Business Continuity Planning and Disaster Recovery

Katalin Szenes Dr., CISA, CISM, CGEIT, CISSP
szenes.katalin@nik.uni-obuda.hu
University: Óbuda - Óbudai Egyetem
Faculty: JvN - Neumann János Informatikai Kar
Inst.: SW Technology - Szoftvertechnológiai Intézet

Table of Contents
• purpose and main aspects
• definitions - BCP, disaster, DRP, IT BCP, IT DRP
• tasks of the IS auditor
  o example on these tasks: CISA Q no 6-3
  o on audit concerns: CISA Q no 6-10
• Consequences Concerning the Acceptance of the Risks
• other planning issues
• preliminaries to be settled
• preliminaries / insurance
• emergency management team
• CISA Q no 6-8 notification priorities
• CISA Q no 6-9 organizational unit IT & the BCP

Table of Contents
• On the Components of the Information Systems Business Continuity Plan
  o some [development] phases
  o [development] process
  o categories of incidents & incident management
  o BIA & risk management
    • system risk ranking
    • issues in BIA phase
    • questions in BIA phase
    • example on risk aspects CISA Q no 6-1 - answer: see ISO/IEC 27001, 2, too

Table of Contents
• On the Components of the Information Systems Business Continuity Plan - cont'd
  o BCP documents
  o Infrastructure types - hot, warm, etc.
    • provisions for 3rd party agreements
    • on the audit of 3rd party agreements
    • infrastructure / telecommunications, networks
    • infrastructure / storage

Table of Contents
• BCP plan - testing considerations
• rulebook contents
• recovery aspects (RPO, RTO, etc.)
• The IS BCP of the Individual Systems
• COBIT 3, 4 support of IS audit and IT security
  o the processes of Delivery & Support
  o DS4 - Ensure Continuous Service
  o DS4 control objectives
• ISACA CRM case study
• references
purpose and main aspects
(source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
purpose:
• to enable a business to continue offering critical services in the event of a disruption and to survive even a disastrous interruption of its activities
the business continuity planning has to take into consideration:
• the market & strategy goals of the corporation →
• the strategic business processes →
• those key operations that are most necessary to the survival of the organization
• the human/material resources supporting them
Note:
• ?? business continuity plan must be based on the long-range IT plan ??

purpose and main aspects
(source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
the business continuity plan includes:
• the disaster recovery plan to recover a facility rendered inoperable, including relocating operations into a new location - for later use
• the restoration plan that is used to return operations to normality whether in a restored or new facility - only after mitigating the effect of the disruption by restarting the business applications involved

Business Continuity Planning - Definition
The purpose of business continuity planning is to enable a business to continue operations should any kind of disturbance arise. Rigorous planning and commitment of resources are necessary to adequately plan for such an event.
Business continuity planning is primarily the responsibility of senior management, as they are entrusted with the safeguarding of both the assets and the viability of the company.
Business continuity planning is to take into consideration:
• those key operations that are most necessary to the survival and later to the market success of the organization
• the human / material resources supporting them.
Business Continuity Planning - Definition
The second part, the operations part of the business continuity plan, should address all functions and assets required to continue as a viable organization and to keep acquiring market success.
The extent of provision for reserve facilities depends on the cost / effectiveness considerations of the top management.

Disaster Recovery Plan - Definition
Disasters are disruptions that cause critical information resources to be inoperative for a period of time, e.g., weather, terrorism, disruption in expected services, human error, etc.
(this disaster definition & examples are from the CISA® Review Course slides)
The business continuity plan includes:
• the disaster recovery plan, which is generally the plan to be followed by the business units to recover a harmed / demolished facility or business functionality, or an operational facility, and
• the operations plan, which is to be followed by the business units to "get by" while recovery is taking place.

Information Systems Business Continuity Planning / Information Systems Disaster Recovery Plan - Definition
Everything is the same as in the case of the Business Continuity Planning / Disaster Recovery Plan, with the exception that it is the continuity of the information systems processing that is threatened.
Information systems processing is one operation of many that keep the organization not only alive but also successful; thus it is of strategic importance.
Thus the event to be controlled is such a disruption, and the objective of the control measure is to survive an interruption of the information systems processing.
Information Systems Business Continuity Planning / Information Systems Disaster Recovery Plan - Definition
Throughout the planning process of business continuity, the overall plan of the organization should be taken into consideration.
All IS plans must be consistent with and support the corporate business continuity plan.
This means that especially those information processing systems that support key operations must have the more elaborate and ready-to-start reserve processing facilities.

the tasks of the auditor
(source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery / Learning Objectives)
the tasks of the auditor:
• Evaluate the adequacy of backup and restore provisions to ensure the availability of information required to resume processing
• Evaluate the organization's disaster recovery plan to ensure that it enables the recovery of IT processing capabilities in the event of a disaster
• Evaluate the organization's business continuity plan to ensure the organization's ability to continue essential business operations during the period of an IT disruption
./.

the tasks of the auditor
(source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
the tasks of the auditor - cont'd
• Check if the BCP follows corporate strategy
• Evaluate plans for
  o accuracy
  o adequacy
  o effectiveness
  o etc.
• Evaluate offsite storage
• Evaluate ability of IS and user personnel to respond effectively
• Ensure plan maintenance is in place
• Evaluate readability of business continuity manuals and procedures
./.
the tasks of the auditor
(source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
the tasks of the auditor - cont'd
• Check the documents from the viewpoint of
  o Currency
  o Effectiveness
  o Validity: interview personnel for appropriateness and completeness
• Evaluate the BCP quality, e.g.:
  o Determine whether corrective actions are in the plan
  o Evaluate thoroughness and accuracy
  o Determine problem trends and resolution of problems
./.

the tasks of the auditor
(source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
the tasks of the auditor - cont'd
• Evaluate media & documentation handling:
  o presence,
  o synchronization and
  o currency of media and documentation
• Perform a detailed inventory review
• Review all documentation
  o is it current, is it detailed enough?
  o change management
  o configuration management
./.

the tasks of the auditor
(source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
the tasks of the auditor - cont'd
• Evaluate offsite storage facility
  o if any, and what is there?
  o evaluate the physical and environmental access controls
  o examine the equipment for current inspection and calibration tags
  o etc.
• Key personnel must have an understanding of their responsibilities
./.

the tasks of the auditor
(source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
questions for checking:
  o Who is responsible for administration or coordination of the plan?
  o Is the plan administrator/coordinator responsible for keeping the plan up-to-date?
  o Is there a disaster recovery implementation team (i.e., the first response team members who will react to the emergency with immediate action steps)?
  o Where is the disaster recovery plan stored?
  o What critical systems are covered by the plan?
  o What systems are not covered by the plan? Why not?
./.

the tasks of the auditor
(source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
questions for checking - cont'd
  o What equipment is not covered by the plan? Why not?
  o Does the plan operate under any assumptions? What are they?
  o Does the plan identify rendezvous points for the disaster management committee or emergency management team to meet and decide if business continuity should be initiated?
  o Are the documented procedures adequate for successful recovery?
  o Does the plan address disasters of varying degrees?
  o Are telecommunications backups (both data and voice line backups) addressed in the plan?
    • and how? - see later: infrastructure / telecommunications
./.

the tasks of the auditor
(source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
questions for checking - cont'd
  o Is there a backup facility site? and / or: what kind of precautions are made? (see later: different types of infrastructures)
  o Does the plan address relocation to a new information processing facility in the event that the original center cannot be restored?
  o Does the plan include procedures for
    • merging master file data,
    • automated tape management system data,
    • etc.,
    into pre-disaster files?

the tasks of the auditor - CISA Q no 6-3
(source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
An IS auditor should be involved in:
• A. observing tests of the disaster recovery plan.
• B. developing the disaster recovery plan.
• C. maintaining the disaster recovery plan.
• D. reviewing the disaster recovery requirements of supplier contracts.

the tasks of the auditor - CISA Q no 6-3
(source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
Answer: A
• The IS auditor should always be present when disaster recovery plans are tested to ensure that the test meets the required targets for restoration, ensure that recovery procedures are effective and efficient, and report on the results, as appropriate.
• IS auditors may be involved in overseeing plan development, but they are unlikely to be involved in the actual development process.
• Similarly, an audit of plan maintenance may be conducted, but the IS auditor normally would not have any responsibility for the actual maintenance.
• An IS auditor may be asked to comment upon various elements of a supplier contract, but, again, this is not always the case.

on audit concerns - CISA Q no 6-10
(source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
version 1 - the slides
In an audit of a business continuity plan, which of the following findings is of MOST concern?
• A. There is no insurance for the addition of assets during the year.
• B. The business continuity plan manual is not updated on a regular basis.
• C. Testing of the backup data has not been done regularly.
• D. Records for maintenance of the access system have not been maintained.

on audit concerns - CISA Q no 6-10
(source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
version 1 - the slides
The correct answer is C
• The most vital assets for a company are data. In a business continuity plan, it is critical to ensure that data are available. Therefore, regular testing of the backup of data must be done. If testing is not done, the organization may not be able to retrieve data when required during a disaster; hence, the company may lose its most valuable asset and may not be able to recover from the disaster.
• A loss on account of lack of insurance is limited to the value of assets.
• If the business continuity plan manual is not updated, the company may find the manual not fully relevant for recovery during a disaster. However, recovery could be still possible.
• Non-maintenance of records in an access system will not directly impact the relevance of the business continuity plan.

on audit concerns - CISA Q no 6-10
(source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
version 2
In an audit of a business continuity plan, which of the following findings is of MOST concern?
• A. There is no insurance for the addition of assets during the year.
• B. The business continuity plan is not updated on a regular basis.
• C. Testing of the backup data has not been done regularly.
• D. Records for maintenance of the access system have not been maintained.
The correct answer is?

Consequences Concerning the Acceptance of the Risks
The alternatives for the elimination of the risks are determined by the resources that the management wants to spend on "safety".
The management classifies according to business importance
• the assets
• processes
• data
and the data processing systems' importance is equal to the importance of the element they support.
other planning issues
(source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
the entire organization needs to be considered for BCP
the personnel has to
• classify critical systems, resources
• determine acceptable recovery times
• react
the personnel who must react to the interruption/disaster scenarios are those who are responsible for the most critical resources
→ management and user involvement is vital to the success of the business continuity plan

other planning issues
(source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
User management involvement is essential to the identification of critical systems, their associated critical recovery times and the specification of needed resources.
• The three major divisions that require involvement in the formulation of the business continuity plan are
  o support services,
  o business operations and
  o information processing support.
• as the underlying purpose of business continuity planning is the resumption of business operations, every organizational unit should contribute aspects and/or help in the development of the BCP, IT BCP, etc., already in the planning phase

other planning issues
(source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
the BCP, IT BCP, etc., are to be based on
• the risk assessment results, and the BIA
• the business goals & strategy
• all issues involved in interruption to business processes,
• including recovering from a disaster
Important:
• The plan should be documented and written in a simple language understandable to all.
• Copies of the plan should be maintained offsite.
other planning issues
(source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
for the BCP, IT BCP, etc., the following other information is to be collected:
• Pre-disaster readiness
• possible Evacuation procedures
• Circumstances under which a disaster should be declared
• Identification of contract information
• Recovery option explanations
• Identification of resources for recovery and continued operation of the organization

preliminaries to be settled
(source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
for the BCP, IT BCP, etc., the following should be agreed upon:
• The policies that will govern all of the continuity and recovery efforts
• The goals/requirements/products for each phase
• Alternate facilities to perform tasks and operations
• Critical information resources to deploy (e.g., data and systems)
• Persons responsible for completion
• Available resources to aid in deployment (including human)
• The scheduling of activities with priorities established
• Key decision-making personnel
• Backup of required supplies
• Telecommunication networks disaster recovery methods
• Redundant array of inexpensive disks (RAID)
• Insurance
./.

preliminaries / insurance
(source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
Most insurance covers only financial losses, based upon the historical level of performance and not the existing level of performance. Also, insurance does not compensate for loss of image/goodwill.
The Business Continuity Plan should contain:
• key information about the organization's insurance.
• it should take the corporate physical, logical, market, etc. environment into consideration
• etc.
IT BCP:
• The information systems processing insurance policy is usually a multi-peril policy designed to provide various types of IS coverage.
• It should be constructed in modules, so that it can be adapted to the insured's particular IT architecture and requirements,
• etc.

preliminaries / insurance
(source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
(BCP / IT BCP) insurance is to cover, among others:
• actual costs of recovery
• replacement / reconstruction of every kind of equipment and facilities
• IT losses, e.g.
  o IS Media & software & ... reconstruction
• Extra expense
• Business interruption
• Valuable papers and records
• Errors and omissions
• Fidelity coverage
• Media transportation
• etc., other kinds of costs of business continuity

emergency management team
(source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
The emergency management team coordinates the activities of all other recovery teams. This team oversees:
• Retrieving critical and vital data from offsite storage
• Installing and testing systems software and applications at the systems recovery site
• Identifying, purchasing, and installing hardware at the system recovery site
• Operating from the system recovery site
• Rerouting network communications traffic
./.
emergency management team
(source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
emergency management team - cont'd
• Reestablishing the user/system network
• Transporting users to the recovery facility
• Reconstructing databases
• Supplying necessary office goods, i.e., special forms, check stock, paper
• Arranging and paying for employee relocation expenses at the recovery facility
• Coordinating systems use and employee work schedules
• etc.!

CISA Q no 6-8 notification priorities
(source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
In a business continuity plan, which of the following notification directories is the MOST important?
• A. Equipment and supply vendors
• B. Insurance company agents
• C. Contract personnel services
• D. A prioritized contact list

CISA Q no 6-8 notification priorities
(source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
The correct answer is D
• A prioritized list of contacts is most important since it will direct the process of communication and contact to various entities in order of priority.
• Choices A, B and C are musts, but not as important as choice D.

CISA Q no 6-9 organizational unit IT & the BCP
(source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
Which of the following components of a business continuity plan is PRIMARILY the responsibility of an organization's IS department?
• A. Developing the business continuity plan
• B. Selecting and approving the strategy for the business continuity plan
• C. Declaring a disaster
• D. Restoring the IS systems and data after a disaster

CISA Q no 6-9 organizational unit IT & the BCP
(source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
The correct answer is D
• The correct choice is restoring the IT systems and data after a disaster. The IT department of an organization is primarily responsible for restoring the IT systems and data after a disaster at the earliest possible time.
• Members of the organization's senior management are primarily responsible for developing the business continuity plan for an organization. Management is also responsible for selecting and approving the strategy for developing and implementing a detailed business continuity plan. The organization should identify a person in management as responsible for declaring a disaster. Although IT is involved in the three other choices, it is not primarily responsible for them.

On the Components of the Information Systems Business Continuity Plan - considerations only!
• [some] phases of development
(source, among others: CISA® Review Course slides, ISACA 2010)
  o based on business impact analysis
  o creation of a business continuity and disaster recovery policy
  o classification of operations and criticality analysis
  o forming responsible teams and nominating responsible employees and collecting their contact data
  o development of a business continuity plan and disaster recovery procedures, and
  o training and awareness program
  o implementation of the plan
  o regular testing and monitoring

On the Components of the Information Systems Business Continuity Plan - considerations only!
• planning [or rather: development] process
(source: CISA® Review Course slides, ISACA 2010)
categories of incidents & incident management
(source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
  o Negligible incidents are those causing no perceptible or significant damage, such as very brief operating system (OS) crashes with full information recovery or momentary power outages with uninterruptible power supply (UPS) backup.
  o Minor events are those that, while not negligible, produce no negative material (of relative importance) or financial impact.
  o Major incidents cause a negative material impact on business processes and may affect other systems, departments or even outside clients.
  o Crisis is a major incident that can have serious material (of relative importance) impact on the continued functioning of the business and may also adversely impact other systems or third parties. The severity of the impact depends on the industry and circumstances, but is generally directly proportional to the time elapsed from the inception of the incident to incident resolution.

categories of incidents & incident management
(source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

On the Components of the Information Systems Business Continuity Plan - considerations only!
BIA and risk management
• CISA CRM: Business Impact Analysis (BIA)
risk management ↔ business continuity plan development:
• risk assessment includes: system risk ranking
ranking:
• Critical
• Vital
• Sensitive
• Non-sensitive
ranking in details:

On the Components of the Information Systems Business Continuity Plan - considerations only!
BIA and risk management
(source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
system risk ranking:
• Critical – These functions cannot be performed unless they are replaced by identical capabilities. Critical applications cannot be replaced by manual methods. Tolerance to interruption is very low; therefore, cost of interruption is very high.
• Vital – These functions can be performed manually, but only for a brief period of time. There is a higher tolerance to interruption than with critical systems and, therefore, somewhat lower costs of interruption, provided that functions are restored within a certain time frame (usually five days or less).
./.

On the Components of the Information Systems Business Continuity Plan - considerations only!
BIA and risk management
(source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
system risk ranking - cont'd
• Sensitive – These functions can be performed manually, at a tolerable cost and for an extended period of time. While they can be performed manually, it usually is a difficult process and requires additional staff to perform.
• Non-sensitive – These functions may be interrupted for an extended period of time, at little or no cost to the company, and require little or no catching up when restored.

On the Components of the Information Systems Business Continuity Plan - considerations only!
BIA and risk management
issues in BIA phase
• consequences on BCP, that is, on:
  o alternatives - see infrastructure types
  o recovery strategies & methods
• risk management cycle

On the Components of the Information Systems Business Continuity Plan - considerations only!
BIA and risk management
questions in BIA phase
(source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
• What are the different business processes?
• What are the critical information resources related to an organization's critical business processes?
• What is the critical recovery time period for information resources in which business processing must be resumed before significant or unacceptable losses are suffered?

On the Components of the Information Systems Business Continuity Plan
example on the risk aspect - CISA Q 6-1
(source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
During an audit of a large bank, the IS auditor observes that no formal risk assessment exercise has been carried out for the various business applications to arrive at their relative importance and recovery time requirements. The risk to which the bank is exposed is that the:
• business continuity plan may not have been calibrated to the relative risk that disruption of each application poses to the organization.
• business continuity plan may not include all relevant applications and, therefore, may lack completeness in terms of its coverage.
• business impact of a disaster may not have been accurately understood by the management.
• business continuity plan may lack an effective ownership by the business owners of such applications.

On the Components of the Information Systems Business Continuity Plan
example on the risk aspect - CISA Q 6-1
(source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
Answer: A
• The first and key step in developing a business continuity plan is a risk assessment exercise that analyzes the various risks that an organization faces and the impact of non-availability of individual applications.
• ISO: [I refer to 27001, 2]

On the Components of the Information Systems Business Continuity Plan
example on the risk aspect - CISA Q
(source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
ISO reference to 6-1 Answer /1
27002: Chapter 14: BUSINESS CONTINUITY MANAGEMENT
14.1 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
• 14.1.1 Including information security in the business continuity management process
• 14.1.2 Business continuity and risk assessment
• 14.1.3 Developing and implementing continuity plans including information security
• 14.1.4 Business continuity planning framework
• 14.1.5 Testing, maintaining and re-assessing business continuity plans
on the standard, see the references! to buy: www.mszt.hu

On the Components of the Information Systems Business Continuity Plan
example on the risk aspect - CISA Q
(source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
ISO reference to 6-1 Answer /2
27001: Annex A - Control Objectives and Control [Measure]s
A.14 Business continuity management
A.14.1 Information security aspects of business continuity management
• Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
• see control measures A.14.1.1 - A.14.1.5!
on the standard, see the references! to buy: www.mszt.hu
On the Components of the Information Systems Business Continuity Plan
(source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
BCP documents
• Continuity of operations plan (COOP)
• Disaster recovery plan (DRP)
• Business resumption plan
• Continuity of support plan / IT contingency plan
• Crisis communications plan
• Incident response plan
• Transportation plan
• Occupant emergency plan (OEP)

On the Components of the Information Systems Business Continuity Plan - considerations only!
• Infrastructure Types:
  o Mirroring
  o Hot, Warm or Cold Site
  o Alternative Hardware
  o Backup of Required Supplies
  o Telecommunication Networks
  o Servers, Storage
  o Offsite Libraries and Library Controls
  o Security and Control of Offsite Facilities
  o Media and Documentation Backup
  o etc.
details: ./.

infrastructure types
(source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
• Mirroring [parallel processing - special HW or organized]
• Hot Sites – They are fully configured and ready to operate within several hours. The equipment, network and systems software must be compatible with the primary installation being backed up. The only additional needs are staff, programs, data files and documentation.
New definition for hot site:
• The hot site is intended for emergency operations of a limited time period and not for long-term extended use. Long-term use would impair the protection of other subscribers.
cont'd with consequences ./.

infrastructure types
(source, among others: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
Consequences of the new definition:
• Therefore, the hot site should be viewed as a means of accomplishing the continuation of essential operations for a period of up to several weeks following a disaster or major emergency. Further plans are still necessary to provide for subsequent operations.
• Several vendors offer warm- or cold-site facilities for a subscriber to migrate to after recovery of operations has been completed. This will free up the hot site for use by other subscribers.
The cold site definition is also new, with subscribers!

infrastructure types
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
• Warm Sites – They are partially configured, usually with network connections and selected peripheral equipment, such as disk drives, tape drives and controllers, but without the main computer. Sometimes a warm site is equipped with a less powerful central processing unit (CPU) than the one generally used. The assumption behind the warm site concept is that the computer can usually be obtained quickly for emergency installation (provided it is a widely used model) and, since the computer is the most expensive unit, such an arrangement is less costly than a hot site. After the installation of the needed components, the site can be ready for service within hours; however, the location and installation of the CPU and other missing units could take several days or weeks.

infrastructure types
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
• Cold Sites – These are sites that have only the basic environment (electrical wiring, air conditioning, flooring, etc.) to operate an information processing facility (IPF), reducing the cost.
The cold site is ready to receive equipment but does not offer any components at the site in advance of the need. Activation of the site may take several weeks.
• Duplicate (redundant) Information Processing Facility – These are dedicated, self-developed recovery sites that can back up critical applications. They can range in form from a standby hot site to a reciprocal agreement with another company installation.

infrastructure types
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
• Mobile Sites – This is a specially designed trailer that can be quickly transported to a business location or to an alternate site to provide a ready-conditioned information processing facility.
• Reciprocal Agreement with other organizations – This is a less frequently used method between two or more organizations with similar equipment or applications. Under the typical agreement, participants promise to provide computer time to each other when an emergency arises.

infrastructure / provisions for 3rd party agreements
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
• Configurations—Are the vendor’s hardware and software configurations adequate to meet company needs since these will vary over time?
• Disaster—Is the definition of disaster broad enough to meet anticipated needs?
• Speed of availability—How soon after a disaster will facilities be available?
• Subscribers per site—Does the agreement limit the number of subscribers per site?
• Subscribers per area—Does the agreement limit the number of subscribers in a building or area?
• Preference—Who gets preference if there are common or regional disasters? Is there backup for the backup facilities?
Is use of the facility exclusive or does the customer have to share the available space if multiple customers simultaneously declare a disaster? Does the vendor have more than one facility available for subscriber use?

infrastructure / provisions for 3rd party agreements
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
• Insurance—Is there adequate insurance coverage for company employees at the backup site? Will existing insurance reimburse those fees?
• Usage period—How long is the facility available for use? Is this period adequate? What technical support will the site operator provide? Is this adequate?
• Communications—Are the communications adequate? Are the communication connections to the backup site sufficient to permit unlimited communication with the alternate site if needed?

infrastructure / provisions for 3rd party agreements
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
• Warranties—What warranties will the vendor make regarding availability of the site and the adequacy of the facilities? Are there liability limitations (there usually are) and is the company willing to live with them?
• Audit—Is there a right-to-audit clause permitting an audit of the site to evaluate the logical, physical and environmental security?
• Testing—What testing rights are included in the contract? Check with the insurance company to determine any reduction of premiums that may be forthcoming due to the backup site availability.
• Reliability—Can the vendor attest to the reliability of the site(s) being offered? Ideally, the vendor should have a UPS, limited subscribers, sound technical management, and guarantees of computer hardware and software compatibility.

on the audit of 3rd party agreements
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
• An IS auditor should obtain a copy of the contract with the vendor.
• Ensure that the contract is written clearly and is understandable.
• Reexamine and confirm the organization’s agreement with the rules that apply to sites shared with other subscribers.
• Ensure that insurance coverage ties in with and covers all (or most) expenses of the disaster.
• Ensure that tests can be performed at the hot site at regular intervals.
• Review and evaluate communications requirements for the backup site.
• Ensure that enforceable source code escrow is reviewed by a lawyer specializing in such contracts.
• Determine the limitation recourse tolerance in the event of a breached agreement.
• The contract should be reviewed against a number of guidelines:
  o Contract is clear and understandable
  o Organization’s agreement with the rules
  o etc.

infrastructure / telecommunications, networks
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
• [measures concerning networks include]:
  o Alternative routing
  o Diverse routing
  o Long-haul network diversity
  o Protection of the local loop [wire between the local switch and the end-user customer]
  o Voice recovery
  o Availability of appropriate circuits and adequate bandwidth

infrastructure / telecommunications, networks
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
Details on the methods of providing telecommunications continuity:
• Redundancy—Involves providing extra capacity with a plan to use the surplus capacity should the normal primary transmission capability not be available.
In the case of a LAN, a second cable could be installed through an alternate route for use in the event the primary cable is damaged.
• Alternative routing—The method of routing information via an alternate medium such as copper cable or fiber optics. This involves use of different networks, circuits or end points should the normal network be unavailable.
• Diverse routing—The method of routing traffic through split cable facilities or duplicate cable facilities. This can be accomplished with different and/or duplicate cable sheaths.

infrastructure / telecommunications, networks
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
Details on the methods of providing telecommunications continuity - cont'd
• Long haul network diversity—Many recovery facilities vendors have provided diverse long-distance network availability utilizing T1 circuits among the major long-distance carriers. This ensures long-distance access should any one carrier experience a network failure. Several of the major carriers have now installed automatic re-routing software and redundant lines that provide instantaneous recovery should a break in their lines occur.
[T1 is what telephone companies have traditionally used to transport digitized telephone conversations between central offices; T2, T3: more than one T1 multiplexed → higher speed]

infrastructure / telecommunications, networks
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
Details on the methods of providing telecommunications continuity - cont'd
• Last mile circuit protection—Many recovery facilities provide a redundant combination of local carrier T1s, microwave and/or coaxial cable access to the local communications loop. This enables the facility to have access during a local carrier communication disaster.
Alternate local carrier routing is also utilized.
• Voice recovery—With many service, financial and retail industries dependent on voice communication, redundant cabling and alternative routing should be provided for voice communication lines as well as data communication lines.

infrastructure / storage
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
Redundant array of inexpensive disks (RAID)
• Provide performance improvements and fault tolerant capabilities via hardware or software solutions
• Provide the potential for cost-effective mirroring offsite for data back-up

infrastructure
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
Q 6-7 An IS auditor discovers that an organization’s business continuity plan provides for an alternate processing site that will accommodate 50 percent of the primary processing capability. Based on this, which of the following actions should the IS auditor take?
• A - Do nothing, because generally, less than 25 percent of all processing is critical to an organization’s survival and the backup capacity, therefore, is adequate.
• B - Identify applications that could be processed at the alternate site and develop manual procedures to back up other processing.
• C - Ensure that critical applications have been identified and that the alternate site could process all such applications.
• D - Recommend that the information processing facility arrange for an alternate processing site with the capacity to handle at least 75 percent of normal processing.

infrastructure
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
Q 6-7 The correct answer is C
• A business continuity plan should provide for the recovery of critical systems, not necessarily all systems.
• Perhaps only 50 percent of the company’s systems are critical; therefore, careful assessment of critical systems and capacity requirements should be part of the IS auditor’s test of the plan.

BCP plan - testing considerations
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
One of the purposes of the business continuity test is to determine how well the plan works or which portions of the plan need improvement.
The test must simulate actual processing conditions:
• The test should be scheduled during a time that will minimize disruptions to normal operations. Weekends are generally a good time to conduct tests.
• It is important that the key recovery team members be involved in the test process and allotted the necessary time to put their full effort into it.
• The test should address all critical components and simulate actual primetime processing conditions, even if it is conducted in off hours.

BCP plan - testing considerations
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
the test - cont'd
• Test Execution – To perform testing, each of the following test phases should be completed: Pretest, Test, Post-Test.
• Documentation of Results – During every phase of the test, detailed documentation of observations, problems and resolutions should be maintained.
• Results Analysis – It is important to have ways to measure the success of the plan and test against the stated objectives. Therefore, results must be quantitatively gauged as opposed to an evaluation based only on observation.
• Recovery/Continuity plan maintenance – Plans and strategies for business continuity should be reviewed and updated on a scheduled basis to reflect continuing recognition of changing requirements.

On the Components of the Information Systems Business Continuity Plan - considerations only!
Rulebook Contents - some of the important points
• Detailed Plan
• Organization and Assignment of Responsibilities
• Emergency Response Team
• Key Decision-making Personnel
• What will employees do? - CISA® Review Course transparents were also used here
  o where will employees report to work,
  o how will orders be taken while the computer system is being restored,
  o who is responsible for determining which vendors should be called to provide needed supplies

On the Components of the Information Systems Business Continuity Plan - considerations only!
Rulebook Contents - some of the important points
• Insurance
• Recovery/Continuity Plan Testing:
  o Plan and Actual Tests
  o Documentation of the Test Results
  o Results Analysis

On the Components of the Information Systems Business Continuity Plan - considerations only!
Rulebook Contents - cont'd
• Recovery/Continuity Plan Maintenance
• Periodic Backup Procedures
• Record Keeping for Offsite Storage

recovery aspects
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
• Recovery Point Objective (RPO)
• Recovery Time Objective (RTO)
• Interruption window
• Service delivery objective - SDO
• Maximum tolerable outage
• Disaster tolerance

recovery aspects
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
disaster here: disaster AFTER the interrupt
Recovery Point Objective (RPO)
  o Based on acceptable data loss
  o Indicates earliest point in time in which it is acceptable to recover the data
• Acceptable data loss: For example, if the process can afford to lose the data up to four hours before disaster, then the latest backup available should be up to four hours before disaster or interruption, and the transactions during RPO and interruption need to be entered after recovery (known as catch-up data).

recovery aspects
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
disaster here: disaster AFTER the interrupt - ??
Recovery Point Objective (RPO)
  o Based on acceptable data loss
  o Indicates earliest point in time in which it is acceptable to recover the data
• RPO effectively quantifies the permissible amount of data loss in case of interruption. It is almost impossible to recover the data completely. Even after entering catch-up data, some data are still lost and are referred to as orphan data.
• If RPO is very low, say in minutes, it means that the process cannot afford to lose the data in such a short time. In such cases, data mirroring should be used as a recovery strategy. If RPO is high, say in hours, then other backup procedures, such as reel backup, could be used.
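The RPO check described above, as an added example that is not part of the course material: given a process's RPO and its backup history, it computes the recovery point actually achieved at an interruption, the catch-up window, and the worst-case gap between usable backups. The function name, the data class and the sample timestamps are constructed for illustration; the four-hour RPO is the one used in the slide.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class RpoAssessment:
    recovery_point: Optional[datetime]    # newest usable backup at the interruption
    catch_up_window: Optional[timedelta]  # transactions in this span must be re-entered
    rpo_met: bool                         # was the actual data loss within the RPO?
    worst_case_gap: Optional[timedelta]   # longest span not covered by a usable backup
    schedule_meets_rpo: bool              # would ANY interruption time have met the RPO?


def assess_rpo(backups: List[Tuple[datetime, bool]],
               interruption: datetime,
               rpo: timedelta) -> RpoAssessment:
    """Evaluate a backup history against an RPO.

    backups      -- (completion time, restorable?) pairs; failed or unverified
                    backups are passed with False and are ignored
    interruption -- the moment processing stopped
    rpo          -- acceptable data loss expressed as a time span
    """
    usable = sorted(t for t, ok in backups if ok and t <= interruption)
    if not usable:
        # Nothing to restore from: the RPO cannot be met at all.
        return RpoAssessment(None, None, False, None, False)

    recovery_point = usable[-1]
    catch_up = interruption - recovery_point

    # An interruption just before the next backup completes loses the whole
    # interval, so the exposure is the largest gap, not the most recent one.
    points = usable + [interruption]
    worst = max(later - earlier for earlier, later in zip(points, points[1:]))

    return RpoAssessment(
        recovery_point=recovery_point,
        catch_up_window=catch_up,
        rpo_met=catch_up <= rpo,
        worst_case_gap=worst,
        schedule_meets_rpo=worst <= rpo,
    )


# Constructed sample: backups every four hours, the 08:00 job failed.
SAMPLE_BACKUPS = [
    (datetime(2010, 3, 1, 0, 0), True),
    (datetime(2010, 3, 1, 4, 0), True),
    (datetime(2010, 3, 1, 8, 0), False),   # failed job, not restorable
    (datetime(2010, 3, 1, 12, 0), True),
]
SAMPLE_RPO = timedelta(hours=4)

if __name__ == "__main__":
    for when in (datetime(2010, 3, 1, 7, 0), datetime(2010, 3, 1, 11, 30)):
        result = assess_rpo(SAMPLE_BACKUPS, when, SAMPLE_RPO)
        print(when, "->", result)
```

The second sample interruption shows the failure mode an auditor should look for: the schedule is nominally four-hourly, but one failed job stretches the catch-up window to seven and a half hours.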

recovery aspects
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
disaster here: disaster caused by the interrupt
• Recovery Time Objective (RTO)
  o Based on acceptable downtime
  o Indicates earliest point in time at which the business operations must resume after a disaster
• The RTO is determined based on the acceptable downtime in case of a disruption of operations. It indicates the earliest point in time at which the business operations must resume after disaster.
• A high RTO will mean that so much additional time would be available for the recovery strategy.

recovery aspects
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
relation between RPO / RTO - which recovery strategies would be best with different RTO and RPO parameters?

recovery aspects
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
• Interruption window—The time the organization can wait from the point of failure to the critical services/applications restoration. After this time, the progressive losses caused by the interruption are unaffordable.
• Service delivery objective (SDO)—Level of services to be reached during the alternate process mode until the normal situation is restored. This is directly related to the business needs.
• Maximum tolerable outages—Maximum time the organization can support processing in alternate mode. After this point, different problems may arise, especially if the alternate SDO is lower than the usual SDO, and the information pending to be updated can become unmanageable.
• Disaster tolerance is the time gap within which the business can accept non-availability of IT facilities.
If this time gap is high, recovery strategies that take a longer time can be used.

recovery aspects
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
Q 6-5 Data mirroring should be implemented as a recovery strategy when:
• A. recovery point objective (RPO) is low.
• B. RPO is high.
• C. recovery time objective (RTO) is high.
• D. disaster tolerance is high.

recovery aspects
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
Q 6-5 The correct answer is A
• RPO is the earliest point in time to which it is acceptable to recover the data.
• If RPO is very low, say in minutes, it means that the process cannot afford to lose the data in such a short time. In such cases, data mirroring should be used as a recovery strategy. If RPO is high, say in hours, then other backup procedures, such as reel backup, could be used.
• A high RTO will mean that so much additional time would be available for the recovery strategy.
• Disaster tolerance is the time gap within which the business can accept non-availability of IT facilities. If this time gap is high, recovery strategies that take a longer time can be used.

The IS BCP of the Individual Systems
The most important part of the business continuity plan consists of those of the individual systems.
The table of contents of the systems business continuity plan contains (at least):
• The description of the system
• The members of the emergency team (name, every par.)
• The key users (name, every par.)
• The places (!) of the systems documentation (at least 2 media)

The IS BCP of the Individual Systems
The table of contents for the systems business continuity plan contains (at least) - cont'd
• The databases, their config., and their settings
• The archives
• The typical operations fallbacks
• Manual / alternative operations
• Software & hardware resource requirements: minimum, presently available, maximum
• Communications requirements
• Recovery to normal state

COBIT 3, 4 support of IS Audit and IT Security
  o 34 IS processes
  o 7 IS (evaluation) criteria
  o control objectives
  o control measures / procedures
  o Balanced Scorecard
  o Capability Maturity Model tailored to the 34 processes

COBIT 3, 4 support of IS Audit and IT Security
The processes of delivery and support:
  o DS1 - Define and Manage Service Levels
  o DS2 - Manage Third-party Services
  o DS3 - Manage Performance and Capacity
  o DS4 - Ensure Continuous Service
  o DS5 - Ensure Systems Security
  o DS6 - Identify and Allocate Costs
  o DS7 - Educate and Train Users
  o DS8 - Manage Service Desk and Incidents
  o DS9 - Manage the Configuration
  o DS10 - Manage Problems
  o DS11 - Manage Data
  o DS12 - Manage the Physical Environment
  o DS13 - Manage Operations

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
Important: even if this is all about IT, all business-critical human and infrastructural assets should be taken care of.
DS4.1 IT Continuity Framework
• Develop a framework for IT continuity to support enterprisewide business continuity management using a consistent process.
The objective of the framework:
• to assist in determining the required resilience of the infrastructure and
• to drive the development of disaster recovery and IT contingency plans

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
DS4.1 IT Continuity Framework - cont'd
The framework [and the plan] should address:
• the organisational structure for continuity management,
• on internal and external service providers
  o their management
  o and their customers
• these:
  o roles,
  o tasks and
  o responsibilities

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
DS4.1 IT Continuity Framework
The framework [and the plan] should address: - cont'd
• the planning processes that create
  o the rules and
  o structures
• in order to
  o document,
  o test and
  o execute
  the disaster recovery and IT contingency plans

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
DS4.1 IT Continuity Framework
The framework [and the plan] should address: - cont'd
• [based on risk assessment]
  o the identification of critical resources,
  o noting key dependencies,
  o [personal responsibilities]
• the monitoring and
• reporting of the availability of
  o critical resources,
  o alternative processing,
• and [other] principles, [important info on] backup and recovery.

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
DS4.2 IT Continuity Plans
• Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on
  o key business functions
  o and processes.
• The plans should be based on risk understanding of potential business impacts -- see framework, DS 4.1; both IT BCP and BCP should be risk assessment-based

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
DS4.2 IT Continuity Plans - cont'd
• The plan should address requirements for
  o resilience - flexibility!,
  o alternative processing and
  o recovery capability
  of all critical IT services.
• The plan should contain
  o usage guidelines,
  o roles and responsibilities,
  o procedures,
  o communication processes, and
  o the testing approach - test plan, + procedure!

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
DS4.3 Critical IT Resources
• Focus attention on items specified as most critical in the IT continuity plan
  o to build in resilience and
  o establish priorities in recovery situations.
• Avoid the distraction of recovering less-critical items and
• ensure response and recovery in line with prioritised business needs,
• ensure that costs are kept at an acceptable level,
• ensure compliance
  o with regulatory and
  o contractual requirements.
• Consider resilience, response and recovery requirements for different tiers, e.g., one to four hours, four to 24 hours, more than 24 hours and critical business operational periods.

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
DS4.4 Maintenance of the IT Continuity Plan
• Encourage IT management to define and execute
  o change control procedures to ensure that
  o the IT continuity plan is kept up to date
  o and continually reflects actual business requirements.
• Communicate changes in
  o procedures and
  o responsibilities
  clearly and in a timely manner.

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
DS4.5 Testing of the IT Continuity Plan
• testing should be actually performed and documented, together with the key business users & IT
• evaluated
• according to the results the plan should be updated
• either forewarn the employees, or not
• Test the IT continuity plan on a regular basis to ensure that
  o IT systems can be effectively recovered,
  o shortcomings are addressed,
  o the plan remains relevant.

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
DS4.5 Testing of the IT Continuity Plan - cont'd
• A successful test requires
  o careful preparation,
  o documentation,
  o reporting of test results and, according to the results,
• implementation of an action plan
• Consider the extent of testing:
  o recovery of single applications
  o integrated testing scenarios
  o end-to-end testing
  o integrated vendor testing.

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
DS4.6 IT Continuity Plan Training
• Provide all concerned parties with regular training sessions regarding the
  o procedures and
  o their roles and
  o responsibilities
  in case of an incident or disaster.
• Verify and enhance training according to the results of the contingency tests.

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
DS4.7 Distribution of the IT Continuity Plan
• Determine that a defined and managed distribution strategy exists to ensure that plans are properly and securely distributed and available to appropriately authorised interested parties when and where needed.
• Attention should be paid to making the plans accessible under all disaster scenarios.

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
DS4.8 IT Services Recovery and Resumption
• Plan the actions to be taken for the period when IT is recovering and resuming services. This may include
  o activation of backup sites,
  o initiation of alternative processing,
  o customer and stakeholder communication, and
  o resumption procedures.
• Ensure that the business understands
  o how to specify for IT the recovery times they require
  o that they have to help IT to buy the necessary technology investments to support business recovery and to provide for resumption needs.
(thorough rewriting)

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
DS4.9 Offsite Backup Storage
• Store offsite
  o all critical backup media,
  o documentation and
  o other IT resources
  necessary for IT recovery and business continuity plans.
! Develop and document processes to use all of these.
• Business process owners and IT personnel should together determine
  o the content of backup storage
  o and its other parameters

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
DS4.9 Offsite Backup Storage - cont'd
• Management of the offsite storage facility should comply with the
  o data classification policy and
  o the enterprise’s media storage practices.
• IT management should ensure that offsite arrangements are periodically assessed, at least annually, for
  o content,
  o environmental protection and
  o security.
• Ensure compatibility of hardware and software to restore archived data,
• periodically test and refresh archived data.

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
DS4.10 Post-resumption Review
• Determine whether IT management has established procedures for
  o assessing the adequacy of the plan in regard to the successful resumption of the IT function after a disaster, and update the plan accordingly.

ISACA CRM Case Study
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
Case Study Scenario
• Organization revising BCP and DRP for headquarters (750 employees) and 16 branches (each with 20–35 employees and mail and file / print server)
• Current plans not updated in more than 8 years
• Organization has grown by 300%
• Staff connect via LAN to more than 60 applications, databases and print servers in the corporate data centre
• Staff connect via a frame relay network to the branches
• Traveling users connect over the Internet using VPN
• Critical applications have RTO of 3–5 days

ISACA CRM Case Study
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
Case Study Scenario - cont'd
• All users in the headquarters and branches connect to the Internet through a firewall and proxy server located in the data center
• Branch offices are located between 30 and 50 miles from one another, with none closer to the headquarters' facility than 25 miles
• Backup media for the data center are stored at a third-party facility 35 miles away
• Backups for servers located at the branch offices are stored at nearby branch offices using reciprocal agreements between offices

ISACA CRM Case Study
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
Case Study Scenario - cont'd
Current contract with third party hot site:
• 3 year term, with equipment upgrades occurring at renewal time
• 25 servers
• Work area space with PCs for 100 employees
• Separate agreement to ship 2 servers and 10 PCs to any branch declaring a disaster
• Hot site provider has multiple sites in case the primary site is in use by another customer or rendered unavailable by the disaster

ISACA CRM Case Study - Q
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
Q1 On the basis of the above information, which of the following should the IS auditor recommend concerning the hot site?
• A. Desktops at the hot site should be increased to 750.
• B. An additional 35 servers should be added to the hot site contract.
• C. All backup media should be stored at the hot site to shorten the RTO.
• D. Desktop and server equipment requirements should be reviewed quarterly.

ISACA CRM Case Study
(source: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)
The correct answer to Q1 is D
• As equipment needs in a rapidly growing business are subject to frequent change, quarterly reviews are necessary to ensure that the recovery capability keeps pace with the organization.
• Since not all employee job functions are critical during a disaster, it is not necessary to contract the same number of desktops at a recovery facility as the number of employees. Similarly, not every server is critical to the continued operation of the business.
• In both cases, only a subset will be required.
• Since there is no assurance that the hot site will not already be occupied, it would not be advisable to store backup media at the facility.
  These facilities are generally not designed to provide extensive media storage, and frequent testing by other customers could compromise the security of the media.

ISACA CRM Case Study - Q
Q2 On the basis of the above information, which of the following should the IS auditor recommend concerning branch office recovery?
• A. Add each of the branches to the existing hot site contract.
• B. Ensure branches have sufficient capacity to back each other up.
• C. Relocate all branch mail and file / print servers to the data center.
• D. Add additional capacity to the hot site contract equal to the largest branch.

The correct answer to Q2 is B
• The most cost-effective solution is to recommend that branches have sufficient capacity to accommodate critical personnel from another branch.
• Since critical job functions would represent only perhaps 20 percent of the staff from the affected branch, accommodations for only four to seven critical staff members would be needed.
• Adding each of the branches to the hot site contract would be far more expensive, while adding capacity to the hot site contract would not provide coverage as hot site contracts base their pricing on each location covered.
• Finally, relocating branch servers to the data center could result in performance issues, and would not address the question of where to locate displaced employees.
References
• CRM 20xx CISA Review Technical Information Manual, editor: Information Systems Audit and Control Association, Rolling Meadows, Illinois, USA, 20xx-1
• COBIT® 4.0 Control Objectives, Management Guidelines, Maturity Models. Copyright © IT Governance Institute®, 2005
• COBIT® 4.1 Framework, Management Guidelines, Maturity Models. Copyright © IT Governance Institute®, 2007
• Az Informatikai biztonság kézikönyve, editor and reviewer: Szenes Katalin, Verlag Dashöfer, Budapest
• K. Szenes: "IT GRC versus ? Enterprise GRC but: IT GRC is a Basis of Strategic Governance", EuroCACS 2010 - Conference on Computer Audit, Control and Security, Copyright 2010 ISACA, Rolling Meadows, Illinois, USA, 23-25 March 2010, Budapest, Hungary, Tutorial, Stream #1 IT Governance, #311
• CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery
• CISA® see ISACA.org
• the predecessors of ISO 27001, ISO 27002 are: CRAMM, ISO/IEC 17799
• ISO 27001: International Standard ISO/IEC 27001, First edition 2005-10-15, Information technology - Security techniques - Information security management systems - Requirements. Reference number: ISO/IEC 27001:2005 (E). Copyright © ISO/IEC 2005
• ISO 27002: International Standard ISO/IEC 27002, First edition 2005-06-15, Information technology - Security techniques - Code of practice for information security management. Reference number: ISO/IEC 27002:2005(E). Copyright © ISO/IEC 2005