Spring World 2015

Conference & Exhibit

Attend The #1 BC/DR Event!

Fall Journal

Volume 27, Issue 4

Full Contents Now Available!

Jon Seals

Thursday, 04 December 2014 00:00

BCM 2000: Essentials of BCM Series

Implementing ISO 22301, 22313,
22320, 22398, 27031, 31000, 19011 & 17022
Includes BCI's 2013 Good Practice Guidelines 
Looking for a course that is based on international standards?
 
Looking for templates and examples on how to develop a Business Continuity Management System that meets the requirements of the standards? 
 
Do you like to have fun (and maybe even laugh out loud!) when you learn?
Then BCM 2000: Essentials of Business Continuity Management is the course for you!  Download the Brochure 

Course Description 
BCM 2000: Essentials of Business Continuity Management provides you with knowledge to develop a standards-based, auditable, and actionable business continuity program for your organization.
This course is the critical starting point to developing a program that can be certified ISO 22301. It is comprised of 10 individual modules that can be taken as a series or in combination over time.

Essentials of Business Continuity Management provides the foundation necessary for new or current professionals interested in either developing a career in Business Continuity Management, seeking certification, or for those professionals responsible for developing a business continuity program for their organization.

It is designed to expose the participant to all aspects of a holistic BCM program and to be a solid "how to"guide for building a business continuity program for all types of organizations.


Student activities are included throughout the course and are designed as knowledge checks to reinforce lesson materials and to provide attendees with hands-on activities that will enable them to become familiar with and apply these principles in their jobs.

Delivery Structure
Essentials of BCM is offered as an elearning course that includes the following elements: Download the Brochure
  • Voice over ppts teaching online
  • pdf's of the course book
  • Templates of how to implement the requirements of the standards (sample policies, reports, etc.)
  • Multi-media that is relevant & fun!
  • BCI's 2013 Good Practice Guidelines 
  • Case study
  • Open for Business Toolkit
  • Course review activities to evaluate for comprehension
  • Practice exam questions (for DRII's Qualifying Exam)
  • Online essay for CEU credit  
  • Email access to a qualified expert for questions
  • Online ISO 22301 Lead Implementer Certification Exam included in course fee 
Certification Requirements
Successful completion of the BCM 2000 series with a passing grade on the online CORS in BCM exam completes the educational component for certification as a Certified Organizational Resilience Specialist (CORS) in BCM / ISO 22301 Lead Implementer.

null
Holders of the CORS certification are entitled to apply for statutory membership with the BCI at the AMBCI or MBCI level, subject to evidence of required experience.
With ISO 22301 as an international standard allowing companies to demonstrate their ability to cope with major threats; as well as provide a management systems approach to business continuity management, this course provides you with what you need todevelop a program that complies with these certification standards.

Register Here

And if you have questions, don't hesitate to call or send an email.
Sincerely,
Lynnda Nelson, President
The International Consortium for Organizational Resilience
Education@theicor.org
866.765.8321 US/Canada  +1630.705.0910 International Calls
BCM 2000: Essentials of Business Continuity Management Series
BCM 2011: Business Continuity Program Development
BCM 2021: The Business Impact Analysis
BCM 2022: The Risk Assessment
BCM 2023: Developing Strategies / Options to Protect the Organization
BCM 2031: Plan Design, Program Structure, & Required Documentation
BCM 2032: Incident Response, Management & Communication
BCM 2033: Business Continuity & Recovery Plans
BCM 2035: Writing the ICT Continuity / IT DR Plan
BCM 2041: Awareness, Training, Testing & Exercising
BCM 2042: Program Evaluation, Improvement & Audit
BCM 2011:  BCM Program Development 
In order to develop a Business Continuity Management System, it is important to understand the requirements of management systems, the core concepts of business continuity, and how to determine the scope of the program, develop policy, and the requirements for leadership and governance. BCM 2011 provides an overview of each of these topics as the foundation for developing and managing the BCMS.

BCM 2021:  The Business Impact Analysis
The BIA process is covered from beginning to end with a focus on the identification of the organization's key products and services and the critical activities and resources that support them.  Examples of BIA data gathering questions, methodology, analysis and reporting provided. 

