Business Continuity Planning and Disaster Recovery
Katalin Szenes Dr., CISA, CISM, CGEIT, CISSP
szenes.katalin@nik.uni-obuda.hu
University Óbuda - Óbudai Egyetem
Faculty JvN - Neumann János Informatikai Kar
Inst. SW Technology - Szoftvertechnológiai Intézet
Dr. Szenes
Table of Contents
• purpose and main aspects
• definitions - BCP, disaster, DRP, IT BCP, IT DRP
• tasks of the IS auditor
• example on these tasks: CISA Q no 6-3
• on audit concerns: CISA Q no 6-10
• Consequences Concerning the Acceptance of the Risks
• other planning issues
• preliminaries to be settled
• preliminaries / insurance
• emergency management team
• CISA Q no 6-8 notification priorities
• CISA Q no 6-9 organizational unit IT & the BCP
Table of Contents - cont'd
• On the Components of the Information Systems Business Continuity Plan
  - some [development] phases
  - [development] process
  - categories of incidents & incident management
  - BIA & risk management
    - system risk ranking
    - issues in the BIA phase
    - questions in the BIA phase
    - example on risk aspects: CISA Q no 6-1
      - answer: see ISO/IEC 27001, 27002, too
Table of Contents - cont'd
• On the Components of the Information Systems Business Continuity Plan - cont'd
  - BCP documents
  - infrastructure types - hot, warm, etc.
    - provisions for 3rd party agreements
    - on the audit of 3rd party agreements
    - infrastructure / telecommunications, networks
    - infrastructure / storage
Table of Contents - cont'd
• BCP plan - testing considerations
• rulebook contents
• recovery aspects (RPO, RTO, etc.)
• The IS BCP of the Individual Systems
• COBIT 3, 4 support of IS audit and IT security
• the processes of Delivery & Support
• DS4 - Ensure Continuous Service
• DS4 control objectives
• ISACA CRM case study
• references
purpose and main aspects
(source, among others: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
purpose:
• to enable a business to continue offering critical services in the event of a disruption and to survive even a disastrous interruption of its activities
business continuity planning has to take into consideration:
• the market & strategy goals of the corporation
  -> the strategic business processes
  -> those key operations that are most necessary to the survival of the organization
• the human/material resources supporting them
Note:
• ?? business continuity plan must be based on the long-range IT plan ??
purpose and main aspects
(source, among others: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
the business continuity plan includes:
• the disaster recovery plan, to recover a facility rendered inoperable, including relocating operations into a new location
  - for later use
• the restoration plan, which is used to return operations to normality, whether in a restored or a new facility
  - only after the effect of the disruption has been mitigated by restarting the business applications involved
Business Continuity Planning - Definition
The purpose of business continuity planning is to enable a business to continue operations should any kind of disturbance arise.
Rigorous planning and commitment of resources are necessary to plan adequately for such an event. Business continuity planning is primarily the responsibility of senior management, as they are entrusted with safeguarding both the assets and the viability of the company.
Business continuity planning is to take into consideration:
• those key operations that are most necessary to the survival, and later to the market success, of the organization
• the human / material resources supporting them.
Business Continuity Planning - Definition
The second part, the operations part of the business continuity plan, should address all functions and assets required to continue as a viable organization and to keep achieving market success.
The extent of provision for reserve facilities depends on the cost-effectiveness considerations of top management.
Disaster Recovery Plan - Definition
Disasters are disruptions that cause critical information resources to be inoperative for a period of time, e.g. weather, terrorism, disruption of expected services, human error, etc.
(this disaster definition and the examples are from the CISA® Review Course transparencies)
The business continuity plan includes:
• the disaster recovery plan, which is generally the plan to be followed by the business units to recover a harmed / demolished facility or business functionality, or an operational facility, and
• the operations plan, which is to be followed by the business units to "get by" while recovery is taking place.
Information Systems Business Continuity Planning / Information Systems Disaster Recovery Plan - Definition
Everything is the same as in the case of Business Continuity Planning / the Disaster Recovery Plan, with the exception that it is the continuity of information systems processing that is threatened.
Information systems processing is one of the many operations that keep the organization not only alive but also successful; thus it is of strategic importance.
Thus the event to be controlled is such a disruption, and the objective of the control measure is to survive an interruption of information systems processing.
Information Systems Business Continuity Planning / Information Systems Disaster Recovery Plan - Definition
Throughout the business continuity planning process the overall plan of the organization should be taken into consideration.
All IS plans must be consistent with and support the corporate business continuity plan.
This means in particular that the information processing systems that support key operations must have the more elaborate and ready-to-start reserve processing facilities.
the tasks of the auditor
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery / Learning Objectives)
the tasks of the auditor:
• Evaluate the adequacy of backup and restore provisions to ensure the availability of information required to resume processing
• Evaluate the organization's disaster recovery plan to ensure that it enables the recovery of IT processing capabilities in the event of a disaster
• Evaluate the organization's business continuity plan to ensure the organization's ability to continue essential business operations during the period of an IT disruption
the tasks of the auditor - cont'd
(source, among others: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
• Check whether the BCP follows the corporate strategy
• Evaluate plans for
  - accuracy
  - adequacy
  - effectiveness
  - etc.
• Evaluate offsite storage
• Evaluate the ability of IS and user personnel to respond effectively
• Ensure plan maintenance is in place
• Evaluate the readability of business continuity manuals and procedures
the tasks of the auditor - cont'd
(source, among others: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
• Check the documents from the viewpoint of
  - currency
  - effectiveness
  - validity: interview personnel for appropriateness and completeness
• Evaluate the BCP quality, e.g.:
  - determine whether corrective actions are in the plan
  - evaluate thoroughness and accuracy
  - determine problem trends and the resolution of problems
the tasks of the auditor - cont'd
(source, among others: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
• Evaluate media & documentation handling:
  - presence,
  - synchronization and
  - currency of media and documentation
• Perform a detailed inventory review
• Review all documentation
  - is it current, is it detailed enough?
  - change management
  - configuration management
the tasks of the auditor - cont'd
(source, among others: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
• Evaluate the offsite storage facility
  - is there one, and what is stored there?
  - evaluate the physical and environmental access controls
  - examine the equipment for current inspection and calibration tags
  - etc.
• Key personnel must have an understanding of their responsibilities
the tasks of the auditor
(source, among others: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
questions for checking:
- Who is responsible for administration or coordination of the plan?
- Is the plan administrator/coordinator responsible for keeping the plan up to date?
- Is there a disaster recovery implementation team (i.e., the first-response team members who will react to the emergency with immediate action steps)?
- Where is the disaster recovery plan stored?
- What critical systems are covered by the plan?
- What systems are not covered by the plan? Why not?
the tasks of the auditor
(source, among others: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
questions for checking - cont'd
- What equipment is not covered by the plan? Why not?
- Does the plan operate under any assumptions? What are they?
- Does the plan identify rendezvous points for the disaster management committee or emergency management team to meet and decide whether business continuity should be initiated?
- Are the documented procedures adequate for successful recovery?
- Does the plan address disasters of varying degrees?
- Are telecommunications backups (both data and voice line backups) addressed in the plan?
  • and how? - see later: infrastructure / telecommunications
the tasks of the auditor
(source, among others: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
questions for checking - cont'd
- Is there a backup facility site? and / or: what kind of precautions are made? (see later: the different types of infrastructure)
- Does the plan address relocation to a new information processing facility in the event that the original center cannot be restored?
- Does the plan include procedures for merging
  • master file data,
  • automated tape management system data,
  • etc., into pre-disaster files?
the tasks of the auditor - CISA Q no 6-3
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
An IS auditor should be involved in:
A. observing tests of the disaster recovery plan.
B. developing the disaster recovery plan.
C. maintaining the disaster recovery plan.
D. reviewing the disaster recovery requirements of supplier contracts.
the tasks of the auditor - CISA Q no 6-3
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
Answer: A
• The IS auditor should always be present when disaster recovery plans are tested, to ensure that the test meets the required targets for restoration, to ensure that the recovery procedures are effective and efficient, and to report on the results as appropriate.
• IS auditors may be involved in overseeing plan development, but they are unlikely to be involved in the actual development process.
• Similarly, an audit of plan maintenance may be conducted, but the IS auditor would normally not have any responsibility for the actual maintenance.
• An IS auditor may be asked to comment upon various elements of a supplier contract, but, again, this is not always the case.
on audit concerns - CISA Q no 6-10
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
version 1 - the transparencies
In an audit of a business continuity plan, which of the following findings is of MOST concern?
A. There is no insurance for the addition of assets during the year.
B. The business continuity plan manual is not updated on a regular basis.
C. Testing of the backup data has not been done regularly.
D. Records for maintenance of the access system have not been maintained.
on audit concerns - CISA Q no 6-10
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
version 1 - the transparencies
The correct answer is C
• The most vital asset of a company is its data. In a business continuity plan it is critical to ensure that data are available; therefore the backups of the data must be tested regularly. If testing is not done, the organization may not be able to retrieve the data when required during a disaster; hence the company may lose its most valuable asset and may not be able to recover from the disaster.
• A loss on account of a lack of insurance is limited to the value of the assets.
• If the business continuity plan manual is not updated, the company may find the manual not fully relevant for recovery during a disaster. However, recovery could still be possible.
• Non-maintenance of records in an access system will not directly impact the relevance of the business continuity plan.
on audit concerns - CISA Q no 6-10
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
version 2
In an audit of a business continuity plan, which of the following findings is of MOST concern?
A. There is no insurance for the addition of assets during the year.
B. The business continuity plan is not updated on a regular basis.
C. Testing of the backup data has not been done regularly.
D. Records for maintenance of the access system have not been maintained.
The correct answer is?
Consequences Concerning the Acceptance of the Risks
The alternatives for eliminating the risks are determined by the resources that management is willing to spend on "safety".
Management classifies, according to business importance, the
• assets
• processes
• data
and the importance of a data processing system is equal to the importance of the element it supports.
other planning issues
(source, among others: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
the entire organization needs to be considered for BCP
the personnel have to
• classify the critical systems and resources
• determine acceptable recovery times
• react
the personnel who must react to the interruption/disaster scenarios are those who are responsible for the most critical resources
-> management and user involvement is vital to the success of the business continuity plan
other planning issues
(source, among others: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
User management involvement is essential to the identification of critical systems, their associated critical recovery times and the specification of the needed resources.
• The three major divisions that require involvement in the formulation of the business continuity plan are
  - support services,
  - business operations and
  - information processing support.
• As the underlying purpose of business continuity planning is the resumption of business operations, every organizational unit should contribute its aspects and/or help in the development of the BCP, IT BCP, etc., already in the planning phase.
other planning issues
(source, among others: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
the BCP, IT BCP, etc., are to be based on
• the risk assessment results and the BIA
• the business goals & strategy
• all issues involved in interruptions to business processes,
• including recovering from a disaster
Important:
• The plan should be documented and written in simple language, understandable to all.
• Copies of the plan should be maintained offsite.
other planning issues
(source, among others: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
for the BCP, IT BCP, etc., the following other information is to be collected:
• Pre-disaster readiness
• possible evacuation procedures
• Circumstances under which a disaster should be declared
• Identification of contact information
• Recovery option explanations
• Identification of resources for recovery and continued operation of the organization
preliminaries to be settled
(source, among others: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
for the BCP, IT BCP, etc., the following should be agreed upon:
• The policies that will govern all of the continuity and recovery efforts
• The goals/requirements/products for each phase
• Alternate facilities to perform tasks and operations
• Critical information resources to deploy (e.g., data and systems)
• Persons responsible for completion
• Available resources to aid in deployment (including human)
• The scheduling of activities, with priorities established
• Key decision-making personnel
• Backup of required supplies
• Telecommunication network disaster recovery methods
• Redundant array of inexpensive disks (RAID)
• Insurance (cont'd)
preliminaries / insurance
(source, among others: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
Most insurance covers only financial losses, based upon the historical level of performance and not the existing level of performance.
Also, insurance does not compensate for loss of image/goodwill.
The Business Continuity Plan should contain:
• key information about the organization's insurance,
• it should take the corporate physical, logical, market, etc. environment into consideration,
• etc.
IT BCP:
• The information systems processing insurance policy is usually a multi-peril policy designed to provide various types of IS coverage.
• It should be constructed modularly, so that it can be adapted to the insured's particular IT architecture and requirements,
• etc.
preliminaries / insurance
(source, among others: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
(BCP / IT BCP) insurance is to cover, among others:
• actual costs of recovery
• replacement / reconstruction of every kind of equipment and facility
• IT losses, e.g.
  - IS media & software & ... reconstruction
• Extra expense
• Business interruption
• Valuable papers and records
• Errors and omissions
• Fidelity coverage
• Media transportation
• etc., other kinds of business continuity costs
emergency management team
(source, among others: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
The emergency management team coordinates the activities of all other recovery teams. This team oversees:
• Retrieving critical and vital data from offsite storage
• Installing and testing systems software and applications at the system recovery site
• Identifying, purchasing, and installing hardware at the system recovery site
• Operating from the system recovery site
• Rerouting network communications traffic
emergency management team - cont'd
(source, among others: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
• Reestablishing the user/system network
• Transporting users to the recovery facility
• Reconstructing databases
• Supplying necessary office goods, i.e., special forms, check stock, paper
• Arranging and paying for employee relocation expenses at the recovery facility
• Coordinating systems use and employee work schedules
• etc.!
CISA Q no 6-8 notification priorities
(source, among others: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
In a business continuity plan, which of the following notification directories is the MOST important?
A. Equipment and supply vendors
B. Insurance company agents
C. Contract personnel services
D. A prioritized contact list
CISA Q no 6-8 notification priorities
(source, among others: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
The correct answer is D
• A prioritized list of contacts is most important, since it will direct the process of communication and contact with the various entities in order of priority.
• Choices A, B and C are musts, but not as important as choice D.
CISA Q no 6-9 organizational unit IT & the BCP
(source, among others: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
Which of the following components of a business continuity plan is PRIMARILY the responsibility of an organization's IS department?
A. Developing the business continuity plan
B. Selecting and approving the strategy for the business continuity plan
C. Declaring a disaster
D. Restoring the IS systems and data after a disaster
CISA Q no 6-9 organizational unit IT & the BCP
(source, among others: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
The correct answer is D
• The correct choice is restoring the IT systems and data after a disaster. The IT department of an organization is primarily responsible for restoring the IT systems and data after a disaster at the earliest possible time.
• Members of the organization's senior management are primarily responsible for developing the business continuity plan for an organization. Management is also responsible for selecting and approving the strategy for developing and implementing a detailed business continuity plan. The organization should identify a person in management as responsible for declaring a disaster. Although IT is involved in the three other choices, it is not primarily responsible for them.
On the Components of the Information Systems Business Continuity Plan
- considerations only !
• [some] phases of development
(source, among others: CISA® Review Course transparencies, ISACA 2010)
  - based on the business impact analysis
  - creation of a business continuity and disaster recovery policy
  - classification of operations and criticality analysis
  - forming responsible teams, nominating responsible employees and collecting their contact details
  - development of the business continuity plan and the disaster recovery procedures, and
  - training and awareness program
  - implementation of the plan
  - regular testing and monitoring
On the Components of the Information Systems Business Continuity Plan
- considerations only !
• planning [or rather: development] process
(source: CISA® Review Course transparencies, ISACA 2010)
categories of incidents & incident management
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
- Negligible incidents are those causing no perceptible or significant damage, such as very brief operating system (OS) crashes with full information recovery or momentary power outages with uninterruptible power supply (UPS) backup.
- Minor events are those that, while not negligible, produce no negative material (i.e. of relative importance) or financial impact.
- Major incidents cause a negative material impact on business processes and may affect other systems, departments or even outside clients.
- A crisis is a major incident that can have a serious material impact on the continued functioning of the business and may also adversely impact other systems or third parties. The severity of the impact depends on the industry and circumstances, but is generally directly proportional to the time elapsed from the inception of the incident to its resolution.
On the Components of the Information Systems Business Continuity Plan
- considerations only !
BIA and risk management
• CISA CRM: Business Impact Analysis (BIA)
risk management <-> business continuity plan development:
• risk assessment
  includes: system risk ranking
ranking:
• Critical
• Vital
• Sensitive
• Non-sensitive
ranking in detail:
On the Components of the Information Systems Business Continuity Plan
- considerations only !
BIA and risk management
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
system risk ranking:
• Critical – These functions cannot be performed unless they are replaced by identical capabilities. Critical applications cannot be replaced by manual methods. Tolerance to interruption is very low; therefore the cost of interruption is very high.
• Vital – These functions can be performed manually, but only for a brief period of time. There is a higher tolerance to interruption than with critical systems and, therefore, somewhat lower costs of interruption, provided that the functions are restored within a certain time frame (usually five days or less).
On the Components of the Information Systems Business Continuity Plan
- considerations only !
BIA and risk management
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
system risk ranking - cont'd
• Sensitive – These functions can be performed manually, at a tolerable cost and for an extended period of time. While they can be performed manually, it is usually a difficult process and requires additional staff to perform.
• Non-sensitive – These functions may be interrupted for an extended period of time, at little or no cost to the company, and require little or no catching up when restored.
On the Components of the Information Systems Business Continuity Plan
- considerations only !
BIA and risk management
issues in the BIA phase
• consequences for the BCP, that is, for:
  - the alternatives - see infrastructure types
  - the recovery strategies & methods
• the risk management cycle
On the Components of the Information Systems Business Continuity Plan
- considerations only !
BIA and risk management
questions in the BIA phase
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
• What are the different business processes?
• What are the critical information resources related to an organization's critical business processes?
• What is the critical recovery time period for information resources, within which business processing must be resumed before significant or unacceptable losses are suffered?
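The system risk ranking and the three BIA questions above only pay off if the answers are then checked against what the BCP actually provides. The following is an added example (not code from the ISACA material or the lecture) of such a gap check run over a system inventory: for each system it tests whether the recovery strategy chosen in the BCP can meet the agreed recovery time, whether the backup interval can meet the acceptable data-loss window, and whether the agreed recovery time is consistent with the system's risk-ranking class, and it lists systems in recovery-priority order. The hour figures for the site types and the per-class ceilings are illustrative assumptions of this example (only the "vital" ceiling follows the slides' "usually five days or less"), and the inventory is constructed sample data.

```python
"""Gap-check a BCP's recovery provisions against the BIA.

Added example; not from the CISA material or the lecture. The hour figures
for site types and risk classes are illustrative assumptions; the inventory
in demo() is constructed sample data.
"""
from dataclasses import dataclass

# Assumed time to bring service up at each infrastructure type (hours).
SITE_RECOVERY_HOURS = {"mirror": 0.0, "hot": 8.0, "warm": 72.0, "cold": 336.0}

# Assumed maximum tolerable interruption per risk-ranking class (hours);
# None means an extended interruption is acceptable.
CLASS_TOLERANCE_HOURS = {"critical": 4.0, "vital": 120.0, "sensitive": 720.0, "non-sensitive": None}

CLASS_ORDER = ["critical", "vital", "sensitive", "non-sensitive"]


@dataclass
class System:
    name: str
    risk_class: str               # from the BIA system risk ranking
    rto_hours: float              # recovery time objective agreed with the owner
    rpo_hours: float              # maximum tolerable data loss, expressed as time
    site: str                     # recovery strategy chosen in the BCP
    backup_interval_hours: float  # how often the data is backed up offsite
    in_plan: bool = True          # is the system covered by the BCP at all?


def check(system):
    """Return the gaps found for one system; an empty list means none."""
    if system.risk_class not in CLASS_TOLERANCE_HOURS:
        return [f"unknown risk class {system.risk_class!r}: not ranked in the BIA"]
    if not system.in_plan:
        # The auditor's question: what systems are not covered, and why not?
        return ["not covered by the BCP"]
    gaps = []
    tolerance = CLASS_TOLERANCE_HOURS[system.risk_class]
    if tolerance is not None and system.rto_hours > tolerance:
        gaps.append(f"RTO {system.rto_hours}h exceeds the {system.risk_class} ceiling of {tolerance}h")
    site_hours = SITE_RECOVERY_HOURS.get(system.site)
    if site_hours is None:
        gaps.append(f"unknown recovery site type {system.site!r}")
    elif site_hours > system.rto_hours:
        gaps.append(f"{system.site} site needs {site_hours}h but RTO is {system.rto_hours}h")
    if system.backup_interval_hours > system.rpo_hours:
        gaps.append(f"backup every {system.backup_interval_hours}h cannot meet RPO of {system.rpo_hours}h")
    return gaps


def priority(system):
    """Sort key: risk class first, then the tighter RTO; unranked systems last."""
    rank = CLASS_ORDER.index(system.risk_class) if system.risk_class in CLASS_ORDER else len(CLASS_ORDER)
    return (rank, system.rto_hours)


def assess(systems):
    """Map each system name to its gaps, in recovery-priority order."""
    return {s.name: check(s) for s in sorted(systems, key=priority)}


def demo():
    inventory = [  # constructed sample inventory, not real systems
        System("core-banking", "critical", 2.0, 0.0, "mirror", 0.0),
        System("payments-gateway", "critical", 4.0, 0.25, "warm", 24.0),
        System("hr-payroll", "vital", 96.0, 24.0, "warm", 24.0),
        System("intranet-wiki", "sensitive", 240.0, 168.0, "cold", 168.0),
        System("legacy-reporting", "vital", 48.0, 24.0, "cold", 24.0, in_plan=False),
    ]
    return assess(inventory)


if __name__ == "__main__":
    for name, gaps in demo().items():
        print(name, "OK" if not gaps else gaps)
```

In the constructed inventory the payments gateway is ranked critical but parked on a warm site with daily backups, which fails both its RTO and its RPO; the wiki's cold site is slower than even its generous RTO; and the legacy reporting system is simply absent from the plan, which is the first thing an auditor would ask about. The numbers in the two tables are the part a real assessment must replace with the organization's own BIA results.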
On the Components of the Information Systems Business Continuity Plan
example on the risk aspect - CISA Q
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
6-1 During an audit of a large bank, the IS auditor observes that no formal risk assessment exercise has been carried out for the various business applications to arrive at their relative importance and recovery time requirements. The risk to which the bank is exposed is that the:
A. business continuity plan may not have been calibrated to the relative risk that disruption of each application poses to the organization.
B. business continuity plan may not include all relevant applications and, therefore, may lack completeness in terms of its coverage.
C. business impact of a disaster may not have been accurately understood by the management.
D. business continuity plan may lack effective ownership by the business owners of such applications.
On the Components of the Information Systems Business Continuity Plan
example on the risk aspect - CISA Q
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
6-1 Answer: A
• The first and key step in developing a business continuity plan is a risk assessment exercise that analyzes the various risks that an organization faces and the impact of the non-availability of individual applications.
• ISO: [I refer to ISO/IEC 27001 and 27002]
On the Components of the Information Systems Business Continuity Plan
example on the risk aspect - CISA Q
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
ISO reference to the 6-1 Answer
/1 ISO/IEC 27002 (2005 edition numbering):
Chapter 14: BUSINESS CONTINUITY MANAGEMENT
14.1 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
• 14.1.1 Including information security in the business continuity management process
• 14.1.2 Business continuity and risk assessment
• 14.1.3 Developing and implementing continuity plans including information security
• 14.1.4 Business continuity planning framework
• 14.1.5 Testing, maintaining and re-assessing business continuity plans
on the standard, see the references ! to buy: www.mszt.hu !
On the Components of the Information Systems Business Continuity Plan
example on the risk aspect - CISA Q
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
ISO reference to the 6-1 Answer
/2 ISO/IEC 27001 (2005 edition numbering): Annex A - Control Objectives and Control [Measure]s
A.14 Business continuity management
A.14.1 Information security aspects of business continuity management
• Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
• see control measures A.14.1.1 - A.14.1.5 !
on the standard, see the references ! to buy: www.mszt.hu !
On the Components of the Information Systems Business Continuity Plan
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
BCP documents
• Continuity of operations plan (COOP)
• Disaster recovery plan (DRP)
• Business resumption plan
• Continuity of support plan / IT contingency plan
• Crisis communications plan
• Incident response plan
• Transportation plan
• Occupant emergency plan (OEP)
On the Components of the Information Systems Business Continuity Plan
- considerations only !
• Infrastructure Types:
  - Mirroring
  - Hot, Warm or Cold Site
  - Alternative Hardware
  - Backup of Required Supplies
  - Telecommunication Networks
  - Servers, Storage
  - Offsite Libraries and Library Controls
  - Security and Control of Offsite Facilities
  - Media and Documentation Backup
  - etc.
details: (cont'd)
infrastructure types
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
• Mirroring [parallel processing - special HW or organized]
• Hot Sites – They are fully configured and ready to operate within several hours. The equipment, network and systems software must be compatible with the primary installation being backed up. The only additional needs are staff, programs, data files and documentation.
New definition for hot site:
• The hot site is intended for emergency operations of a limited time period and not for long-term extended use. Long-term use would impair the protection of other subscribers.
cont'd with consequences ./.
infrastructure types
(source, among others: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
consequences of the new definition:
• Therefore, the hot site should be viewed as a means of accomplishing the continuation of essential operations for a period of up to several weeks following a disaster or major emergency. Further plans are still necessary to provide for subsequent operations.
• Several vendors offer warm- or cold-site facilities for a subscriber to migrate to after recovery of operations has been completed. This will free up the hot site for use by other subscribers.
cold site definition also new, with subscribers!
infrastructure types
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
warm site:
• Warm Sites – They are partially configured, usually with network connections and selected peripheral equipment, such as disk drives, tape drives and controllers, but without the main computer. Sometimes a warm site is equipped with a less powerful central processing unit (CPU) than the one generally used. The assumption behind the warm site concept is that the computer can usually be obtained quickly for emergency installation (provided it is a widely used model) and, since the computer is the most expensive unit, such an arrangement is less costly than a hot site. After the installation of the needed components, the site can be ready for service within hours; however, the location and installation of the CPU and other missing units could take several days or weeks.
infrastructure types
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
• Cold Sites – These are sites that have only the basic environment (electrical wiring, air conditioning, flooring, etc.) to operate an IPF (information processing facility), reducing the cost. The cold site is ready to receive equipment but does not offer any components at the site in advance of the need. Activation of the site may take several weeks.
• Duplicate (redundant) Information Processing Facility – These are dedicated, self-developed recovery sites that can back up critical applications. They can range in form from a standby hot site to a reciprocal agreement with another company installation.
infrastructure types
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
• Mobile Sites – This is a specially designed trailer that can be quickly transported to a business location or to an alternate site to provide a ready-conditioned information processing facility.
• Reciprocal Agreement - with other organizations – This is a less frequently used method between two or more organizations with similar equipment or applications. Under the typical agreement, participants promise to provide computer time to each other when an emergency arises.
provisions for 3rd party agreements ./.
infrastructure / provisions for 3rd party agreements
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
• Configurations—Are the vendor’s hardware and software configurations adequate to meet company needs, since these will vary over time?
• Disaster—Is the definition of disaster broad enough to meet anticipated needs?
• Speed of availability—How soon after a disaster will facilities be available?
• Subscribers per site—Does the agreement limit the number of subscribers per site?
• Subscribers per area—Does the agreement limit the number of subscribers in a building or area?
• Preference—Who gets preference if there are common or regional disasters? Is there backup for the backup facilities? Is use of the facility exclusive or does the customer have to share the available space if multiple customers simultaneously declare a disaster? Does the vendor have more than one facility available for subscriber use?
infrastructure / provisions for 3rd party agreements
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
• Insurance—Is there adequate insurance coverage for company employees at the backup site? Will existing insurance reimburse those fees?
• Usage period—How long is the facility available for use? Is this period adequate? What technical support will the site operator provide? Is this adequate?
• Communications—Are the communications adequate? Are the communication connections to the backup site sufficient to permit unlimited communication with the alternate site if needed?
infrastructure / provisions for 3rd party agreements
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
• Warranties—What warranties will the vendor make regarding availability of the site and the adequacy of the facilities? Are there liability limitations (there usually are) and is the company willing to live with them?
• Audit—Is there a right-to-audit clause permitting an audit of the site to evaluate the logical, physical and environmental security?
• Testing—What testing rights are included in the contract? Check with the insurance company to determine any reduction of premiums that may be forthcoming due to the backup site availability.
• Reliability—Can the vendor attest to the reliability of the site(s) being offered? Ideally, the vendor should have a UPS, limited subscribers, sound technical management, and guarantees of computer hardware and software compatibility.
on the audit of 3rd party agreements
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
• An IS auditor should obtain a copy of the contract with the vendor.
• Ensure that the contract is written clearly and is understandable.
• Reexamine and confirm the organization’s agreement with the rules that apply to sites shared with other subscribers.
• Ensure that insurance coverage ties in with and covers all (or most) expenses of the disaster.
• Ensure that tests can be performed at the hot site at regular intervals.
• Review and evaluate communications requirements for the backup site.
• Ensure that enforceable source code escrow is reviewed by a lawyer specializing in such contracts.
• Determine the limitation recourse tolerance in the event of a breached agreement.
• The contract should be reviewed against a number of guidelines:
  – Contract is clear and understandable
  – Organization’s agreement with the rules
  – etc.
infrastructure / telecommunications, networks
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
• [measures concerning networks include]:
  – Alternative routing
  – Diverse routing
  – Long-haul network diversity
  – Protection of the local loop [wire between the local switch and the end-user customer]
  – Voice recovery
  – Availability of appropriate circuits and adequate bandwidth
details: ./.
infrastructure / telecommunications, networks
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
details on the methods of providing telecommunications continuity:
• Redundancy—Involves providing extra capacity with a plan to use the surplus capacity should the normal primary transmission capability not be available. In the case of a LAN, a second cable could be installed through an alternate route for use in the event the primary cable is damaged.
• Alternative routing—The method of routing information via an alternate medium such as copper cable or fiber optics. This involves use of different networks, circuits or end points should the normal network be unavailable.
• Diverse routing—The method of routing traffic through split cable facilities or duplicate cable facilities. This can be accomplished with different and/or duplicate cable sheaths.
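The distinction between a merely redundant second cable and diverse routing is easy to get wrong in a site survey, so here is an added check (not from the slides or the ISACA course) that classifies a small constructed topology: "diverse" requires two paths to the carrier that share neither a link nor a physical cable sheath, "redundant" means a second path exists but runs through the same sheath. Node names and sheath ids are constructed.

```python
"""Added example (not from the slides or the ISACA course): classify how well
a small site network is protected against a cable cut. Diverse routing here
means two paths that share no link and no physical cable sheath; redundancy
alone means a second link exists but shares a sheath with the first.
Topology and sheath ids are constructed."""
from itertools import combinations

# (node_a, node_b, sheath_id); links in one sheath are cut together
LINKS = [
    ("site", "switch-a", "sheath-1"),
    ("site", "switch-b", "sheath-1"),   # duplicate cable, same duct as above
    ("switch-a", "carrier", "sheath-2"),
    ("switch-b", "carrier", "sheath-3"),
]
# Same topology after the second local loop is pulled through its own duct
DIVERSE_LINKS = [LINKS[0], ("site", "switch-b", "sheath-4"), LINKS[2], LINKS[3]]


def adjacency(links):
    adj = {}
    for idx, (a, b, _) in enumerate(links):
        adj.setdefault(a, []).append((b, idx))
        adj.setdefault(b, []).append((a, idx))
    return adj


def simple_paths(links, src, dst):
    """All simple paths from src to dst as lists of link indices (small graphs)."""
    adj = adjacency(links)
    found = []

    def walk(node, visited, used):
        if node == dst:
            found.append(used)
            return
        for nxt, idx in adj.get(node, []):
            if nxt not in visited:
                walk(nxt, visited | {nxt}, used + [idx])

    walk(src, {src}, [])
    return found


def routing_level(links, src, dst):
    """'diverse': two link-disjoint paths with no common sheath;
    'redundant': two link-disjoint paths that share a sheath;
    'single': every path pair shares a link; 'none': unreachable."""
    paths = simple_paths(links, src, dst)
    if not paths:
        return "none"
    level = "single"
    for p, q in combinations(paths, 2):
        if set(p) & set(q):
            continue                       # share a link: no protection
        if {links[i][2] for i in p} & {links[i][2] for i in q}:
            level = "redundant"            # one backhoe still cuts both
        else:
            return "diverse"
    return level


if __name__ == "__main__":
    print("as built:", routing_level(LINKS, "site", "carrier"))
    print("after re-ducting:", routing_level(DIVERSE_LINKS, "site", "carrier"))
```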
infrastructure / telecommunications, networks
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
details on the methods of providing telecommunications continuity - cont'd
• Long haul network diversity—Many recovery facilities vendors have provided diverse long-distance network availability utilizing T1 circuits among the major long-distance carriers. This ensures long-distance access should any one carrier experience a network failure. Several of the major carriers have now installed automatic re-routing software and redundant lines that provide instantaneous recovery should a break in their lines occur.
[T1 is what telephone companies have traditionally used to transport digitized telephone conversations between central offices; T2, T3: more than 1 T1 multiplexed → higher speed]
infrastructure / telecommunications, networks
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
details on the methods of providing telecommunications continuity - cont'd
• Last mile circuit protection—Many recovery facilities provide a redundant combination of local carrier T1s, microwave and/or coaxial cable access to the local communications loop. This enables the facility to have access during a local carrier communication disaster. Alternate local carrier routing is also utilized.
• Voice recovery—With many service, financial and retail industries dependent on voice communication, redundant cabling and alternative routing should be provided for voice communication lines as well as data communication lines.
infrastructure / storage
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
Redundant array of inexpensive disks (RAID)
• Provides performance improvements and fault tolerant capabilities via hardware or software solutions
• Provides the potential for cost-effective mirroring offsite for data back-up
infrastructure
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
Q 6-7
An IS auditor discovers that an organization’s business continuity plan provides for an alternate processing site that will accommodate 50 percent of the primary processing capability. Based on this, which of the following actions should the IS auditor take?
• A - Do nothing, because generally, less than 25 percent of all processing is critical to an organization’s survival and the backup capacity, therefore, is adequate.
• B - Identify applications that could be processed at the alternate site and develop manual procedures to back up other processing.
• C - Ensure that critical applications have been identified and that the alternate site could process all such applications.
• D - Recommend that the information processing facility arrange for an alternate processing site with the capacity to handle at least 75 percent of normal processing.
infrastructure
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
Q 6-7
The correct answer is C
• A business continuity plan should provide for the recovery of critical systems, not necessarily all systems.
• Perhaps only 50 percent of the company’s systems are critical; therefore, careful assessment of critical systems and capacity requirements should be part of the IS auditor’s test of the plan.
BCP plan - testing considerations
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
one of the purposes of the business continuity test is to determine how well the plan works or which portions of the plan need improvement.
the test must simulate actual processing conditions
• The test should be scheduled during a time that will minimize disruptions to normal operations. Weekends are generally a good time to conduct tests.
• It is important that the key recovery team members be involved in the test process and allotted the necessary time to put their full effort into it.
• The test should address all critical components and
• simulate actual primetime processing conditions, even if it is conducted in off hours.
• Test Execution – ./.
BCP plan - testing considerations
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
the test - cont'd
• Test Execution – To perform testing, each of the following test phases should be completed: Pretest, Test, Post-Test.
• Documentation of Results – During every phase of the test, detailed documentation of observations, problems and resolutions should be maintained.
• Results Analysis – It is important to have ways to measure the success of the plan and test against the stated objectives. Therefore, results must be quantitatively gauged as opposed to an evaluation based only on observation.
• Recovery/Continuity plan maintenance – Plans and strategies for business continuity should be reviewed and updated on a scheduled basis to reflect continuing recognition of changing requirements.
On the Components of the Information Systems Business Continuity Plan
- considerations only !
Rulebook Contents - some of the important points
- CISA® Review Course transparencies were also used here
• Detailed Plan
• Organization and Assignment of Responsibilities
• Emergency Response Team
• Key Decision-making Personnel
• what will employees do?
  – where will employees report to work,
  – how will orders be taken while the computer system is being restored,
  – who is responsible for that,
  – which vendors should be called to provide needed supplies
On the Components of the Information Systems Business Continuity Plan
- considerations only !
Rulebook Contents - some of the important points
• Insurance
• Recovery/Continuity Plan Testing:
  – Plan and Actual Tests
  – Documentation of the Test Results
  – Results Analysis
• xx
On the Components of the Information Systems Business Continuity Plan
- considerations only !
Rulebook Contents - cont'd
• Recovery/Continuity Plan Maintenance
• Periodic Backup Procedures
• Record Keeping for Offsite Storage
• xx
recovery aspects
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
• Recovery Point Objective (RPO)
• Recovery Time Objective (RTO)
• Interruption window
• Service delivery objective - SDO
• Maximum tolerable outage
• Disaster tolerance
recovery aspects
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
disaster here: disaster AFTER the interrupt
• Recovery Point Objective (RPO)
  – Based on acceptable data loss
  – Indicates the earliest point in time to which it is acceptable to recover the data
• acceptable data loss:
For example, if the process can afford to lose the data of up to four hours before the disaster, then the latest backup available should be from up to four hours before the disaster or interruption, and the transactions between the RPO and the interruption need to be entered after recovery (known as catch-up data).
recovery aspects
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
disaster here: disaster AFTER the interrupt - ??
• Recovery Point Objective (RPO)
  – Based on acceptable data loss
  – Indicates the earliest point in time to which it is acceptable to recover the data
• RPO effectively quantifies the permissible amount of data loss in case of interruption. It is almost impossible to recover the data completely. Even after entering catch-up data, some data are still lost and are referred to as orphan data.
• If RPO is very low, say in minutes, it means that the process cannot afford to lose the data in such a short time. In such cases, data mirroring should be used as a recovery strategy. If RPO is high, say in hours, then other backup procedures, such as reel backup, could be used.
recovery aspects
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
disaster here: disaster caused by the interrupt
• Recovery Time Objective (RTO)
  – Based on acceptable downtime
  – Indicates the earliest point in time at which the business operations must resume after a disaster
• The RTO is determined based on the acceptable downtime in case of a disruption of operations. It indicates the earliest point in time at which the business operations must resume after a disaster.
• A high RTO means that correspondingly more time is available for the recovery strategy.
recovery aspects
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
relation between RPO / RTO - which recovery strategies would be best with different RTO and RPO parameters?
recovery aspects
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
• Interruption window—The time the organization can wait from the point of failure to the restoration of the critical services/applications. After this time, the progressive losses caused by the interruption are unaffordable.
• Service delivery objective (SDO)—Level of services to be reached during the alternate process mode until the normal situation is restored. This is directly related to the business needs.
• Maximum tolerable outages—Maximum time the organization can support processing in alternate mode. After this point, different problems may arise, especially if the alternate SDO is lower than the usual SDO, and the information pending to be updated can become unmanageable.
• Disaster tolerance is the time gap within which the business can accept non-availability of IT facilities. If this time gap is high, recovery strategies that take a longer time can be used.
recovery aspects
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
Q 6-5
Data mirroring should be implemented as a recovery strategy when:
• A. recovery point objective (RPO) is low.
• B. RPO is high.
• C. recovery time objective (RTO) is high.
• D. disaster tolerance is high.
recovery aspects
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
Q 6-5
The correct answer is A
• RPO is the earliest point in time to which it is acceptable to recover the data. If RPO is very low, say in minutes, it means that the process cannot afford to lose the data in such a short time. In such cases, data mirroring should be used as a recovery strategy.
• If RPO is high, say in hours, then other backup procedures, such as reel backup, could be used.
• A high RTO means that correspondingly more time is available for the recovery strategy.
• Disaster tolerance is the time gap within which the business can accept non-availability of IT facilities. If this time gap is high, recovery strategies that take a longer time can be used.
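The rules from Q 6-5 (RPO in minutes calls for mirroring, RPO in hours allows tape backup), the catch-up data example under RPO, the Q 6-7 point that the alternate site only has to carry the critical applications, and the DS4.3 recovery tiers are worth running against actual numbers. The following is an added example, not code from the slides or from ISACA; the application inventory, the backup schedule and the one-hour cut-off between "minutes" and "hours" are constructed assumptions.

```python
"""Added example (not the slides' or ISACA's code): apply the RPO/RTO rules
of Q 6-5, the DS4.3 recovery tiers and the Q 6-7 alternate-site capacity
check to a constructed application inventory and backup schedule."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class App:
    name: str
    critical: bool
    capacity_pct: float   # share of the primary processing capability it needs
    rpo: timedelta        # acceptable data loss
    rto: timedelta        # acceptable downtime


def backup_strategy(rpo: timedelta) -> str:
    """Q 6-5 rule: RPO in minutes -> data mirroring; RPO in hours -> tape
    ('reel') backup. The one-hour cut-off is an assumption."""
    return "mirroring" if rpo < timedelta(hours=1) else "tape backup"


def rto_tier(rto: timedelta) -> str:
    """DS4.3 tiers: one to four hours, four to 24 hours, more than 24 hours."""
    if rto <= timedelta(hours=4):
        return "1-4 h"
    if rto <= timedelta(hours=24):
        return "4-24 h"
    return ">24 h"


def alternate_site_check(apps, site_capacity_pct):
    """Q 6-7: the alternate site must process all critical applications, not
    necessarily all applications; compare their demand with the site capacity."""
    critical = [a for a in apps if a.critical]
    demand = sum(a.capacity_pct for a in critical)
    return {
        "critical_apps": [a.name for a in critical],
        "critical_demand_pct": demand,
        "adequate": demand <= site_capacity_pct,
    }


def usable_backup(backups, interruption, rpo):
    """Latest backup taken before the interruption, provided it lies within
    the RPO; None means the backup schedule violates the RPO."""
    before = [b for b in backups if b <= interruption]
    if not before:
        return None
    latest = max(before)
    return latest if interruption - latest <= rpo else None


def catch_up_data(transactions, backup_time, interruption):
    """Transactions after the restored backup and up to the interruption are
    not on the backup and must be re-entered after recovery (catch-up data)."""
    return [tx for ts, tx in transactions if backup_time < ts <= interruption]


# Constructed sample data
APPS = [
    App("orders", True, 30, timedelta(minutes=15), timedelta(hours=4)),
    App("payroll", True, 10, timedelta(hours=4), timedelta(days=3)),
    App("intranet", False, 35, timedelta(days=1), timedelta(weeks=2)),
    App("reporting", False, 25, timedelta(hours=12), timedelta(hours=20)),
]
T0 = datetime(2024, 1, 15)
BACKUPS = [T0 + timedelta(hours=h) for h in (0, 4, 8)]   # 4-hourly tape backups
INTERRUPTION = T0 + timedelta(hours=10, minutes=30)
TRANSACTIONS = [
    (T0 + timedelta(hours=7), "tx-1"),
    (T0 + timedelta(hours=9), "tx-2"),
    (T0 + timedelta(hours=10), "tx-3"),
    (T0 + timedelta(hours=11), "tx-4"),   # after the interruption: never processed
]

if __name__ == "__main__":
    for app in APPS:
        print(f"{app.name}: {backup_strategy(app.rpo)}, RTO tier {rto_tier(app.rto)}")
    print(alternate_site_check(APPS, site_capacity_pct=50))
    restored = usable_backup(BACKUPS, INTERRUPTION, timedelta(hours=4))
    print("restore from", restored, "catch-up:",
          catch_up_data(TRANSACTIONS, restored, INTERRUPTION))
```

With the constructed 4-hourly schedule the payroll RPO of four hours is met by the 08:00 backup, while the 15-minute RPO of the orders application is not, which is exactly the case where the slides call for mirroring instead.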
The IS BCP of the Individual Systems
The most important part of the business continuity plan consists of those of the individual systems.
The table of contents of the systems business continuity plan contains (at least):
• The description of the system
• The members of the emergency team (name, every par.)
• The key users (name, every par.)
• The places ! of the systems documentation (at least 2 media)
• nn
The IS BCP of the Individual Systems
The table of contents for the systems business continuity plan contains (at least) - cont'd
• The databases, their config., and their settings
• The archives
• The typical operations fallbacks
• Manual / alternative operations
• Software & hardware resource requirements
  – minimum, presently available, maximum
• Communications requirements
• Recovery to normal state
• nn
COBIT 3, 4 support of IS Audit and IT Security
• 34 IS processes
• 7 IS (evaluation) criteria
• control objectives
• control measures / procedures
• Balanced Scorecard
• Capability Maturity Model tailored to the 34 processes
COBIT 3, 4 support of IS Audit and IT Security
the processes of delivery and support:
• DS1 - Define and Manage Service Levels
• DS2 - Manage Third-party Services
• DS3 - Manage Performance and Capacity
• DS4 - Ensure Continuous Service
• DS5 - Ensure Systems Security
• DS6 - Identify and Allocate Costs
• DS7 - Educate and Train Users
• DS8 - Manage Service Desk and Incidents
• DS9 - Manage the Configuration
• DS10 - Manage Problems
• DS11 - Manage Data
• DS12 - Manage the Physical Environment
• DS13 - Manage Operations
DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
important: even if this is all about IT, all business-critical human and infrastructural assets should be taken care of
DS4.1 IT Continuity Framework
• Develop a framework for IT continuity to support enterprisewide business continuity management using a consistent process.
The objective of the framework:
• to assist in determining the required resilience of the infrastructure and
• to drive the development of disaster recovery and IT contingency plans
./.
DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
DS4.1 IT Continuity Framework - cont'd
The framework [and the plan] should address:
• the organisational structure for continuity management,
• for internal and external service providers, their management and their customers:
  – roles,
  – tasks and
  – responsibilities
./.
DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
DS4.1 IT Continuity Framework
The framework [and the plan] should address: - cont'd
• the planning processes that create
  – the rules and
  – structures
  in order to
  – document,
  – test and
  – execute
  the disaster recovery and IT contingency plans
./.
Business Continuity Planning and
Disaster Recovery
DS4 - Ensure Continuous Service
Control Objectives - forrás , többek között : COBIT 4.1
DS4.1 IT Continuity Framework
The framework [and the plan] should address:
- cont'd
z [based on risk assessment]
{ the identification of critical resources,
{ noting key dependencies,
{ [personal responsibilities]
z the monitoring and
z reporting of the availability of
{ critical resources,
{ alternative processing,
z and [other] principles, [important info on] backup and recovery.
Dr. Szenes
91
DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
DS4.2 IT Continuity Plans
• Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on
  – key business functions
  – and processes.
• The plans should be based on risk understanding of potential business impacts
-- see framework, DS 4.1; both the IT BCP and the BCP should be risk assessment-based
./.
DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
DS4.2 IT Continuity Plans - cont'd
• The plan should address requirements for
  – resilience - flexibility!,
  – alternative processing and
  – recovery capability of all critical IT services.
• The plan should contain
  – usage guidelines,
  – roles and responsibilities,
  – procedures,
  – communication processes, and
  – the testing approach - test plan + procedure !
DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
DS4.3 Critical IT Resources
• Focus attention on items specified as most critical in the IT continuity plan
  – to build in resilience and
  – establish priorities in recovery situations.
• Avoid the distraction of recovering less-critical items and
• ensure response and recovery in line with prioritised business needs,
• ensure that costs are kept at an acceptable level,
• ensure compliance
  – with regulatory and
  – contractual requirements.
• Consider resilience, response and recovery requirements for different tiers, e.g., one to four hours, four to 24 hours, more than 24 hours and critical business operational periods.
Business Continuity Planning and
Disaster Recovery
DS4 - Ensure Continuous Service
Control Objectives - forrás , többek között : COBIT 4.1
DS4.4 Maintenance of the IT Continuity Plan
z Encourage IT management to define and execute
{ change control procedures to ensure that
{ the IT continuity plan is kept up to date
{ and continually reflects actual business requirements.
z Communicate changes in
{ procedures and
{ responsibilities
clearly and in timely manner.
Dr. Szenes
95
DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
DS4.5 Testing of the IT Continuity Plan
testing should actually be performed and documented together with the key business users & IT, then evaluated, and according to the results the plan should be updated
• either forewarn the employees, or not
• Test the IT continuity plan on a regular basis to ensure that
  – IT systems can be effectively recovered,
  – shortcomings are addressed,
  – the plan remains relevant.
./.
Business Continuity Planning and
Disaster Recovery
DS4 - Ensure Continuous Service
Control Objectives - forrás , többek között : COBIT 4.1
DS4.5 Testing of the IT Continuity Plan
- cont'd
z A successful test requires
{ careful preparation,
{ documentation,
{ reporting of test results and,
according to the results,
z implementation of an action plan
z Consider the extent of testing:
{ recovery of single applications
{ integrated testing scenarios
{ end-to-end testing
{ integrated vendor testing.
Dr. Szenes
97
DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
DS4.6 IT Continuity Plan Training
• Provide all concerned parties with regular training sessions regarding the
  – procedures and
  – their roles and
  – responsibilities
  in case of an incident or disaster.
• Verify and enhance training according to the results of the contingency tests.
Business Continuity Planning and
Disaster Recovery
DS4 - Ensure Continuous Service
Control Objectives - forrás , többek között : COBIT 4.1
z DS4.7 Distribution of the IT Continuity Plan
z Determine that a defined and
z managed distribution strategy exists
to ensure that plans are properly and securely distributed and
z available to appropriately authorised interested parties
when and where needed.
z Attention should be paid to making the plans accessible
under all disaster scenarios.
Dr. Szenes
99
DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
DS4.8 IT Services Recovery and Resumption
• Plan the actions to be taken for the period when IT is recovering and resuming services. This may include
  – activation of backup sites,
  – initiation of alternative processing,
  – customer and stakeholder communication, and
  – resumption procedures.
• Ensure that the business understands
  – how to specify for IT the recovery times they require,
  – that they have to help IT to buy the necessary technology investments to support business recovery and to provide for resumption needs.
(thorough rewriting)
Business Continuity Planning and
Disaster Recovery
DS4 - Ensure Continuous Service
Control Objectives - forrás , többek között : COBIT 4.1
DS4.9 Offsite Backup Storage
z Store offsite
{ all critical backup media,
{ documentation and
{ other IT resources
necessary for IT recovery and business continuity plans.
! develop and document processes to use all of these
z business process owners and IT personnel should together determine
{ the content of backup storage
{ and its other parameters
./.
Dr. Szenes
101
DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1
DS4.9 Offsite Backup Storage - cont'd
• Management of the offsite storage facility should comply with the
  – data classification policy and
  – the enterprise’s media storage practices.
• IT management should ensure that offsite arrangements are periodically assessed, at least annually, for
  – content,
  – environmental protection and
  – security.
• Ensure compatibility of hardware and software to restore archived data,
• periodically test and refresh archived data.
Business Continuity Planning and
Disaster Recovery
DS4 - Ensure Continuous Service
Control Objectives - forrás , többek között : COBIT 4.1
DS4.10 Post-resumption Review
z Determine whether IT management has established procedures for
{ assessing the adequacy of the plan in regard to
the successful resumption of the IT function after a disaster, and
update the plan accordingly.
ƒ
ƒ
Dr. Szenes
103
ISACA CRM Case Study
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)
Case Study Scenario
• Organization revising BCP and DRP for headquarters (750 employees) and 16 branches (each with 20–35 employees and mail and file / print server)
• Current plans not updated in more than 8 years
• Organization has grown by 300%
• Staff connect via LAN to more than 60 applications, databases and print servers in the corporate data centre
• Staff connect via a frame relay network to the branches
• Traveling users connect over the Internet using VPN
• Critical applications have RTO of 3–5 days
./.
Business Continuity Planning and
Disaster Recovery
ISACA CRM Case Study
(forrás: CISA® Review Course transparents, ISACA 2010
Chapter 6: Business Continuity and Disaster Recovery)
Case Study Scenario
- cont'd
• All users in the headquarters and branches connect to the Internet through
  a firewall and proxy server located in the data center
• Branch offices are located between 30 and 50 miles from one another, with
  none closer to the headquarters' facility than 25 miles
• Backup media for the data center are stored at a third-party facility 35 miles
  away
• Backups for servers located at the branch offices are stored at nearby
  branch offices using reciprocal agreements between offices
ISACA CRM Case Study
Case Study Scenario (cont'd)
Current contract with third party hot site:
• 3 year term, with equipment upgrades occurring at renewal time
• 25 servers
• Work area space with PCs for 100 employees
• Separate agreement to ship 2 servers and 10 PCs to any branch
declaring a disaster
• Hot site provider has multiple sites in case the primary site is in use by
another customer or rendered unavailable by the disaster
ISACA CRM Case Study - Q
Q1
On the basis of the above information, which of the following should the
IS auditor recommend concerning the hot site?
• A. Desktops at the hot site should be increased to 750.
• B. An additional 35 servers should be added to the hot site contract.
• C. All backup media should be stored at the hot site to shorten the RTO.
• D. Desktop and server equipment requirements should be reviewed quarterly.
ISACA CRM Case Study
The correct answer to Q1 is D
• As equipment needs in a rapidly growing business are subject to frequent
  change, quarterly reviews are necessary to ensure that the recovery
  capability keeps pace with the organization.
• Since not all employee job functions are critical during a disaster, it is not
  necessary to contract for the same number of desktops at a recovery facility
  as the number of employees. Similarly, not every server is critical to the
  continued operation of the business.
• In both cases, only a subset will be required.
• Since there is no assurance that the hot site will not already be occupied, it
  would not be advisable to store backup media at the facility. These facilities
  are generally not designed to provide extensive media storage, and
  frequent testing by other customers could compromise the security of the
  media.
ISACA CRM Case Study - Q
Q2
On the basis of the above information, which of the following should the
IS auditor recommend concerning branch office recovery?
• A. Add each of the branches to the existing hot site contract.
• B. Ensure branches have sufficient capacity to back each other up.
• C. Relocate all branch mail and file / print servers to the data center.
• D. Add additional capacity to the hot site contract equal to the largest branch.
ISACA CRM Case Study
The correct answer to Q2 is B
• The most cost-effective solution is to recommend that branches have
  sufficient capacity to accommodate critical personnel from another branch.
• Since critical job functions would represent only perhaps 20 percent of the
  staff from the affected branch, accommodations for only four to seven
  critical staff members would be needed.
• Adding each of the branches to the hot site contract would be far more
  expensive, while adding capacity to the hot site contract would not provide
  coverage, as hot site contracts base their pricing on each location covered.
• Finally, relocating branch servers to the data center could result in
  performance issues, and would not address the question of where to locate
  displaced employees.
References
• CRM 20xx CISA Review Technical Information Manual,
  editor: Information Systems Audit and Control Association,
  Rolling Meadows, Illinois, USA, 20xx-1
• COBIT® 4.0: Control Objectives, Management Guidelines, Maturity Models,
  Copyright © IT Governance Institute®, 2005
• COBIT® 4.1: Framework, Management Guidelines, Maturity Models,
  Copyright © IT Governance Institute®, 2007
References
• Az Informatikai biztonság kézikönyve (The IT Security Handbook),
  editor and reviewer: Katalin Szenes,
  Verlag Dashöfer, Budapest
• K. Szenes: "IT GRC versus ? Enterprise GRC, but: IT GRC is a Basis of Strategic Governance",
  EuroCACS 2010 - Conference on Computer Audit, Control and Security,
  Copyright 2010 ISACA, Rolling Meadows, Illinois, USA,
  23-25 March 2010, Budapest, Hungary, Tutorial, Stream #1 IT Governance, #311
• CISA® Review Course transparencies, ISACA 2010,
  Chapter 6: Business Continuity and Disaster Recovery
• CISA®: see ISACA.org
References
• The predecessors of ISO 27001 and ISO 27002 are BS 7799 and ISO/IEC 17799
  (ISO/IEC 17799:2005 was renumbered as ISO/IEC 27002 in 2007); CRAMM is a
  related risk analysis and management method, not a predecessor of the standards.
• ISO/IEC 27001:2005(E), First edition 2005-10-15,
  Information technology - Security techniques - Information security
  management systems - Requirements,
  Copyright © ISO/IEC 2005
• ISO/IEC 27002:2005(E), First edition 2005-06-15,
  Information technology - Security techniques - Code of practice for
  information security management,
  Copyright © ISO/IEC 2005