BUSINESS CONTINUITY MANAGEMENT (BCM) – AN AUDITOR’S PERSPECTIVE
Ron Pelletier, CISSP, CBCP, CISA, QSA
VP and Executive Manager, Pondurance
Central Indiana ISACA – June 25, 2015
WHY ARE WE HERE?

“Business continuity is not a project with a beginning and ending date, it is a program to be managed indefinitely.”
- Unknown, on Business Continuity Management

Only 31 percent of business continuity management programs have a high level of integration with the organization's strategic planning capabilities.
- KPMG 2013-2014 Global BCM Benchmarking Study
(Down 3% from the 2012-2013 survey!)
AGENDA
• BCM Overview
• General BCM Audit Considerations
• A Simple Audit Methodology
• Trends and Standards
• Questions
A BUSINESS CONTINUITY MANAGEMENT OVERVIEW
COMMON COMPONENTS OF BCM
(general, not all inclusive)
• Business Continuity Planning
• Disaster Recovery Planning
• High Availability
• Risk Management
• Incident Response
• Crisis Management
SIMPLIFIED BCM TERMS
Business Continuity – Planning to sustain business viability (people and processes) through a disruption.
Disaster Recovery – Planning to restore the supporting technology and data.
Crisis Management – Preserving life safety and the organization’s reputation during the event.
Business Impact Analysis (BIA) – Establishes the organization’s critical path: which processes matter most, and how soon they must be back.
Recovery Time Objective (RTO) – When do the systems/processes need to be restored? It must fit inside the MTD.
Recovery Point Objective (RPO) – How much data can you stand to lose? It sets the maximum age of the last usable copy.
Maximum Tolerable Downtime (MTD) – How long can a process be down before the loss becomes unacceptable?
Risk Tolerance – The level of loss management has agreed to accept; it ties risk management and BCM together and drives the RTO negotiation.
High Availability – When downtime of systems/data is not an option.
Minimum Operating Requirements – What do you need, and when, to get by until full recovery.
TRADITIONAL THINKING ON BCM
Disaster Recovery vs. Business Continuity
[Diagram: Disaster Recovery covers the tech/data restore (the DRPs); Business Continuity covers the people, the business processes and the process continuity that sit on top of it.]
THE INTEGRATED PERSPECTIVE
[Diagram]
The Risk Analysis Phase: Current State Assessment, Threat and Risk Assessment, Business Impact Analysis
→ Defined Tolerance for Risk
→ Business Continuity Planning (BCP): BCP Strategies, BCP Documentation
→ Disaster Recovery Planning (DRP): DRP Strategies, DRP Documentation
→ Program Exercising, Change Management, Maintenance (ongoing)
CRISIS MANAGEMENT
• Owns Initial and Ongoing Response
• Allocates Emergency Resources
• MAKES DECISIONS AS REQUIRED
• Functions as Steering Committee
UNDERSTANDING RISK TOLERANCE
[Diagram]
Business Unit Personnel → Business Impact Analysis → Maximum Tolerable Downtimes (MTDs)
Information Technology Group → Current State Assessment → Current Recovery Capabilities (CRCs)
Management Negotiation, Based on Risk Tolerance → Recovery Time Objectives (RTOs)
Example: is Application ‘X’ needed back in 24 hours or in 72 hours? The difference is negotiated in terms of $ and operational impacts, including how long manual processing can bridge the gap.
GENERAL BCM AUDIT CONSIDERATIONS
THE POLICY IS YOUR FIRST CLUE…TO WHETHER THE COMPANY HAS A CLUE
• Many auditors go right for the plan, forgetting that a policy might provide useful information, if a policy exists
• The policy may provide you with references to other BCM documents, team members, crisis plans, etc.
• The policy may also provide objectives for the plan, scope or rationale for strategy (e.g., High Availability), etc.
• …Then again, the policy may indicate a large disconnect between management and those tasked with developing and/or executing the plan
Be sure to look for cobwebs! (Check the policy’s approval and last-review dates.)
THE BIGGER THE PLAN…THE BIGGER THE BINDER
• Regulatory frameworks generally do not provide requirements beyond the creation and sustainment of a plan
• The size and thickness of a documented plan DOES NOT reflect its effectiveness
• Large plans can easily be over-engineered and may be discarded in a disaster situation
• The plans should identify roles, responsibilities and immediate action steps (i.e., the critical path)
• The plans should exist or be accessible outside of the physical or logical confines of the facility or domain (a copy that lives only on the file server it is meant to recover is no copy at all)
If the plan requires a dolly to lug around, it might need some reengineering
THE LACK OF A BIA…CAN RENDER YOUR PLAN KIA
• A plan that is not predicated on some level of precision analysis is not a plan but a guess
• An effective BIA does NOT require a long, drawn-out process that can take months
• According to KPMG’s BCM Survey, 38% of respondents do not know the financial impact of a five-day disruption or outage
• Be wary of sole reliance on survey results…business unit managers may inflate their criticality to align with their MBOs
• The end state of a BIA should draw attention to management’s risk tolerance and critical path
When the plates start to fall, knowing which to catch and which to drop will determine success or failure
AVOID RISK…BECAUSE RISK WILL NOT AVOID YOU
• PREPARE TO AVOID BUT PLAN TO RESPOND!!
• Human, technical, operational and strategic threats MUST be considered to formulate a viable avoidance and/or response posture
• Look for single points of failure that might not have been considered
• Do not discard “Black Swan” events, but don’t put all your focus on them (pandemic flu? Not many actually going in to work)
• According to KPMG’s BCM Survey, only 41% of companies integrate BCM with cyber security
• Be sure to account for environmental and physical controls as part of the organization’s risk management plan, too (see the “spaghetti” picture)
Uh…would you like some sauce to go with that spaghetti?
DATA BACKUPS…OFTEN FULL OF HICCUPS
• Ensure the backup scheme complements the Recovery Time and Recovery Point Objectives (RTOs & RPOs): the interval between copies is the floor on the achievable RPO
• Tapes are fine, but often they are either not removed from the site or are taken offsite only once per week; with a weekly rotation, the newest copy that survives a site loss can be a week or more old
• If the backups (tape or disk) are not tested periodically to verify full restoration, the capability to restore is questionable
• It is entirely possible that a replication or high availability strategy encompasses too much and does not justify its expense; size it to the BIA, not to what the technology can do
Tapes kept onsite? Soooo…what happens if the data center burns down?
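The two checks the preceding slides describe, the MTD/CRC/RTO negotiation on the risk tolerance slide and the backup scheme versus the RPO on this one, can be run mechanically over an application inventory instead of eyeballed. The Python below is an added example written for this page, not code from the presentation or from Pondurance. The application names, hours and dates are constructed; the one-year restore-test threshold and the "backup interval plus off-site rotation" model of worst-case data loss after a site loss are assumptions.

```python
"""Recovery-objective gap analysis for a BCM audit (added example).

Constructed data: the applications, hours and dates below are made up.
Two checks from the deck are automated:
  1. the negotiated RTO must sit inside the business's MTD and inside
     IT's current recovery capability (risk tolerance slide);
  2. the backup scheme must actually deliver the RPO, including after a
     site loss, and restores must have been proven (backups slide).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumption: a full restoration must have been verified within the last year.
RESTORE_TEST_MAX_AGE = timedelta(days=365)
AS_OF = date(2015, 6, 25)  # assessment date used for the sample run


@dataclass(frozen=True)
class RecoveryProfile:
    app: str
    mtd_hours: float               # Maximum Tolerable Downtime (business units, via the BIA)
    rto_hours: float               # Recovery Time Objective (management negotiation)
    rpo_hours: float               # Recovery Point Objective (acceptable data loss)
    crc_hours: float               # Current Recovery Capability (IT current-state assessment)
    backup_interval_hours: float   # how often a restorable copy is taken
    offsite_rotation_hours: float  # how often copies leave the site; 0 = continuous replication
    last_restore_test: Optional[date]  # last verified full restoration; None = never


def worst_case_data_loss_hours(p: RecoveryProfile, site_lost: bool) -> float:
    """Age of the newest usable copy at the moment of failure.

    Local failure: the newest copy is at most one backup interval old.
    Site loss: only off-site copies survive, and the newest of those may
    have been taken a full interval before the last rotation left the
    building, so the rotation period is added (assumed, conservative model).
    """
    loss = p.backup_interval_hours
    if site_lost:
        loss += p.offsite_rotation_hours
    return loss


def audit_profile(p: RecoveryProfile, as_of: date) -> List[str]:
    """Audit findings for one application; an empty list means no exceptions."""
    findings: List[str] = []

    # An RTO longer than the MTD is a documented plan to fail.
    if p.rto_hours > p.mtd_hours:
        findings.append(f"RTO {p.rto_hours:g}h exceeds MTD {p.mtd_hours:g}h")

    # Capability gap: what IT can do today versus what management negotiated.
    if p.crc_hours > p.rto_hours:
        findings.append(f"current capability {p.crc_hours:g}h exceeds RTO {p.rto_hours:g}h")

    # RPO versus the backup scheme, for a local failure and for losing the site.
    for scenario, site_lost in (("local failure", False), ("site loss", True)):
        loss = worst_case_data_loss_hours(p, site_lost)
        if loss > p.rpo_hours:
            findings.append(f"{scenario}: worst-case data loss {loss:g}h exceeds RPO {p.rpo_hours:g}h")

    # An untested backup is an assumption, not a capability.
    if p.last_restore_test is None:
        findings.append("full restoration never tested")
    elif as_of - p.last_restore_test > RESTORE_TEST_MAX_AGE:
        findings.append(f"last restore test {p.last_restore_test.isoformat()} is older than one year")

    return findings


def audit(profiles: List[RecoveryProfile], as_of: date) -> Dict[str, List[str]]:
    """Run audit_profile over an inventory, keyed by application name."""
    return {p.app: audit_profile(p, as_of) for p in profiles}


# Constructed sample inventory (not real client data).
SAMPLE = [
    # Nightly tape, weekly off-site rotation, restore last proven over a year ago.
    RecoveryProfile("Order Entry", mtd_hours=24, rto_hours=24, rpo_hours=4, crc_hours=72,
                    backup_interval_hours=24, offsite_rotation_hours=168,
                    last_restore_test=date(2014, 3, 10)),
    # Nightly copy replicated off site immediately, restore tested this quarter.
    RecoveryProfile("Payroll", mtd_hours=120, rto_hours=48, rpo_hours=24, crc_hours=24,
                    backup_interval_hours=24, offsite_rotation_hours=0,
                    last_restore_test=date(2015, 5, 1)),
    # Weekly backup, RTO negotiated longer than the MTD, restore never tested.
    RecoveryProfile("Intranet Wiki", mtd_hours=72, rto_hours=96, rpo_hours=168, crc_hours=48,
                    backup_interval_hours=168, offsite_rotation_hours=168,
                    last_restore_test=None),
]

if __name__ == "__main__":
    for app, findings in audit(SAMPLE, AS_OF).items():
        print(f"{app}:")
        for f in findings or ["no exceptions"]:
            print(f"  - {f}")
```

Running it over the constructed inventory flags "Order Entry" four times (IT's 72-hour capability against a 24-hour RTO, a 24-hour nightly cycle against a 4-hour RPO, an 8-day worst case after a site loss, and a stale restore test) and leaves "Payroll" clean; the intranet wiki is the case the slide warns about, where the objective itself was negotiated past the MTD. Replace the SAMPLE list with the real BIA and current-state outputs and the findings become the audit workpaper.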
DRP STRATEGIES…MAY NOT ALIGN WITH BCP STRATEGIES
• Some organizations will stop their planning efforts once restoration of applications, infrastructure and data is complete
• …But forget to consider where ALLLL those business people are going to go work in order to access it!
• Don’t blindly accept the “work at home” strategy…if the infrastructure (remote access capacity, licensing, help desk) cannot support multiple remote users, it ain’t happening
• The strategies should consider the dependencies on vendors for technologies, special equipment, etc.
The DR Hot Site! The BCP Not Site!
IF THE PLANS ARE NOT TESTED…WELL, YOU KNOW WHERE I’M GOING
• 84% of KPMG’s 2011-2012 BCM Survey respondents tested their plans within the last year – GREAT!
• …But be sure to note that genuine testing took place! Simply opening the binder is not an effective test
• Tests should range in complexity (e.g., table-top, partial exercises, full-scale exercises, etc.)
• Participants should vary as well; include IT, business units, crisis or incident teams, etc.
• The tests should be planned in advance (surprise tests are okay too), and should end with an after-action review to facilitate improvement
Failure is OKAY during a test…not so okay when the chairman of the board calls you at 3 a.m.
DURING AN EMERGENCY…THE AVERAGE IQ GOES TO “0”
• Be sure the plan considers an immediate response to a given situation
• Crisis Management and Incident Response Teams are a crucial component of BCM; they make decisions and allocate resources
• If management is not integrated in the plan, they will NEVER follow the plan…but that won’t stop them from making one up as they go!
• Again…if the Crisis Management and Incident Response Teams are not tested…
Crisis Management may be the missing link to most plans
A SIMPLE AUDIT METHODOLOGY
6 DOMAINS TO CONSIDER FOR AUDIT
1. Program Management – Assess the entity controls that integrate, manage, and sustain a viable BCM program throughout the enterprise
• Program Definition – Establish that the program is formally developed and integrated
• Support and Accountability – Establish that the program is supported at the highest level of the organization
• Budget Planning and Program Evaluation – Establish that the organization is committed to sustaining program viability
2. Requirements Definition – The organization has defined its recovery, restoration, and high availability requirements related to business processes, applications, infrastructure and data
• Risk Analysis and Treatment – Establish that the organization has analyzed its risk posture and reasonably reduced risk
• The BIA Methodology – Establish that the organization maintains a formal method to define impacts and prioritize criticality
• Data Flows and Dependencies – Establish that dependencies (internal/external) are documented
• Analysis and Reporting – Establish that BIA results are aggregated, prioritized, and approved
3. Strategy Selection – Assess the organization’s method for developing continuity and availability strategies within its maximum tolerable downtime
• Staff and Support Requirements – Establish that strategies are developed based on defined requirements
• Course of Action Analysis – Establish that the cost to maintain strategies is in line with risk tolerance
• Monitor, Evaluate for Change – Establish that strategies are periodically evaluated for change
4. Plan Development – Assess the sufficiency, completeness, applicability, and implementation of the organization’s documented BCP/DRP plans
• Plan Components & Framework – Establish that plans are documented and align with requirements
• Supporting, Storing Plans – Establish that plans are accessible and assigned to process owners
• Plan Updates – Establish that plans change as processes, technologies and people change
5. Vendor Management – Assess the organization’s method for vendor selection and oversight relevant to the BCM program
• Vendor Contracting – Establish that vendors are screened and will meet contractual requirements
• Critical Vendor Dependencies – Establish that critical dependencies are known and accounted for
• Vendor Integration, Testing – Establish that vendors occasionally participate in tests/exercises
6. Implementation, Maintenance – Assess the organization’s capability to test and maintain the viability of its BCM program
• Testing and Validation – Establish that plans are valid through scheduled, ongoing testing
• Change Management – Establish that changes required to BCM are formalized
• Workforce Awareness – Establish that workforce members are aware of the BCM program
CONSIDER A MATURITY MODEL APPROACH
Sample scorecard – QUANTIFIED BCM FINDINGS (# of findings per maturity level)
As of: SEPTEMBER 2012   Client: CLIENT NAME   Affiliate: SUB ORGANIZATION

Ref   Domain / Sub-domain                         Maturity  Not        Minimally  Emerging  Managed
                                                  Rating    Addressed  Addressed
1     PROGRAM MANAGEMENT                          41%       0          0          5         7
1.1   Program Definition                          25%       0          0          1         2
1.2   Support and Accountability                  45%       0          0          2         3
1.3   Budget Planning and Program Evaluation      54%       0          0          2         2
2     REQUIREMENTS DEFINITION                     46%       0          2          10        4
2.1   Risk Analysis and Treatment                 25%       0          1          3         0
2.2   The BIA Methodology                         59%       0          0          0         4
2.3   Data Flows and Dependencies                 25%       0          1          3         0
2.4   Analysis and Reporting                      75%       0          0          4         0
3     STRATEGY SELECTION                          61%       0          1          6         4
3.1   Staff and Support Requirements              56%       0          0          3         3
3.2   Course of Action Analysis                   47%       0          1          2         0
3.3   Monitor and Evaluate for Change             80%       0          0          1         1
4     PLAN DEVELOPMENT                            38%       0          0          6         5
4.1   Plan Components and Framework               50%       0          0          4         2
4.2   Supporting and Storing the Plans            40%       0          0          0         2
4.3   Plan Updates                                25%       0          0          2         1
5     VENDOR MANAGEMENT                           30%       0          4          2         3
5.1   Vendor Contracting                          25%       0          0          1         2
5.2   Critical Vendor Dependencies                40%       0          3          0         1
5.3   Vendor Integration and Testing              25%       0          1          1         0
6     PLAN IMPLEMENTATION & MAINTENANCE           67%       0          0          4         7
6.1   Testing and Validation                      75%       0          0          1         3
6.2   Change Management                           50%       0          0          3         0
6.3   Workforce Awareness                         75%       0          0          0         4
      Enterprise BCM Principles (all domains)     47%       0          7          33        30

Scoring: each sub-domain carries an auditor-assigned maturity rating; the domain and overall ratings are the unweighted mean of their sub-domain ratings, and the finding counts are summed.
• Facilitates Scalable Program
• Isolates Highest Risk Areas
• Accounts for areas to sustain
• Incorporates All Findings from the Audit
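An added example, not from the presentation or from Pondurance, of the roll-up behind the sample scorecard above, in Python. The sub-domain ratings and finding counts are the ones on the slide, and the roll-up reproduces its domain and overall rows. The deck does not show how a sub-domain rating is assigned, so it is taken as an input here; the rule used to rank the weakest areas (lowest rating first, then the most findings below "Emerging", then the most findings overall) is an assumption.

```python
"""BCM maturity scorecard roll-up (added example).

Figures are those on the slide's sample scorecard; the ranking rule in
weakest() is an assumption, not something the deck specifies.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple

LEVELS = ("Not Addressed", "Minimally Addressed", "Emerging", "Managed")


@dataclass(frozen=True)
class SubDomain:
    ref: str
    name: str
    rating: int                          # auditor-assigned maturity rating, percent
    findings: Tuple[int, int, int, int]  # number of findings at each level in LEVELS


# Sub-domain rows from the sample scorecard (client identity is redacted on the slide).
SCORECARD: Dict[str, List[SubDomain]] = {
    "Program Management": [
        SubDomain("1.1", "Program Definition", 25, (0, 0, 1, 2)),
        SubDomain("1.2", "Support and Accountability", 45, (0, 0, 2, 3)),
        SubDomain("1.3", "Budget Planning and Program Evaluation", 54, (0, 0, 2, 2)),
    ],
    "Requirements Definition": [
        SubDomain("2.1", "Risk Analysis and Treatment", 25, (0, 1, 3, 0)),
        SubDomain("2.2", "The BIA Methodology", 59, (0, 0, 0, 4)),
        SubDomain("2.3", "Data Flows and Dependencies", 25, (0, 1, 3, 0)),
        SubDomain("2.4", "Analysis and Reporting", 75, (0, 0, 4, 0)),
    ],
    "Strategy Selection": [
        SubDomain("3.1", "Staff and Support Requirements", 56, (0, 0, 3, 3)),
        SubDomain("3.2", "Course of Action Analysis", 47, (0, 1, 2, 0)),
        SubDomain("3.3", "Monitor and Evaluate for Change", 80, (0, 0, 1, 1)),
    ],
    "Plan Development": [
        SubDomain("4.1", "Plan Components and Framework", 50, (0, 0, 4, 2)),
        SubDomain("4.2", "Supporting and Storing the Plans", 40, (0, 0, 0, 2)),
        SubDomain("4.3", "Plan Updates", 25, (0, 0, 2, 1)),
    ],
    "Vendor Management": [
        SubDomain("5.1", "Vendor Contracting", 25, (0, 0, 1, 2)),
        SubDomain("5.2", "Critical Vendor Dependencies", 40, (0, 3, 0, 1)),
        SubDomain("5.3", "Vendor Integration and Testing", 25, (0, 1, 1, 0)),
    ],
    "Plan Implementation & Maintenance": [
        SubDomain("6.1", "Testing and Validation", 75, (0, 0, 1, 3)),
        SubDomain("6.2", "Change Management", 50, (0, 0, 3, 0)),
        SubDomain("6.3", "Workforce Awareness", 75, (0, 0, 0, 4)),
    ],
}


def sum_findings(subs: List[SubDomain]) -> Tuple[int, ...]:
    """Findings per maturity level, summed over the given sub-domains."""
    return tuple(sum(s.findings[i] for s in subs) for i in range(len(LEVELS)))


def roll_up(scorecard: Dict[str, List[SubDomain]] = SCORECARD) -> Dict[str, Tuple[int, Tuple[int, ...]]]:
    """Domain rows plus an 'Overall' row: (rounded mean rating, findings per level)."""
    rows = {}
    for domain, subs in scorecard.items():
        rows[domain] = (round(mean(s.rating for s in subs)), sum_findings(subs))
    everything = [s for subs in scorecard.values() for s in subs]
    rows["Overall"] = (round(mean(s.rating for s in everything)), sum_findings(everything))
    return rows


def weakest(n: int = 3, scorecard: Dict[str, List[SubDomain]] = SCORECARD) -> List[SubDomain]:
    """Sub-domains to remediate first. Ordering rule (an assumption): lowest
    rating, then the most findings below 'Emerging', then the most findings."""
    everything = [s for subs in scorecard.values() for s in subs]

    def key(s: SubDomain):
        below_emerging = s.findings[0] + s.findings[1]
        return (s.rating, -below_emerging, -sum(s.findings), s.ref)

    return sorted(everything, key=key)[:n]


if __name__ == "__main__":
    for name, (rating, counts) in roll_up().items():
        print(f"{name:36s} {rating:3d}%  {counts}")
    print("remediate first:", [f"{s.ref} {s.name}" for s in weakest()])
```

With the slide's figures the overall row comes out at 47% with 0/7/33/30 findings, matching the scorecard, and the first three areas to remediate are 2.1 Risk Analysis and Treatment, 2.3 Data Flows and Dependencies and 5.3 Vendor Integration and Testing, the 25% sub-domains whose findings sit at the "Minimally Addressed" level. Weighting sub-domains, or treating "Not Addressed" findings as automatic failures, is a one-line change to key().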
TRENDS & STANDARDS
EMERGING TRENDS IN BCM
• Virtualization helps reduce the number of overall IT assets and improves system uptime…but beware of single points of failure (one host, storage array or hypervisor cluster now carries many workloads)!
• Cloud computing provides a viable outsourcing option for production technologies…but be sure your cloud vendor is capable of meeting your RTOs and RPOs, and that this is written into the contract!
• Mobile devices provide a means of portability for documented plans, communications, and rapid response…but be sure the phones are secured, and encrypt if possible!
• Social networking provides an effective way to broadcast incidents, particularly for crisis management…but be sure that the messages are controlled (who may post, from which accounts)!
CURRENT AND EMERGING STANDARDS
• Business Continuity Institute – Good Practice Guidelines (2010 edition; a 2013 edition has since been issued)
• BS 25999 Business Continuity – BSI’s code of practice (Part 1) and specification (Part 2); superseded by ISO 22301 and withdrawn by BSI in 2012
• Disaster Recovery Institute (DRI) – Professional Practices for BCM
• ISO 22301:2012 – One of the newest; a management-system standard with the same high-level structure as ISO/IEC 27001:2013, so it integrates with the ISO 27k set of standards
Ron Pelletier, CISSP, CBCP, CISA, QSA
VP and Executive Manager
QUESTIONS
ron.pelletier@pondurance.com
www.pondurance.com
Pondurance
3105 East 98th Street
Suite 120
Indianapolis, IN 46280

More Related Content

Similar to Auditing BCM Pondurance ISACA Presentation

3 secrets of successful strategy execution
3 secrets of successful strategy execution 3 secrets of successful strategy execution
3 secrets of successful strategy execution Grant Crow
 
Building Organizational Resilience Presentation - ISSA Special Interest Group...
Building Organizational Resilience Presentation - ISSA Special Interest Group...Building Organizational Resilience Presentation - ISSA Special Interest Group...
Building Organizational Resilience Presentation - ISSA Special Interest Group...Bryghtpath LLC
 
The secret of a successful Crisis Management & Continuity Plan
The secret of a successful Crisis Management & Continuity PlanThe secret of a successful Crisis Management & Continuity Plan
The secret of a successful Crisis Management & Continuity PlanPECB
 
Policy management
Policy management Policy management
Policy management kjanand
 
Business continuity presentation
Business continuity presentationBusiness continuity presentation
Business continuity presentationSteveKutzer
 
The Disciplined Management Process
The Disciplined Management ProcessThe Disciplined Management Process
The Disciplined Management Processvcfo
 
How to integrate BCMS with Organization's culture?
How to integrate BCMS with Organization's culture?How to integrate BCMS with Organization's culture?
How to integrate BCMS with Organization's culture?Abdul Naseer
 
PECB Webinar: Continuous improvement and project measurements when implementi...
PECB Webinar: Continuous improvement and project measurements when implementi...PECB Webinar: Continuous improvement and project measurements when implementi...
PECB Webinar: Continuous improvement and project measurements when implementi...PECB
 
Best Practices in Financial Planning and Analysis | 2013 Business Analytics S...
Best Practices in Financial Planning and Analysis | 2013 Business Analytics S...Best Practices in Financial Planning and Analysis | 2013 Business Analytics S...
Best Practices in Financial Planning and Analysis | 2013 Business Analytics S...Cartegraph
 
BCM Institute MTE Jeremy Wong - Business Continuty Management Benchmarking i...
BCM Institute MTE  Jeremy Wong - Business Continuty Management Benchmarking i...BCM Institute MTE  Jeremy Wong - Business Continuty Management Benchmarking i...
BCM Institute MTE Jeremy Wong - Business Continuty Management Benchmarking i...BCM Institute
 
Top Ten Reasons For Project Failure - PMP Webinar
Top Ten Reasons For Project Failure - PMP WebinarTop Ten Reasons For Project Failure - PMP Webinar
Top Ten Reasons For Project Failure - PMP WebinarWhizlabs
 
WorldAtWorkConfernce_USBank_OS FINAL (no notes)
WorldAtWorkConfernce_USBank_OS FINAL (no notes)WorldAtWorkConfernce_USBank_OS FINAL (no notes)
WorldAtWorkConfernce_USBank_OS FINAL (no notes)Laura Roach
 
Business Continuity Management
Business Continuity ManagementBusiness Continuity Management
Business Continuity ManagementECC International
 
Simplifying Financial Performance Management
Simplifying Financial Performance ManagementSimplifying Financial Performance Management
Simplifying Financial Performance ManagementCFO Group
 
What’s & Why’s of Business Continuity Planning (BCP)
What’s & Why’s of Business Continuity Planning (BCP) What’s & Why’s of Business Continuity Planning (BCP)
What’s & Why’s of Business Continuity Planning (BCP) CBIZ, Inc.
 
CMMI ML5: How to Fail? High Maturity Pitfalls and Misconceptions - José Gonça...
CMMI ML5: How to Fail? High Maturity Pitfalls and Misconceptions - José Gonça...CMMI ML5: How to Fail? High Maturity Pitfalls and Misconceptions - José Gonça...
CMMI ML5: How to Fail? High Maturity Pitfalls and Misconceptions - José Gonça...Paula Gomes
 

Similar to Auditing BCM Pondurance ISACA Presentation (20)

3 secrets of successful strategy execution
3 secrets of successful strategy execution 3 secrets of successful strategy execution
3 secrets of successful strategy execution
 
Building Organizational Resilience Presentation - ISSA Special Interest Group...
Building Organizational Resilience Presentation - ISSA Special Interest Group...Building Organizational Resilience Presentation - ISSA Special Interest Group...
Building Organizational Resilience Presentation - ISSA Special Interest Group...
 
Planning management process
Planning   management processPlanning   management process
Planning management process
 
The secret of a successful Crisis Management & Continuity Plan
The secret of a successful Crisis Management & Continuity PlanThe secret of a successful Crisis Management & Continuity Plan
The secret of a successful Crisis Management & Continuity Plan
 
Policy management
Policy management Policy management
Policy management
 
Business continuity presentation
Business continuity presentationBusiness continuity presentation
Business continuity presentation
 
110430 bcm presentation v0.1 mj
110430 bcm presentation v0.1 mj110430 bcm presentation v0.1 mj
110430 bcm presentation v0.1 mj
 
The Disciplined Management Process
The Disciplined Management ProcessThe Disciplined Management Process
The Disciplined Management Process
 
How to integrate BCMS with Organization's culture?
How to integrate BCMS with Organization's culture?How to integrate BCMS with Organization's culture?
How to integrate BCMS with Organization's culture?
 
PECB Webinar: Continuous improvement and project measurements when implementi...
PECB Webinar: Continuous improvement and project measurements when implementi...PECB Webinar: Continuous improvement and project measurements when implementi...
PECB Webinar: Continuous improvement and project measurements when implementi...
 
Best Practices in Financial Planning and Analysis | 2013 Business Analytics S...
Best Practices in Financial Planning and Analysis | 2013 Business Analytics S...Best Practices in Financial Planning and Analysis | 2013 Business Analytics S...
Best Practices in Financial Planning and Analysis | 2013 Business Analytics S...
 
Balance scorecard
Balance scorecardBalance scorecard
Balance scorecard
 
BCM Institute MTE Jeremy Wong - Business Continuty Management Benchmarking i...
BCM Institute MTE  Jeremy Wong - Business Continuty Management Benchmarking i...BCM Institute MTE  Jeremy Wong - Business Continuty Management Benchmarking i...
BCM Institute MTE Jeremy Wong - Business Continuty Management Benchmarking i...
 
Business Continuity Management
Business Continuity ManagementBusiness Continuity Management
Business Continuity Management
 
Top Ten Reasons For Project Failure - PMP Webinar
Top Ten Reasons For Project Failure - PMP WebinarTop Ten Reasons For Project Failure - PMP Webinar
Top Ten Reasons For Project Failure - PMP Webinar
 
WorldAtWorkConfernce_USBank_OS FINAL (no notes)
WorldAtWorkConfernce_USBank_OS FINAL (no notes)WorldAtWorkConfernce_USBank_OS FINAL (no notes)
WorldAtWorkConfernce_USBank_OS FINAL (no notes)
 
Business Continuity Management
Business Continuity ManagementBusiness Continuity Management
Business Continuity Management
 
Simplifying Financial Performance Management
Simplifying Financial Performance ManagementSimplifying Financial Performance Management
Simplifying Financial Performance Management
 
What’s & Why’s of Business Continuity Planning (BCP)
What’s & Why’s of Business Continuity Planning (BCP) What’s & Why’s of Business Continuity Planning (BCP)
What’s & Why’s of Business Continuity Planning (BCP)
 
CMMI ML5: How to Fail? High Maturity Pitfalls and Misconceptions - José Gonça...
CMMI ML5: How to Fail? High Maturity Pitfalls and Misconceptions - José Gonça...CMMI ML5: How to Fail? High Maturity Pitfalls and Misconceptions - José Gonça...
CMMI ML5: How to Fail? High Maturity Pitfalls and Misconceptions - José Gonça...
 

Recently uploaded

Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptxContemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptxMarkAnthonyAurellano
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCRashishs7044
 
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / NcrCall Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncrdollysharma2066
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfrichard876048
 
Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Anamaria Contreras
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfpollardmorgan
 
PSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationPSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationAnamaria Contreras
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessSeta Wicaksana
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMintel Group
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...ssuserf63bd7
 
Future Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionFuture Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionMintel Group
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyotictsugar
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfRbc Rbcua
 
8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCRashishs7044
 
Islamabad Escorts | Call 03070433345 | Escort Service in Islamabad
Islamabad Escorts | Call 03070433345 | Escort Service in IslamabadIslamabad Escorts | Call 03070433345 | Escort Service in Islamabad
Islamabad Escorts | Call 03070433345 | Escort Service in IslamabadAyesha Khan
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Seta Wicaksana
 
Marketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent ChirchirMarketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent Chirchirictsugar
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMVoces Mineras
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy Verified Accounts
 

Recently uploaded (20)

Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptxContemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR
 
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / NcrCall Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdf
 
Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.
 
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCREnjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
 
PSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationPSCC - Capability Statement Presentation
PSCC - Capability Statement Presentation
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful Business
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 Edition
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...
 
Future Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionFuture Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted Version
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyot
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdf
 
8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR
 
Islamabad Escorts | Call 03070433345 | Escort Service in Islamabad
Islamabad Escorts | Call 03070433345 | Escort Service in IslamabadIslamabad Escorts | Call 03070433345 | Escort Service in Islamabad
Islamabad Escorts | Call 03070433345 | Escort Service in Islamabad
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...
 
Marketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent ChirchirMarketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent Chirchir
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQM
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail Accounts
 

Auditing BCM Pondurance ISACA Presentation

6. SIMPLIFIED BCM TERMS
Business Continuity – Planning to sustain business viability.
Disaster Recovery – Planning to sustain supporting technology & data.
Crisis Management – Preserving life safety and business image.
Business Impact Analysis – Establish the organization’s critical path.
Recovery Time Objective – When do the systems/processes need to be restored?
Recovery Point Objective – How much data can you stand to lose?
Maximum Tolerable Downtime – What is the point of unacceptable risk?
Risk Tolerance – Collective picture of risk management and BCM.
High Availability – When downtime of systems/data is not an option.
Minimum Operating Requirements – What do you need, and when, to get by?
7. TRADITIONAL THINKING ON BCM
(Diagram: Disaster Recovery vs. Business Continuity. Disaster Recovery (DRP) covers tech/data restore; Business Continuity covers people, business processes and process continuity.)
8. THE INTEGRATED PERSPECTIVE
(Diagram) Defined Tolerance for Risk
The Risk Analysis Phase: Current State Assessment; Threat and Risk Assessment; Business Impact Analysis
(BCP) Business Continuity Planning – BCP Strategies, BCP Documentation
(DRP) Disaster Recovery Planning – DRP Strategies, DRP Documentation
Program Exercising, Change Management, Maintenance
CRISIS MANAGEMENT
• Owns Initial and Ongoing Response
• Allocates Emergency Resources
• MAKES DECISIONS AS REQUIRED
• Functions as Steering Committee
9. UNDERSTANDING RISK TOLERANCE
(Diagram)
Business Unit Personnel → Business Impact Analysis → Maximum Tolerable Downtimes (MTDs)
Information Technology Group → Current State Assessment → Current Recovery Capabilities (CRCs)
Management Negotiation Based on Risk Tolerance → Recovery Time Objectives (RTOs)
$ and Operational Impacts: Manual Processing → Application ‘X’ in 72 Hours → Application ‘X’ in 24 Hours
10. GENERAL BCM AUDIT CONSIDERATIONS
11. THE POLICY IS YOUR FIRST CLUE…TO WHETHER THE COMPANY HAS A CLUE
• Many auditors go right for the plan, forgetting that a policy might provide useful information, if a policy exists
• The policy may provide you with references to other BCM documents, team members, crisis plans, etc.
• The policy may also provide objectives for the plan, scope or rationale for strategy (e.g., High Availability), etc.
• …Then again, the policy may indicate a large disconnect between management and those tasked with developing and/or executing the plan
Be sure to look for cobwebs!
12. THE BIGGER THE PLAN…THE BIGGER THE BINDER
• Regulatory frameworks generally do not provide requirements beyond creation and sustainment of a plan
• The size and thickness of a documented plan DOES NOT reflect its effectiveness
• Large plans can easily be over-engineered and may be discarded in a disaster situation
• The plans should identify roles, responsibilities and immediate action steps (i.e., the critical path)
• The plans should exist or be accessible outside of the physical or logical confines of the facility or domain
If the plan requires a dolly to lug around, it might need some reengineering
13. THE LACK OF A BIA…CAN RENDER YOUR PLAN KIA
• A plan that is not predicated on some level of precision analysis is not a plan but a guess
• An effective BIA does NOT require a long, drawn-out process that can take months
• According to KPMG’s BCM Survey, 38% of respondents do not know the financial impact of a five-day disruption or outage
• Be wary of sole reliance on survey results…business unit managers may inflate their criticality to align with their MBOs
• The end state of a BIA should draw attention to management’s risk tolerance and critical path
When the plates start to fall, knowing which to catch and which to drop will determine success or failure
14. AVOID RISK…BECAUSE RISK WILL NOT AVOID YOU
• PREPARE TO AVOID BUT PLAN TO RESPOND!!
• Human, technical, operational and strategic threats MUST be considered to formulate a viable avoidance and/or response posture
• Look for single points of failure that might not have been considered
• Do not discard “Black Swan” events, but don’t put all your focus on them (pandemic flu? Not many actually going in to work)
• According to KPMG’s BCM Survey, only 41% of companies integrate BCM with cyber security
• Be sure to account for environmental and physical controls as part of the organization’s risk management plan, too (see spaghetti)
Uh…would you like some sauce to go with that spaghetti?
15. DATA BACKUPS…OFTEN FULL OF HICCUPS
• Ensure the backup scheme complements the Recovery Time and Recovery Point Objectives (RTOs & RPOs)
• Tapes are fine, but often they are either not removed from the site or are taken offsite only 1x per week
• If the backups (tape or disk) are not tested periodically to verify full restoration, the capability to restore is questionable
• It is entirely possible that a replication or high availability strategy encompasses too much and does not justify its expense
Tapes kept onsite? Soooo…what happens if the data center burns down?
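Slides 9 and 15 describe reconciling the business unit's MTD, the negotiated RTO/RPO and IT's current recovery capability against the backup scheme actually in place. The following check is an added example, not part of Pondurance's presentation; the application, backup intervals and finding codes are constructed for illustration, and the site-loss RPO bound is a conservative assumption.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class AppRequirements:
    name: str
    mtd_hours: float   # Maximum Tolerable Downtime: the business unit's point of unacceptable risk
    rto_hours: float   # Recovery Time Objective negotiated between the business and IT
    rpo_hours: float   # Recovery Point Objective: how much data the business can stand to lose

@dataclass
class BackupScheme:
    backup_interval_hours: float             # how often a restorable copy is taken
    offsite_interval_hours: Optional[float]  # how often copies leave the site; None = kept onsite only
    crc_hours: float                         # Current Recovery Capability as measured by IT
    restore_tested: bool                     # full restoration verified within the review period

def achievable_rpo(scheme: BackupScheme, site_loss: bool) -> float:
    """Worst-case data loss the scheme can deliver; for a site loss (the data
    center burns down) only copies that left the site count, so tapes kept
    onsite give an unbounded RPO."""
    if not site_loss:
        return scheme.backup_interval_hours
    if scheme.offsite_interval_hours is None:
        return float("inf")
    # Conservative bound (assumption): the newest offsite copy may be a full shipping
    # cycle old and was itself up to one backup interval stale when it was shipped.
    return scheme.backup_interval_hours + scheme.offsite_interval_hours

def audit_backup_alignment(app: AppRequirements, scheme: BackupScheme) -> List[str]:
    """Return audit findings for one application, each prefixed with a short code."""
    findings = []
    if app.rto_hours > app.mtd_hours:
        findings.append(f"RTO>MTD: {app.name} RTO {app.rto_hours}h exceeds MTD {app.mtd_hours}h")
    if scheme.crc_hours > app.rto_hours:
        findings.append(f"CRC>RTO: {app.name} recovers in {scheme.crc_hours}h, RTO is {app.rto_hours}h")
    for site_loss, code in ((False, "RPO-LOCAL"), (True, "RPO-SITE-LOSS")):
        rpo = achievable_rpo(scheme, site_loss)
        if rpo > app.rpo_hours:
            findings.append(f"{code}: {app.name} worst-case loss {rpo}h exceeds RPO {app.rpo_hours}h")
    if not scheme.restore_tested:
        findings.append(f"RESTORE-UNTESTED: {app.name} restore capability is questionable")
    return findings

# Constructed sample: weekly tape rotation versus a tested offsite replication scheme,
# both measured against the "Application X in 24 hours" negotiation from slide 9.
TAPE_SCHEME = BackupScheme(24, 168, crc_hours=48, restore_tested=False)
REPLICATED_SCHEME = BackupScheme(4, 0, crc_hours=12, restore_tested=True)
APP_X = AppRequirements("Application X", mtd_hours=72, rto_hours=24, rpo_hours=4)
```

Running `audit_backup_alignment(APP_X, TAPE_SCHEME)` produces four findings (capability slower than RTO, both RPO gaps, untested restores), while the replicated scheme produces none.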
16. DRP STRATEGIES…MAY NOT ALIGN WITH BCP STRATEGIES
• Some organizations will stop their planning efforts once restoration of applications, infrastructure and data is complete
• …But forget to consider where ALLLL those business people are going to go work in order to access it!
• Don’t blindly accept the “work at home” strategy…if the infrastructure cannot support multiple remote users it ain’t happening
• The strategies should consider the dependencies on vendors for technologies, special equipment, etc.
The DR Hot Site! The BCP Not Site!
17. IF THE PLANS ARE NOT TESTED…WELL, YOU KNOW WHERE I’M GOING
• 84% of KPMG’s 2011-2012 BCM Survey respondents tested their plans within the last year – GREAT!
• …But be sure to note that legit testing took place! Simply opening the binder is not an effective test
• Tests should range in complexity (e.g., table-top, partial exercises, full scale exercises, etc.)
• Participants should vary as well; include IT, business units, crisis or incident teams, etc.
• The tests should be planned in advance (or surprise tests are okay), and should end with an after action review to facilitate improvement
Failure is OKAY during a test…not so okay when the chairman of the board calls you at 3 a.m.
18. DURING AN EMERGENCY…THE AVERAGE IQ GOES TO “0”
• Be sure the plan considers an immediate response to a given situation
• Crisis Management and Incident Response Teams are a crucial component of BCM: they make decisions and allocate resources
• If management is not integrated in the plan, they will NEVER follow the plan…but that won’t stop them from making one up as they go!
• Again…if the Crisis Management and Incident Response Teams are not tested…
Crisis Management may be the missing link to most plans
19. A SIMPLE AUDIT METHODOLOGY
20. 6 DOMAINS TO CONSIDER FOR AUDIT
1. Program Management – Assess the entity controls that integrate, manage, and sustain a viable BCM throughout the enterprise
• Program Definition – Establish that the program is formally developed and integrated
• Support and Accountability – Establish that the program is supported at the highest level of the org
• Budget Planning and Program Evaluation – Establish that the org is committed to sustaining program viability
2. Requirements Definition – The organization has defined its recovery, restoration, and high availability requirements related to business processes, applications, infrastructure & data
• Risk Analysis and Treatment – Establish that the org has analyzed its risk posture and reasonably reduced risk
• The BIA Methodology – Establish that the org maintains a formal method to define impacts and prioritize criticality
• Data Flows and Dependencies – Establish that dependencies (internal/external) are documented
• Analysis and Reporting – Establish that BIA results are aggregated, prioritized, and approved
3. Strategy Selection – Assess the organization’s method for developing continuity and availability strategies within its maximum tolerable downtime
• Staff and Support Requirements – Establish that strategies are developed based on defined requirements
• Course of Action Analysis – Establish that the cost to maintain strategies is in line with risk tolerance
• Monitor, Evaluate for Change – Establish that strategies are periodically evaluated for change
21. 6 DOMAINS TO CONSIDER FOR AUDIT (continued)
4. Plan Development – Assess the sufficiency, completeness, applicability, and implementation of the organization’s documented BCP/DRP plans
• Plan Components & Framework – Establish that plans are documented and align with requirements
• Supporting, Storing Plans – Establish that plans are accessible and assigned to process owners
• Plan Updates – Establish that plans change as processes, technologies and people change
5. Vendor Management – Assess the organization’s method for vendor selection and oversight relevant to the BCM program
• Vendor Contracting – Establish that vendors are screened and will meet contractual requirements
• Critical Vendor Dependencies – Establish that critical dependencies are known and accounted for
• Vendor Integration, Testing – Establish that vendors occasionally participate in tests/exercises
6. Implementation, Maintenance – Assess the organization’s capability to test and maintain the viability of its BCM program
• Testing and Validation – Establish that plans are valid through scheduled, ongoing testing
• Change Management – Establish that changes required to BCM are formalized
• Workforce Awareness – Establish that workforce members are aware of the BCM program
22. CONSIDER A MATURITY MODEL APPROACH
QUANTIFIED BCM FINDINGS (# of findings per maturity level) – Scoring
As of: SEPTEMBER 2012   Client: CLIENT NAME   Affiliate: SUB ORGANIZATION
(Sub-area labels are matched to the domain numbering on slides 20 and 21.)

ID    Area                                     Maturity Rating  Not Addressed  Minimally Addressed  Emerging  Managed
1     PROGRAM MANAGEMENT                       41%              0              0                    5         7
1.1   Program Definition                       25%              0              0                    1         2
1.2   Support and Accountability               45%              0              0                    2         3
1.3   Budget Planning and Program Evaluation   54%              0              0                    2         2
2     REQUIREMENTS DEFINITION                  46%              0              2                    10        4
2.1   Risk Analysis and Treatment              25%              0              1                    3         0
2.2   The BIA Methodology                      59%              0              0                    0         4
2.3   Data Flows and Dependencies              25%              0              1                    3         0
2.4   Analysis and Reporting                   75%              0              0                    4         0
3     STRATEGY SELECTION                       61%              0              1                    6         4
3.1   Staff and Support Requirements           56%              0              0                    3         3
3.2   Course of Action Analysis                47%              0              1                    2         0
3.3   Monitor and Evaluate for Change          80%              0              0                    1         1
4     PLAN DEVELOPMENT                         38%              0              0                    6         5
4.1   Plan Components and Framework            50%              0              0                    4         2
4.2   Supporting and Storing the Plans         40%              0              0                    0         2
4.3   Plan Updates                             25%              0              0                    2         1
5     VENDOR MANAGEMENT                        30%              0              4                    2         3
5.1   Vendor Contracting                       25%              0              0                    1         2
5.2   Critical Vendor Dependencies             40%              0              3                    0         1
5.3   Vendor Integration and Testing           25%              0              1                    1         0
6     PLAN IMPLEMENTATION & MAINTENANCE        67%              0              0                    4         7
6.1   Testing and Validation                   75%              0              0                    1         3
6.2   Change Management                        50%              0              0                    3         0
6.3   Workforce Awareness                      75%              0              0                    0         4
      Enterprise BCM Principles (overall)      47%              0              7                    33        30

• Facilitates Scalable Program
• Isolates Highest Risk Areas
• Accounts for areas to sustain
• Incorporates All Findings from the Audit
23. TRENDS & STANDARDS
24. EMERGING TRENDS IN BCM
• Virtualization helps reduce the number of overall IT assets and improves system uptime…but beware of single points of failure!
• Cloud computing provides a viable outsourcing option for production technologies…but be sure your cloud vendor is capable of meeting your RTOs and RPOs!
• Mobile devices provide a means of portability for documented plans, communications, and rapid response…but be sure phones are secure; encrypt if possible!
• Social networking provides an effective way to broadcast incidents, particularly for crisis management…but be sure that the messages are controlled!
25. CURRENT AND EMERGING STANDARDS
• Business Continuity Institute – Good Practice Guideline (2010)
• BS 25999 Business Continuity – BSI’s practices guideline
• Disaster Recovery Institute (DRI) – Professional Practices for BCM
• ISO/IEC 22301:2012 – One of the newest, aligned with the ISO27k set of standards
26. QUESTIONS
Ron Pelletier, CISSP, CBCP, CISA, QSA
VP and Executive Manager
ron.pelletier@pondurance.com
www.pondurance.com
Pondurance
3105 East 98th Street, Suite 120
Indianapolis, IN 46280