BCM 2022: The Risk Assessment
Using the ISO 31000 standard on Risk Management as its basis, this course describes the process of conducting a risk assessment and analyzing the results to mitigate risks.  From risk identification, risk description, risk analysis, risk evaluation, risk communication, and risk reporting, this course covers the entire risk assessment process using an enterprise risk management approach.   A key requirement of the standards is the identification of the organization's risk appetite or acceptance and this course provides the methodology for this identification. In addition, BCM 2022 includes a review of different quantitative and qualitative methods for analyzing risk.

BCM 2023:  Developing Strategies / Options to Protect the Organization
This course introduces the student to the challenges of selecting the appropriate strategies / options
for the continuity and recovery of business processes, critical functions, operations and the supporting information technologies within the specified recovery time objective.  Building on the information gathered during the BIA and risk assessment, BCM 2023 explores how to evaluate the different strategies necessary for mitigating risk, continuing operations when possible, and recovering operations if interrupted. BCM 2023 reviews strategies for people, property, assets, technology and information, reputation, suppliers, and financial viability.

BCM 2031:  Plan Design, Program Structure & Required Documentation
In order to develop the actual plan documents the organization will need to decide on the approach, methodology and the plan document structure. BCM 2031 outlines the necessary roles and responsibilities of the members of the organization, the key elements that must be included in every plan type, and how to meet the requirements for managing documentation.

BCM 2032:  Incident Response, Management & Communications
Implementing procedures for responding to an incident of any kind, managing the incident, and ensuring successful communication with all interested parties before, during and after the incident is an essential requirement for all business continuity programs. BCM 2032 also ties to the requirements of ISO 22320 on Incident Management and PAS 200 on Crisis Management & Communications.  The objective of BCM 2032 is to develop and implement procedures for response to and stabilization of the situation following an incident or event, including establishing and managing an Emergency Operations Center and local command centers during the crisis.

BCM 2033:  Business Continuity & Recovery Plans
All of the procedures developed as part of strategy development need to be documented in the business continuity and recovery plan. BCM 2033 reviews the requirements for business continuity plans and how to document procedures according to ISO 22301.

BCM 2034:  ICT Continuity / IT DR Plans & Procedures 
The focus of the ICT Continuity and the IT Disaster Recovery Plan is on the IT infrastructure that supports the business operations and ensuring that the plan in place protects the key infrastructure of
the organization. ISO 27031 on ICT Continuity outlines the methodology for ensuring that the ICT infrastructure supports the BCM infrastructure to ensure that there are no unsupported critical processes and the RTOs can be met. BCM 2034 reviews the guidelines for ICT continuity under ISO 27031, ISO 27001, and NIST 800-34.

BCM 2041:  Awareness, Training, Testing & Exercising 
Building a BCMS culture is an essential component of ensuring a successful program. Determining competence of all parties involved in the business continuity management system and increasing competence through awareness, training, testing, and exercising is a key component of this process and is vital to the success of the BCMS. BCM 2041 also aligns to the guidance of ISO 22398 for developing exercise programs. 

BCM 2042: Program Evaluation, Improvement & Audit 
It is impossible to keep the BCM program current and actionable or to move to a management system without monitoring, measuring, analyzing, and evaluating the BCMS. BCM 2042 explores the requirements for internal audit and management review of the BCMS. Also included are the requirements for writing the audit report based on ISO 19011 and ISO 17022. 
If you would like to submit an article or presentation for a future ICORrespondence Newsletter submit it to Lynnda@theicor.org.
 
Sincerely,
 
Lynnda Nelson, President
The International Consortium for Organizational Resilience
Save 10%
Did you know that you can save 10% on all ICOR courses if you are a member of one of the following organizations?  Contact them to find out how or email info@theicor.org.
  • ICOR
  • ACP
  • AFCOM
  • ASIS
  • BRPA
  • BRPA SW
  • IAEM
  • IFMA
  • NEDRIX 
Become an ICOR Member Today!

Outstanding 582 percent growth down to innovation and outstanding service

 

ABERDEEN, UK – Inoapps has announced that it has ranked number 292 on the Deloitte Technology Fast 500 EMEA 2014, a ranking of the 500 fastest growing technology companies in EMEA. Rankings are based on percentage revenue growth over five years.

 

Inoapps grew 582 percent during this period.

