.
• Failure = No issue; everything was perfect.
  • Impossible (almost) to be true
• Failure = Not being able to perform any recovery or only talking “theoretical”.
TYPES OF CYBER EXERCISES
THERE IS NOT ONE TYPE
• Technical Exercises
  • Validating technical components and performance
• Business (Non-Technical) Exercise
  • Functional impacts
  • Communication (Internal & External)
• Organizational Management/Crisis Management
  • Overall management of event
  • Including Third Parties
    • Law Enforcement
    • Security Consultants
• Combination of all of these
TYPES OF CYBER EXERCISES
SCENARIOS
• Data Breach
  • Private, confidential, personal data leaving the premises; may be electronic or physical
  • Ransom/vendetta of data obtained
• Malware/Ransomware
  • Data corrupted/encrypted
  • Requires paying the actor to decrypt the data
• Malware/Virus
  • Server impacting
• Phishing access
  • Which leads to the above
• DDoS – Denial of service
PLANNING FOR THE EXERCISE
PLAN – DON’T IMPLEMENT
Planning is not about Cyber Implementation.
• Should not be about finding gaps and correcting them before the exercise.
• Should not be about making sure the exercise is a “success.”
PLANNING FOR THE EXERCISE
PREPARE – DON’T OVERPLAN
Planning = Organization
• Determine type of exercise.
• Buy-in from management.
• Identify and schedule the participants.
• Communicate scope and execution expectations.
• Ensure there is no production impact.
• Identify potential impacts which may be major roadblocks that stop the exercise.
• Action item identification and follow-up.
• Organize resources and schedule time.
  • Third Parties
• Develop exercise schedule.
  • People Schedule
THIRD PARTIES
WHO DO YOU INCLUDE?
• Law Enforcement
  • Local
  • Federal (FBI)
• Insurance
• Security consultants/partners
• Technical partners
  • Storage/Server/Network
  • Monitoring
• PR/Communication firms
SCOPE
WHAT IS APPROPRIATE SCOPE?
• Technical Exercises
  • Simulate the scenario and execute troubleshooting or research.
  • Identify actions.
• Business (Non-Technical) Exercise
  • Scenario based to force use of workarounds or BC plans.
• Organizational Management/Crisis Management
  • Use different scenarios, not just data breach of PII.
  • Increasing complexity or impacts
WHO ARE THE PARTICIPANTS?
TECHNICAL & BUSINESS
• Crisis Management
• Infrastructure (Network/Storage/Server)
• Security (both IT and Physical)
• Risk Management
• Local
MANAGING THE EXERCISE
COMMUNICATION & DISCIPLINE
• Ensure disciplined actions:
  • Use documentation, not memory
  • Communicate at each major milestone
  • Communicate all issues no matter how small
  • Use of timeline
  • Single source of status & updates
• Keep it real
  • Execute in real time if possible
MANAGING THE EXERCISE
RECOMMENDATION
Consider:
01 Pre-Start Meeting – Remind about communication methodology and execution expectations.
02 Online tool/sharing.
  • Consolidated Issues List
  • Schedule and Recovery Status
03 Regular Status Meeting.
  • Leaders provide status, not those performing the recovery
  • Prevents distractions to technical staff
04 Remind and follow up on use of documentation and identification of issues.
  • Focus on identification of issues, not binary results.
05 Single Coordinator.
06 Follow-up on issues/action items identified.
MULTIPLE EXERCISES
HOW CAN YOU PERFORM MORE THAN ONE?
• Perform a single large integrations-based exercise annually.
• Perform component exercises monthly/quarterly.
  • Technical
  • Crisis Management
  • Business
• Short (5 – 15 min.) exercises in staff meeting.
WHAT TO DO WITH THE RESULTS
01 ADJUST THE STRATEGY. May require modifications to the recovery strategy based on results and needs.
02 ADJUST RECOVERY PROCEDURES & DOCUMENTATION. A major benefit is updating and ensuring functional procedures and actions.
03 REVIEW & UPDATE COORDINATION WITH BC PLAN. Review and validate the integration and validity of BC plans while recovery occurs.
04 BUDGET. Honest results help in determining both budget and approval from management.
05 ACTION ITEMS. Identify and manage actions from the exercise to improve and ensure functional capability.
SO, WHAT ARE THE NEXT STEPS?
WHAT DO WE DO NOW? HOW DO WE START OR CONTINUE?
• Identify when the last actual exercise occurred.
• Do you know the results of the last exercise?
• Perform a crisis management exercise.
AREAS TO REVIEW
• Crisis Management Plan
• Communication Plan
• Technology Solutions
WHERE TO PRIORITIZE
• People know what to do
• Training of all staff on risks
• Validate current state
FINAL THOUGHTS
IT’S NOT IF, BUT WHEN
MHA CONSULTING, INC.
THANK YOU
www.mha-it.com
(888) 689-2290
(602) 370-1864
Richard Long, Senior Advisory Consultant