1. BUSINESS CONTINUITY MANAGEMENT (BCM) – AN AUDITOR’S PERSPECTIVE
Ron Pelletier, CISSP, CBCP, CISA, QSA
VP and Executive Manager
Central Indiana ISACA – June 25, 2015
2. WHY ARE WE HERE?
PONDURANCE 2
“Business continuity is not a project with a beginning
and ending date, it is a program to be managed
indefinitely.”
- Unknown, on Business Continuity Management
Only 31 percent of business continuity
management programs have a high level of
integration with the organization's strategic
planning capabilities.
- KPMG 2013-2014 Global BCM Benchmarking Study
This dropped 3% from the 2012-2013 survey!!
3. AGENDA
• BCM Overview
• General BCM Audit Considerations
• A Simple Audit Methodology
• Trends and Standards
• Questions
4. A BUSINESS CONTINUITY MANAGEMENT OVERVIEW
5. COMMON COMPONENTS OF BCM
[Diagram: BCM shown as the hub of its component disciplines (general, not all inclusive)]
• Business Continuity Planning
• Disaster Recovery Planning
• High Availability
• Risk Management
• Incident Response
• Crisis Management
6. SIMPLIFIED BCM TERMS
Business Continuity – Planning to sustain business viability.
Disaster Recovery – Planning to sustain supporting technology & data.
Crisis Management – Preserving life safety and business image.
Business Impact Analysis – Establish the organization’s critical path.
Recovery Time Objective – When do the systems/processes need to be restored?
Recovery Point Objective – How much data can you stand to lose?
Maximum Tolerable Downtime – What is the point of unacceptable risk?
Risk Tolerance – Collective picture of risk management and BCM.
High Availability – When downtime of systems/data is not an option.
Minimum Operating Requirements – What do you need, and when, to get by.
7. TRADITIONAL THINKING ON BCM
[Diagram: Disaster Recovery vs. Business Continuity. Disaster Recovery (DRP) covers the tech/data restore; Business Continuity covers people, business processes and process continuity.]
8. THE INTEGRATED PERSPECTIVE
[Diagram: a Defined Tolerance for Risk sits over the whole program. The Risk Analysis Phase (Current State Assessment, Threat and Risk Assessment, Business Impact Analysis) feeds both Business Continuity Planning (BCP Strategies, BCP Documentation) and Disaster Recovery Planning (DRP Strategies, DRP Documentation); Program Exercising, Change Management and Maintenance span both.]
CRISIS MANAGEMENT
• Owns Initial and Ongoing Response
• Allocates Emergency Resources
• MAKES DECISIONS AS REQUIRED
• Functions as Steering Committee
9. UNDERSTANDING RISK TOLERANCE
[Diagram: Business Unit Personnel perform the Business Impact Analysis, which yields Maximum Tolerable Downtimes (MTDs) expressed as $ and operational impacts and the feasibility of manual processing. The Information Technology Group performs the Current State Assessment, which yields Current Recovery Capabilities (CRCs). Management negotiation based on risk tolerance reconciles the two into Recovery Time Objectives (RTOs), e.g. Application ‘X’ in 72 Hours vs. Application ‘X’ in 24 Hours.]
10. GENERAL BCM AUDIT CONSIDERATIONS
11. THE POLICY IS YOUR FIRST CLUE…TO WHETHER THE COMPANY HAS A CLUE
• Many auditors go right for the plan, forgetting that a policy might provide useful information, if a policy exists
• The policy may provide you with references to other BCM documents, team members, crisis plans, etc.
• The policy may also provide objectives for the plan, scope or rationale for strategy (e.g., High Availability), etc.
• …Then again, the policy may indicate a large disconnect between management and those tasked with developing and/or executing the plan
Be sure to look for cobwebs!
12. THE BIGGER THE PLAN…THE BIGGER THE BINDER
• Regulatory frameworks generally do not provide requirements beyond the creation and sustainment of a plan
• The size and thickness of a documented plan DOES NOT reflect its effectiveness
• Large plans can easily be over-engineered and may be discarded in a disaster situation
• The plans should identify roles, responsibilities and immediate action steps (i.e., the critical path)
• The plans should exist or be accessible outside of the physical or logical confines of the facility or domain
If the plan requires a dolly to lug around, it might need some reengineering
13. THE LACK OF A BIA…CAN RENDER YOUR PLAN KIA
• A plan that is not predicated on some level of precision analysis is not a plan but a guess
• An effective BIA does NOT require a long, drawn-out process that can take months
• According to KPMG’s BCM Survey, 38% of respondents do not know the financial impact of a five-day disruption or outage
• Be wary of sole reliance on survey results…business unit managers may inflate their criticality to align with their MBOs
• The end state of a BIA should draw attention to management’s risk tolerance and critical path
When the plates start to fall, knowing which to catch and which to drop will determine success or failure
14. AVOID RISK…BECAUSE RISK WILL NOT AVOID YOU
• PREPARE TO AVOID BUT PLAN TO RESPOND!!
• Human, technical, operational and strategic threats MUST be considered to formulate a viable avoidance and/or response posture
• Look for single points of failure that might not have been considered
• Do not discard “Black Swan” events, but don’t put all your focus on them (pandemic flu? Not many actually going in to work)
• According to KPMG’s BCM Survey, only 41% of companies integrate BCM with cyber security
• Be sure to account for environmental and physical controls as part of the organization’s risk management plan, too (see spaghetti)
Uh…would you like some sauce to go with that spaghetti?
15. DATA BACKUPS…OFTEN FULL OF HICCUPS
• Ensure the backup scheme complements the Recovery Time and Recovery Point Objectives (RTOs & RPOs)
• Tapes are fine, but often they are either not removed from the site or are taken offsite only 1x per week
• If the backups (tape or disk) are not tested periodically to verify full restoration, the capability to restore is questionable
• It is entirely possible that a replication or high availability strategy encompasses too much and does not justify its expense
Tapes kept onsite? Soooo…what happens if the data center burns down?
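The checks behind slides 6, 9 and 15 (RTO vs. MTD, negotiated RTO vs. IT's current recovery capability, and whether the backup scheme and its offsite cadence actually support the RPO) can be written down as a small audit script. The example below is an added illustration, not code from the presentation or from Pondurance; the system names, hours and dates in the inventory are constructed, and the one-year restore-test threshold is an assumed audit parameter.

```python
# Added example (not from the slides): reconcile BIA targets, IT's current
# recovery capability and the backup scheme for each system, and list the
# gaps an auditor would raise. All names and sample values are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class SystemRecord:
    name: str
    mtd_hours: float              # Maximum Tolerable Downtime, from the BIA (business units)
    rto_hours: float              # Recovery Time Objective, negotiated by management
    rpo_hours: float              # Recovery Point Objective (tolerable data loss)
    crc_hours: float              # Current Recovery Capability, from IT's current state assessment
    backup_interval_hours: float  # how often a restorable backup is taken
    offsite_lag_hours: float      # time a backup sits onsite before a copy leaves the building
    last_full_restore_test: Optional[date]  # None = never proven restorable


def audit_system(rec: SystemRecord, as_of: date, max_test_age_days: int = 365) -> List[str]:
    """Return the gaps between stated objectives and demonstrated capability for one system."""
    findings: List[str] = []

    # The negotiated RTO has to fit inside what the business says it can tolerate at all.
    if rec.rto_hours > rec.mtd_hours:
        findings.append(f"RTO {rec.rto_hours:g}h exceeds MTD {rec.mtd_hours:g}h; objective is not viable")

    # What IT can deliver today versus what management agreed to (slide 9's negotiation).
    if rec.crc_hours > rec.rto_hours:
        findings.append(f"current recovery capability {rec.crc_hours:g}h cannot meet RTO {rec.rto_hours:g}h")

    # Backup frequency bounds data loss when only the data is lost; the offsite
    # lag bounds it when the site itself is lost (the "data center burns down" case).
    worst_case_loss = rec.backup_interval_hours + rec.offsite_lag_hours
    if rec.backup_interval_hours > rec.rpo_hours:
        findings.append(f"backup interval {rec.backup_interval_hours:g}h exceeds RPO {rec.rpo_hours:g}h")
    elif worst_case_loss > rec.rpo_hours:
        findings.append(f"site loss could cost {worst_case_loss:g}h of data against RPO "
                        f"{rec.rpo_hours:g}h; copies stay onsite too long")

    # A backup that has never been fully restored is an assumption, not a capability.
    if rec.last_full_restore_test is None:
        findings.append("no full restore test on record")
    elif (as_of - rec.last_full_restore_test).days > max_test_age_days:
        findings.append(f"last full restore test on {rec.last_full_restore_test.isoformat()} "
                        f"is older than {max_test_age_days} days")
    return findings


def audit_inventory(records: List[SystemRecord], as_of: date) -> Dict[str, List[str]]:
    """Map each system name to its findings; a system with no gaps maps to an empty list."""
    return {rec.name: audit_system(rec, as_of) for rec in records}


# Constructed sample inventory (hypothetical systems and values).
SAMPLE_INVENTORY = [
    # Business tolerates 72h, management negotiated 24h, IT can only do 48h today.
    SystemRecord("Application X", 72, 24, 4, 48, 4, 0, date(2015, 3, 1)),
    # Nightly tapes, but a weekly courier leaves up to 8 days of data onsite; never restore-tested.
    SystemRecord("Payroll", 48, 24, 24, 24, 24, 168, None),
    # Objectives and capability line up, but the last proven restore is well over a year old.
    SystemRecord("Intranet wiki", 240, 120, 24, 24, 24, 0, date(2014, 1, 15)),
    # The negotiated RTO is longer than the business can tolerate.
    SystemRecord("Reporting warehouse", 24, 48, 24, 48, 24, 0, date(2015, 4, 10)),
    # No gaps.
    SystemRecord("Order entry", 24, 8, 1, 6, 1, 0, date(2015, 5, 20)),
]
AS_OF = date(2015, 6, 25)  # constructed audit date


def sample_findings() -> Dict[str, List[str]]:
    return audit_inventory(SAMPLE_INVENTORY, AS_OF)


if __name__ == "__main__":
    for system, gaps in sample_findings().items():
        print(system, "->", gaps or "no findings")
```

The offsite-lag check is the one most often missed in practice: a nightly backup with a weekly tape pickup satisfies a 24-hour RPO on paper but not when the building is lost, which is exactly the scenario the slide's callout raises.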
16. DRP STRATEGIES…MAY NOT ALIGN WITH BCP STRATEGIES
• Some organizations will stop their planning efforts once restoration of applications, infrastructure and data is complete
• …But forget to consider where ALLLL those business people are going to go work in order to access it!
• Don’t blindly accept the “work at home” strategy…if the infrastructure cannot support multiple remote users it ain’t happening
• The strategies should consider the dependencies on vendors for either technologies, special equipment, etc.
The DR Hot Site! The BCP Not Site!
17. IF THE PLANS ARE NOT TESTED…WELL, YOU KNOW WHERE I’M GOING
• 84% of KPMG’s 2011-2012 BCM Survey respondents tested their plans within the last year – GREAT!
• …But be sure to note legit testing took place! Simply opening the binder is not an effective test
• Tests should range in complexity (e.g., table-top, partial exercises, full scale exercises, etc.)
• Participants should vary as well; include IT, business units, crisis or incident teams, etc.
• The tests should be planned in advance (or surprise tests are okay), and should end with an after action review to facilitate improvement
Failure is OKAY during a test…not so okay when the chairman of the board calls you at 3 a.m.
18. DURING AN EMERGENCY…THE AVERAGE IQ GOES TO “0”
• Be sure the plan considers an immediate response to a given situation
• Crisis Management and Incident Response Teams are a crucial component of BCM; they make decisions and allocate resources
• If management is not integrated in the plan, they will NEVER follow the plan…but that won’t stop them from making one up as they go!
• Again…if the Crisis Management and Incident Response Teams are not tested…
Crisis Management may be the missing link to most plans
19. A SIMPLE AUDIT METHODOLOGY
20. 6 DOMAINS TO CONSIDER FOR AUDIT
1. Program Management – Assess the entity controls that integrate, manage, and sustain a viable BCM throughout the enterprise
• Program Definition – Establish the program is formally developed and integrated
• Support and Accountability – Establish the program is supported at the highest level of the org
• Budget Planning and Program Evaluation – Establish the org is committed to sustaining program viability
2. Requirements Definition – Establish the organization has defined its recovery, restoration, and high availability requirements related to business processes, applications, infrastructure & data
• Risk Analysis and Treatment – Establish the org has analyzed its risk posture and reasonably reduced risk
• The BIA Methodology – Establish the org maintains a formal method to define impacts and prioritize criticality
• Data Flows and Dependencies – Establish that dependencies (internal/external) are documented
• Analysis and Reporting – Establish that BIA results are aggregated, prioritized, and approved
3. Strategy Selection – Assess the organization’s method for developing continuity and availability strategies within its maximum tolerable downtime
• Staff and Support Requirements – Establish that strategies are developed based on defined requirements
• Course of Action Analysis – Establish that the cost to maintain strategies is in line with risk tolerance
• Monitor, Evaluate for Change – Establish that strategies are periodically evaluated for change
21. 6 DOMAINS TO CONSIDER FOR AUDIT
4. Plan Development – Assess the sufficiency, completeness, applicability, and implementation of the organization’s documented BCP/DRP plans
• Plan Components & Framework – Establish plans are documented and align with requirements
• Supporting, Storing Plans – Establish plans are accessible and assigned to process owners
• Plan Updates – Establish plans change as processes, technologies and people change
5. Vendor Management – Assess the organization’s method for vendor selection and oversight relevant to the BCM program
• Vendor Contracting – Establish vendors are screened and will meet contractual requirements
• Critical Vendor Dependencies – Establish critical dependencies are known and accounted for
• Vendor Integration, Testing – Establish vendors occasionally participate in tests/exercises
6. Implementation, Maintenance – Assess the organization’s capability to test and maintain the viability of its BCM program
• Testing and Validation – Establish plans are valid through scheduled, ongoing testing
• Change Management – Establish changes required to BCM are formalized
• Workforce Awareness – Establish workforce members are aware of the BCM program
22. CONSIDER A MATURITY MODEL APPROACH
QUANTIFIED BCM FINDINGS (# of findings per maturity level)
As of: SEPTEMBER 2012   Client: CLIENT NAME   Affiliate: SUB ORGANIZATION
[Table: rows are the six audit domains and their sub-areas, numbered in the order of slides 20-21; columns are the maturity rating (scoring, %) and the number of findings at each maturity level: Not Addressed, Minimally Addressed, Emerging, Managed.]

Area                                          Rating  NotAddr  MinAddr  Emerging  Managed
1   PROGRAM MANAGEMENT                           41%        0        0         5        7
1.1 Program Definition                           25%        0        0         1        2
1.2 Support and Accountability                   45%        0        0         2        3
1.3 Budget Planning and Program Evaluation       54%        0        0         2        2
2   REQUIREMENTS DEFINITION                      46%        0        2        10        4
2.1 Risk Analysis and Treatment                  25%        0        1         3        0
2.2 The BIA Methodology                          59%        0        0         0        4
2.3 Data Flows and Dependencies                  25%        0        1         3        0
2.4 Analysis and Reporting                       75%        0        0         4        0
3   STRATEGY SELECTION                           61%        0        1         6        4
3.1 Staff and Support Requirements               56%        0        0         3        3
3.2 Course of Action Analysis                    47%        0        1         2        0
3.3 Monitor and Evaluate for Change              80%        0        0         1        1
4   PLAN DEVELOPMENT                             38%        0        0         6        5
4.1 Plan Components and Framework                50%        0        0         4        2
4.2 Supporting and Storing the Plans             40%        0        0         0        2
4.3 Plan Updates                                 25%        0        0         2        1
5   VENDOR MANAGEMENT                            30%        0        4         2        3
5.1 Vendor Contracting                           25%        0        0         1        2
5.2 Critical Vendor Dependencies                 40%        0        3         0        1
5.3 Vendor Integration and Testing               25%        0        1         1        0
6   PLAN IMPLEMENTATION & MAINTENANCE            67%        0        0         4        7
6.1 Testing and Validation                       75%        0        0         1        3
6.2 Change Management                            50%        0        0         3        0
6.3 Workforce Awareness                          75%        0        0         0        4
Enterprise BCM Principles (total)                47%        0        7        33       30

• Facilitates Scalable Program
• Isolates Highest Risk Areas
• Accounts for areas to sustain
• Incorporates All Findings from the Audit
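The roll-up behind this slide (every audit finding tagged with a sub-area and a maturity level, then counted per sub-area, per domain and for the program as a whole, with the weakest areas isolated) is straightforward to implement. The following is an added example, not the presenter's or Pondurance's own tooling: the domain and sub-area names are taken from slides 20-21, while the findings list, the level ordering and the two helper functions are constructed for illustration. The slide's percentage rating is deliberately not reproduced, since the scoring rule behind it is not given on the page.

```python
# Added example (not from the slides): roll tagged audit findings up into the
# "findings per maturity level" view of the maturity model. Domain and sub-area
# names follow slides 20-21; the sample findings are constructed.
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Lowest to highest maturity, as the slide's column order suggests.
LEVELS = ("Not Addressed", "Minimally Addressed", "Emerging", "Managed")
SHORT = ("NotAddr", "MinAddr", "Emerging", "Managed")

DOMAINS = {
    "1": "Program Management", "2": "Requirements Definition", "3": "Strategy Selection",
    "4": "Plan Development", "5": "Vendor Management", "6": "Implementation, Maintenance",
}
SUB_AREAS = {
    "1.1": "Program Definition", "1.2": "Support and Accountability",
    "1.3": "Budget Planning and Program Evaluation",
    "2.1": "Risk Analysis and Treatment", "2.2": "The BIA Methodology",
    "2.3": "Data Flows and Dependencies", "2.4": "Analysis and Reporting",
    "3.1": "Staff and Support Requirements", "3.2": "Course of Action Analysis",
    "3.3": "Monitor, Evaluate for Change",
    "4.1": "Plan Components & Framework", "4.2": "Supporting, Storing Plans", "4.3": "Plan Updates",
    "5.1": "Vendor Contracting", "5.2": "Critical Vendor Dependencies",
    "5.3": "Vendor Integration, Testing",
    "6.1": "Testing and Validation", "6.2": "Change Management", "6.3": "Workforce Awareness",
}

Finding = Tuple[str, str, str]  # (sub-area id, maturity level observed, short description)


def rollup(findings: List[Finding]):
    """Count findings per maturity level for each sub-area, each domain, and the whole program."""
    per_sub: Dict[str, Counter] = defaultdict(Counter)
    for sub_id, level, _desc in findings:
        if sub_id not in SUB_AREAS:
            raise ValueError(f"unknown sub-area {sub_id!r}")
        if level not in LEVELS:
            raise ValueError(f"unknown maturity level {level!r}")
        per_sub[sub_id][level] += 1
    per_domain: Dict[str, Counter] = defaultdict(Counter)
    for sub_id, counts in per_sub.items():
        per_domain[sub_id.split(".")[0]].update(counts)
    total: Counter = Counter()
    for counts in per_domain.values():
        total.update(counts)
    return per_sub, per_domain, total


def highest_risk_areas(findings: List[Finding], worst_n_levels: int = 2) -> List[str]:
    """Sub-areas with findings at the lowest maturity levels, worst level first, then by count."""
    per_sub, _, _ = rollup(findings)
    low = LEVELS[:worst_n_levels]

    def key(item):
        sub_id, counts = item
        return tuple(-counts[lvl] for lvl in low) + (sub_id,)

    return [sub_id for sub_id, counts in sorted(per_sub.items(), key=key)
            if any(counts[lvl] for lvl in low)]


def render(findings: List[Finding]) -> str:
    """Plain-text version of the slide's table, without the percentage rating column."""
    per_sub, per_domain, total = rollup(findings)
    lines = [f"{'Area':45} " + " ".join(f"{s:>9}" for s in SHORT)]
    for dom_id, dom_name in DOMAINS.items():
        lines.append(f"{dom_id + ' ' + dom_name.upper():45} "
                     + " ".join(f"{per_domain[dom_id][lvl]:>9}" for lvl in LEVELS))
        for sub_id, sub_name in SUB_AREAS.items():
            if sub_id.startswith(dom_id + "."):
                lines.append(f"{'  ' + sub_id + ' ' + sub_name:45} "
                             + " ".join(f"{per_sub[sub_id][lvl]:>9}" for lvl in LEVELS))
    lines.append(f"{'Total':45} " + " ".join(f"{total[lvl]:>9}" for lvl in LEVELS))
    return "\n".join(lines)


# Constructed sample findings (hypothetical observations, not from any real audit).
SAMPLE_FINDINGS: List[Finding] = [
    ("1.2", "Emerging", "Policy approved but no executive sponsor named"),
    ("2.3", "Minimally Addressed", "External vendor dependencies not captured in the BIA"),
    ("2.3", "Emerging", "Internal data flows documented for only two business units"),
    ("4.3", "Not Addressed", "Plans last updated before the data center migration"),
    ("5.2", "Minimally Addressed", "No inventory of critical vendors"),
    ("5.2", "Minimally Addressed", "Critical vendor SLAs do not state recovery times"),
    ("6.1", "Managed", "Annual table-top exercise with after action review"),
]

if __name__ == "__main__":
    print(render(SAMPLE_FINDINGS))
    print("highest risk:", highest_risk_areas(SAMPLE_FINDINGS))
```

Tagging each finding with the sub-area and observed level at write-up time is what makes the roll-up cheap; the ranking then surfaces the areas with findings at the two lowest levels ("Not Addressed", then "Minimally Addressed") ahead of everything else, which is the "isolates highest risk areas" property the slide claims for the approach.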
23. TRENDS & STANDARDS
24. EMERGING TRENDS IN BCM
• Virtualization helps reduce the number of overall IT assets and improves system uptime…but beware of single points of failure!
• Cloud computing provides a viable outsourcing option for production technologies…but be sure your cloud vendor is capable of meeting your RTOs, RPOs!
• Mobile devices provide a means of portability for documented plans, communications, and rapid response…but be sure phones are secure, encrypt if possible!
• Social networking provides an effective way to broadcast incidents, particularly for crisis management…but be sure that the messages are controlled!
25. CURRENT AND EMERGING STANDARDS
• Business Continuity Institute - Good Practice Guideline (2010)
• BS 25999 Business Continuity – BSI’s practices guideline
• Disaster Recovery Institute (DRI) – Professional Practices for BCM
• ISO/IEC 22301:2012 – One of the newest, aligned with the ISO27k set of standards
26. QUESTIONS
Ron Pelletier, CISSP, CBCP, CISA, QSA
VP and Executive Manager
ron.pelletier@pondurance.com
www.pondurance.com
Pondurance
3105 East 98th Street, Suite 120
Indianapolis, IN 46280