Business Continuity Planning

This file was presented by me during the study circle meeting at the Mangalore Branch of Southern India Regional Council of the Institute of Chartered Accountants of India.

Speaker notes
  • What would happen if Facebook were hacked? Imagine you are the creator of Facebook, Mark Zuckerberg. Consider the extent of the disaster and the time taken to resume the business. BCP/DRP are the controls of last resort.
  • Planning is an activity performed before the disaster occurs. The outage resulting from a disaster can have serious effects on the viability of the firm's operations, profitability, quality of service and convenience, often due to inadequate planning. Understand the risks to operations and the measures that can minimize those risks, and formulate the DRP/BCP. Take the example of the Facebook disaster; also quote the Twitter disaster.
  • The whole presentation in a nutshell: basically the steps involved in formulating a BCP. Initiate, perform risk assessment, choose recovery strategy, test and validate.
  • Objectives. Primary objective: minimize loss, i.e. minimize costs, through planning (assessing risks) and minimizing the losses that arise. Enable the organization to survive a disaster: assure that critical operations can resume normal processing within a reasonable time frame.
  • Understand the core and critical business processes and the forecasted processes. The Steering Committee has overall responsibility for providing direction and guidance to the BCP team. Next is risk assessment.
  • Similar to SA 315 and SA 330, but those relate to the financial statements of an entity. Risks refer to uncertainties of outcome, whether an opportunity or a threat, arising out of actions and events; they are the uncertainties which impede the achievement of the objective. A thorough assessment of the system's security and communication environment should be completed, including personnel practices, physical security, operating procedures, backup and contingency planning, systems development and maintenance, database security, etc. The BIA helps to understand the degree of potential loss which could occur. This would also include issues such as reputation damage, regulatory effects, etc.
  • Plan development tasks would include identification of organizational risks, CBS, and risks in terms of outage and financial impact. Identify the maximum allowable downtime and the type and quantity of resources required for recovery. This can be done through questionnaires, workshops, interviews and examination of documents. Have a detailed definition of requirements: develop a profile of recovery requirements covering software, hardware, documents (user, procedures), outside support (public network) and personnel.
  • Goals are set and alternative testing strategies are evaluated. There is no assurance that, when the plan is activated, the organization would survive; hence ensure that the recovery procedures are complete and workable, that personnel are competent, and that the various resources function properly during recovery. The success or failure of the business continuity training program is monitored. Maintenance of the plans is critical to the success of actual recovery: the plan must adapt to changes in the environment, and revisions should be made accordingly.
  • Start from the business risk impact assessment.
  • The objective is to minimize threats; hence it is essential to evaluate potential threats to the system. Integrity:
  • Policies usually can be obtained to cover the following resources: storage media, accounts receivable, facilities, equipment, malpractice and errors, valuable papers and records, media transportation, and business interruption.
  • Test boundaries are required to satisfy the disaster recovery strategies. The management team must consider future test criteria to meet the end objectives. Opportunities to test actual recovery procedures should be taken wherever possible. Scenario: the scenario must outline what caused the disaster, the level of damage, and whether or not anything can be salvaged; its purpose is to explain to all participants the cause of the disaster and the planned recovery points. Test criteria: the role of the observer is to give an unbiased view and to comment on areas of success or concern to assist in future testing. Assumptions: e.g. all purchases (equipment, furniture, etc.) can be made in the recovery time required. Briefing session: the boundaries are explained and opportunities to discuss any technical uncertainties are provided. Analysing the test: constructive analysis of each test and its result will lead to an effective recovery plan.
Transcript

    • 1. BUSINESS CONTINUITY PLANNING / DISASTER RECOVERY PLANNING Bbharathrao.wordpress.com
    • 2. Business Continuity Plan: BCP is the creation and validation of a practical logistical plan for how an organization will recover and restore operations, partially or completely, within a predetermined time after a disaster has occurred.
    • 3. GENERAL CONCEPT: A common man's view
    • 4. Business Continuity Planning Lifecycle
    • 5. Need for BCP/DRP
    • 6. Objectives, Goals and Areas
        Objectives:
          - Minimize loss by minimizing the cost associated with disruptions
          - Enable the organization to survive a disaster
          - Facilitate effective co-ordination of recovery tasks
          - Reduce the complexity of the recovery effort
        Goals:
          - Identify weaknesses
          - Minimize the duration of a serious disruption to business operations
        Areas:
          - Business Resumption Planning
          - Disaster Recovery Planning
          - Crisis Management
    • 7. Developing a BCP
    • 8. Initiate
        - Obtain an understanding of the existing and projected systems
        - Establish a 'Steering Committee'
        - Develop a master schedule and milestones
    • 9. Perform Risk Assessment
    • 10. Choose Recovery Strategy
        Plan Development:
          - Determine all available options and strategies
          - Business: logistics, HR, accounting
          - Technical: IT (client-server, mainframes, databases, networks)
        Identify Recovery Strategy:
          - Recovery plan components and standards are defined, developed and documented
          - Define notification procedures
          - Establish business recovery teams for each CBS
    • 11. Test and Validate
        - Validate the BCP
        - Develop and document contingency test plans
        - Prepare and execute tests
        - Maintenance: update disaster recovery plans and procedures
    • 12. Working of a BCP Process
    • 13. Differentiation of BCP and DRP
        Business Continuity Plan: the process of defining arrangements and procedures that enable an organization to continue as a viable entity. It addresses the recovery of a company's critical business functions after an interruption.
        Disaster Recovery Plan: involves making preparations for a disaster and also addresses the procedures to be followed during and after a loss. It is specific to the information systems function.
    • 14. Types of Disaster Recovery Plans
        Emergency Plan: specifies the actions to be undertaken when a disaster happens; identifies the situations which require the plan to be invoked.
        Backup Plan: specifies the type of backup to be kept, the frequency of backups, procedures, location, personnel, priorities assigned and a time frame; it needs continuous updating as changes occur.
    • 15. Types of Disaster Recovery Plans
        Recovery Plan: specifies procedures to restore full information system capabilities; formation of a recovery committee, specifying responsibilities and guidelines for proper functioning.
        Test Plan: the final component; identifies deficiencies in the emergency, backup or recovery plans, or in the preparation of the organization for facing a disaster.
    • 16. Threats and Risk Management
        - Lack of integrity
        - Lack of confidentiality
        - Unauthorized access
        - Hostile software
        - Disgruntled employees
        - Hackers and computer crime
        - Terrorism and industrial espionage
    • 17. Types of Backup
        Full Backup: captures all files on the disk or within the folder selected for backup.
        Incremental Backup: captures files that were created or changed since the last backup, regardless of that backup's type.
        Differential Backup: stores files that have changed since the last full backup.
        Mirror Backup: identical to a full backup, except that the files are not compressed into zip archives and cannot be protected with a password.
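Slide 17 defines the four backup types by what each one captures; what matters for the recovery plan is the consequence of that rule, namely how many backup sets must be applied, in order, to rebuild the system. The Python simulation below is an added example, not code from the slides or their author. It models a small file set with constructed modification times, applies the selection rule for each backup type over a five-day schedule, and computes the restore chain. Function names, the file names a..d and the schedule are illustrative assumptions; file deletions and the compression/password difference of a mirror backup are not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Backup kinds as named on the slide. Mirror behaves like full for file selection;
# the slide's distinction (no compression, no password) is not modelled here.
FULL, INCREMENTAL, DIFFERENTIAL, MIRROR = "full", "incremental", "differential", "mirror"


@dataclass(frozen=True)
class BackupSet:
    kind: str
    taken_at: datetime
    files: dict  # path -> modification time captured in this set


def select_files(kind, filesystem, history):
    """Files a backup of `kind` captures, given the live `filesystem`
    (path -> last-modified time) and `history` (BackupSets, oldest first)."""
    if kind in (FULL, MIRROR):
        return dict(filesystem)              # everything, every time
    fulls = [b for b in history if b.kind in (FULL, MIRROR)]
    if not fulls:
        raise ValueError(f"{kind} backup requires a prior full backup")
    if kind == INCREMENTAL:
        since = history[-1].taken_at         # since the last backup of ANY type
    elif kind == DIFFERENTIAL:
        since = fulls[-1].taken_at           # since the last FULL backup
    else:
        raise ValueError(f"unknown backup kind {kind!r}")
    return {path: mtime for path, mtime in filesystem.items() if mtime > since}


def run_backup(kind, filesystem, history, now):
    """Take a backup at time `now`, append it to `history` and return it."""
    backup = BackupSet(kind, now, select_files(kind, filesystem, history))
    history.append(backup)
    return backup


def restore_chain(history):
    """Backup sets that must be applied, oldest first, to restore the latest state.
    Walk backwards from the newest set: every incremental is needed until a
    differential is met, after which only the full backup is still required."""
    chain, need_full_only = [], False
    for backup in reversed(history):
        if backup.kind in (FULL, MIRROR):
            chain.append(backup)
            break
        if need_full_only:
            continue                          # superseded by the differential
        chain.append(backup)
        if backup.kind == DIFFERENTIAL:
            need_full_only = True
    chain.reverse()
    return chain


def restore(history):
    """Rebuild path -> mtime by replaying the restore chain in order.
    Deleted files are not tracked, so a restore can only add or update files."""
    state = {}
    for backup in restore_chain(history):
        state.update(backup.files)
    return state


def simulate(policy):
    """Constructed five-day schedule (assumption, not from the slides): a full
    backup at t0, then one backup per day of the kind given in `policy`
    (days 1..4), with one file touched each day. Returns (live_filesystem, history)."""
    t0, day = datetime(2024, 1, 1), timedelta(days=1)
    filesystem = {"a": t0 - day, "b": t0 - day, "c": t0 - day}  # constructed sample files
    history = []
    run_backup(FULL, filesystem, history, t0)
    touched_per_day = [{"b"}, {"c"}, {"d"}, {"a"}]             # constructed daily changes
    for i, (touched, kind) in enumerate(zip(touched_per_day, policy)):
        for path in touched:
            filesystem[path] = t0 + i * day + timedelta(hours=12)
        run_backup(kind, filesystem, history, t0 + (i + 1) * day)
    return filesystem, history


if __name__ == "__main__":
    for name, policy in [("incremental only", [INCREMENTAL] * 4),
                         ("differential only", [DIFFERENTIAL] * 4),
                         ("mixed", [INCREMENTAL, INCREMENTAL, DIFFERENTIAL, INCREMENTAL])]:
        fs, hist = simulate(policy)
        sizes = [len(b.files) for b in hist]
        chain = [b.kind for b in restore_chain(hist)]
        print(f"{name:18} files per set {sizes}  restore chain {chain}  ok={restore(hist) == fs}")
```

Running the three policies side by side makes the trade-off the slide leaves implicit: incremental-only backups are the smallest per set but need all five sets, in order, and losing any one of them breaks the restore; differential sets grow until the next full backup but restore from just two; the mixed schedule restores from three. The number of sets in the chain is a direct input to the recovery time that the plan's maximum allowable downtime must accommodate.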
    • 18. Alternative Processing Facility Arrangements
        Cold site: useful when the organization can tolerate some downtime; the organization requires minimum facilities at an alternative location to run its regular operations; it is inexpensive.
        Hot site: useful when fast recovery is critical; the organization requires all the facilities at an alternative location; it is expensive.
    • 19. Alternative Processing Facility Arrangements
        Warm site: provides an intermediate level of backup; the organization can tolerate some downtime; the organization requires only essential facilities at an alternative location.
        Reciprocal agreement: two or more organizations agree to provide backup facilities to each other in the event of one suffering a disaster; it is relatively cheap; each participant must maintain sufficient capacity to operate the other's critical systems.
    • 20. Insurance
        - The purpose of insurance is to spread the economic cost and risk of loss from an individual or business to a large number of people.
        - Policies are contracts that obligate the insurer to indemnify the policyholder against specific risks in exchange for a premium.
        - Adequate insurance coverage is a key consideration while developing a BRP/DRP and performing a risk analysis.
    • 21. Activities considered while testing the BRP/DRP plan
        - Defining the boundaries
        - Scenario
        - Test criteria
        - Assumptions
        - Briefing session
        - Checklists
        - Analysing the test
        - Debriefing session
    • 22. Audit of the DR/BR plan
        - Is it based on the BIA?
        - Have key employees participated in its development?
        - Is the plan simple and realistic in its assumptions?
        - Review the existing DR/BR plan and gather background information regarding its preparation.
        - Does the DR/BR plan include provisions for personnel, building, utilities, transportation and IT?
        - Does the DR/BR plan include contact details of suppliers of essential equipment?
        - Does the DR/BR plan include provisions for the approval to expend funds that were not budgeted for the period? Recovery may be costly.
    • 23. Sources
        - ISCA Study Material, Volume 1, ICAI Publication
        - Comprehensive Guide on Information Systems Audit, Volume II, commissioned by the IT Committee of ICAI
        - Guide to Implementing Enterprise Risk Management, Internal Standards Board, ICAI
        - Information Systems Control Audit, Prof. Jignesh Chhedda, VORA Book Agency
    • 24. Thanks. Bharath Rao B, +919611319421, b.bharath.r@gmail.com, /bharathraob, Bbharathrao.wordpress.com