 

Inoapps’ CEO, Andy Bird, credits the 582 percent revenue growth over the past five years to innovation and exceptional service commenting, "We are thrilled to be ranked in the Fast 500. To appear in this list as well as the Fast 50 is testament to the success of our ambitious growth plans supported by our team’s innovation and exceptional service delivery.”

 

“Securing a position in the Deloitte Technology Fast 500 is an impressive feat, especially in the highly competitive and rapidly changing environment of the technology industry,” said David Halstead, Deloitte UK and partner in charge of the Deloitte Technology Fast 500 EMEA programme. "We congratulate Inoapps on being among the most dynamic and successful technology companies in the region."

 

In addition to ranking in the Deloitte Technology Fast 500, Inoapps ranked 45th in the UK Deloitte Technology Fast 50, which is a ranking of the 50 fastest growing technology firms in the UK.

 

Deloitte Technology Fast 500 EMEA selection and qualifications

The Technology Fast 500 list is compiled by the Deloitte EMEA Technology Fast 50 programme, nominations submitted directly to the Technology Fast 500, as well as public company database research. To qualify for the Technology Fast 500, entrants must have had base-year operating revenues of at least €50,000 and current-year operating revenues of at least €800,000.

 

Entrants may be either public or private companies but must be a ‘technology company’, headquartered in EMEA. A ‘technology company’ is defined as a company that develops or owns proprietary technology that contributes to a significant portion of the company's operating revenues, or manufactures a technology-related product, or devotes a high percentage of effort to the research and development of technology. Using other companies' technology in a unique way does not qualify.

 

About Inoapps

Headquartered in Aberdeen, Scotland, Inoapps is a global company with operations across Europe, the Middle East, Asia and the Americas.

 

A leading Oracle Platinum Partner and Oracle Applications, Technology & Hardware specialist, Inoapps delivers the complete Oracle application-to-disk enterprise IT environment through the provision of consulting, and implementation together with hosting and managed services. The company has clients across a broad range of industry sectors including energy, engineering, construction, travel, financial services and manufacturing as well as local and central government.

 

Inoapps is proud to be recognized by Oracle as Specialized Partner of the Year for Accelerate Solutions: EMEA 2010 & 2012, Oracle General Business Applications Partner of the Year 2009, 2010 & 2011, UK Oracle User Group Database Partner of the Year 2011/12 and the Sunday Times Hiscox Tech Track 100 2014.

Inoapps recently received a £10 million investment of growth capital from BGF (Business Growth Fund), the independent company established to provide growth capital to UK businesses.

www.inoapps.com

 

About Deloitte Technology Fast 500™ EMEA

The Deloitte Technology Fast 500 EMEA programme is the region’s most objective industry-ranking to focus on the technology field, recognising technology companies that have achieved the fastest rates of revenue growth in Europe, the Middle East, and Africa (EMEA) during the past five years. Combining technological innovation, entrepreneurship and rapid growth, Fast 500 companies – large, small, public and private – span a variety of industry sectors, and are leaders in hardware, software, telecom, semiconductors, internet, media, life sciences and emerging areas, such as clean technology.

 

The programme is supported by the Deloitte Technology Fast 50 initiatives, which rank high growth technology companies by location or specifically defined geographic area and is run by the Deloitte Touche Tohmatsu Limited’s Technology, Media & Telecommunications (TMT) global industry group. Co-sponsors include Fidelity Growth Partners Europe, a venture and growth capital investor which backs entrepreneurs with aspiration for greatness in the IT and clean technology sectors across Europe, Silicon Valley Bank, the premier bank for technology, life science, private equity and premium wine businesses and Taylor Wessing, a leading International law firm with a focus on the industries of tomorrow. More information on the programme and prior year winners is available on www.deloitte.com/fast500emea.

 

About Deloitte

In this press release references to Deloitte are references to Deloitte LLP, which is among the country's leading professional services firms.

Deloitte LLP is the United Kingdom member firm of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private company limited by guarantee, whose member firms are legally separate and independent entities. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms.

FireEye Outperforms Mainstream Security Providers in New Advanced Malware Test

 

LONDON – Delta Testing, a specialist in anti-malware testing methodologies and research, today released a new report highlighting shortcomings in the detection rates of leading players in the advanced threat solution market. Based on independent tests carried out by Delta Testing, the New Approach to Assessing Advanced Threat Solutions report, shows a significant discrepancy between the seven vendors tested, with FireEye achieving a 99.14 per cent detection rate compared to Fidelis 5.17 at the other end of the scale.

