Marlin Ness, CGEIT, CRISC
North America ISRM/ITGRC 2012, 14-16 November 2012

SPEAKER BIOGRAPHY

Marlin Ness is an Executive Director in Ernst & Young's Strategic Technology Advisory Services practice. He has over 25 years of enterprise IT process and systems experience, serving all service line clients in IT strategy, architectures, project management, IT effectiveness, IT process improvements, systems lifecycles, and operations. Over the last 15 years he has been responsible for the successful implementation or audit of over 50 command centers, data centers, and IT projects. His expertise lies in the planning, architecture, design, testing, implementation, and operations of multimillion-dollar data centers, including facilities, networking, telephony, voice, servers, systems, storage, backup and recovery, databases, and security functional areas.

His current focus areas are IT process effectiveness and efficiency improvements in the financial services, healthcare, credit card, insurance, and pharmaceutical industries. He is Department of Defense CIO certified, a Project Management Professional (PMP), Certified in the Governance of Enterprise IT (CGEIT), CRISC certified, a Certified Information Systems Security Professional (CISSP), and ITIL foundation level certified.

SESSION OVERVIEW

Business Continuity Management

Session One Overview
- Purpose, Background and Observations
- Industry Standards and Guidance
- Business Continuity Framework and Program
- Design and Implementation
- Leading Practice Examples

Session Two Overview
- Operations and Testing
- COBIT 5 and Controls
- Auditing Business Continuity and Disaster Recovery
- Case Study Examples

Session One Objectives
- Identify and understand the relevant standards and leading practices, e.g., BS, ISO, ITIL, Disaster Recovery Institute, and COBIT
- Use the relevant standards
- Understand the overall risks, governance, roles, responsibilities, processes and controls needed to implement a pragmatic and effective BCM program
- Identify and outline the major components of an effective BCM program
- Practically implement a BCM program that incorporates leading practice standards and manages risk through effective controls
PURPOSE AND BACKGROUND

Purpose: the Business of Protecting the Business

Background: Business Continuity Definition

BCM is an ongoing management and governance process, supported by senior management and resourced to ensure that the necessary steps are taken to identify the impact of potential losses, manage risk, develop resiliency, maintain viable recovery strategies and plans, and ensure continuity of products or services through exercising, rehearsal, testing, training, maintenance and assurance.

Business Continuity
Focuses on keeping the business operating. A process of developing and documenting arrangements and procedures that enable an organization to respond to an event that lasts for an unacceptable period of time and return to performing its critical functions after an interruption.

Disaster Recovery
Focuses on getting the technical infrastructure up and running in the event of a disaster. The technical (e.g., application, network, platform, storage, external dependency) component of business continuity planning, used to recover a data center, service or application.

Crisis Management
Focuses on managing the disaster event. The overall coordination of an organization's response to a crisis, in an effective, timely manner, with the goal of maximizing employee safety and avoiding or minimizing damage to the organization's profitability, reputation and ability to operate.
OBSERVATIONS: CURRENT TRENDS AND THEMES

Background: Trends, Challenges, Risks and Issues

As organizations grow in size and complexity, the impact of non-availability of resources has become more significant. In the current world of the extended enterprise, there is a visibly cascading impact when any part of the organizational value chain is unable to deliver on its commitments. The importance of BCM has risen in recent years, and it is now at or near the top of risk concerns for most major organizations.

Industry trends indicate:
- Organizations are investing in technology to improve their business continuity posture
- The availability of skilled resources remains a challenge
- To keep in step with changing regulatory expectations, stakeholder interaction is key
- Simplicity, adaptability and reporting capabilities are top requirements for BCM software
- Conducting live exercises involves risks which must be carefully managed
- Non-alignment between IT and business recovery objectives potentially compromises successful business continuity efforts

What is Changing in the Industry?

Regulations: Federal and state requirements; disparate international requirements.
Organizational Changes: Many organizations have newly appointed a senior-level position for the Enterprise Business Continuity Program.
Point of Reference: Focusing on both internal and external risks, with a view that considers the entire geographic area, not just a single site.
Human Resources: Focusing on multiple contact points for employees and the transportability of personnel skill sets.
Centralized/Decentralized: Organizations are reviewing their operational strategies from a people, process and technology perspective.
Multiple Platforms: Multiple platforms are used to support the risk framework, creating barriers to the management and reporting of risk.
Resilience: Increasing system complexity and dependency/interdependency in financial systems.
Due Diligence Expectations: The Board of Directors and Audit Committee are increasingly accountable for identifying and mitigating risks.
Diversification of Business Partners and Service Providers: Organizations are assessing their risks across all external relationships: telecommunications; hot site, warm site, cold site; business partners; vendors and suppliers, etc.
INDUSTRY STANDARDS AND GUIDELINES

Business Continuity Plan

From the Business Continuity Management Audit/Assurance Program (copyright ISACA 2011), the business continuity plan must ensure that:
- Risks are appropriately identified and evaluated by focusing on the impact of known and potential risks on business processes
- The costs of implementing and managing continuity assurance are less than the expected losses and within management's risk tolerance
- The business priorities are addressed: critical applications, interim processes, restoration activities and mandated deadlines
- Manual interfaces to automated processes are identified, personnel are trained and practice drills are conducted
- Expectations are managed with realistic goals

* Copyright ISACA 2011, Business Continuity Management Audit/Assurance Program, page 10

Business Continuity Planning Considerations

Guidelines: Guidelines published as good (or best) practice by various authoritative organizations, either locally or internationally. Guidelines provide no mandated rules but are used and recognized as credible by BCM professionals, e.g., Ten Professional Practices for Business Continuity Professionals by DRII (Disaster Recovery Institute International).

Standards: Official standards from national (and international) accredited standards bodies which relate to Business Continuity as a whole or to a specific related subset such as IT Service Continuity, e.g., ISO 22301, and BS25999-1/2 Code of Practice for Business Continuity Management by the British Standards Institution (BSI).

Legislation: Government laws which include aspects of Business Continuity Management by name or are sufficiently similar in nature. These must be passed by a national, federal, state or provincial government, depending upon the legal structure in each particular country or region, e.g., South Korea's Disaster Mitigation Act.

Regulation: Mandatory rules or audited guidance documents from official regulatory bodies in industry sectors such as Financial Services, Energy, and Oil and Gas, which could reasonably be construed as having some implications for an organization's BCM provisions, e.g., High Level Principles for Business Continuity by the Basel Joint Forum.

BCM and DR Standards

Today industry standards and leading practices are assisting organizations in improving operational effectiveness and providing a foundational construct for industry maturity. Leveraging industry standards and leading practices has proven to have numerous benefits:
- Industry guidance and enablers
- Ease of adoption
- Certification/training
- Benchmarking/comparative analysis
- Collaboration/lessons learned
- QA/completeness check
- Industry standardization
Evolving BCP Focus and Awareness

Source: Disaster Resource Guide - Executive Issue, Volume 12, Issue 3, Page 15

A proliferation of regulations, standards and frameworks has occurred post 9/11. Commonalities exist between different laws, regulations, standards, etc., but at the same time differences also need to be identified to ensure that organizations are complying with the required legislation and regulations for each geography/region/country and industry sector. We expect the landscape to continue to evolve and to require analysis and interpretation.

Updates 2008-2012 (timeline figure; standards shown): ISO/IEC 24762; BS 25777; ASIS/BSI Continuity Management Standard; PD 25111; PD 25666; PAS 200; ISO/IEC 27301; ISO 22301; ISO 22313 (pending)
The introduction of a new international standard holds the promise of global standardization and simplification.

Supplemental BCP Focus and Awareness

Business Continuity Planning: What is best for your organization?

A multitude of laws and regulations specify or imply requirements for business continuity planning. These requirements vary among industry sectors, geographies/regions, and countries, affecting the development, focus and execution of business continuity plans. While compliance requires satisfying the letter of the law or regulation, business continuity requires going beyond the minimum requirements to ensure that an organization is prepared for a varied set of circumstances; that is where standards and guidelines are utilized as a foundation. Due to the lack of a single international business continuity model and the multiple regulatory requirements, organizations need to review a number of existing models and modify their own models based on the appropriate industry and country legislation, regulations, guidelines and standards. As part of an ongoing BCP program, regulatory requirements and changes need to be reviewed and updated on a frequent basis to ensure that plans continue to comply with required legislation and regulations.

Business Continuity Planning: Representative Legislation

Title: Disaster Preparedness and Response Act 2006; Emergency Relief Guarantee Fund Act 1999
Authority: National Emergency Management Agency (NEMA)
Scope: Country: Bahamas
Purpose/Description: NEMA is the government agency of the Commonwealth of The Bahamas. It is responsible for all disaster planning and related legislation and guidance, particularly related to hurricanes.

Title: Personal Data (Privacy) Ordinance
Authority: Office of the Privacy Commissioner for Personal Data, Hong Kong
Scope: Country: China and Hong Kong
Purpose/Description: The purpose of the Ordinance is to protect the privacy interests of living individuals in relation to personal data. It also contributes to Hong Kong's continued economic well-being by safeguarding the free flow of personal data.

Title: Gramm-Leach-Bliley Act of 1999, section 501(b) (PL 106-102 1999 S 900)
Authority: Public Law
Scope: Country: USA
Purpose/Description: Guidelines in this section address standards for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information.

Title: Disaster Mitigation Act
Authority: NEMA
Scope: Country: South Korea
Purpose/Description: To promote BCP and disaster management for local companies.

Title: European Union
Authority: EU Commission, Brussels
Scope: European Union
Purpose/Description: The European Program for Critical Infrastructure Protection (EPCIP) has been laid out in EU Directives by the Commission. It has proposed a list of European critical infrastructures based upon inputs by its Member States.

Business Continuity Planning: Representative Regulations

Title: FFIEC: Business Continuity Planning Booklet (2008)
Authority: FFIEC
Scope: Country: USA
Purpose/Description: The FFIEC is responsible for establishing standards to which financial institutions are held. It applies to US banks and their service providers.

Title: High Level Principles for Business Continuity
Authority: Basel Joint Forum: Basel Committee on Banking Supervision; International Organization of Securities Commissions (IOSCO); International Association of Insurance Supervisors
Scope: Global Financial Sector
Purpose/Description: The principles that should be used internationally by financial regulators to assess the competence of financial organizations within their jurisdiction.

Title: GFAO Supplier Requirements
Authority: GAO (Government Accountability Office)
Scope: Country: USA
Purpose/Description: Requirements for federal agencies to include the requirement for contingency plans in contracts with private sector organizations providing data processing services.

Title: NYSE Rule 446: Business Continuity and Contingency Planning
Authority: NYSE (New York Stock Exchange)
Scope: Country: USA/NYSE Members
Purpose/Description: Members and member organizations must develop and maintain a written business continuity and contingency plan establishing procedures to be followed in the event of an emergency or disruption. A yearly review of the plan must be conducted.

Business Continuity Planning: Representative Standards

Title: BS 25999-1/2: Business Continuity Management (2007)
Authority: British Standards Institution
Scope: Global
Purpose/Description: BS 25999 provides end-to-end business continuity management guidance to organizations with aggressive risk management demands or international business interests by focusing on risk treatment, response and recovery. Superseded by ISO 22301.

Title: BS 25777: Information and Communications Technology Continuity Management (2008)
Authority: British Standards Institution
Scope: Global
Purpose/Description: BS 25777 helps organizations plan and implement an information and communication technology strategy, demonstrate they are prepared for an IT disaster, and show that they have an effective strategy to manage the loss of internet, email or company information, providing reassurance to business partners.

Title: ISO/IEC TR 18044: Information Technology Incident Management (2004)
Authority: ISO
Scope: Global
Purpose/Description: ISO/IEC TR 18044 provides guidance on information security incident management.

Title: ISO/TC 223: Societal Security - Preparedness and Continuity Management Systems (2008)
Authority: ISO
Scope: Global
Purpose/Description: ISO/TC 223 addresses the challenges an organization, group of organizations, or society may face before, during and after a disruptive event.

Title: ASIS SPC.1
Authority: ASIS International
Scope: Global
Purpose/Description: ASIS SPC.1 provides a comprehensive approach for security, preparedness, response, mitigation, business/operational continuity, and recovery for disruptive incidents resulting in an emergency, crisis or disaster.

Title: ISO 22301:2012
Authority: ISO
Scope: Global
Purpose/Description: Societal security - Business continuity management systems - Requirements.

Business Continuity Planning: Representative Guidelines

Title: Business Continuity Management Audit/Assurance Program
Authority: ISACA (2011)
Scope: Global
Purpose/Description: Tool and template for the completion of a specific assurance process. It was developed to assist the audit and assurance professional in designing and executing a review.

Title: Ten Professional Practices for Business Continuity Professionals
Authority: DRII (Disaster Recovery Institute International)
Scope: Global
Purpose/Description: Professional practice, including developing business continuity management strategies and other contingency planning measures.

Title: BCI GPG 2010
Authority: BCI (Business Continuity Institute)
Scope: Global
Purpose/Description: Global best practice.

Title: Post 9-11 Crisis Communications, Best Practices for Crisis Planning, Prevention and Continuous Improvement (June 2002)
Authority: Business Roundtable (The Southwestern Area Commerce & Industry Association of Connecticut)
Scope: Global, primarily USA
Purpose/Description: This document is a toolkit to enable companies to develop a crisis communications plan that includes crisis planning, prevention and continuous improvement.

Title: COSO Enterprise Risk Management Framework (September 2004)
Authority: COSO
Scope: Global
Purpose/Description: Defines essential enterprise risk management components, discusses key ERM principles and concepts, suggests a common ERM language and provides clear direction and guidance for enterprise risk management.

Title: Risk Management Standard, AIRMIC, ALARM, IRM: 2002
Authority: AIRMIC, ALARM
Scope: Global, primarily UK
Purpose/Description: Establishes guidelines for Risk Management, including risk assessment, risk reporting and risk treatment.

Business Continuity Alignment: Representative Approach for Alignment (figure)

Annual Business Continuity Program elements shown: Region/Location; Legislative/Regulatory BCM Guidance Requirements; Business Products and Business Requirements; Business Impact/Criticality; Non-Technical and Technical Dependencies; Business Continuity Policy, Risk Management Standards; Variance Analysis/Interpretation; BCP/DR/Crisis Management Plan; Testing and Validation.
Regions/locations: United States; Canada; Japan; Singapore; Australia; Europe; China; Korea; Emerging and Developing Countries.
Legislative/regulatory guidance examples: FFIEC BCP; MAS BCP Guidelines; GBLA; SOX; SEC 17 CFR 240; Basel II; HIPAA; IRS Procedure 86-19; ISO 22301.
Business requirements: Data Privacy; Data Protection; Data Availability; Reporting and Notification; Business Resiliency.
Standards referenced: BS25999-1/2; NIST 800-30/34; ISO/IEC 24762; ISO 20000/ITIL; ISO 27002; ISO 22301; COBIT 5.
Key Considerations
- The geography and type of business require interpretation and modification of the business continuity plan.
- The business processes, and the regulations specific to each process, need to be identified during the business impact analysis and the mapping of technical and non-technical dependencies, so that plans align with the business and support legal and regulatory requirements.
- Utilization of published standards and guidelines provides a common platform for a consistent approach across regions and allows for customization of the business continuity plan by region/geography as required by local government and the types of business products sold.
- Regular management and review of business continuity plans provide the opportunity to maintain compliance with changing legal and regulatory requirements and dynamic business needs.
BUSINESS CONTINUITY FRAMEWORK AND PROGRAM

BCM Framework

A Business Continuity Management (BCM) program includes resilience strategies, recovery objectives, business continuity, operational risk management considerations and crisis management plans. The prerequisites within this effort include obtaining management support and organizing and managing the formulation of the functions or processes required to construct the BCM framework. Source: Disaster Recovery Institute.

Major Components of BCM Framework
- Program initiation and management
- Risk evaluation and control
- Business impact assessment
- Develop business continuity strategies
- Emergency preparedness and response
- Developing and implementing business continuity plans
- Awareness and training programs
- Business continuity plan exercise, audit and maintenance
- Crisis communications
- Coordination with external agencies
Source: Disaster Recovery Institute.

BCM Methodology Lifecycle Overview (figure)

Lifecycle steps (numbered 1 to 6 in the figure): Site Risk Assessment; Business Impact Analysis; Gap Analysis; Continuity Strategies; Plan Development; Maintain, Exercise and Test. The Assess Phase is labeled risk-based prioritization; the Mitigation Phase is labeled strategy implementation, measured as progress against plan.

Deliverables shown: business process identification; dependency analysis; business impact analysis; executive assess phase summary; strategy development; crisis management plan; business continuity plan; DR and resiliency plan; exercise and test results; reporting out; assessment metrics and scorecards.

Note: The Governance and BCM Framework should be built prior to initiating the Assess Phase.
Where Does BCM Reside? Business Resiliency and Why They Care

Stakeholders shown: CEO, Board, CFO, CRO, CIO.
- Foster clean linkages between the articulated business strategy and IT's objectives
- Ensure continuous support of core business processes and align business resiliency plans with strategic goals
- Benchmark IT spend thresholds with respect to industry peers
- Prioritize investments in areas that directly impact firm performance
- Institutionalize performance reporting criteria to measure end-to-end performance
- Provide a holistic view of crisis and continuity planning
- Ensure adequate attention and awareness of business resiliency by the CEO and the Board
- Embed ROI accountability into the operating rhythm
- Translate corporate objectives into functional and operational goals
- Create architectural blueprints to bridge technology choices with business capabilities
Systemic Risk
- Risks faced by your business
- Risks your business presents to customers
- Risks others (suppliers, vendors, key partners, etc.) present to you

Identify what is required to keep the business functional and implement strategies to prevent or reduce systemic risk. The nature of the problem is not as important as the impact the problem will have on the company, and your reaction to the problem. Impact: financial (direct and indirect), reputation, legal, etc.

Understand and Assess Systemic Risk
- Fully understand and evaluate the nature of your systemic risk
- Determine key third-party service providers and suppliers, and evaluate them
- Review third-party disaster recovery and business continuity plans
- Ensure they meet your minimum BCP standards
- Insist that mitigation measures be taken
- Negotiate right-to-audit or comparable clauses in all outsourcing agreements

Where Does BCM Reside? Business Resiliency and Why They Care

Increased scrutiny by all stakeholders to ensure continuous availability:
- Due diligence expectations: Board of Directors; customers; third parties
- Increasing use and diversification of business partners and service providers: telecommunications; hot site, warm site, cold site; business partners; vendors and suppliers, etc.
- Increased regulations: federal and state requirements; other regulatory oversight

Measures Organizations Are Taking to Address Systemic Risk
- Protect critical business paths
- Leverage best practices
- Incorporate BCP into risk assessment and business planning activities
- Deploy as a marketing/competitive advantage
- Protect your brand
- Build the business case
- Obtain and maintain plan support
Business Impact Assessment (BIA)

BIA and the Impact Criteria
- The BIA is a systematic, repeatable and substantially defensible analysis that quantifies and qualifies financial, operational, service, legal/regulatory and brand impacts to the enterprise in the event key business processes cannot be performed
- A standard criterion will enable all processes to evaluate impacts consistently across the company
- By utilizing impact criteria in the BIA, assumptions and guesswork relating to the criticality of business processes and technology are minimized
- Sample impact criteria (see the next slide for further breakdown): Financial Impact; Shareholder Value/Reputational/Brand Image Impact; Workforce Impact; Legal/Regulatory/Compliance Impact; Third-Party Agreement Impact
- Impact criteria and ratings are developed and approved by Senior Management

Business Impact Assessment (BIA) Definition

Quantify and qualify the financial cost, customer experience, legal/regulatory obligations, brand image and workforce impacts to the firm in the event key business processes cannot be performed.

Recovery Point Objective (RPO): represents the maximum amount of data loss (from a time perspective) that the business can sustain during an event.

Recovery Time Objective (RTO): represents the maximum amount of time that the business can withstand the loss of a critical process, function or resource before a serious adverse business impact would result.

(Timeline figure: the last backup or replication precedes the disruptive event, and the data created between them is lost; this data loss is bounded by the RPO. Systems and resources are unavailable from the disruptive event until recovery from the last backup and any backlog is complete; this service loss is bounded by the RTO, after which the business is back to acceptable operation.)

BIA Challenges

Common challenges:
- Companies that perform BIAs do not refresh them often enough
- Lack of business participation because BIAs are too long and complicated
- Lack of understanding among the business regarding BIA benefits
- BIAs can be too tactical
- BIA findings are not validated by Executive Management

Challenge resolution/leading practices:
- Simplify the BIA approach and use enablers such as group workshops
- Build annual BIA refresh requirements into the BCP policy and standards
- Educate business owners/management on the additional benefits of the BIA (i.e., process documentation and improvement)
- Identify the critical path of the enterprise for executive discussion and approval
- Present BIA findings to the Governance Committee for approval

BIA Workshop Advantages
- Provides awareness and education to management
- Helps prioritize business areas and locations, as well as business processes
- Reduces the time and resources required to conduct the BIA/BIA refresh
- Facilitates capturing consistent data (which may not always be possible using surveys or multiple rounds of interviews)
- Challenges the business function owners/management on potential impacts, risks and business process recovery from a holistic perspective
- Captures critical business function interdependencies so that the recovery priorities consider any predecessor functions/processes
- Links the business process to the underlying application and technical infrastructure dependencies (server pool, network pool, storage pool)

Business Critical Path Diagram (Illustrative Example)

This diagram represents the critical path to recover mission critical, critical and essential business processes during a disruption. It is one way to syndicate the risk prioritization and recovery strategy to executive management based on the design of the business continuity program.

Recovery tiers: Mission Critical (zero to <=24 hours); Critical (>24 hours and <=120 hours); Essential (>120 hours). The diagram runs from disaster to continuity along the business critical path.

Processes named in the diagram include: Client Wires; Corporate Wires; Cash Settlements; Check Voids/Stops; Roll Wires; Client ACH File Verification; A&F: Treasury; Trade Extension Filing; Margin Call Resolution; Check and Wire Approval; Insite Reporting; Margin Processing; processing checks, wires, ACH and journals from retirement accounts; Qualified Plan Document Generation; Imaging; Incoming Advisor Calls; Business Processing; Responding to emails; Service Center; Advisory Performance; Advisory Account; Advisory Fee Billing; Manager Select; Account Termination; Advisory Operations; Advisory Surveillance; FACS Supervision; HOS Registration; AML Compliance; Statement Production; Confirmation Production; Quarterly Performance Production; Letter Production; Client Reporting; BranchNet; Cost Basis Update File; ADP Transporter; Tax Reporting; Stock Record Reconciliation; Stock Record.

Non-Technical Dependency Analysis

Identifies both internal and external interdependencies (upstream and downstream business processes), applications, vital records and resources (workforce) required in order for a process to function.
- List what needs to happen and/or needs to be available in order for a process to function completely
- Identify both internal and external interdependencies of the processes
- Determine the applications' Recovery Time Capability (RTC)
- Use as a basis for the Recovery Gap Analysis

(Figure: a business process in the center, with upstream and downstream processes on either side and its workforce, vital records and applications as dependencies.)
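As an added example (not from the presentation), the following Python carries the RTO/RTC definitions and the dependency analysis above through in code: it propagates BIA RTOs to upstream predecessor processes, re-tiers them using the diagram's Mission Critical/Critical/Essential thresholds, and performs the Recovery Gap Analysis by flagging applications whose RTC cannot meet the resulting RTO or that have no recorded RTC at all. All process names, application names and hour values are constructed sample data.

```python
"""Recovery gap analysis over a BIA dependency map (added example, not from
the presentation). Each business process has an RTO from the BIA, falls into
the critical-path tiers used in the deck (Mission Critical <= 24 h, Critical
> 24 h and <= 120 h, Essential > 120 h), and depends on applications, each
with a Recovery Time Capability (RTC), and on upstream processes. A
predecessor must be back before whatever needs it, so RTOs are propagated
upstream before RTC is compared. All names and hours are constructed data."""
from dataclasses import dataclass, field


def tier_for(rto_hours: float) -> str:
    """Map an RTO to the three recovery tiers of the critical-path diagram."""
    if rto_hours <= 24:
        return "Mission Critical"
    if rto_hours <= 120:
        return "Critical"
    return "Essential"


@dataclass
class Process:
    name: str
    rto_hours: float  # RTO agreed in the BIA
    applications: list[str] = field(default_factory=list)
    upstream: list[str] = field(default_factory=list)  # predecessor processes


@dataclass
class Gap:
    """A dependency that cannot meet the effective RTO it is required to meet.
    capability_hours is the documented RTC, or inf when none is recorded."""
    process: str
    dependency: str
    kind: str  # "application" or "undocumented application"
    required_hours: float
    capability_hours: float


def effective_rtos(processes: dict[str, Process]) -> dict[str, float]:
    """Propagate RTOs upstream: a process must recover no later than its own
    RTO and no later than any process downstream of it. Raises ValueError on a
    dependency cycle and KeyError on an upstream name missing from the map."""
    dependents: dict[str, list[str]] = {name: [] for name in processes}
    for proc in processes.values():
        for pred in proc.upstream:
            dependents[pred].append(proc.name)  # KeyError if pred is unknown
    memo: dict[str, float] = {}
    visiting: set[str] = set()

    def visit(name: str) -> float:
        if name in memo:
            return memo[name]
        if name in visiting:  # a cycle makes the recovery sequence undefined
            raise ValueError(f"dependency cycle through {name!r}")
        visiting.add(name)
        required = processes[name].rto_hours
        for downstream in dependents[name]:
            required = min(required, visit(downstream))
        visiting.discard(name)
        memo[name] = required
        return required

    for name in processes:
        visit(name)
    return memo


def tier_report(processes: dict[str, Process]) -> dict[str, tuple[str, str]]:
    """Per process: (tier from its own BIA RTO, tier after upstream propagation)."""
    effective = effective_rtos(processes)
    return {name: (tier_for(p.rto_hours), tier_for(effective[name]))
            for name, p in processes.items()}


def recovery_gaps(processes: dict[str, Process],
                  app_rtc: dict[str, float]) -> list[Gap]:
    """Recovery Gap Analysis: applications whose RTC exceeds the effective RTO
    of a dependent process, plus applications with no recorded RTC at all."""
    effective = effective_rtos(processes)
    gaps: list[Gap] = []
    for proc in processes.values():
        for app in proc.applications:
            rtc = app_rtc.get(app)
            if rtc is None:  # the dependency inventory itself has a hole
                gaps.append(Gap(proc.name, app, "undocumented application",
                                effective[proc.name], float("inf")))
            elif rtc > effective[proc.name]:
                gaps.append(Gap(proc.name, app, "application",
                                effective[proc.name], rtc))
    # Tightest required recovery first, so the critical path surfaces on top.
    return sorted(gaps, key=lambda g: (g.required_hours, g.process, g.dependency))


# Constructed sample data: process names echo the critical-path diagram, while
# the RTOs, application names and RTCs are invented for this example.
SAMPLE_PROCESSES = {p.name: p for p in (
    Process("Client Wires", 4, ["WireGateway"]),
    Process("Cash Settlements", 24, ["SettlementEngine"],
            upstream=["Client Wires", "Stock Record Reconciliation"]),
    Process("Stock Record Reconciliation", 168, ["StockRecord"]),
    Process("Statement Production", 168, ["ReportingDB", "ImagingSystem"],
            upstream=["Stock Record Reconciliation"]),
)}
SAMPLE_APP_RTC = {"WireGateway": 2, "SettlementEngine": 12,
                  "StockRecord": 48, "ReportingDB": 96}
```

In the sample, Stock Record Reconciliation has an Essential-tier RTO of its own but is a predecessor of a Mission Critical settlement process, so propagation pulls its required recovery down to 24 hours and exposes its 48-hour application as a gap.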
DESIGN AND IMPLEMENTATION

Critical Success Factors
- Maintain an enterprise-wide perspective
- Obtain executive commitment and sponsorship
- Design a business process-based approach
- Understand systemic risk
- Align with business strategies
- Validate through exercises with the business and information technology
- Keep it simple and easy to maintain

Continuity Strategy Development Overview
- What is to be recovered: people, business processes, application critical paths and technical services
- How will it be recovered: technology and technical solution options
- Where will it be recovered: technology facilities (e.g., data center, data rooms), workplace and/or service provider(s)
- When will it be planned: execute the short-term and long-term roadmap
- How much will it cost: high-level budget requirements

The outcomes of the strategy may include more than one solution to fulfill an organization's recovery and continuity in the face of a business disruption.

Continuity Strategy Development Approach (figure)

Considerations shown: enterprise risk; business constraints; business strategy and impact; guiding principles; people constraints; technology constraints; technical dependency; infrastructure strategy; current strategy gaps; disaster recovery strategy; high-level investment; total cost of ownership; roadmap and timeline.
Sourcing alternatives: in-source; co-location; outsourcing; managed hosting; cloud services.

Crisis Management
- Ensure that crisis management plans can be adapted to cover a wide range of issues and disruptions to business processes.
- Include all entities within crisis management planning to provide a balanced approach to crisis management and recovery efforts across the group.
- Group crisis management should be more influential in testing crisis management plans with the relevant local entities. Although plans may be derived individually, they should be tested in line with other entities to identify key differences in approach and challenges in coordinating efforts.
- Run IT crisis management plans and tests alongside tests of other business entities' crisis management plans on a regular basis.
- Ensure the capability to manage a crisis is tested and exercised frequently, and that crisis management plans are adapted/updated where necessary.
Critical Steps to Effective Response
1. Account for everyone
2. Leverage the agreed-to recovery plan
3. Protect the most crucial assets
4. Assemble the team
5. Assign resources to respond
6. Communicate early and often
7. Mitigate the loss
8. Involve the insurance and claims team
9. Document everything (insurance/regulatory/compliance)
10. Manage public relations

Long-Term Business and Financial Recovery
1. Manage expectations, internal and external
2. Read the policy; understand your recovery options
3. Involve all areas of the business
4. Communicate, communicate, communicate
5. Drive the insurance recovery process
6. Review and update the current plans: how did you do?
Coordinating with external agencies includes establishing the applicable procedures and policies for coordinating continuity and restoration activities with external agencies (local, regional, national, emergency responders, defense, etc.) while ensuring compliance with applicable statutes and regulations. Source: Disaster Recovery Institute Coordination With External Agencies
Identify the representatives and establish an open dialog with the external agencies Identify the objectives for the emergency management program and align them with specific external agencies Assist in the development of the exercise requirements of the external agencies as appropriate Coordinate and execute the exercise Debrief and report on the exercise results Source: Disaster Recovery Institute. LEADING PRACTICES EXAMPLES Leading Practices Implement a BCM governance model and an enterprise BCM framework BCM programs should be based upon a clearly defined governance model, supported by a single, common framework that defines a methodology, a set of policies and roles.
The overall BCM governance focuses on:
- How the BCM program should be operationalized within the business and IT, by setting well-defined policies and principles;
- Who makes what decisions, by defining roles and responsibilities for clear accountability; and
- What mechanisms are in place to ensure that decisions are made, acted upon and complied with in relation to the company's overall direction.
BCM governance should steer and respond to decision requests that emerge from the business continuity assessment process, whereby senior management can make informed decisions in order to reduce enterprise risk.

Leading Practices
2. Integrate business impact analysis (BIA) and risk assessment
BIAs and risk assessments are two long-standing components of any business continuity standard and methodology. They remain two of the most critical inputs to any BCM program, as major strategy and funding decisions will be made based on their results and how critical they are to the enterprise.

3. Leverage emerging technologies such as cloud computing and virtualization
Disaster recovery as a service (DRaaS) provides several levels of protection to help companies recover from downtime in a potentially more cost-effective and timely manner. Workloads can be replicated from virtual or physical environments to high-availability cloud infrastructure and then hosted in standby mode. The cloud approach can also give companies the ability to replicate across multiple storage platforms to a cloud infrastructure or elsewhere. Systems (e.g., VMware) can be registered on the cloud in standby mode, ready to activate and keep the business up and running should the need arise.

Leading Practices
4. Build for a resilient environment vs. a reactive recovery
Most companies are looking to enhance their ability to rapidly adapt and respond to business disruptions and to maintain continuous business operations, be a more trusted partner and enable growth. However, many companies have delayed investing in or updating their disaster recovery infrastructure and plans due to the lack of funding for disaster recovery over the past five years. Companies should focus 70% to 80% of their disaster recovery spending on supporting the realization of the recovery time objective (RTO) and recovery point objective (RPO) targets for the top 20% to 30% of mission-critical applications.

5. Understand the true application dependency for recovery assurance
It is essential to completely understand cross-application, data and underlying infrastructure dependency relationships, both for disaster recovery planning and as a quality assurance validation that dependent parts have been identified for recovery. This becomes especially critical if an operation is planning to implement (or has already implemented) one or more application services based on service-oriented architecture (SOA), or whose application services are multi-sourced.

6. Increase the complexity of testing
Leading practice organizations are including more complex integrated exercises in their annual test plan. While most do not advocate a "pull the plug" scenario yet, integrated testing between business units and IT is the right way to truly develop confidence in an organization's capability to recover. In these scenarios, the business units may actually deploy to their alternate site and use their IT workaround procedures during the period that the IT systems are being recovered. This type of testing will prove the viability of the alternate site, the viability of the workaround procedures and that the IT systems that the business unit needs can be recovered within its stated RTO. All of these measures will start to establish a validated recovery time capability (RTC) for an organization, while the best tabletop testing can only provide a recovery time estimate (RTE).

7. Adapt crisis management and communications strategies
The premise regarding communication during a crisis is still the same: it is important for companies to be proactive and transparent with their communications. Likewise, customers' and stakeholders' expectations remain the same: they want to know that the companies are taking ownership and accountability and that there is a resolution plan to get the services stabilized and restored. What has changed is the approach to disseminating this information, which can reduce the negative impacts to brand image and customer satisfaction during a disaster. As companies begin to understand the evolution of mass communication, they adapt their crisis communication strategies to leverage the various media outlets to their advantage. This way, they are able to manage their messaging in a timely manner and prevent incorrect information from spreading.

8. Exercise an integrated ERM program
Leading companies have implemented integrated enterprise risk management (ERM) programs that bring all types of organizational risk under a single risk universe, regardless of whether a particular risk is classified as a security risk, a health and safety risk, an insurance risk, an environmental management risk or a business continuity risk.

9. Solicit support from the Board of Directors and the Audit Committee
It is much more common for companies to develop and implement company-wide business continuity management programs when there is pressure from the Board or Audit Committee.

10. Seek certification and achieve regulatory compliance
The variety of certifications and regulatory compliance approvals related to business continuity does two things: it allows companies to better market their business continuity prowess and maturity to customers and prospects, and it allows them to better differentiate themselves in a competitive market.

Current State Assessment
Objectives
- Assess current business continuity documentation and processes against leading practices, to evaluate the quality of the program and measure acceptance by the organization
- Provide a baseline for determining gaps and future state initiatives
- Use a proprietary maturity model to assess and score BCP capabilities
BC and DR Maturity Model (leading-practices level, by component)

Component | Leading practices
Commitment | Company has received commitment from all levels of the organization and individual lines of business.
Business Impact Assessment | The BIA process is firmly in place within the organization. While a planned BIA update schedule exists, team members are more proactive about updating the BIA more frequently whenever there are major business changes.
Threat and Risk Assessment | Risk assessments and BIA are integrated. Financial decisions to mitigate risk are based upon the potential business impacts to operations at an examined facility.
BCP/DRP/Crisis Management Development | All BCP components (including IT components) are developed according to the organization's BCM framework and are fully integrated with each other (BCPs, DR plans and Crisis Management plans) and span all processes within the organization. Plan updates are both event- and schedule-driven.
Testing, Maintenance, Administration | Testing has been consistently implemented over time with all appropriate protocols, including documentation of findings and improvements to the plan. Business Continuity team tests coincide with IT tests, in which business personnel test operations on the recovered equipment.
Develop Continuity Strategies | Company has deployed cost-effective continuity strategies that align with business requirements. It has factored technical, physical, people and financial resources into continuity efforts. It has also documented manual and semi-automated procedures where appropriate.
Policies and Procedures | Company has developed policies to detail responsibilities of management to ensure timely resumption of critical business functions following a major interruption.
Sample Future State Roadmap

# | Initiative | Component | Resources* | Duration** | Dependencies | Recommended Starting Quarter
T-1 | Establish an ABC Bank continuity management oversight committee | Commitment | Low | Low | None | 1Q2007
T-2 | Review the current Business Impact Analysis and Business Recovery Plan with the committee | Commitment | High | Low | T-1 | 1Q2007
T-3 | Identify a champion to lead the Bank's CM Program | Commitment | Low | Low | T-1 | 1Q2007
T-4 | Adapt ABC Enterprise CM policies and procedures for use in the Bank | Policies and Procedures | Medium | Medium | None | 1Q2007
T-5 | Publish those policies and procedures to inform all Bank employees | Policies and Procedures | Low | Low | T-1, T-4 | 1Q2007

Note: Duration is the estimated time required to take the action indicated, not an estimate of ongoing operational time.
* Low = Less than 1 FTE, Medium = Between 1 and 3 FTEs, High = Greater than 3 FTEs
** Low = Less than 2 Weeks, Medium = Between 2 Weeks and 1 Month, High = More than 1 Month

SESSION ONE RECAP

Q&A

AUDIENCE PARTICIPATION (WHO HAS THE BEST DISASTER EXAMPLE?)
SESSION TWO

Business Continuity Management

Session Two Overview
- Operations and Testing
- COBIT 5 and Controls
- Auditing Business Continuity and Disaster Recovery
- Case Study Examples

SESSION TWO OVERVIEW

Session Two Overview: Objectives
- Understand and describe leading practices in BCM and DR
- Understand and describe the most significant risks associated with a BCM and DR program
- Understand and describe the application of standards used in BCM and DR
- Understand and describe the COBIT objectives and controls that support managing risk in BCM and DR
- Understand, describe and implement a BCM and DR audit program
- Audit the business continuity management process
OPERATIONS AND TESTING

Typical BCM Program Phases
Implement Strategy and Develop Continuity Plans: This activity involves performing all tasks necessary to implement the strategy and to develop the Business Continuity Plans (BCPs), IT Services resiliency and architecture recovery plans, and an enterprise Crisis Management Program.
Sustain and Maintain BCM Program: This activity involves implementing processes designed to sustain and mature the BCM program. Key processes include:
- Plan Maintenance: regular updates to the documented BCPs, dictated by period or business changes.
- Training: developing a training program for personnel to prepare and educate them on their roles and responsibilities.
- Awareness: includes internal awareness, making internal personnel aware of their business continuity roles, responsibilities and expectations.
- Reporting: developing scorecards and Key Performance Indicators (KPIs), the measurements that will be used to evaluate the success of the BCM program.
- Change Management: change management procedures need to be enforced to ensure that the BCP and its processes are kept up-to-date and give the best possible chance of surviving a major business disruption.
Exercise and Test: This activity involves the development of a testing program and schedule to maximize plan accuracy and team preparation to respond to an event.

Sustain and Maintain BCM Program
What is the Sustain and Maintain Activity?
Once the Assess and Mitigate phases are completed, the BCM program must enter a phase of sustainability and maintenance. For many companies, this is the most difficult part of operationalizing a business continuity program. This may be accomplished through some of the following activities:
- Reporting: development of scorecards and key performance indicators (KPIs); key performance indicators are measurements used to evaluate the success of the program.
- Plan maintenance: regular updates to the documented BCM plans, dictated by period or business changes.
- Training and awareness: development of a training program for personnel to prepare and educate them on their roles and responsibilities. Awareness includes both internal awareness (making internal personnel aware of their business continuity roles, responsibilities and expectations) and external awareness (marketing the organization's program as a differentiator and competitive advantage).
- Change management: change management procedures need to be enhanced and enforced to ensure that essential BCM plans and their processes are kept up-to-date and give the best possible chance of surviving a major business disruption.

Training and Awareness Programs
- They support the mission of the organization
- They demonstrate organizational commitment
- Human error accounts for a significant degree of loss
- Training employees shows that the organization has taken due care
- They remind people of the basic security practices
Source: Disaster Recovery Institute

Training and Awareness Programs
- Knowledge of the vulnerabilities and risks will allow the employees to:
  - Implement better procedures
  - Demonstrate accountability
- They raise the awareness of the risks of downtime
- They make people aware of who the business continuity team members are and what their function is
- They orient new employees to the BCM program
Source: Disaster Recovery Institute

Exercise and Test
What is the Exercise and Test Activity?
This activity involves the development and execution of an exercise and testing program and schedule to maximize plan accuracy and team preparedness to respond to an event. The exercise or the tests can include all or part of the business continuity plan, or a specific critical component.
How is the Exercise and Test executed?
There are multiple types of plan exercises that can be executed. These could include: table-top exercises, functional exercises across business units, functional exercises with the public sector, integrated business and IT exercises, etc.
Output
- Post-exercise results
- Updated/enhanced plans

Testing Framework
Purpose:
- Provide structure, formality and a common nomenclature to the BCM Exercise and Test Program
- Establish the roles, responsibilities, accountabilities and organizational structure for the BCM PMO and business units
- Provide consistent methods, tools and processes that will maximize the business units' compliance with the BCM policies and standards for the maintenance of BCPs and DRPs
Compliance and alignment: The testing framework is aligned with existing BCM and IT policies. All BCPs and DRPs supporting critical processes and applications should undergo a test at least annually.

Test phases and tasks
- Managing the exercise and test program for the BCPs of critical processes and the DRPs of critical applications
- Developing the test plan
- Executing the test
- Debriefing following the test

Test Stages
Test Stages (figure): the test stages plotted against scope and complexity, from low to high: Table-top, Walk-through, Recovery Site, Full-Scale Production.

Test Stage lifecycle (figure): Plan, Execute, Debrief, with coordination and oversight across all stages.

Program Scorecard Example
Common Mistakes in Business Continuity
- Outdated and incomplete business continuity plan
- Lack of testing
- Lack of back-up utility for critical operations
- Insufficient verification and validation of systems
- Insufficient recovery resources available
- Underestimating or miscalculating risk
- Misunderstanding roles and responsibilities
- Slow to react and gather information
- Failure to understand the insurance contract
- Balancing business requirements and insurance recovery

COBIT 5 AND CONTROLS

Example ISACA mapping between COSO and COBIT 4.1: Plan Testing
Table columns: Audit/Assurance Program Step; COBIT Cross-reference; COSO components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring), marked X.

Audit/Assurance Objective: The plan should be tested regularly, and the tests should include a comprehensive verification of continuity processes and situational drills to test the assumptions and alternate procedures within the plan. COBIT cross-reference: DS4.5, DS4.6. COSO: X

Testing Policies
Control: Testing policies define test frequency, types of tests, use of situational drills and other recognized processes.
- Obtain the testing policies document.
- Determine that the following policies are stated and documented: minimum test frequency; conditions requiring more frequent testing; types of scenarios to be tested.

Testing Methods
Control: Testing includes both walkthroughs and full-scale drills of the interim process and recovery plans.
- Determine that walkthrough tests are performed regularly and include all facets of the plan.
- Determine that full-scale tests are performed regularly and include higher-risk events.
- Determine if an after-hours call list exists and is current.
- Determine if a program of continuity awareness exists and is executed regularly.

Analysis of Test Results
Control: The results from the plan tests are analyzed to identify issues that require BCP revision, additional training or additional resources. COBIT cross-reference: DS4.10. COSO: X X X
- Verify that changes to recovery plans have been made as a result of testing and lessons learned.
- Determine if the results have been communicated to management.
- Determine that stakeholders and assurance functions monitor and receive post-test analysis.

* Copyright ISACA 2011, Business Continuity Management Audit/Assurance Program
COBIT 5 Mapping
Columns: Process Domain and Practice | Process Name | Consideration for Design and Audit of Business Continuity (Y/N) | Consideration for Design and Audit of Disaster Recovery (Y/N)

Governance: Evaluate, Direct and Monitor
EDM01 | Ensure Governance Framework Setting and Maintenance | Y | N
EDM02 | Ensure Benefits Delivery | Y | N
EDM03 | Ensure Risk Optimization | Y | Y
EDM04 | Ensure Resource Optimization | Y | N
EDM05 | Ensure Stakeholder Transparency | Y | N

Management: Align, Plan and Organize
APO01 | Manage the IT Management Framework | Y | Y
APO02 | Manage Strategy | Y | Y
APO03 | Manage Enterprise Architecture | Y | Y
APO04 | Manage Innovation | N | N
APO05 | Manage Portfolio | Y | N
APO06 | Manage Budget and Costs | Y | N
APO07 | Manage Human Resources | Y | N
APO08 | Manage Relationships | Y | N
APO09 | Manage Service Agreements | Y | Y
APO10 | Manage Suppliers | Y | Y
APO11 | Manage Quality | Y | Y
APO12 | Manage Risk | Y | Y
APO13 | Manage Security | Y | Y

Management: Build, Acquire and Implement
BAI01 | Manage Programs and Projects | Y | Y
BAI02 | Manage Requirements Definition | Y | Y
BAI03 | Manage Solutions Identification and Build | N | Y
BAI04 | Manage Availability and Capacity | N | Y
BAI05 | Manage Organizational Change Enablement | Y | Y
BAI06 | Manage Changes | Y | Y
BAI07 | Manage Change Acceptance and Transitioning | Y | Y
BAI08 | Manage Knowledge | Y | Y
BAI09 | Manage Assets | Y | Y
BAI10 | Manage Configuration | Y | Y

Management: Deliver, Service and Support
DSS01 | Manage Operations | Y | Y
DSS02 | Manage Service Requests and Incidents | Y | Y
DSS03 | Manage Problems | Y | Y
DSS04 | Manage Continuity | Y | Y
DSS05 | Manage Security Services | Y | Y
DSS06 | Manage Business Process Controls | Y | Y

Management: Monitor, Evaluate and Assess
MEA01 | Monitor, Evaluate and Assess Performance and Conformance | Y | Y
MEA02 | Monitor, Evaluate and Assess the System of Internal Control | Y | Y
MEA03 | Monitor, Evaluate and Assess Compliance with External Requirements | Y | Y

COBIT 5 Supplemental Material: DSS04 Manage Continuity
For each management practice: whether it is a consideration for the design and audit of business continuity (Y), the related IT-related goals, and the practice activities.

DSS04.01 Define the business continuity policy, objectives and scope (Y)
IT-related goals: 01 Alignment of IT and business strategy; 04 Managed IT-related business risk; 07 Delivery of IT services in line with business requirements; 14 Availability of reliable and useful information for decision making
- Identify internal and outsourced business processes and service activities that are critical to the enterprise operations or necessary to meet legal and/or contractual obligations
- Identify key stakeholders and roles and responsibilities for defining and agreeing on continuity policy and scope
- Define and document the agreed-on minimum policy objectives and scope for business continuity and embed the need for continuity planning in the enterprise culture
- Identify essential supporting business processes and related IT services

DSS04.02 Maintain a continuity strategy (Y)
IT-related goals: 01 Alignment of IT and business strategy; 04 Managed IT-related business risk; 14 Availability of reliable and useful information for decision making
- Identify potential scenarios likely to give rise to events that could cause significant disruptive incidents
- Conduct a business impact analysis to evaluate the impact over time of a disruption to critical business functions and the effect that a disruption would have on them
- Establish the minimum time required to recover a business process and supporting IT based on an acceptable length of business interruption and maximum tolerable outage
- Assess the likelihood of threats that could cause loss of business continuity and identify measures that will reduce the likelihood and impact through improved prevention and increased resilience
- Analyze continuity requirements to identify the possible strategic business and technical options
- Determine the conditions and owners of key decisions that will cause the continuity plans to be invoked
- Identify resource requirements and cost for each strategic technical option and make strategic recommendations
- Obtain executive business approval for selected strategic options

DSS04.03 Develop and implement a business continuity response (Y)
IT-related goals: 01 Alignment of IT and business strategy; 04 Managed IT-related business risk; 14 Availability of reliable and useful information for decision making
- Define the incident response actions and communications to be taken in the event of disruption. Define related roles and responsibilities, including accountability for policy and implementation
- Develop and maintain operational BCPs containing the procedures to be followed to enable continued operation of critical business processes and/or temporary processing arrangements, including links to plans of outsourced service providers
- Ensure that key suppliers and outsource partners have effective continuity plans in place. Obtain audited evidence as required.
- Define the conditions and recovery procedures that would enable resumption of business processing, including updating and reconciliation of information databases to preserve information integrity
- Define and document the resources required to support the continuity and recovery procedures, considering people, facilities and IT infrastructure
- Define and document the information backup requirements required to support the plans, including plans and paper documents as well as data files, and consider the need for security and off-site storage
- Determine required skills for individuals involved in executing the plan and procedures
- Distribute the plans and supporting documentation securely to appropriately authorized interested parties and make sure they are accessible under all disaster scenarios

DSS04.04 Exercise, test and review the BCP (Y)
IT-related goals: 01 Alignment of IT and business strategy; 04 Managed IT-related business risk; 14 Availability of reliable and useful information for decision making
- Define objectives for exercising and testing the business, technical, logistical, administrative, procedural and operational systems of the plan to verify completeness of the BCP in meeting business risk
- Define and agree on with stakeholders exercises that are realistic, validate continuity procedures, and include roles and responsibilities and data retention arrangements that cause minimum disruption to business processes
- Assign roles and responsibilities for performing continuity plan exercises and tests
- Schedule exercises and test activities as defined in the continuity plan
- Conduct a post-exercise debriefing and analysis to consider the achievement
- Develop recommendations for improving the current continuity plan based on the results of the review

DSS04.05 Review, maintain and improve the continuity plan (Y)
IT-related goals: 01 Alignment of IT and business strategy; 04 Managed IT-related business risk; 14 Availability of reliable and useful information for decision making
- Review the continuity plan and capability on a regular basis against any assumptions made and current business operational and strategic objectives
- Consider whether a revised business impact assessment may be required, depending on the nature of the change
- Recommend and communicate changes in policy, plans, procedures, infrastructure, and roles and responsibilities for management approval and processing via the change management process
- Review the continuity plan on a regular basis to consider the impact of new or major changes to: enterprise organization, business processes, outsourcing arrangements, technologies, infrastructure, operating systems and application systems

DSS04.06 Conduct continuity plan training (Y)
IT-related goals: 01 Alignment of IT and business strategy; 04 Managed IT-related business risk; 14 Availability of reliable and useful information for decision making
- Define and maintain training requirements and plans for those performing continuity planning, impact assessments, risk assessments, media communication and incident response. Ensure that the training plans consider frequency of training and training delivery mechanisms
- Develop competencies based on practical training, including participation in exercises and tests
- Monitor skills and competencies based on the exercise and test results

DSS04.07 Manage backup arrangements (Y)
IT-related goals: 01 Alignment of IT and business strategy; 04 Managed IT-related business risk; 14 Availability of reliable and useful information for decision making
- Back up systems, applications, data and documentation according to a defined schedule
- Ensure that systems, applications, data and documentation maintained or processed by third parties are adequately backed up or otherwise secured. Consider requiring return of backups from third parties. Consider escrow or deposit arrangements
- Define requirements for on-site and off-site storage of backup data that meet the business requirements. Consider the accessibility required to back up data
- Roll out BCP awareness and training
- Periodically test and refresh archived and backup data

DSS04.08 Conduct post-resumption review (Y)
IT-related goals: 01 Alignment of IT and business strategy; 04 Managed IT-related business risk; 14 Availability of reliable and useful information for decision making
- Assess adherence to the documented BCP
- Determine the effectiveness of the plan, continuity capabilities, roles and responsibilities, skills and competencies, resilience to the incident, technical infrastructure, and organizational structures and relationships
- Identify weaknesses or omissions in the plan and capabilities and make recommendations for improvement
- Obtain management approval for any changes to the plan and apply via the enterprise change control process

AUDITING BUSINESS CONTINUITY AND DISASTER RECOVERY

Background and Objective
Background: The purpose is to ensure the objective, scope, policy, standards, approach and budget for business continuity and disaster recovery are controlled.
Audit Objective: Our objective in this review is to confirm the existence of appropriately designed controls within the areas of disaster recovery and business continuity.
ISACA BCM Audit/Assurance Program: Objective and Scope
Objective: The continuity planning audit/assurance review will:
- Provide management with an evaluation of the enterprise's preparedness in the event of a major business disruption
- Identify issues that may limit interim business processing and restoration of same
- Provide management with an independent assessment of the effectiveness of the business continuity plan and its alignment with subordinate continuity plans
Scope: The review will focus on the enterprise business continuity plan, policies, standards, guidelines, procedures, laws and regulations that address maintaining continuous business services. This will include:
- Development, maintenance and testing of the business continuity plan
- Ability to provide interim business services and the effective and timely restoration of same
- Risk management and costs related to the business continuity plan*
* Copyright ISACA 2011, Business Continuity Management Audit/Assurance Program, page 11

Auditing BCM
- Benefits of auditing the BCM plan
- Audit scope and objective considerations
- Key audit areas
- Common issues stemming from plan audits

Benefits of Auditing the Plan
- Provides assurance to executive management and the board that plans are robust, complete and up-to-date
- Identifies weaknesses in the plan
- Motivates personnel to maintain their plans
- Helps justify allocation of resources
- Helps justify costs associated with business continuity

Audit Considerations: Scope and Objective Considerations
- Controls to be reviewed and tested
- Methodology used to develop plans
- Consistency between business unit business continuity plans and enterprise disaster recovery plans
- Application of common planning standards
- External suppliers and service providers

Audit Considerations: Plan Development
- Established planning standards
  - Methodology and standards used to develop the plans, enterprise-wide
  - Purpose, objective, scope and assumptions to be used in developing and executing plans
- Roles, accountabilities and responsibilities
  - Senior management
  - Business unit management and personnel
  - Business continuity coordinator
  - Information security personnel

Audit Considerations: Plan Development
- Assess Phase
  - Plan development requirements
  - Business impact assessment
  - Risk assessment
  - Risk avoidance measures
- Mitigate Phase
  - System restoration and recovery procedures
  - Vendor management
  - Manual processing/downtime procedures
  - Maintenance, testing and administration requirements
  - Training and communication

Building the Audit Scope: Considerations
Identify the scope of the audit:
- Disaster recovery
- Business continuity
- Crisis management

Building the Audit Scope: Options, Business Continuity

Area | 3-4 Weeks | 5-8 Weeks
Policy, Scope and Objectives | Review of the policy and scope of the business continuity program | Detailed review of the policy and scope of the business continuity program
Risk Assessment | Review the procedures from a risk assessment and the results | Detailed review of the risk assessment procedures and results
Business Impact Analysis | Review business impact analysis (BIA) and associated assessment criteria and results; high-level review of the recovery time/point objectives | Detailed review of BIA results and validation of recovery time and point objectives in BCPs to meet business needs; validation with DRP
Business Continuity Strategies | Review current strategies to address various interruptions and/or disasters using multiple scenarios | Detailed review of business continuity recovery strategies to meet highly probable disaster scenarios
Business Continuity Plan | Review current business continuity plan to ensure core components are addressed | Detailed review of the business continuity plan assessed against RTOs/RPOs
Work Area Recovery | Review processes for managing workforce for critical business processing | Detailed review of managing workforce at alternate facility/site
Business Continuity Plan Testing | Review of the testing procedures for the Business Continuity Program (BCP) | Detailed review of the testing program (procedures, processes), testing scenarios and test plans
Business Continuity Plan Maintenance | Review of the maintenance and change management procedures for the BCP | Detailed review of the BCP's maintenance to ensure the plan stays current; review feedback from testing/training incorporated into plan updates
Business Continuity Program Governance | Review management's policies and procedures regarding the BCP | Detailed review of Business Continuity Management Program and governance policies/procedures

Building the Audit Scope: Options, Disaster Recovery

Area | 3-4 Weeks | 5-8 Weeks
Physical Security | Review of physical security to manage access to the data center | Detailed review of physical security through assessment, monitoring and review of procedures
Backup and Recovery | Review current backup and recovery procedures to ensure data is appropriately backed up and protected | Detailed review of backup and recovery procedures; validation to ensure B&R meets recovery objectives
Recovery Procedures | Review the procedures that will recover critical infrastructure | Detailed review of the procedures for recovery of critical infrastructure
Disaster Recovery Strategy | Review strategies to address service interruptions and/or disasters: component level, data center, site, regional | Detailed review of the DR strategies to ensure recovery objectives and SLAs are met; review to identify single points of failure (SPOF); multiple strategies based on varying scenarios
Disaster Recovery Plan | Review the current disaster recovery plan to ensure core components are included | Detailed review of the contents of the DRP

Area | 2-4 Weeks | 5-8 Weeks
Business Recovery | Review that the DR strategies and plans will meet the needs of the business for recovery | Detailed review of the DR strategies and plans to meet the needs of the business; review and validation of the BIA to ensure consistency
Disaster Recovery Plan Testing | Review of the testing procedures of the DRP | Detailed review of the testing program (procedures, processes); review of testing scenarios and test plans
Disaster Recovery Plan Maintenance, Reviews, Updates | Review of the maintenance procedures of the DRP | Detailed review of the DRP's maintenance to ensure the plan stays current; review feedback from testing/training incorporated into plan updates
Disaster Recovery Plan Training | Review training procedures for the DRP | Detailed review of the training agenda and materials to ensure end users understand their role and how to utilize the DRP

Audit Approach: Inspection of Key Documentation
- Planning standards, mission statement and governance
- Business impact analysis and risk assessment results
  - Identification of critical business processes/operations
  - Identification of critical business path
  - Minimum recovery timeframes and resources are defined
  - Timeframes established based on the financial and operational impact to the organization
- Policies and procedures
  - Business continuity
  - Disaster recovery
  - Emergency preparedness
  - Crisis management
  - Backup and restoration
- Employee/vendor contact lists
  - Verify accuracy and completeness of contact lists
- Off-site inventories
- Plan testing and results
- Contractual agreements
- SAS 70 reports and disaster recovery plans of critical third-party service providers
- Employee education and communication protocols
Audit Approach: Observations of Key Activities
- Plan test activities
- Documentation review and update activities
- Alternate power and generator tests
- Telecommunications failover tests
- Virtual department enablement

Common Plan Risks
- Emergency preparedness
  - Emergency/evacuation procedures
  - Team structure
- Crisis management
  - Employee, patient, student, etc. communication protocol (business and non-business hours)
  - Marketing/media communication protocol
Common Plan Risks
- Physical plan documentation location(s)
- Control/versioning of plans
- Use of automated tools
- Staff training and awareness
- Roles and responsibilities
- Security of primary facility
  - Unauthorized access
  - Protection from fire and other environmental threats
  - Storage of sensitive information
Common Plan Risks
- Backup process
  - Backup tapes
  - Adequacy of backup procedures
    - How often are systems backed up?
    - When is media transferred off-site?
    - How often are backups rotated?
    - Are backups properly inventoried?
  - Software and data
  - Testing of backup media (periodic restoration)
- Hardware and support facilities
  - Alternate processing facility
    - Proximity to primary facility
    - Security of site
    - Vendor contracts (if any)
Common Plan Risks
- Identification and storage of vital records
  - Off-site storage
    - Backup tapes
    - Supporting documentation
  - Security of off-site storage facility
    - Authorized personnel
  - Accessibility and level of response of the off-site storage facility
- Internal work-flow dependencies
  - Relocation dependency?
  - Do recovery time frames coincide?
- External dependencies
  - Adequacy of third-party business continuity plans
  - Do recovery time frames coincide?
Common Plan Risks
- Adequacy of detailed recovery procedures
  - Alternate site activation
  - Network
  - System recovery and start-up
  - Application
- Testing
  - Test schedule
  - Does the test judge the adequacy of the plan?
  - Are staff rotated?
  - Surprise testing
  - Written report of results

Common Plan Risks
- Plan maintenance
  - Schedules
  - Adequacy of scheduled maintenance
  - Sufficiency of testing coverage
  - Documentation updates
  - Approval
  - Accountability
- Employee education and awareness
- Overall: does the plan make sense?

Example Assessment Results
[Spider graph, scale 0 to 5, with axes Business Continuity Plan Management; BCM Policy, Standards, and Procedures; Business Impact Assessment; Risk Assessment; Documentation; Plan Testing; two series plotted: Assessment and Target]
This spider graph is an example of the assessment results and maturity target for a specific enterprise.*
* Copyright ISACA 2011, Business Continuity Management Audit/Assurance Program, page 25

Key Takeaways
- Management and boards are becoming increasingly aware of the need for BCM
- Funding and resources are becoming available
- Think about BCM when processes or technology change
- Effective planning (BIA, risk assessment, etc.) and testing ensures focus and program optimization and helps minimize costs
- Resources are at your disposal
- Find a way to audit plan components at least annually

CASE STUDY EXAMPLES

Case Study 1
Client: A global financial services organization
Problem Statement:
- Maintenance and financial overheads: multiple primary and DR data centers in the US and the rest of the world
- Risk to business: some of the primary and DR data centers were geographically close
- Compliance risk: some of the consumer finance applications' DR environments were hosted in externally managed data center facilities to mitigate DR risk, due to geographically close data centers
- Unorganized IT environment portfolio: businesses have IT environments in multiple data centers
- Excessive network usage due to primary-DR site replication
Identified Solution:
- Devised a strategy to pair the US data centers (two primary and two DR) in the Southwest and Midwest US
- Move all the externally hosted application environments to internal DR data centers
- Revalidated application availability SLAs for DR with the business
- Implemented guiding principles for businesses to host IT environments in a defined set of data centers
Tactical and Strategic Benefits Achieved:
- Regional disaster risks for businesses were mitigated
- Strategic cost and effort savings realized from consolidation and newer-technology data centers
- Achieved an organized portfolio of IT environments by rearranging and optimizing
Case Study 2
Client: A global financial services client (Banking and Capital Markets, Wealth Management)
Problem Statement:
- Compliance, operational and business risk: three MRAs for Business Continuity in ecommerce and Online Banking
- Multiple data centers in the US and worldwide; the business continuity requirements still needed attention
Identified Solution:
- MRA remediation actions were identified to provide three fully redundant data centers to support the services. Each data center had 100%+ redundancy and could withstand an N-2 data center failure.
- Supported remediation of the MRAs, including governance development, architecture reviews, and BCP/DR remediation support for ecommerce and online banking
Tactical and Strategic Benefits Achieved:
- MRA remediation was achieved
- Business, operational and compliance risks were mitigated
Case Study 3
Client: Global financial services client, an industry-leading insurance company
Problem Statement: The client recently began an integration of its offices and operations in over 40 countries. Regional and local country offices have evolved independently over the last 15 years, adding to the firm's technology footprint through merger and acquisition activity. A foundational global technology integration program has started the consolidation of international Active Directory domains and selected local country corporate applications into a centrally hosted, third-party managed data center service provider. Several countries have indicated that they currently have their own local country DR/BCP services, processes and support providers, and that the global AD consolidation program will disconnect connectivity to their local DR sites and disrupt current BCP processes and plans.
Identified Solution: Because of variances in independent country infrastructures and technology hosting/DR strategies, intermediate approaches on a country-by-country basis needed to be developed to ensure DR and BCP continuity while the global technology consolidation program continues. Through the program/country relationship management framework Ernst & Young has implemented across 40 countries, it has the visibility and access to help the client facilitate intermediate-step DR solution design and implementation activities across multiple technical, compliance and country organizations to resolve DR connectivity and continuity issues, while the client continues with its global technology consolidation program. Initial regional and country discussions have started and will continue over the life of the program.
Tactical and Strategic Benefits Achieved: Tactical local country DR strategies and solutions can maintain local country continuity and connectivity while the global technology consolidation program completes. More strategic DR strategies and programs can be developed and implemented worldwide at a time when organizations and infrastructure are at a higher level of globally integrated maturity.
SESSION TWO RECAP
Q&A
AUDIENCE PARTICIPATION EXERCISE (WHO HAS THE BEST BC OR DR AUDIT FINDING?)

For More Information
Dan Stavola, Executive Director, Ernst & Young LLP (PMP, ITIL)
dan.stavola@ey.com, +1 212 773 5767

Marlin Ness, Executive Director, Ernst & Young LLP (PMP, CGEIT, CRISC, CISSP, DoD CIO Certified)
marlin.ness@ey.com, +1 312 879 3312

Asheesh Bajaj, Manager, Ernst & Young LLP (ITILv3, BCPP, Quality)
asheesh.bajaj@ey.com, +1 980 422 2955

The views expressed herein are those of the presenters and do not necessarily reflect the views of Ernst & Young LLP.

Collaborate, Contribute, Connect
The Knowledge Center is a collection of resources and online communities that connect ISACA members globally, across industries and by professional focus, under one umbrella. Add or reply to a discussion, post a document or link, connect with other ISACA members, or create a wiki by participating in a community today! http://www.isaca.org/Knowledge-Center