Academic year: 2023

Dr. Szenes 1

Business Continuity Planning and Disaster Recovery

Katalin Szenes Dr., PhD, CISA, CISM, CGEIT, CISSP szenes.katalin@nik.uni-obuda.hu

Óbuda University (Óbudai Egyetem)

John von Neumann Faculty of Informatics (Neumann János Informatikai Kar)

Institute of Applied Informatics (Alkalmazott Informatikai Intézet)

Disclaimer

The following represents my opinion on / interpretation of the subject.

Neither ISACA nor ITGI is liable for the following, nor is either bound in any way by its contents.

Szenes Katalin

Note: the English formulation does not always follow the original either.

My comments inserted in quotations are denoted by [ ].

Table of Contents

- purpose and main aspects
- definitions: BCP, disaster, DRP, IT BCP, IT DRP
- tasks of the IS auditor
  - example on these tasks: CISA Q no 6-3; on audit concerns: CISA Q no 6-10
- consequences concerning the acceptance of the risks
- other planning issues
- preliminaries to be settled
- preliminaries / insurance
- emergency management team
  - CISA Q no 6-8 notification priorities
  - CISA Q no 6-9 organizational unit IT & the BCP

Table of Contents - on the components of the Information Systems Business Continuity Plan

- some [development] phases
- [development] process
- categories of incidents & incident management
- BIA & risk management
  - system risk ranking
  - issues in BIA phase
  - questions in BIA phase
  - example on risk aspects: CISA Q no 6-1
    - answer: see ISO/IEC 27001 and 27002, too

Table of Contents - on the components of the Information Systems Business Continuity Plan (cont'd)

- BCP documents
- infrastructure types: hot, warm, etc.
  - provisions for 3rd party agreements
  - on the audit of 3rd party agreements
  - infrastructure / telecommunications, networks
  - infrastructure / storage
- control measures
  - management
  - technical
  - physical

Table of Contents (cont'd)

- BCP plan: testing considerations
- rulebook contents
- recovery aspects (RPO, RTO, etc.)
- the IS BCP of the individual systems
- COBIT 3, 4 support of IS audit and IT security: the processes of Delivery & Support
  - DS4 - Ensure Continuous Service; DS4 control objectives
- on the COBIT 5 support
- ISACA CRM case study

purpose and main aspects

purpose: to enable a business to continue offering critical services in the event of a disruption, and to survive even a disastrous interruption of its activities. Business continuity planning has to take into consideration:

- the market & strategy goals of the corporation, and from these
- the strategic business processes, and from these
- those key operations that are most necessary to the survival of the organization
- the human / material resources supporting them

Note: ?? the business continuity plan must be based on the long-range IT plan ??

purpose and main aspects

the business continuity plan includes:

- the disaster recovery plan, to recover a facility rendered inoperable, including relocating operations to a new location for the recovered "normal" use
- the restoration plan, used to return operations to normality, whether in a restored or a new facility, only after the effect of the disruption has been mitigated by restarting the business applications involved

purpose and main aspects - as an operation, maintenance, and service delivery issue

task 4.10 of Domain 4: evaluate

- IT continuity and resilience
- backups / restores
- the disaster recovery plan (DRP)

to determine whether they are controlled effectively and continue to support the organization's objectives.

purpose and main aspects - as an operation, maintenance, and service delivery issue

related auditors' task in Domain 4: the IS auditor needs to understand and be able to evaluate the following:

- the applicable regulatory and contractual environment
- the disaster recovery strategies needed to enable the organization to meet these requirements, regardless of the operational state of the IS environment

Business Continuity Planning - Definition

The purpose of business continuity planning is to enable a business to continue operations should any kind of disturbance arise.

Rigorous planning and commitment of resources are necessary to plan adequately for such an event. Business continuity planning is primarily the responsibility of senior management, as they are entrusted with safeguarding both the assets and the viability of the company.

Business continuity planning is to take into consideration:

- those key operations that are most necessary to the survival, and later to the market success, of the organization
- the human / material resources supporting them.

Business Continuity Planning - Definition

The second part, the operations part of the business continuity plan, should address all functions and assets required to continue as a viable organization and to keep acquiring market success.

The extent of provision for reserve facilities depends on the cost / effectiveness considerations of top management.

Disaster Recovery Plan - Definition

Disasters are disruptions that cause critical information resources to be inoperative for a period of time, e.g. weather, terrorism, disruption in expected services, human error, etc.

(this disaster definition & the examples are from the CISA® Review Course slides)

The business continuity plan includes:

- the disaster recovery plan, which is generally the plan to be followed by the business units to recover a harmed / demolished facility or business functionality, or an operational facility, and
- the operations plan, which is to be followed by the business units to "get by" while recovery is taking place.

Information Systems Business Continuity Planning / Information Systems Disaster Recovery Plan - Definition

Everything is the same as in the case of Business Continuity Planning / the Disaster Recovery Plan, with the exception that it is the continuity of information systems processing that is threatened.

Information systems processing is one operation among many that keep the organization not only alive but also successful; thus it is of strategic importance.

Thus the event to be controlled is such a disruption, and the objective of the control measure is to survive an interruption of information systems processing.

Information Systems Business Continuity Planning / Information Systems Disaster Recovery Plan - Definition

Throughout the planning process of business continuity, the overall plan of the organization should be taken into consideration.

All IS plans must be consistent with and support the corporate business continuity plan.

This means that it is especially those information processing systems which support key operations that must have the more elaborate, ready-to-start reserve processing facilities.

the tasks of the auditor

to the tasks of the auditor belong:

- evaluate the adequacy of backup and restore provisions to ensure the availability of the information required to resume processing
- evaluate the organization's disaster recovery plan to ensure that it enables the recovery of IT processing capabilities in the event of a disaster
- evaluate the organization's business continuity plan to ensure the organization's ability to continue essential business operations during the period of an IT disruption

the tasks of the auditor

auditors' tasks - cont'd

- check whether the BCP follows corporate strategy
- evaluate plans for
  - accuracy
  - adequacy
  - effectiveness
  - etc.
- evaluate offsite storage
- evaluate the ability of IS and user personnel to respond effectively
- ensure plan maintenance is in place
- evaluate the readability of business continuity manuals and procedures

the tasks of the auditor

auditors' tasks - cont'd

- check the documents from the viewpoint of
  - currency
  - effectiveness
  - validity: interview personnel for appropriateness and completeness
- evaluate the BCP quality, e.g.:
  - determine whether corrective actions are in the plan
  - evaluate thoroughness and accuracy
  - determine problem trends and resolution of problems

the tasks of the auditor

auditors' tasks - cont'd

- evaluate media & documentation handling:
  - what is available,
  - synchronization, and
  - currency of media and documentation
- perform a detailed inventory review
- review all documentation
  - is it current, is it detailed enough?
  - change management
  - configuration management
  - release management

the tasks of the auditor

auditors' tasks - cont'd

- evaluate the offsite storage facility
  - if any, and what is there?
  - evaluate the physical and environmental access controls
  - examine the equipment for current inspection and calibration tags
  - etc.
- key personnel must have an understanding of their responsibilities

the tasks of the auditor

questions for checking:

- Who is responsible for administration or coordination of the plan?
- Is the plan administrator / coordinator responsible for keeping the plan up to date?
- Is there a disaster recovery implementation team (i.e., the first response team members who will react to the emergency with immediate action steps)?
- Where is the disaster recovery plan stored?
- What critical systems are covered by the plan?
- What systems are not covered by the plan? Why not?

the tasks of the auditor

questions for checking - cont'd

- What equipment is not covered by the plan? Why not?
- Does the plan operate under any assumptions? What are they?
- Does the plan identify rendezvous points for the disaster management committee or emergency management team to meet and decide whether business continuity should be initiated?
- Are the documented procedures adequate for successful recovery?
- Does the plan address disasters of varying degrees?
- Are telecommunications backups (both data and voice line backups) addressed in the plan?
  - and how? - see later: infrastructure / telecommunications

the tasks of the auditor

questions for checking - cont'd

- Is there a backup facility site?
  - if not, then what are the plans for the case of disruption?
  - and / or: what kind of precautions are taken? (see later: different types of infrastructures)
- Does the plan address relocation to a new information processing facility in the event that the original center cannot be restored?
- Does the plan include procedures for merging
  - master file data,
  - automated tape management system data,
  - etc., into pre-disaster files?

the tasks of the auditor - CISA Q no 6-3

(source: CISA® Review Course slides, ISACA / Business Continuity and Disaster Recovery)

An IS auditor should be involved in:

A. observing tests of the disaster recovery plan.
B. developing the disaster recovery plan.
C. maintaining the disaster recovery plan.
D. reviewing the disaster recovery requirements of supplier contracts.

the tasks of the auditor - CISA Q no 6-3

(source: CISA® Review Course slides, ISACA / Business Continuity and Disaster Recovery)

Answer: A

- The IS auditor should always be present when disaster recovery plans are tested, to ensure that the test meets the required targets for restoration, to ensure that recovery procedures are effective and efficient, and to report on the results, as appropriate.
- IS auditors may be involved in overseeing plan development, but they are unlikely to be involved in the actual development process.
- Similarly, an audit of plan maintenance may be conducted, but the IS auditor normally would not have any responsibility for the actual maintenance.
- An IS auditor may be asked to comment upon various elements of a supplier contract, but, again, this is not always the case.

on audit concerns - CISA Q no 6-10

(source: CISA® Review Course slides, ISACA / Business Continuity and Disaster Recovery)

version 1 - the slides

In an audit of a business continuity plan, which of the following findings is of MOST concern?

A. There is no insurance for the addition of assets during the year.
B. The business continuity plan manual is not updated on a regular basis.
C. Testing of the backup data has not been done regularly.
D. Records for maintenance of the access system have not been maintained.

on audit concerns - CISA Q no 6-10

(source: CISA® Review Course slides, ISACA / Business Continuity and Disaster Recovery)

version 1 - the slides

The correct answer is C

- The most vital assets of a company are its data. In a business continuity plan, it is critical to ensure that data are available. Therefore, regular testing of the backup of data must be done. If testing is not done, the organization may not be able to retrieve data when required during a disaster; hence, the company may lose its most valuable asset and may not be able to recover from the disaster.
- A loss on account of lack of insurance is limited to the value of the assets.
- If the business continuity plan manual is not updated, the company may find the manual not fully relevant for recovery during a disaster. However, recovery could still be possible.
- Non-maintenance of records in an access system will not directly impact the relevance of the business continuity plan.
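"Regular testing of the backup data", the finding the answer above ranks highest, means more than confirming that the backup job completed: a restored copy has to be compared against what was actually backed up, since a medium that reads back silently altered or incomplete data is discovered only at restore time. The Python script below is an added example for this page, not part of the original slides or of any ISACA material; the manifest format, file names and sample contents are constructed for illustration. It records a size and SHA-256 manifest when the backup set is taken and, during a restore test, reports files that are missing, altered, or present but unaccounted for.

```python
"""Restore test for a file backup set.

A manifest (size + SHA-256 per file) is written when the backup is taken;
the restore test later compares a restored copy against it. Added example
for this page; not from the original lecture or ISACA. File names, the
manifest layout and the sample bytes are constructed for illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"

# Constructed sample backup set (not real data).
SAMPLE_FILES = {
    "ledger.csv": b"id,amount\n1,100\n2,250\n",
    "customers.db": bytes(range(256)) * 16,
    "config/app.ini": b"[db]\nhost=db1\n",
}


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large members need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def regular_files(root: Path) -> dict:
    """Map relative POSIX path -> Path for every regular file under root,
    excluding the manifest itself."""
    return {
        p.relative_to(root).as_posix(): p
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def write_manifest(backup_dir: Path) -> Path:
    """Record size and SHA-256 of every file in the backup set.

    In practice the manifest should be kept with the offsite copy but on a
    different medium than the backup, so one failed medium does not lose both.
    """
    entries = {
        rel: {"size": p.stat().st_size, "sha256": sha256_file(p)}
        for rel, p in regular_files(backup_dir).items()
    }
    manifest = backup_dir / MANIFEST_NAME
    manifest.write_text(json.dumps(entries, indent=2, sort_keys=True))
    return manifest


def restore_test(restored_dir: Path, manifest_path: Path) -> dict:
    """Compare a restored copy against the manifest.

    Reports files missing from the restore, files whose size or hash no
    longer matches, and files present in the restore but not in the manifest.
    """
    expected = json.loads(manifest_path.read_text())
    present = regular_files(restored_dir)
    missing, corrupted = [], []
    for rel, meta in expected.items():
        p = present.get(rel)
        if p is None:
            missing.append(rel)
        elif p.stat().st_size != meta["size"] or sha256_file(p) != meta["sha256"]:
            corrupted.append(rel)
    extra = sorted(set(present) - set(expected))
    return {"missing": missing, "corrupted": corrupted, "extra": extra,
            "ok": not (missing or corrupted or extra)}


def write_files(root: Path, files: dict) -> None:
    """Materialize a {relative path: bytes} set under root."""
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> dict:
    """Constructed scenario: take a backup, then run the restore test against
    a faithful copy and against a copy with one truncated and one absent file."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        write_files(backup, SAMPLE_FILES)
        manifest = write_manifest(backup)

        good = Path(tmp) / "restore_ok"
        write_files(good, SAMPLE_FILES)

        damaged = dict(SAMPLE_FILES)
        damaged["ledger.csv"] = damaged["ledger.csv"][:10]  # truncated in transit
        del damaged["customers.db"]                          # never restored
        bad = Path(tmp) / "restore_bad"
        write_files(bad, damaged)

        return {"clean": restore_test(good, manifest),
                "degraded": restore_test(bad, manifest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A restore test of this kind belongs on the same schedule as the backups themselves and should be run against the offsite copy, not the local one, since the offsite copy is what a disaster leaves you with.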

on audit concerns - CISA Q no 6-10

(source: CISA® Review Course slides, ISACA / Business Continuity and Disaster Recovery)

version 2

In an audit of a business continuity plan, which of the following findings is of MOST concern?

A. There is no insurance for the addition of assets during the year.
B. The business continuity plan is not updated on a regular basis.
C. Testing of the backup data has not been done regularly.
D. Records for maintenance of the access system have not been maintained.

The correct answer is?

Consequences Concerning the Acceptance of the Risks

ISACA:

The alternatives for the elimination of the risks are determined by the resources that management wants to spend on "safety".

Management classifies according to business importance the

- assets
- processes
- data

and the importance of the data processing systems is equal to the importance of the element they support.

but my risk definition:

on the notion of risk

risk ≈ strategic value of the asset × probability of the threat

goal-related asset risk is such a value which is assigned to a pair of

- corporate asset, and
- operational objective

risk (asset, goal) ~ distance (asset, goal)

probability (asset, goal, attack), vulnerability (asset, goal, effort) → transparency

other BCP planning issues

the entire organization needs to be considered for BCP; the personnel has to

- classify critical systems and resources
- determine acceptable recovery times
- react

the personnel who must react to the interruption / disaster scenarios are those who are responsible for the most critical resources

→ management and user involvement is vital to the success of the business continuity plan

other BCP planning issues

User management involvement is essential to the identification of critical systems, their associated critical recovery times and the specification of needed resources.

- The three major divisions that require involvement in the formulation of the business continuity plan are
  - support services,
  - business operations and
  - information processing support.
- as the underlying purpose of business continuity planning is the resumption of business operations, every organizational unit should contribute aspects and / or help in the development of the BCP, IT BCP, etc., already in the planning phase

other BCP planning issues

the BCP, IT BCP, etc., are to be based on

- the risk assessment results and the BIA
- the business goals & strategy
- all issues involved in interruption to business processes, including recovering from a disaster

Important:

- The plan should be documented and written in simple language understandable to all.
- Copies of the plan should be maintained offsite.

other BCP planning issues

for the BCP, IT BCP, etc., the following other information is to be collected:

- pre-disaster readiness
- possible evacuation procedures
- circumstances under which a disaster should be declared
- identification of contract information
- recovery option explanations
- identification of resources for recovery and continued operation of the organization

preliminaries to be settled

for the BCP, IT BCP, etc., the following should be agreed upon:

- the policies that will govern all of the continuity and recovery efforts
- the goals / requirements / products for each phase
- alternate facilities to perform tasks and operations
- critical information resources to deploy (e.g., data and systems)
- persons responsible for completion
- available resources to aid in deployment (including human)
- the scheduling of activities, with priorities established
- key decision-making personnel
- backup of required supplies
- telecommunication networks disaster recovery methods
- redundant array of inexpensive disks (RAID)
- insurance

preliminaries / insurance

Most insurance covers only financial losses, based upon the historical level of performance and not the existing level of performance.

Also, insurance does not compensate for loss of image / goodwill.

The Business Continuity Plan should contain:

- key information about the organization's insurance
- it should take the corporate physical, logical, market, etc. environment into consideration
- etc.

IT BCP:

- The information systems processing insurance policy is usually a multi-peril policy designed to provide various types of IS coverage.
- It should be constructed in modules, so that it can be adapted to the insured's particular IT architecture and requirements,
- etc.

preliminaries / insurance

(BCP / IT BCP) insurance is to cover, among others:

- actual costs of recovery
- replacement / reconstruction of every kind of equipment and facilities
- IT losses, e.g.
  - IS media & software & ... reconstruction
- extra expense
- business interruption
- valuable papers and records
- errors and omissions
- fidelity coverage
- media transportation
- etc., other kinds of costs of business continuity

emergency management team

The emergency management team coordinates the activities of all other recovery teams. This team oversees:

- retrieving critical and vital data from offsite storage
- installing and testing systems software and applications at the system recovery site
- identifying, purchasing, and installing hardware at the system recovery site
- operating from the system recovery site
- rerouting network communications traffic

emergency management team - cont'd

- reestablishing the user / system network
- transporting users to the recovery facility
- reconstructing databases
- supplying necessary office goods, i.e., special forms, check stock, paper
- arranging and paying for employee relocation expenses at the recovery facility
- coordinating systems use and employee work schedules
- etc.

CISA Q no 6-8 notification priorities

(source, among others: CISA® Review Course slides, ISACA / Business Continuity and Disaster Recovery)

In a business continuity plan, which of the following notification directories is the MOST important?

A. Equipment and supply vendors
B. Insurance company agents
C. Contract personnel services
D. A prioritized contact list

CISA Q no 6-8 notification priorities

(source, among others: CISA® Review Course slides, ISACA / Business Continuity and Disaster Recovery)

The correct answer is D

- A prioritized list of contacts is most important, since it will direct the process of communication and contact to the various entities in order of priority.
- Choices A, B and C are musts, but not as important as choice D.

CISA Q no 6-9 organizational unit IT & the BCP

(source, among others: CISA® Review Course slides, ISACA / Business Continuity and Disaster Recovery)

Which of the following components of a business continuity plan is PRIMARILY the responsibility of an organization's IS department?

A. Developing the business continuity plan
B. Selecting and approving the strategy for the business continuity plan
C. Declaring a disaster
D. Restoring the IS systems and data after a disaster

CISA Q no 6-9 organizational unit IT & the BCP

(source, among others: CISA® Review Course slides, ISACA / Business Continuity and Disaster Recovery)

The correct answer is D

- The correct choice is restoring the IT systems and data after a disaster. The IT department of an organization is primarily responsible for restoring the IT systems and data after a disaster at the earliest possible time.
- Members of the organization's senior management are primarily responsible for developing the business continuity plan for an organization. Management is also responsible for selecting and approving the strategy for developing and implementing a detailed business continuity plan. The organization should identify a person in management as responsible for declaring a disaster. Although IT is involved in the three other choices, it is not primarily responsible for them.

CISA Q Domain 5 Protection of Information Assets, Question 21

(source: CISA® Review Course slides, ISACA)

While designing the business continuity plan (BCP) for an airline reservation system, the MOST appropriate method of data transfer / backup at an offsite location would be:

A. shadow file processing.
B. electronic vaulting.
C. hard-disk mirroring.
D. hot-site provisioning.

CISA Q Domain 5 Protection of Information Assets, Question 21

(source: CISA® Review Course slides, ISACA)

A is the correct answer:

A. In shadow file processing, exact duplicates of the files are maintained at the same site or at a remote site. The two files are processed concurrently. This is used for critical data files such as airline booking systems.
B. Electronic vaulting electronically transmits data either to direct access storage, an optical disc or another storage medium; this is a method used by banks. It is not usually as close to real time as a shadow file system.
C. Hard-disk mirroring provides redundancy in case the primary hard disk fails. All transactions and operations occur on two hard disks in the same server.
D. A hot site is an alternate site ready to take over business operations within a few hours of any business interruption, and is not a method for backing up data.

On the Components of the Information Systems Business Continuity Plan - considerations only!

[some] phases of development

- based on business impact analysis
- creation of a business continuity and disaster recovery policy
- classification of operations and criticality analysis
- forming responsible teams, nominating responsible employees and collecting their contact data
- development of a business continuity plan and disaster recovery procedures, and
- training and awareness program
- implementation of the plan
- regular testing and monitoring

On the Components of the Information Systems Business Continuity Plan - considerations only!

planning [or rather: development] process

(source: CISA® Review Course slides, ISACA)

categories of incidents & incident management

- Negligible incidents are those causing no perceptible or significant damage, such as very brief operating system (OS) crashes with full information recovery or momentary power outages with uninterruptible power supply (UPS) backup.
- Minor events are those that, while not negligible, produce no negative material (of relative importance) or financial impact.
- Major incidents cause a negative material impact on business processes and may affect other systems, departments or even outside clients.
- Crisis is a major incident that can have serious material (of relative importance) impact on the continued functioning of the business and may also adversely impact other systems or third parties. The severity of the impact depends on the industry and circumstances, but is generally directly proportional to the time elapsed from the inception of the incident to incident resolution.

categories of incidents & incident management (source: CISA® Review Course slides, ISACA / Business Continuity and Disaster Recovery)

On the Components of the Information Systems Business Continuity Plan - considerations only!

BIA and risk management

CISA CRM: Business Impact Analysis (BIA)

risk management ↔ business continuity plan development:

- risk assessment includes: system risk ranking

ranking:

- Critical
- Vital
- Sensitive
- Non-sensitive

On the Components of the Information Systems Business Continuity Plan - considerations only!

BIA and risk management

system risk ranking:

- Critical - These functions cannot be performed unless they are replaced by identical capabilities. Critical applications cannot be replaced by manual methods. Tolerance to interruption is very low; therefore, cost of interruption is very high.
- Vital - These functions can be performed manually, but only for a brief period of time. There is a higher tolerance to interruption than with critical systems and, therefore, somewhat lower costs of interruption, provided that functions are restored within a certain time frame (usually five days or less).

On the Components of the Information Systems Business Continuity Plan - considerations only!

BIA and risk management

system risk ranking - cont'd

- Sensitive - These functions can be performed manually, at a tolerable cost and for an extended period of time. While they can be performed manually, it usually is a difficult process and requires additional staff to perform.
- Non-sensitive - These functions may be interrupted for an extended period of time, at little or no cost to the company, and require little or no catching up when restored.

On the Components of the Information Systems Business Continuity Plan - considerations only!

BIA and risk management

issues in BIA phase

- consequences on the BCP, that is, on:
  - alternatives - see infrastructure types
  - recovery strategies & methods
- risk management cycle

On the Components of the Information Systems Business Continuity Plan - considerations only!

BIA and risk management

questions in BIA phase

- Which are the different business processes?
- What are the critical information resources related to an organization's critical business processes?
- What is the critical recovery time period for information resources, in which business processing must be resumed before significant or unacceptable losses are suffered?

On the Components of the Information Systems Business Continuity Plan - example on the risk aspect - CISA Q

(source: CISA® Review Course slides, ISACA / Business Continuity and Disaster Recovery)

6-1 During an audit of a large bank, the IS auditor observes that no formal risk assessment exercise has been carried out for the various business applications to arrive at their relative importance and recovery time requirements. The risk to which the bank is exposed is that the:

A. business continuity plan may not have been calibrated to the relative risk that disruption of each application poses to the organization.
B. business continuity plan may not include all relevant applications and, therefore, may lack completeness in terms of its coverage.
C. business impact of a disaster may not have been accurately understood by management.
D. business continuity plan may lack effective ownership by the business owners of such applications.

On the Components of the Information Systems Business Continuity Plan - example on the risk aspect - CISA Q

(source: CISA® Review Course slides, ISACA / Business Continuity and Disaster Recovery)

6-1 Answer: A

- The first and key step in developing a business continuity plan is a risk assessment exercise that analyzes the various risks that an organization faces and the impact of non-availability of individual applications.
- ISO: [I refer to 27001 and 27002]

On the Components of the Information Systems Business Continuity Plan - example on the risk aspect - CISA Q

ISO reference to the 6-1 answer (ISO 2005) /1 - 27002:

Chapter 14: BUSINESS CONTINUITY MANAGEMENT

14.1 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT

- 14.1.1 Including information security in the business continuity management process
- 14.1.2 Business continuity and risk assessment
- 14.1.3 Developing and implementing continuity plans including information security
- 14.1.4 Business continuity planning framework
- 14.1.5 Testing, maintaining and re-assessing business continuity plans

on the standard, see the references! to buy: www.mszt.hu

On the Components of the Information Systems Business Continuity Plan - example on the risk aspect - CISA Q

ISO reference to the 6-1 answer /2 - 27001: Annex A - Control Objectives and Control [Measure]s

A.14 Business continuity management

A.14.1 Information security aspects of business continuity management

- Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
- see control measures A.14.1.1 - A.14.1.5! on the standard, see the references!

On the Components of the Information Systems Business Continuity Plan

BCP documents

- continuity of operations plan
- disaster recovery plan (DRP)
- business resumption plan
- continuity of support plan / IT contingency plan
- crisis communications plan
- incident response plan
- transportation plan
- occupant emergency plan

On the Components of the Information Systems Business Continuity Plan - considerations only!

Infrastructure types:

- mirroring
- hot, warm or cold site
- alternative hardware
- backup of required supplies
- telecommunication networks
- servers, storage
- offsite libraries and library controls
- security and control of offsite facilities
- media and documentation backup
- etc.

details follow.

infrastructure types

- Mirroring [parallel processing - special HW or organized]
- Hot Sites - They are fully configured and ready to operate within several hours. The equipment, network and systems software must be compatible with the primary installation being backed up. The only additional needs are staff, programs, data files and documentation.

another, newer definition of the hot site:

- The hot site is intended for emergency operations of a limited time period and not for long-term extended use. Long-term use would impair the protection of other subscribers.

cont'd with consequences

infrastructure types

consequences of the new definition:

- Therefore, the hot site should be viewed as a means of accomplishing the continuation of essential operations for a period of up to several weeks following a disaster or major emergency. Further plans are still necessary to provide for subsequent operations.
- Several vendors offer warm- or cold-site facilities for a subscriber to migrate to after recovery of operations has been completed. This will free up the hot site for use by other subscribers.

the cold site definition also has another version, with subscribers!


infrastructure types

warm site:

- Warm Sites – They are partially configured, usually with network connections and selected peripheral equipment, such as disk drives, tape drives and controllers, but without the main computer. Sometimes a warm site is equipped with a less powerful central processing unit (CPU) than the one generally used. The assumption behind the warm site concept is that the computer can usually be obtained quickly for emergency installation (provided it is a widely used model) and, since the computer is the most expensive unit, such an arrangement is less costly than a hot site. After the installation of the needed components, the site can be ready for service within hours; however, the location and installation of the CPU and other missing units could take several days or weeks.

infrastructure types

- Cold Sites – These are sites that have only the basic environment (electrical wiring, air conditioning, flooring, etc.) to operate an IPF (information processing facility), reducing the cost. The cold site is ready to receive equipment but does not offer any components at the site in advance of the need. Activation of the site may take several weeks.

- Duplicate (redundant) Information Processing Facility – These are dedicated, self-developed recovery sites that can back up critical applications. They can range in form from a standby hot site to a reciprocal agreement with another company installation.


infrastructure types

(source: CISA® Review Course transparencies, ISACA / Business Continuity and Disaster Recovery)

- Mobile Sites – This is a specially designed trailer that can be quickly transported to a business location or to an alternate site to provide a ready-conditioned information processing facility.

- Reciprocal Agreement with other organizations – This is a less frequently used method between two or more organizations with similar equipment or applications. Under the typical agreement, participants promise to provide computer time to each other when an emergency arises.

(provisions for 3rd party agreements follow)

infrastructure / provisions for 3rd party agreements (source: CISA® Review Course transparencies, ISACA / Business Continuity and Disaster Recovery)

- Configurations—Are the vendor’s hardware and software configurations adequate to meet company needs, since these will vary over time?
- Disaster—Is the definition of disaster broad enough to meet anticipated needs?
- Speed of availability—How soon after a disaster will facilities be available?
- Subscribers per site—Does the agreement limit the number of subscribers per site?
- Subscribers per area—Does the agreement limit the number of subscribers in a building or area?
- Preference—Who gets preference if there are common or regional disasters? Is there backup for the backup facilities? Is use of the facility exclusive or does the customer have to share the available space if multiple customers simultaneously declare a disaster? Does the vendor have more than one facility available for subscriber use?


infrastructure / provisions for 3rd party agreements (source: CISA® Review Course transparencies, ISACA / Business Continuity and Disaster Recovery)

- Insurance—Is there adequate insurance coverage for company employees at the backup site? Will existing insurance reimburse those fees?
- Usage period—How long is the facility available for use? Is this period adequate? What technical support will the site operator provide? Is this adequate?
- Communications—Are the communications adequate? Are the communication connections to the backup site sufficient to permit unlimited communication with the alternate site if needed?

infrastructure / provisions for 3rd party agreements (source: CISA® Review Course transparencies, ISACA / Business Continuity and Disaster Recovery)

- Warranties—What warranties will the vendor make regarding availability of the site and the adequacy of the facilities? Are there liability limitations (there usually are) and is the company willing to live with them?
- Audit—Is there a right-to-audit clause permitting an audit of the site to evaluate the logical, physical and environmental security?
- Testing—What testing rights are included in the contract? Check with the insurance company to determine any reduction of premiums that may be forthcoming due to the backup site availability.
- Reliability—Can the vendor attest to the reliability of the site(s) being offered? Ideally, the vendor should have a UPS, limited subscribers, sound technical management, and guarantees of computer hardware and software compatibility.


on the audit of 3rd party agreements

(source: CISA® Review Course transparencies, ISACA / Business Continuity and Disaster Recovery)

- An IS auditor should obtain a copy of the contract with the vendor.
- Ensure that the contract is written clearly and is understandable.
- Reexamine and confirm the organization’s agreement with the rules that apply to sites shared with other subscribers.
- Ensure that insurance coverage ties in with and covers all (or most) expenses of the disaster.
- Ensure that tests can be performed at the hot site at regular intervals.
- Review and evaluate communications requirements for the backup site.
- Ensure that enforceable source code escrow is reviewed by a lawyer specializing in such contracts.
- Determine the limitation recourse tolerance in the event of a breached agreement.
- The contract should be reviewed against a number of guidelines:
  - Contract is clear and understandable
  - Organization’s agreement with the rules
  - etc.

infrastructure / telecommunications, networks (source: CISA® Review Course transparencies, ISACA / Business Continuity and Disaster Recovery)

- [measures concerning networks include]:
  - Alternative routing
  - Diverse routing
  - Long-haul network diversity
  - Protection of the local loop [wire between the local switch and the end-user customer]
  - Voice recovery
  - Availability of appropriate circuits and adequate bandwidth

(details follow)


infrastructure / telecommunications, networks (source: CISA® Review Course transparencies, ISACA / Business Continuity and Disaster Recovery)

details on the methods of providing telecommunications continuity:

- Redundancy—Involves providing extra capacity with a plan to use the surplus capacity should the normal primary transmission capability not be available. In the case of a LAN, a second cable could be installed through an alternate route for use in the event the primary cable is damaged.

- Alternative routing—The method of routing information via an alternate medium such as copper cable or fiber optics. This involves use of different networks, circuits or end points should the normal network be unavailable.

- Diverse routing—The method of routing traffic through split cable facilities or duplicate cable facilities. This can be accomplished with different and/or duplicate cable sheaths.

infrastructure / telecommunications, networks (source: CISA® Review Course transparencies, ISACA / Business Continuity and Disaster Recovery)

details on the methods of providing telecommunications continuity - cont'd

- Long haul network diversity—Many recovery facilities vendors have provided diverse long-distance network availability utilizing T1 circuits among the major long-distance carriers. This ensures long-distance access should any one carrier experience a network failure. Several of the major carriers have now installed automatic re-routing software and redundant lines that provide instantaneous recovery should a break in their lines occur.

[T1 is what telephone companies have traditionally used to transport digitized telephone conversations between central offices]


infrastructure / telecommunications, networks (source: CISA® Review Course transparencies, ISACA / Business Continuity and Disaster Recovery)

details on the methods of providing telecommunications continuity - cont'd

- Last mile circuit protection—Many recovery facilities provide a redundant combination of local carrier T1s, microwave and/or coaxial cable access to the local communications loop. This enables the facility to have access during a local carrier communication disaster. Alternate local carrier routing is also utilized.

- Voice recovery—With many service, financial and retail industries dependent on voice communication, redundant cabling and alternative routing should be provided for voice communication lines as well as data communication lines.

infrastructure / storage

(source: CISA® Review Course transparencies, ISACA / Business Continuity and Disaster Recovery)

Redundant array of inexpensive disks (RAID)

- Provides performance improvements and fault tolerant capabilities via hardware or software solutions
- Provides the potential for cost-effective mirroring offsite for data back-up


infrastructure

(source: CISA® Review Course transparencies, ISACA / Business Continuity and Disaster Recovery)

Q 6-7

An IS auditor discovers that an organization’s business continuity plan provides for an alternate processing site that will accommodate 50 percent of the primary processing capability. Based on this, which of the following actions should the IS auditor take?

- A - Do nothing, because generally, less than 25 percent of all processing is critical to an organization’s survival and the backup capacity, therefore, is adequate.
- B - Identify applications that could be processed at the alternate site and develop manual procedures to back up other processing.
- C - Ensure that critical applications have been identified and that the alternate site could process all such applications.
- D - Recommend that the information processing facility arrange for an alternate processing site with the capacity to handle at least 75 percent of normal processing.

infrastructure

(source: CISA® Review Course transparencies, ISACA / Business Continuity and Disaster Recovery)

Q 6-7

The correct answer is C

- A business continuity plan should provide for the recovery of critical systems, not necessarily all systems.
- Perhaps only 50 percent of the company’s systems are critical; therefore, careful assessment of critical systems and capacity requirements should be part of the IS auditor’s test of the plan.


control measures - management

- oversight and
- reporting

on the procedures and operations of the processes

the items to be checked include:

- policy,
- procedures,
- balancing,
- employee development,
- compliance reporting

control measures - technical

these are actually logical controls, that are provided through the use of
- technology,
- a piece of equipment / device

Examples include:
- firewalls,
- network or host-based intrusion detection systems (IDSs),
- passwords,
- antivirus software,
- etc.! (inserted into a more or less original paragraph: szk)

a technical control MEASURE (inserted into a more or less original paragraph: szk)

requires:


control measures - physical

- locks
- fences,
- closed-circuit TV (CCTV)
- devices that are installed to physically restrict access to a facility or hardware

physical controls require:

- maintenance
- monitoring
- ability to assess and react to an alert should a problem be indicated

BCP plan - testing considerations

(source: CISA® Review Course transparencies, ISACA / Business Continuity and Disaster Recovery)

one of the purposes of the business continuity test is to determine how well the plan works or which portions of the plan need improvement.

the test must simulate actual processing conditions

- The test should be scheduled during a time that will minimize disruptions to normal operations. Weekends are generally a good time to conduct tests.
- It is important that the key recovery team members be involved in the test process and allotted the necessary time to put their full effort into it.
- The test should address all critical components and
- simulate actual primetime processing conditions, even if it is conducted in off hours.
- Test Execution – (continued)


BCP plan - testing considerations

(source: CISA® Review Course transparencies, ISACA / Business Continuity and Disaster Recovery)

the test - cont'd

- Test Execution – To perform testing, each of the following test phases should be completed: Pretest, Test, Post-Test.
- Documentation of Results – During every phase of the test, detailed documentation of observations, problems and resolutions should be maintained.
- Results Analysis – It is important to have ways to measure the success of the plan and test against the stated objectives. Therefore, results must be quantitatively gauged as opposed to an evaluation based only on observation.
- Recovery/Continuity plan maintenance – Plans and strategies for business continuity should be reviewed and updated on a scheduled basis to reflect continuing recognition of changing requirements.

On the Components of the Information Systems Business Continuity Plan - considerations only!

Rulebook Contents - some of the important points

- Detailed Plan
- Organization and Assignment of Responsibilities
- Emergency Response Team
- Key Decision-making Personnel
- what will employees do?
  - where will employees report to work,
  - how will orders be taken while the computer system is being restored,
  - who is responsible for calling which vendors to provide needed supplies

- CISA® Review Course transparencies were also used here


On the Components of the Information Systems Business Continuity Plan - considerations only!

Rulebook Contents - some of the important points, cont'd

- Insurance
- Recovery/Continuity Plan Testing:
  - Plan and Actual Tests
  - Documentation of the Test Results
  - Results Analysis
- Recovery/Continuity Plan Maintenance
- Periodic Backup Procedures
- Record Keeping for Offsite Storage

recovery aspects

(source: CISA® Review Course transparencies, ISACA / Business Continuity and Disaster Recovery)

- Recovery Point Objective (RPO)
- Recovery Time Objective (RTO)
- Interruption window
- Service delivery objective - SDO
- Maximum tolerable outage
- Disaster [problem] tolerance


recovery aspects

(source: CISA® Review Course transparencies, ISACA / Business Continuity and Disaster Recovery)

Recovery Point Objective (RPO)
  - Based on acceptable data loss
  - Indicates the earliest point in time to which it is acceptable to recover the data

- acceptable data loss: For example, if the process can afford to lose the data up to four hours before disaster, then the latest backup available should be up to four hours before disaster or interruption, and the transactions between the RPO and the interruption need to be entered after recovery (known as catch-up data).

recovery aspects

(source: CISA® Review Course transparencies, ISACA / Business Continuity and Disaster Recovery)

Recovery Point Objective (RPO)
  - Based on acceptable data loss
  - Indicates the earliest point in time to which it is acceptable to recover the data

- RPO effectively quantifies the permissible amount of data loss in case of interruption. It is almost impossible to recover the data completely. Even after entering catch-up data, some data are still lost and are referred to as orphan data.

- If RPO is very low, say in minutes, it means that the process cannot afford to lose the data in such a short time. In such cases, data mirroring should be used as a recovery strategy. If RPO is high, say in hours, then other backup procedures, such as reel backup, could be used.


recovery aspects

(source: CISA® Review Course transparencies, ISACA / Business Continuity and Disaster Recovery)

disaster here: disaster caused by the interrupt

- Recovery Time Objective (RTO)
  - Based on acceptable downtime
  - Indicates the earliest point in time at which the business operations must resume after a disaster

- The RTO is determined based on the acceptable downtime in case of a disruption of operations. It indicates the earliest point in time at which the business operations must resume after disaster.

- A high RTO means that much more time is available for the recovery strategy.

recovery aspects

(source: CISA® Review Course transparencies, ISACA / Business Continuity and Disaster Recovery)

relation between RPO / RTO - which recovery strategies would be best with different RTO and RPO parameters?


recovery aspects

(source: CISA® Review Course transparencies, ISACA / Business Continuity and Disaster Recovery)

- Interruption window—The time the organization can wait from the point of failure to the critical services/applications restoration. After this time, the progressive losses caused by the interruption are unaffordable.

- Service delivery objective (SDO)—Level of services to be reached during the alternate process mode until the normal situation is restored. This is directly related to the business needs.

- Maximum tolerable outage—Maximum time the organization can support processing in alternate mode. After this point, different problems may arise, especially if the alternate SDO is lower than the usual SDO, and the information pending to be updated can become unmanageable.

- Disaster [problem] tolerance is the time gap within which the business can accept non-availability of IT facilities. If this time gap is high, recovery strategies that take a longer time can be used.

recovery aspects

(source: CISA® Review Course transparencies, ISACA / Business Continuity and Disaster Recovery)

Q 6-5

Data mirroring should be implemented as a recovery strategy when:

- A. recovery point objective (RPO) is low.
- B. RPO is high.
- C. recovery time objective (RTO) is high.
- D. disaster tolerance is high.


recovery aspects

(source: CISA® Review Course transparencies, ISACA / Business Continuity and Disaster Recovery)

Q 6-5

The correct answer is A

- RPO is the earliest point in time to which it is acceptable to recover the data. If RPO is very low, say in minutes, it means that the process cannot afford to lose the data in such a short time. In such cases, data mirroring should be used as a recovery strategy.

- If RPO is high, say in hours, then other backup procedures, such as reel backup, could be used.

- A high RTO means that much more time is available for the recovery strategy.

- Disaster tolerance is the time gap within which the business can accept non-availability of IT facilities. If this time gap is high, recovery strategies that take a longer time can be used.
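The RPO and RTO rules stated on the recovery-aspects slides, encoded as an added Python example; this is not code from the original slides or from the ISACA material they quote. The one-hour and twelve-hour cut-offs, the site readiness times and the sample transactions are assumptions made for the illustration.

```python
"""Recovery-objective helper: an added example, not part of the original
slides or of the ISACA/COBIT material they quote. It encodes the rules on the
recovery-aspects slides: the latest backup must be no older than the RPO,
transactions between that backup and the interruption are catch-up data, an
RPO in minutes calls for mirroring while hours allow reel backup, and a high
disaster tolerance permits slower recovery strategies. The numeric cut-offs,
the site readiness times and the sample transactions are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RecoveryObjectives:
    rpo: timedelta                  # acceptable data loss
    rto: timedelta                  # acceptable downtime
    interruption_window: timedelta  # after this, losses are unaffordable
    disaster_tolerance: timedelta   # acceptable non-availability of IT


def rpo_met(last_backup: datetime, disaster: datetime, rpo: timedelta) -> bool:
    """The latest usable backup must lie within the RPO before the disaster."""
    age = disaster - last_backup
    return timedelta(0) <= age <= rpo


def catch_up_transactions(transactions, last_backup, disaster):
    """Transactions committed after the last backup and before the interruption;
    these must be re-entered after recovery. A transaction in flight at the
    moment of the disaster is not returned: it is potential orphan data."""
    return [tx for tx in transactions if last_backup < tx[0] < disaster]


def backup_strategy(rpo: timedelta) -> str:
    """Slide rule: RPO in minutes -> mirroring, RPO in hours -> reel backup.
    The one-hour boundary is an assumption."""
    return "data mirroring" if rpo < timedelta(hours=1) else "periodic tape (reel) backup"


def site_strategy(rto: timedelta, disaster_tolerance: timedelta) -> str:
    """Slowest (cheapest) site still ready within the tighter of RTO and disaster
    tolerance. Readiness assumed from the slide descriptions: hot site = hours,
    warm site = days to weeks, cold site = several weeks."""
    budget = min(rto, disaster_tolerance)
    if budget <= timedelta(hours=12):
        return "hot site"
    if budget <= timedelta(days=7):
        return "warm site"
    return "cold site"


def check_objectives(obj: RecoveryObjectives) -> list:
    """Consistency findings an IS auditor would raise on the parameters."""
    findings = []
    if obj.rto > obj.interruption_window:
        findings.append("RTO exceeds the interruption window")
    if obj.rto > obj.disaster_tolerance:
        findings.append("RTO exceeds disaster tolerance")
    return findings


def assess(obj, transactions, last_backup, disaster) -> dict:
    """Combine the checks for one system into a single report."""
    return {
        "rpo_met": rpo_met(last_backup, disaster, obj.rpo),
        "catch_up": [tid for _, tid in catch_up_transactions(transactions, last_backup, disaster)],
        "backup_strategy": backup_strategy(obj.rpo),
        "site_strategy": site_strategy(obj.rto, obj.disaster_tolerance),
        "findings": check_objectives(obj),
    }


# Constructed sample: (commit time, transaction id); the 11:00 backup is
# 3h50m old at the 14:50 disaster, so a four-hour RPO is met and TX-1002 and
# TX-1003 are catch-up data; TX-1004 was in flight and becomes orphan data.
SAMPLE_TRANSACTIONS = [
    (datetime(2023, 5, 8, 9, 15), "TX-1001"),
    (datetime(2023, 5, 8, 11, 40), "TX-1002"),
    (datetime(2023, 5, 8, 13, 5), "TX-1003"),
    (datetime(2023, 5, 8, 14, 50), "TX-1004"),
]
LAST_BACKUP = datetime(2023, 5, 8, 11, 0)
DISASTER = datetime(2023, 5, 8, 14, 50)
SAMPLE_OBJECTIVES = RecoveryObjectives(rpo=timedelta(hours=4), rto=timedelta(hours=8),
                                       interruption_window=timedelta(hours=6),
                                       disaster_tolerance=timedelta(days=1))

if __name__ == "__main__":
    for key, value in assess(SAMPLE_OBJECTIVES, SAMPLE_TRANSACTIONS, LAST_BACKUP, DISASTER).items():
        print(f"{key}: {value}")
```

The sample objectives deliberately set an RTO longer than the interruption window, so the report shows the kind of inconsistency the IS auditor's test of the plan should catch.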

The IS BCP of the Individual Systems

The most important part of the business continuity plan consists of those of the individual systems.

The table of contents of the systems business continuity plan contains (at least):

- The description of the system
- The members of the emergency team (name, every par.)
- The key users (name, every par.)
- The place(s)! of the systems documentation (at least 2 media)

(continued)


The IS BCP of the Individual Systems

The table of contents for the systems business continuity plan contains (at least) - cont'd

- The databases, their config., and their settings
- The archives
- The typical operations fallbacks
- Manual / alternative operations
- Software & hardware resource requirements
  - minimum, presently available, maximum
- Communications requirements
- Recovery to normal state

COBIT 3, 4 support of IS Audit and IT Security

- 34 IS processes
- 7 IS (evaluation) criteria
- control objectives
- control measures / procedures
- Balanced Scorecard
- Capability Maturity Model tailored to the 34 processes


COBIT 3, 4 support of IS Audit and IT Security

the processes of delivery and support:

- DS1 - Define and Manage Service Levels
- DS2 - Manage Third-party Services
- DS3 - Manage Performance and Capacity
- DS4 - Ensure Continuous Service
- DS5 - Ensure Systems Security
- DS6 - Identify and Allocate Costs
- DS7 - Educate and Train Users
- DS8 - Manage Service Desk and Incidents
- DS9 - Manage the Configuration
- DS10 - Manage Problems
- DS11 - Manage Data
- DS12 - Manage the Physical Environment
- DS13 - Manage Operations

DS4 - Ensure Continuous Service

Control Objectives - source, among others: COBIT 4.1

important: even if this is all about IT - all business-critical human and infrastructural assets should be taken care of

DS4.1 IT Continuity Framework

- Develop a framework for IT continuity to support enterprisewide business continuity management using a consistent process.

The objective of the framework:

- to assist in determining the required resilience of the infrastructure and
- to drive the development of disaster recovery and IT contingency plans

(continued)


DS4 - Ensure Continuous Service

Control Objectives - source, among others: COBIT 4.1

DS4.1 IT Continuity Framework - cont'd

The framework [and the plan] should address:

- the organisational structure for continuity management,
- on internal and external service providers
  - their management
  - and their customers
- these:
  - roles,
  - tasks and
  - responsibilities

(continued)

DS4 - Ensure Continuous Service

Control Objectives - source, among others: COBIT 4.1

DS4.1 IT Continuity Framework

The framework [and the plan] should address: - cont'd

- the planning processes that create
  - the rules and
  - structures
- in order to
  - document,
  - test and
  - execute
  the disaster recovery and IT contingency plans


DS4 - Ensure Continuous Service

Control Objectives - source, among others: COBIT 4.1

DS4.1 IT Continuity Framework

The framework [and the plan] should address: - cont'd

- [based on risk assessment]
  - the identification of critical resources,
  - noting key dependencies,
  - [personal responsibilities]
- the monitoring and
- reporting of the availability of
  - critical resources,
  - alternative processing,
- and [other] principles, [important info on] backup and recovery.

DS4 - Ensure Continuous Service

Control Objectives - source, among others: COBIT 4.1

DS4.2 IT Continuity Plans

- Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on
  - key business functions
  - and processes.

- The plans should be based on risk understanding of potential business impacts -- see the framework, DS 4.1; both the IT BCP and the BCP should be risk assessment-based

(continued)


DS4 - Ensure Continuous Service

Control Objectives - source, among others: COBIT 4.1

DS4.2 IT Continuity Plans - cont'd

- The plan should address requirements for
  - resilience - flexibility!,
  - alternative processing and
  - recovery capability of all critical IT services.

- The plan should contain
  - usage guidelines,
  - roles and responsibilities,
  - procedures,
  - communication processes, and
  - the testing approach - test plan, + procedure!

DS4 - Ensure Continuous Service

Control Objectives - source, among others: COBIT 4.1

DS4.3 Critical IT Resources

- Focus attention on items specified as most critical in the IT continuity plan
  - to build in resilience and
  - establish priorities in recovery situations.

- Avoid the distraction of recovering less-critical items and
- ensure response and recovery in line with prioritised business needs,
- ensure that costs are kept at an acceptable level
- ensure compliance
  - with regulatory and
  - contractual requirements.

- Consider resilience, response and recovery requirements for different tiers, e.g., one to four hours, four to 24 hours, more than 24 hours and critical


DS4 - Ensure Continuous Service

Control Objectives - source, among others: COBIT 4.1

DS4.4 Maintenance of the IT Continuity Plan

- Encourage IT management to define and execute
  - change control procedures to ensure that
  - the IT continuity plan is kept up to date
  - and continually reflects actual business requirements.

- Communicate changes in
  - procedures and
  - responsibilities
  clearly and in a timely manner.

DS4 - Ensure Continuous Service

Control Objectives - source, among others: COBIT 4.1

DS4.5 Testing of the IT Continuity Plan

testing should actually be performed and documented, together with the key business users & IT, and evaluated according to the results; the plan should be updated; either forewarn the employees, or not

- Test the IT continuity plan on a regular basis to ensure that
  - IT systems can be effectively recovered,
  - shortcomings are addressed
  - the plan remains relevant.

(continued)


DS4 - Ensure Continuous Service

Control Objectives - source, among others: COBIT 4.1

DS4.5 Testing of the IT Continuity Plan - cont'd

- A successful test requires
  - careful preparation,
  - documentation,
  - reporting of test results and, according to the results,
- implementation of an action plan

- Consider the extent of testing:
  - recovery of single applications
  - integrated testing scenarios
  - end-to-end testing
  - integrated vendor testing.

DS4 - Ensure Continuous Service

Control Objectives - source, among others: COBIT 4.1

DS4.6 IT Continuity Plan Training

- Provide all concerned parties with regular training sessions regarding the
  - procedures and
  - their roles and
  - responsibilities
  in case of an incident or disaster.

- Verify and enhance training according to the results of the contingency tests.


DS4 - Ensure Continuous Service

Control Objectives - source, among others: COBIT 4.1

DS4.7 Distribution of the IT Continuity Plan

- Determine that a defined and
- managed distribution strategy exists
  to ensure that plans are properly and securely distributed and
- available to appropriately authorised interested parties
  when and where needed.

- Attention should be paid to making the plans accessible under all disaster scenarios.

DS4 - Ensure Continuous Service

Control Objectives - source, among others: COBIT 4.1

DS4.8 IT Services Recovery and Resumption

- Plan the actions to be taken for the period when IT is recovering and resuming services. This may include
  - activation of backup sites,
  - initiation of alternative processing,
  - customer and stakeholder communication, and
  - resumption procedures.

- Ensure that the business understands
  - how to specify for IT the recovery times they require
  - that they have to help IT to buy the necessary technology investments to support business recovery and to provide for resumption needs.

(thoroughly rewritten)


DS4 - Ensure Continuous Service

Control Objectives - source, among others: COBIT 4.1

DS4.9 Offsite Backup Storage

- Store offsite
  - all critical backup media,
  - documentation and
  - other IT resources
  necessary for IT recovery and business continuity plans.

! develop and document processes to use all of these

- business process owners and IT personnel should together determine
  - the content of backup storage
  - and its other parameters

(continued)

DS4 - Ensure Continuous Service

Control Objectives - source, among others: COBIT 4.1

DS4.9 Offsite Backup Storage - cont'd

- Management of the offsite storage facility should comply with the
  - data classification policy and
  - the enterprise’s media storage practices.

- IT management should ensure that offsite arrangements are periodically assessed, at least annually, for
  - content,
  - environmental protection and
  - security.

- Ensure compatibility of hardware and software to restore archived data,
- periodically test and refresh archived data.


DS4 - Ensure Continuous Service

Control Objectives - source, among others: COBIT 4.1

DS4.10 Post-resumption Review

- Determine whether IT management has established procedures for
  - assessing the adequacy of the plan in regard to the successful resumption of the IT function after a disaster, and
  - updating the plan accordingly.

BCP in COBIT 5

quotations from COBIT 5 Transforming Cybersecurity...

- "cybersecurity requires a strategic component that deals with the unexpected and unknown and contains elements of business continuity and IT service continuity"

- "the security strategies and management activities" [in the COBIT 5 books] "address unknown threats and incidents, making reference
  - to concepts of business continuity management (BCM)
  - IT service continuity management (ITSCM)"

References