 

Unlike established information security tests which rely on legacy malware such as common viruses and worms or malware repositories, Delta Testing runs advance malware that has never before been detected by a product. This malicious code is sourced from Delta’s network of incident response teams, security researchers and organisations that have been breached.

 

By using malicious code already in the wild, yet recent enough that no signatures currently exist, products are exposed to an unpredictable environment. This approach ensures that products that don’t have the ability to detect unknown malware using dynamic analysis can be easily identified. The approach of using actual malicious code along with actual packet captures is a clear advantage over using synthetic malware that, while lab-appropriate, doesn’t mimic real-life examples.

 

In the advanced threat protection solutions test, packet captures were stripped of customer data and replayed through the latest published software version of the advanced malware protection products. All of the products were allowed time to analyse the packets in their virtual environments or perform lookups in their cloud or threat intelligence. Each product’s interface was subsequently checked to see if an alert had been triggered to determine detection. Detection rates were calculated as a percentage by dividing the number of detections against a total number of samples sent.

 

Finding summary:

Vendor              

Appliance(s)

Version(s)

Result (per cent)

AhnLab

MDS 2000

Version 2.1.2.27( Build 75r)

6.9

Checkpoint

2200 Appliance

4600 Appliance

Version R77

Version R77

24.14

Fidelis Cybersecurity Solutions

XPS Edge 200

XPS Sensor

XPS Command Post

Version: 7.6.5

Version: 7.6.5

Version: 7.6.5

5.17

FireEye

NX 7500

Version 7.4.0

99.14

McAfee

Advanced Threat Defence

Network Security Platform

Version 3.0.2.36.34869

Version 8.0.5.9

12.94

Vendor A

Appliance with Cloud Based Sandbox

Version 6.0.0

21.55

TrendMicro

Deep Discovery Advisor

Deep Discovery Inspector

Version 2.95.0.1104

Version 3.5

33.91

 

Commenting on the findings, Mark Thomas, commercial director, Delta Testing says, “It would appear that most mainstream vendors are on par when it comes to previously known attacks. However, as soon as you move towards a methodology that exposes the products to fresh malware samples taken from actual customer environments, detection rates start to show significant variations based on the technology and detection methodology used by the vendor. This clearly demonstrated FireEye’s leadership in detecting advanced/unknown threats.”

 

“While only one malware sample tested was missed by all seven products, the fact that no vendor scored 100 per cent in identifying all of the samples shows that some attacks are still getting through the net. As such, in order to meet the shortfall, organisations need to consider a holistic approach to security which doesn’t just rely on detection but addresses threat prevention and response tactics too.”

The full report can be viewed and downloaded here: http://www.deltatestingltd.com/threat-files-download.

 

About Delta Testing

Delta Testing specialises in anti-malware testing methodologies and research and is committed to creating the industry’s finest real world test systems to combat advanced attacks. The company comprises of several in-house malware specialists headed by a Chief Researcher with over 20 years industry experience. Together the team has tested hundreds of products from global vendors, giving the company unrivalled expertise. Delta Testing is based in West Glamorgan, UK.

First AGM to be Held Electronically via Webinar/webex; goal is to reach all USA members

 

NEW YORK, NY – The Business Continuity Institute’s USA Chapter Board of Directors has announced the chapter will hold its Annual General Meeting (AGM) electronically via webinar/webex on Monday, December 15, 2014 at 4:00 pm EST.

According to chapter president Douglas Weldon, “The AGM presents an exciting opportunity for the chapter to describe its accomplishments and discus its current state, outline upcoming goals and priorities, and provide an opportunity for BCI USA Chapter members to ask questions and provide comments.”

The BCI USA Chapter’s AGM is open to all active BCI members in the U.S.  

In the past, the chapter has held AGMs at Disaster Recovery Journal (DRJ) conferences, but this year the USA Chapter Board decided to make the AGM available to all USA members so the event will be held via webinar/webex.

Agenda topics will include:

  • Review and Approval of 2013 USA Chapter AGM Minutes

  • Review and Approval of Chapter Financials

  • 2014 Focus Areas

  • Introduction of 2015 Chapter Board Members

  • 2015 Key Initiatives

  • Awards Program

  • Open Discussion

      

The chapter will be sending out webinar invitations to all members shortly so members are encouraged to register as soon as possible in advance of this important event. 

 

About the Business Continuity Institute

Founded in 1994, the Business Continuity Institute (BCI) is a a member-owned, not-for-profit professional association of business continuity professionals. The BCI provides a broad range of educational and though-leadership programs, and has over 8,000 members in more than 120 countries working in an estimated 3,000 organizations across private and public sectors. The BCI USA Chapter was founded in 2008 and currently has over 900 members. More information on the BCI can be found by visiting www.thebci.org.

Portfolio and resource management company recognised for completeness of vision and ability to execute

 

READING, UK – Planview® has been positioned in the Leaders quadrant of the 2014 Gartner “Magic Quadrant for Integrated IT Portfolio Analysis (IIPA) Applications, published November 18, 2014.” This marks the fourth consecutive year the company has placed in the Leaders quadrant for its Planview Enterprise® product.

 

According to the Gartner report: “The IIPA software market consists of vendors providing the integration of individual portfolios – for investments, projects, assets and IT services – to present a more holistic story regarding the true state of the IT portfolio. Integrating these views enables IT leaders to see the cost, effort, technical complexity, feasibility and interrelated effects of a proposed IT change or initiative.

 

Planview Enterprise has native capabilities to manage investment, project, application, services and product portfolios. This integrated portfolio approach helps IT leaders optimise the use of their constrained people and financial resources in support of business goals. The at-a-glance “ribbon” in the product gives IT leaders access to interactive tiles that provide visual, direct access to the metrics, notifications, and analytics that are critical to any portfolio as well as the ability to see across portfolios.

 

Planview extended these portfolio views to the applications and services portfolios in the most recent release of Planview Enterprise, helping IT leaders make more informed technology and business decisions.

 

“As the Gartner report states, IT organisations are maturing in their approaches to IIPA, facilitated by software that provides an integrated view of IT silos,” says Patrick Tickle, chief product officer at Planview. “Planview continues to lead the way in helping technology and business leaders understand how a broad range of portfolios – including products, applications, investments, and services – come together to drive business results.”

 

Gartner evaluates vendors on two main criteria: ability to execute (product or service, overall viability, customer experience, operations and sales/marketing execution) and completeness of vision (innovation, business model, market understanding, and having a strong strategy for product, marketing, sales, geography and vertical/industry).

 

Regarding the specific criteria for the Leaders Quadrant, the Gartner report continues: “Leading IIPA products can interweave IT portfolios and IT scenarios by identifying the interrelationships and interdependencies among the elements within and across them. Product features of Leaders often include detailed organisation, modeling, and what-if planning and other scenario planning to map IT’s planned physical response to directives that are handed down as part of the overall business strategy and the proceeding IT strategy.”

 

To access a copy of the report, visit Planview.info/Magic

Planview also received a “Strong Positive” rating ? the highest possible given ? in the May 16, 2014, Gartner “MarketScope for IT Project and Portfolio Management Software Applications” by Daniel B. Stang and Robert A. Handler.

2014 saw continued use of buzzwords like cloud, wearables, BYOD and IoT but conversations around what this will mean to business if we don’t evolve and prepare our IT infrastructures were significantly lacking.

There’ll always be some level of disconnect between maintaining IT and maintaining business productivity; both have very different deliverables. However the two must be interlinked as there are key areas where IT and business objectives overlap. Understanding the ICT environment in depth is important to improving business resilience and the efficiency of the ICT infrastructure.

In this article Patrick Hubbard highlights emerging areas where greater understanding is required to enable organizations to maintain current levels of ICT availability and resiliency.

...

http://www.continuitycentral.com/feature1254.html

EMC Corporation has published the findings of a new global data protection study that reveals that data loss and downtime cost enterprises more than $1.7 trillion in the last twelve months. Data loss is up by 400 percent since 2012 while, surprisingly, 71 percent of organizations are still not fully confident in their ability to recover after a disruption.

The EMC Global Data Protection Index, conducted by Vanson Bourne, surveyed 3,300 IT decision makers from mid-size to enterprise-class businesses across 24 countries.

Impact of data loss and downtime
The good news is that the number of data loss incidents is decreasing overall. However, the volume of data lost during an incident is growing exponentially:

  • 64 percent of enterprises surveyed experienced data loss or downtime in the last 12 months;
  • The average business experienced more than three working days (25 hours) of unexpected downtime in the last 12 months;
  • Other commercial consequences of disruptions were loss of revenue (36 percent) and delays to product development (34 percent).

New wave of data protection challenges
Business trends, such as big data, mobile and hybrid cloud are creating new challenges for data protection:

  • 51 percent of businesses lack a disaster recovery plan for any of these environments and just 6 percent have a plan for all three;
  • In fact, 62 percent rated big data, mobile and hybrid cloud as 'difficult' to protect
  • With 30 percent of all primary data located in some form of cloud storage, this could result in substantial loss.

The protection paradox
Adopting advanced data protection technologies dramatically decreases the likelihood of disruption. And, many companies turn to multiple IT vendors to solve their data protection challenges. However, a siloed approach to deploying these can increase risks:

  • Enterprises that have not deployed a continuous availability strategy were twice as likely to suffer data loss as those that had;
  • Businesses using three or more vendors to supply data protection solutions lost three times as much data as those who unified their data protection strategy around a single vendor;
  • Those enterprises with three vendors were also likely to spend an average of $3 million more on their data protection infrastructure compared to those with just one.

More details: http://emc.im/DPindex

There are a great many challenges to overcome to prepare a sizable organization for crises, emergencies or reputation disasters. But one seems nearly intractable: the ignorance of those in high places. The very ones who will make the big decisions when push comes to shove. The lawyers, the CEOs, the regional execs, the Incident Commanders, the chiefs, the directors, the presidents.

If the ones who call the shots during a response do not understand the water they are swimming in, the effort is doomed–despite all the preparation that communication and public relations leaders may put in place.

A week or so ago I had the privilege of presenting to the Washington State Sheriffs and Police Chief’s association training meeting. Chief Bill Boyd and I were to give a four hour presentation to these law enforcement leaders. Bill did the bulk of the work on the presentation, but had a medical emergency and couldn’t present with me. One item he had gathered for this really hit me–and those present. The Boston Police radio message from the Incident Commander on the scene just after the bombing occurred included the calm but clearly adrenalin-filled IC’s details on what actions the police on the scene were taking. Then he said, “And I need someone to get on social media and tell everyone what we are doing.” That’s correct. One of the top priorities of this Commander was to inform the public of police actions and the way to do that he knew was through the agencies social media channels.

...

http://ww2.crisisblogger.com/2014/12/the-biggest-crisis-comm-obstacle-high-level-ignorance/

Boards, regulators and leadership teams are demanding more and more of risk, compliance, audit, IT and security teams. They are asking them to collaboratively focus on identifying, analyzing and managing the portfolio of risks that really matter to the business.

As risk management programs evolve to more formal processes aligned with business objectives, leaders are realizing that by developing a proactive mindset in risk and compliance management, teams can provide added value to help the organization gain agility by identifying new opportunities as well as managing down-side risk. Organizations with this new perspective are more successful in orchestrating change to provide a 360-degree view of both risk and opportunity.

Risk teams that are further along on the journey of leveraging proactive approaches to risk management look not only within the organization but beyond to supplier, third party and customer ecosystems. This means developing a view across the larger enterprise infocosm, to ensure alignment of people, processes and technologies.

...

http://www.riskmanagementmonitor.com/how-active-governance-can-help-advance-risk-intelligence/

(TNS) — In baseball, when a slugger has been slumping for a few years in a row, the pundits in the upper deck will be quick to declare a trend; “the bum’s done,” they’ll assert.

Weather forecasters are a little more retrospective.

In 2001, forecasters had announced that they believed that since 1995, the tropics had been in a cycle of more and stronger storms. Such periods can last 25 to 40 years.

The hurricane season that ended Sunday, Nov. 30, was quiet. So was the year before that. Only three seasons since 1995 have been below average. We just went through two of them.

This followed some of the busiest, and most damaging, years on record.

...

http://www.emergencymgmt.com/disaster/Is-Storm-Needed-Prevent-Hurricane-Amnesia.html