Business Continuity Planning Seminar

The product of a best practices and knowledge sharing event I led a few years back.

Published in: Business, Technology

Business Continuity Planning Seminar

  1. [Executive Research Council logo] Operations and Technology Research Interest Group. Business Continuity Planning Seminar. Authored and presented by: Charles C. McKinney, Executive Research Council.
  2. Discussion Roadmap
     • Introduction to business continuity (2-8)
     • Initiating business continuity governance (9-15)
     • Risk assessment (16-21)
     • Business impact analysis (22-26)
     • Business continuity strategy (27-32)
     • Implementing business continuity plans (33-37)
     • Awareness, testing and exercise (38-41)
     • Self-assessment guide (42-55)
     Copyright 2006 Charles McKinney. All rights reserved. Executive Research Council Seminar: Business Continuity Planning 1
  3. Introduction to Business Continuity
     • Introduction to the discipline
     • Process characteristics
     • Key outcomes
     • Strategic scope
     • Evolving aspirations
     • Argument in brief
  4. Introduction to the Discipline
     • Organizations need risk management processes to deal with disasters:
       – Disruptions to business operations
       – Damage to physical and intangible assets
       – Loss of human life and well-being (9/11, Katrina)
       – Business continuity planning establishes and maintains contingency plans for disasters
     • Since the 1960s it has developed into a discipline, and today there are:
       – Professional associations (e.g., DRII)
       – Industry roundtables (e.g., FSTC SCOM)
       – Professional certifications (e.g., CBCP, MBCP)
       – Trade publications and conferences (e.g., CP&M)
       – Best practices and industry regulations
  5. Process Characteristics
     • Business continuity planning is a process, characterized by:
       – Defined inputs, outputs and critical success factors
       – Interdependencies with other planning and control processes
       – Dependence on people, technology, culture and managerial systems
     • Process capability depends on sensing and responding to:
       – Internal strengths and weaknesses
       – External threats, opportunities and conventions
     [Figure: Risks to the Enterprise Value Chain. Ecosystem: Suppliers, Purchasing, Inbound Logistics, Production, Outbound Logistics, Sales and Marketing, Distribution System, End User Customers; Supply Chain and Demand Chain]
  6. Key Outcomes
     The focus of business continuity planning is preventing and managing the impact of disasters, so that risk exposure is kept to an acceptable level.
     Disasters can cause unexpected:
       – Loss of revenue
       – Loss of productivity
       – Unusual expenses
       – Customer defection
       – Market share decline
       – Brand deterioration
       – Penalties, fines and liabilities
       – Harm to employee safety, morale
     ... and destroy shareholder value, public confidence, and competitive position over the long run.
     According to Gartner Group, 40% of businesses that go through a disaster fail within two years. Early estimates of the economic impact of 9/11 ranged from $16 billion to $83 billion. Knowledge@Wharton estimated the impact of Katrina at $200 billion.
  7. Strategic Scope
     A comprehensive strategy covers mitigation, planning and critical resources.
  8. Strategic Aspirations
     Organizations increasingly use real-time information and operations to compete, and their survival depends on the availability of these resources.
     Source: Campbell, Alonso, McKinney et al. (KPMG 2001)
  9. Argument in Brief
     • Organizations aspire to change how they plan for business continuity
     • Planning and control systems tend to under-perform in key areas:
       – Institutionalizing governance of the business continuity process
       – Understanding risks and defining requirements
       – Making business continuity investments within a coherent strategy
       – Monitoring and stress-testing organizational readiness for a disaster
     • Business and risk managers need to plug themselves into the “vital few” root-cause issues, so they can motivate performance improvement in their enterprises
  10. Initiating Business Continuity Governance
     • Initiation activities
     • Chartering a steering group
     • Articulating standards and policy
     • Organizational design considerations
     • Building momentum for change
     • Process deployment planning
  11. Initiation Activities
     • Business continuity plans often evolve through decentralized efforts
     • Whether starting fresh or working to improve legacy capabilities, initiating business continuity can promote good governance and its benefits
     • Initiation activities typically include:
       – Chartering a steering group to oversee business continuity planning
       – Assigning roles and responsibilities to process actors
       – Agreeing on high-level standards and articulating a policy
       – Assigning executive oversight, staff resources and line accountabilities
       – Building momentum through dialogue and by achieving quick wins
       – Sequencing to deploy process capabilities
  12. Chartering a Steering Group
     • A steering group exists to guide process implementation, resolve conflict and monitor performance – not to manage the process
     • Objectives for a steering group may include:
       – Recommend a policy to the CEO and Board
       – Approve priorities, investments and resource allotments
       – Approve business continuity strategy and standards
       – Monitor business continuity projects and process capabilities
       – Provide direction to the business continuity manager
       – Participate in or review efforts to exercise and test capabilities
       – Perform defined roles during a disaster or crisis
     • Stakeholder coordination and lateral processes are indispensable
  13. Articulating Standards and Policy
     • At this stage, standards frame the process and educate executives (see example of a process definition template)
     • Policy articulates expectations and may include:
       – Key terms and definitions
       – Policy statement (intent)
       – Objectives (measurable outcomes)
       – Minimum standards (due care)
       – Chain of command for crisis management
     • Standards can help to define the policy; they need to be consistent with corporate governance
  14. Organizational Design Considerations
     The best organizational model supports an organization’s priorities, aligns its stakeholders, and is appropriate for its risk profile (Motorola case study).
     Source: Corporate Executive Board
  15. Building Momentum for Change
     • Momentum can be built through:
       – Dialogue in the organization
       – Attainment of quick wins (see handout)
     • Business continuity planning requires long-term commitment without tangible outcomes unless a disaster strikes
     Kotter’s Eight Step Change Model
       1. Establish a sense of urgency
       2. Form powerful guiding coalition
       3. Create a vision
       4. Communicate the vision
       5. Empower others to act on vision
       6. Plan for and create short-term wins
       7. Consolidate improvements
       8. Institutionalize new approaches
     Source: John Kotter, The Heart of Change (2002)
  16. Process Deployment Planning
     Funding Business Continuity
     • Business continuity costs:
       – Staff function (headcount)
       – Standby sites (IT facilities)
       – IT infrastructure
       – Third-party services
       – BU and department planning
       – Testing and exercise
       – Other costs
     • Funding and chargeback methods
     • Infrastructure profiles (tiered service level standards)
     Implementation Planning
     • Process charter
     • Sequencing plans:
       – Deployment schedule
       – Project mix
       – Interdependencies
       – Resources
     • Project management
     • Communications
     • Change management
  17. Risk Assessment
     • Risk assessment purpose
     • Key activities and outcomes
     • Process case study
     • Risk categories
     • Complementary tools
  18. Risk Assessment Purpose
     • Identify threats to the organization
     • Understand vulnerability to these threats
     • Determine risk exposure (e.g., ALE, annualized loss expectancy)
     • Produce requirements to mitigate risk
     • Track changes in risk profile over time
  19. Key Activities and Outcomes
     • Key activities in a risk assessment:
       – Select risk categories and threats
       – Determine fact-finding methods
       – Produce data collection form
       – Gather data for the assessment
       – Complete and collate forms
       – Finalize threat assessment
       – Estimate risk exposure
       – Communicate work products
     • Key outcomes:
       – Catalog of threats and risks
       – Risk exposure matrix
       – Risk assessment report
     • Activities and outcomes will depend on process design
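The "estimate risk exposure" activity and the "risk exposure matrix" outcome above can be worked end to end. The following added example (not part of the seminar) computes annualized loss expectancy (ALE = asset value x exposure factor x annualized rate of occurrence) for a constructed threat catalog, ranks the threats, and stratifies them into a likelihood-by-impact matrix; the threat values and the band thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


# Constructed threat catalog for illustration only; the values are not from the seminar.
# Each threat carries the inputs for a quantitative exposure estimate:
#   SLE = asset value x exposure factor   (loss from one occurrence)
#   ALE = SLE x ARO                        (expected loss per year)
@dataclass(frozen=True)
class Threat:
    name: str
    category: str           # operational / strategic / composite, per the risk categories slide
    asset_value: float      # dollar value of the assets the threat can affect
    exposure_factor: float  # fraction of that value lost in one occurrence (0..1)
    aro: float              # annualized rate of occurrence (events per year)


THREATS: List[Threat] = [
    Threat("Data center power failure", "operational", 5_000_000, 0.10, 0.50),
    Threat("Regional hurricane", "operational", 20_000_000, 0.40, 0.05),
    Threat("Key supplier insolvency", "strategic", 2_000_000, 0.25, 0.20),
    Threat("Malware outbreak on workstations", "operational", 800_000, 0.30, 2.00),
    Threat("Minor office fire", "operational", 300_000, 0.20, 0.02),
]


def single_loss_expectancy(t: Threat) -> float:
    """SLE: the loss expected from a single occurrence of the threat."""
    if not 0.0 <= t.exposure_factor <= 1.0:
        raise ValueError(f"{t.name}: exposure factor must be between 0 and 1")
    return t.asset_value * t.exposure_factor


def annualized_loss_expectancy(t: Threat) -> float:
    """ALE: the loss expected per year, used to compare and rank threats."""
    if t.aro < 0:
        raise ValueError(f"{t.name}: ARO cannot be negative")
    return single_loss_expectancy(t) * t.aro


def likelihood_band(aro: float) -> str:
    # Assumed bands (not from the seminar); tune them to the organization's risk profile.
    if aro >= 1.0:
        return "high"      # expected at least once a year
    if aro >= 0.1:
        return "medium"    # roughly once a decade or more often
    return "low"


def impact_band(sle: float) -> str:
    # Assumed dollar bands (not from the seminar) for a single occurrence.
    if sle >= 1_000_000:
        return "high"
    if sle >= 100_000:
        return "medium"
    return "low"


BANDS = ("high", "medium", "low")


def exposure_matrix(threats: List[Threat]) -> Dict[Tuple[str, str], List[str]]:
    """Risk exposure matrix: (likelihood band, impact band) -> threat names in that cell."""
    matrix: Dict[Tuple[str, str], List[str]] = {(lik, imp): [] for lik in BANDS for imp in BANDS}
    for t in threats:
        cell = (likelihood_band(t.aro), impact_band(single_loss_expectancy(t)))
        matrix[cell].append(t.name)
    return matrix


def rank_by_ale(threats: List[Threat]) -> List[Tuple[str, float]]:
    """Threats ordered by annual exposure, highest first, for the risk assessment report."""
    return sorted(((t.name, annualized_loss_expectancy(t)) for t in threats),
                  key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, ale in rank_by_ale(THREATS):
        print(f"{name:<36} ALE ${ale:>12,.0f}")
    for (likelihood, impact), names in exposure_matrix(THREATS).items():
        if names:
            print(f"likelihood={likelihood:<6} impact={impact:<6} {', '.join(names)}")
```

Ranking by ALE and placing the same threats in the matrix give different pictures: the hurricane sits in the low-likelihood, high-impact cell while a frequent, moderate threat tops the ALE list, which is why the report should carry both.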
  20. Process Case Study
     Intel provides a case study of implementing a global, centrally coordinated process to periodically assess risk and pursue targeted mitigation.
     Source: Corporate Executive Board, Intel
  21. Risk Categories
     • Traditional risk assessments examined manmade and natural disasters and political acts (terrorism)
     • Due to the complexity of threats, many organizations now consider:
       – Operational risks
       – Strategic risks
       – Composite risks
     • A framework provides a way to quantify and stratify exposure
  22. Complementary Tools
     • Complementary tools can further risk assessment activities:
       – Failure modes and effects analysis (FMEA)
       – Simulation and modeling exercises
       – Design of experiment methods
     • Tools employed in strategic planning and risk modeling groups may be worth exploring, depending on the complexity of an enterprise’s business model and risk profile.
  23. Business Impact Analysis
     • Business impact analysis overview
     • Key activities and outcomes
     • Defining critical resource requirements
     • Prioritizing business functions
  24. Business Impact Analysis Overview
     • The purpose of business impact analysis is to:
       – Assess impacts of a disaster to business areas (e.g., functions)
       – Determine criticality of business functions based on impact
       – Determine criticality of information systems that support business operations
       – Define critical resource requirements for disasters
     • Analysis ties estimates of impact to key performance indicators, such as:
       – Financial impact (e.g., present value of projected revenue loss)
       – Customer impact (e.g., loss of existing customers and market share)
       – Compliance penalties (e.g., liability to pay fines, SLA penalties)
       – Unusual expenses (e.g., unplanned cost of facility repairs)
       – Shareholder value (i.e., loss of value because of factors attributable to the disaster)
       – Other intangible impacts
     • Contributes requirements for the strategy to manage business continuity
  25. Key Activities and Outcomes
     • Key activities in a business impact analysis:
       – Determine fact-finding and analytical methods
       – Prepare data collection form (see handout)
       – Gather and analyze data
       – Prioritize business functions
       – Determine critical resource requirements
       – Report preliminary observations
       – Obtain consensus on observations
       – Issue report to management
     • Key outcomes:
       – Analysis of tolerance for a disaster
       – Critical resource requirements
     • Terminology: RTO (recovery time objective) versus RPO (recovery point objective)
  26. Defining Critical Resource Requirements
     • Requires use of a standard form to gather information on provisioning requirements for:
       – Information technology applications
       – Server and network capacity
       – User desktop configurations
       – Vital records requirements
       – Staffing needs (including key persons)
       – Workspace, telecommunications, etc.
     • Definition of critical resource requirements is based on a determination of each department’s tolerance for a disaster
     • See critical resource requirements handout
  27. Prioritizing Business Functions
     • Prioritization of business functions should occur for:
       – Tolerance for unplanned downtime (recovery time objective)
       – Tolerance for unexpected data loss (recovery point objective)
     • Organizations typically group their recovery time objectives into buckets that correspond to how quickly business resumption should occur:
       – Platinum (zero to four hours)
       – Gold (four to twenty-four hours)
       – Silver (one day to three days)
       – Bronze (greater than five days)
     • These priorities are communicated to key stakeholders
     • Consensus is critical, especially when the analysis is qualitative (by necessity or design)
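As an added example (not from the seminar or its handouts), the following code applies the Platinum/Gold/Silver/Bronze buckets above to a constructed set of BIA results, derives a business resumption order from RTO and RPO, and propagates the strictest objectives down to the information systems each function depends on, which is how the overview slide's "criticality of information systems" follows from function criticality. The function names, objectives and system names are assumptions; note that the buckets as stated leave three to five days unassigned, and the code reports that gap rather than hiding it.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Recovery time objective buckets as stated on the slide, in hours.
# The stated buckets leave three to five days (72-120 h) unassigned; this code
# reports that gap explicitly instead of silently rounding it into Silver or Bronze.
PLATINUM_MAX_H = 4      # zero to four hours
GOLD_MAX_H = 24         # four to twenty-four hours
SILVER_MAX_H = 72       # one day to three days
BRONZE_MIN_H = 120      # greater than five days


def rto_tier(rto_hours: float) -> str:
    """Map a recovery time objective to the slide's Platinum/Gold/Silver/Bronze buckets."""
    if rto_hours < 0:
        raise ValueError("RTO cannot be negative")
    if rto_hours <= PLATINUM_MAX_H:
        return "Platinum"
    if rto_hours <= GOLD_MAX_H:
        return "Gold"
    if rto_hours <= SILVER_MAX_H:
        return "Silver"
    if rto_hours > BRONZE_MIN_H:
        return "Bronze"
    return "Unassigned"  # 72 < RTO <= 120 h: falls between the stated buckets


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    rto_hours: float             # tolerance for unplanned downtime
    rpo_hours: float             # tolerance for unexpected data loss
    systems: Tuple[str, ...]     # information systems the function depends on


# Constructed BIA results for illustration; not from the seminar's handouts.
FUNCTIONS: List[BusinessFunction] = [
    BusinessFunction("Payment processing", 2, 0.25, ("core-banking", "payments-gateway")),
    BusinessFunction("Customer service desk", 12, 4, ("crm",)),
    BusinessFunction("Payroll", 48, 24, ("hr-system",)),
    BusinessFunction("Vendor onboarding", 96, 24, ("erp",)),        # four days: in the gap
    BusinessFunction("Marketing analytics", 168, 48, ("data-warehouse", "crm")),
]


def tiers_by_function(functions: List[BusinessFunction]) -> Dict[str, str]:
    """Bucket every function by its RTO, surfacing any that the buckets do not cover."""
    return {f.name: rto_tier(f.rto_hours) for f in functions}


def recovery_order(functions: List[BusinessFunction]) -> List[str]:
    """Business resumption sequence: shortest RTO first, with RPO breaking ties."""
    return [f.name for f in sorted(functions, key=lambda f: (f.rto_hours, f.rpo_hours))]


def system_requirements(functions: List[BusinessFunction]) -> Dict[str, Tuple[float, float, str]]:
    """A supporting system inherits the strictest RTO and RPO of every function that
    depends on it; a shared system is therefore rated by its most critical consumer."""
    strictest: Dict[str, Tuple[float, float]] = {}
    for f in functions:
        for s in f.systems:
            rto, rpo = strictest.get(s, (float("inf"), float("inf")))
            strictest[s] = (min(rto, f.rto_hours), min(rpo, f.rpo_hours))
    return {s: (rto, rpo, rto_tier(rto)) for s, (rto, rpo) in strictest.items()}


if __name__ == "__main__":
    for name, tier in tiers_by_function(FUNCTIONS).items():
        print(f"{name:<24} {tier}")
    print("recovery order:", " -> ".join(recovery_order(FUNCTIONS)))
    for system, (rto, rpo, tier) in system_requirements(FUNCTIONS).items():
        print(f"{system:<18} RTO {rto:>5}h  RPO {rpo:>5}h  {tier}")
```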
  28. Business Continuity Strategy
     • Mitigation and planning
     • Organizational issues
     • Alternate site options
     • Alternate site provider considerations
     • Documentation standards
  29. Mitigation and Planning
     Business continuity covers mitigation and planning but emphasizes corrective steps. Mitigation integrates with the enterprise architecture (i.e., hardened patterns).
     [Figure: IBM service-oriented reference architecture. Layers: Business Services (user access, user interaction, business process choreography, business function, common services, information management); Application Services (packaged, acquired and custom applications; information integration, reporting, analytics, collaboration, presentation, business rules, personalization, metadata, business service mediation); Enterprise Service Bus (mediation, messaging, events) and Business Performance Management; Business Connections and Utility Business Services (metering, rating, billing, peering, settlement); Service Level Automation and Orchestration (problem, security, workload, configuration, availability and data management services); Business Resource Virtualization Services (server, storage, network, information, resource mapping); Infrastructure Services. Source: IBM]
  30. Organizational Issues
     • Incident command system:
       – Crisis management team
       – Business resumption teams
       – Information technology teams
       – Incident and emergency teams
       – Staff groups (e.g., legal counsel)
     • Implementation of a temporary structure to manage through a disaster
     • Assignment of decision rights and authorities in a crisis
  31. Alternate Site Options
     • Today’s most common solutions address recovery of technology and facilities to support operations
     • When considering them, ask:
       – How do people and processes factor into contingency plans?
       – How will operations return to normal?
       – How will customer satisfaction be maintained?
       – Does a business continuity solution support the productivity requirements of information assets?
     • Distance from the primary site is an important consideration, along with the logistics of cutting over to the alternate site in the case of a local or regional disruption
     [Figure: alternate site continuum, from Buy and Build through Cold Site and Hot Site to Redundant Site, running from manual to automated recovery]
  32. Alternate Site Provider Considerations
     • Site maintenance
       – Servicing and maintenance
       – Frequency of testing
     • Site services
     • Site resources and upgrade frequency
     • Disaster recovery support
     • Internal control audits and contingency plans
     • Over-subscription ratio and fallback locations
     • Exclusion zone for other subscribers
  33. Documentation Standards
     • Organization of planning documentation
       – Incident response and emergency management
       – IT disaster recovery
       – Business resumption
       – Insurance and loss recovery
       – Human resources
       – Crisis communications
     • Overall guidance on management of business continuity
     • Usability of documentation and plan attachments
     • Ease of document management and maintenance
     • Attention to industry regulations (e.g., SEC)
  34. Implementing Business Continuity Plans
     • Implementation techniques
     • Plan element considerations
     • Plan sections and contents
     • Vital records protection
  35. Implementation Techniques
     • Each organization is unique:
       – Tailoring contingency plans to requirements
       – Retaining flexibility to allow additions, modifications and maintenance
     • There is a need to minimize dependency on:
       – Key persons
       – Third parties
     • Along with documenting contingency plans, procedures should be created to ensure:
       – Completeness and testing
       – Establishment of critical decisions
       – Plans are kept current in each department
  36. Plan Element Considerations
     • Planning aids can assist stakeholders with learning and using business continuity plans
     • Aids to consider using include:
       – Job descriptions
       – Action plans
       – Checklists
       – Matrices
       – Forms
       – Other supporting documentation
     • Plans should clearly articulate assignments and responsibilities
     • Site preparation must be completed in conjunction with documenting plans
     • Planning for IT must factor in restoration of general computing services, recovery of applications and resumption of transaction processing
  37. Plan Sections and Contents
     • There is confusing terminology, including continuity of operations plans, disaster recovery plans, and business recovery/resumption plans
     • Comprehensive business continuity plans typically cover (see handout):
       – Introduction and overall guidelines
       – Crisis management organization
       – Disaster notification and declaration
       – Standby site invocation
       – Human resources plan
       – IT disaster recovery plans
       – Business resumption plans
       – Satellite location (small office) plans
       – Crisis communications plan
       – Facilities assessment and salvage
       – Loss recovery
     • Many organizations maintain their plans with COTS software
  38. Vital Records Protection
     • Backup and recovery procedures support vital records protection
     • Vital records protection procedures:
       – Protect against ordinary hazards of fire, water, mildew, light, dust, insects, rodents, acids and fumes, and excessive humidity.
       – Protect against human hazards of theft, misplacement, and unauthorized access.
       – Protect against disasters of earthquakes, wind storms, explosions, bombings, nuclear fallout, and radiation.
       – Purpose is to protect essential information
     • Best practices highlight the following key success factors:
       – Identify functions essential to the primary mission of the organization
       – Identify records whose informational value to the organization is so great (loss would be so severe) that special protection is justified
       – Have a classification scheme for organization documents/knowledge
       – Institute an enterprise service to manage vital records
  39. Awareness, Testing and Exercise
     • Awareness best practices
     • Tailoring for the audience
     • Testing methods
  40. Awareness Best Practices
     • Inform staff of the importance of business continuity
     • Make line management responsible for orientation
     • Use in-house newsletters and magazines to feature business continuity
     • Periodically distribute emails to employees
     • Use the corporate intranet to post business continuity plans
     • Make mention of business continuity part of performance appraisal
     • Use management meetings to communicate issues
     • Periodically test and give honest, objective feedback about results
     • Involve vendor managers and account managers in the process (extended enterprise impacts)
  41. Awareness Best Practices (Continued)
     Leading organizations tailor their awareness-building activities by segmenting their audience and tailoring materials for each group.
     Source: Corporate Executive Board, HSBC
  42. Testing and Exercise Methods
     • Many organizations focus testing on proving their information systems will work at the alternate site
     • They do this at the expense of:
       – Reviewing the usability of documentation
       – Role-playing disasters (scenario planning)
       – Testing organizational capacity and logistics
       – Stress-testing their business continuity plans
     • Organizations can complement traditional disaster recovery tests with a four-type approach:
       – Documentation review
       – Validation exercise
       – Partial simulation exercise
       – Full disaster simulation
     • Scarcity of scheduling options with alternate sites is a complicating factor
  43. 43. Self Assessment Guide Step 1. Develop an understanding of the business continuity planning strategy and approach to understanding risks, determining priorities and setting objectives. Review Steps Observations 1.1 Review past reports for outstanding audit issues or previous problems. Examine: ▪ Regulatory reports ▪ Internal and external audit reports, including SAS 70 reports ▪ Business continuity test results ▪ Organization’s overall risk assessment and profile. 1.2 Review management’s response to issues brought up during the last review of disaster recovery and service continuity, including: ▪ Adequacy and timing of corrective action; ▪ Resolution of root causes rather than just specific issues; and ▪ Existence of any outstanding issues. 1.3 Interview management and review documentation to identify: ▪ Any significant changes in business strategy or activities that could affect the business recovery process; ▪ Any material changes in the audit program, scope, or schedule related to business continuity activities; ▪ Changes to internal business processes; ▪ Key management changes; ▪ Information technology (IT) environments and changes to configuration or components; ▪ Changes in key service providers (technology, communication, back- up/recovery, etc.) and software vendor listings; and Copyright 2006 Charles McKinney. All rights reserved. Executive Research Council Seminar: Business Continuity Planning 42
  44. 44. Self Assessment Guide (Continued) Review Steps Observations ▪ Any other internal or external factors that could affect the business continuity process. 1.4 Determine consideration of newly identified threats and vulnerabilities to the organization’s business continuity process, including: ▪ Technological and security vulnerabilities ▪ Internally identified threats ▪ Externally identified threats (including known threats published by information sharing organizations) Step 2. Determine the existence of an appropriate business continuity plan (BCP). Review Steps Observations 2.1 Review the written BCP and verify that the BCP: ▪ Addresses the recovery of each business unit/department/ function according to its priority ranking in the risk assessment ▪ Considers interdependencies among systems and provisions for recovery of these interdependencies ▪ Takes into account: - Personnel - Facilities - Technology (hardware, software and other equipment) - Telecommunications and network services - Vendors - Utilities Copyright 2006 Charles McKinney. All rights reserved. Executive Research Council Seminar: Business Continuity Planning 43
  45. 45. Self Assessment Guide (Continued) Review Steps Observations - Documentation (data and records) - Law enforcement - Security - Media - Customers - Shareholders/stakeholders ▪ Addresses emergency response and crisis management, including: Existence of call trees for managers, employees, suppliers and customers Existence of decision-making authorities for designated teams, staff and managers Establishment of authority for declaring a disaster Existence of contingency plans for specific emergency situations Designation of public relations and customer relations spokespersons Provisioning for temporary office space for key personnel Provisioning for replacement equipment from vendors 2.2 Review the organization and scope of documented disaster recovery and business continuity plans to determine if: ▪ Disaster recovery procedures for IT systems are clearly delineated ▪ Business resumption procedures for critical departments/functions are clearly delineated ▪ Emergency response plans are clearly delineated ▪ Documentation of standards for emergency response, disaster recovery and business resumption provides guidance to individual(s) serving in crisis management, disaster recovery coordination and team leadership roles 2.2 Determine if resources are assigned to ensure the BCP is maintained and Copyright 2006 Charles McKinney. All rights reserved. Executive Research Council Seminar: Business Continuity Planning 44
  46. 46. Self Assessment Guide (Continued) Review Steps Observations periodically updated. Step 3. Assess corporate governance of business continuity planning, including direction, oversight and support from the board of directors and senior management. Review Steps Observations 3.1 Determine if the board or senior management has established an enterprise-wide business continuity planning process appropriate for the size and complexity of the organization, which defines the organization’s business continuity strategy. 3.2 Determine if a senior manager has been assigned responsibility to oversee the development, implementation, testing, and maintenance of the BCP. 3.3 Determine if the board has ensured that adequate resources, including sufficient human resources, are devoted to the business continuity process. 3.4 Determine if senior management reviews and approves the written BCP(s) and testing results at least annually. 3.5 Determine if senior management periodically reviews each business unit, business process, department, and subsidiary to prioritize its criticality for disaster recovery and business resumption importance and recovery prioritization. 3.6 If applicable, determine if senior management has confirmed the existence and evaluated the adequacy of BCPs for its external service providers. Copyright 2006 Charles McKinney. All rights reserved. Executive Research Council Seminar: Business Continuity Planning 45
  47. 47. Self Assessment Guide (Continued) Step 4. Determine if a business impact analysis (BIA) and risk assessment have been completed and are adequate. Review Steps Observations 4.1 Determine if all functions and departments were included in the BIA. 4.2 Determine if the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, and the cost and recovery time objectives associated with unplanned downtime. 4.3 Review the risk assessment and determine if it includes scenarios and probability of occurrence of disruptions of information services, technology, personnel, facilities, and external service provisioning from internal and external sources, including: ▪ Natural events such as fires, floods, and severe weather; ▪ Technical events such as communication failure, power out-ages, and equipment and soft-ware failure; and ▪ Malicious activity including network security attacks, fraud, and terrorism. 4.4 Determine if the risk assessment and BIA have been reviewed and approved by senior management and the board. 4.5 Evaluate if the business impact analysis includes financial and non-financial impact indicators, including revenue loss, unusual expenses, customer impact, operational impact, and compliance with laws, regulations, contracts and other legal obligations. Copyright 2006 Charles McKinney. All rights reserved. Executive Research Council Seminar: Business Continuity Planning 46
  48. 48. Self Assessment Guide (Continued) Step 5. Determine if appropriate risk management over the business continuity process is in place. Review Steps Observations 5.1 Determine if adequate risk mitigation strategies have been considered for: ▪ Alternate locations and service provisioning capacity for: ▪ Data centers and computer operations ▪ Work locations for business functions ▪ Telecommunications ▪ Backup of: - Data - Operating systems - Applications - Utility programs - Telecommunications and networking components ▪ Offsite storage of: - Backup media - Supplies - Documentation of disaster recovery plans, standard operating procedures, and other information deemed critical for business resumptions ▪ Alternate power supplies, including uninterruptible power supplies (UPS) and backup generators in the data center 5.2 Determine if consideration has been given to geographic diversity for: ▪ Alternate processing locations ▪ Alternate locations for business processes and functions Copyright 2006 Charles McKinney. All rights reserved. Executive Research Council Seminar: Business Continuity Planning 47
49. Self Assessment Guide (Continued)
Review Steps / Observations
(5.2, continued)
▪ Off-site storage
5.3 Determine if appropriate policies, standards, and processes address business continuity planning issues, including:
▪ Systems development lifecycle
▪ Change control process
▪ Data synchronization, backup, and recovery
▪ Employee training and awareness
▪ Insurance
▪ Customer relations, public relations and crisis communications
5.4 Evaluate if the business continuity strategy includes alternatives for interdependent components and stakeholders, including:
▪ Utilities
▪ Telecommunications
▪ Third-party technology providers
▪ Key suppliers/business partners
▪ Customers/members
5.5 Determine if processes exist to ensure that BCPs remain accurate and current, and that:
▪ Designated personnel are responsible for maintaining changes in processes, personnel, and environment(s).
▪ Senior management reviews and approves the plan(s) annually and after significant changes and updates.
▪ There is notification and distribution of revised plans to personnel and
50. Self Assessment Guide (Continued)
Review Steps / Observations
(5.5, continued) recovery locations.
5.6 Evaluate the existence and adequacy of employee training and awareness capabilities to:
▪ Familiarize employees with BCPs
▪ Provide key personnel with knowledge of their roles and responsibilities
▪ Monitor the effectiveness of employee knowledge, either as part of periodic tests of BCPs or through other mechanisms
5.7 Determine if policies and controls exist which ensure that:
• Workstation, server and network device images are documented and maintained as part of a configuration management library.
• Separate development, testing and production environments are maintained.
• System, integration and user-acceptance testing is performed for all production environment configuration changes prior to their release.
• Operational responsibility for production environment configuration items in the IT environment is assigned and documented.
• Back-out plans are established for configuration changes, unless an exception is authorized by an appropriate senior manager.
• Unplanned downtime is coordinated to minimize disruption of business services.
51. Self Assessment Guide (Continued)
Step 6. Determine whether disaster recovery and business continuity plans undergo periodic testing and exercises to evaluate if the organization can recover from a disaster as planned.
Review Steps / Observations
6.1 Determine if the BCP is tested at least annually.
6.2 Verify that all critical departments and business functions are included in BCP tests and exercises.
6.3 Determine if BCP tests and exercises address the following:
• Setting goals and objectives in advance
• Realistic conditions and activity volumes
• Use of actual backup systems and data files while maintaining off-site backup copies for use in case of an event concurrent with the testing
• A post-test analysis report and review process that includes a comparison of test results to the original goals
• Development of a corrective action plan(s) for all problems encountered
• Reviews by senior management and the board of directors
6.4 Verify the involvement of critical external service providers in testing of disaster recovery and business continuity plans.
6.5 Evaluate if testing of disaster recovery plans for IT includes:
• Testing the operating systems, utilities and network connectivity
• Testing of transaction processing by all critical applications
• Testing data transfer between applications
• Testing customer access to critical applications
• Testing processing of interfaces to third parties or substitute workarounds
52. Self Assessment Guide (Continued)
Review Steps / Observations
(6.5, continued)
• Testing the environment and workload
6.6 Evaluate whether BCP tests and exercises rotate involvement of personnel from technology areas and business functions.
6.7 Evaluate if senior management has evaluated and/or approved testing and exercising BCPs in collaboration with:
▪ External service providers
▪ Customers
▪ Affiliates and alliance partners
▪ Other business process stakeholders
6.8 Determine if BCP tests and exercises address crisis communications by:
• Reviewing the adequacy of customer contact procedures
• Verifying the accuracy of customer records
• Simulating customer contact in a crisis to assess the effectiveness of crisis communications plans
6.9 Evaluate lessons-learned follow-ups to BCP tests and exercises to determine if:
• Post-mortem analysis and lessons-learned review are defined milestones
• A standard process is employed to identify, capture and track lessons learned
• Participant feedback is solicited through post-test meetings, focus groups, surveys or other methods
• A lessons-learned report is sent to senior management and other stakeholders
53. Self Assessment Guide (Continued)
Step 7. Evaluate if data backup and recovery and vital records protection procedures are adequate to ensure the operating effectiveness of disaster recovery plans.
Review Steps / Observations
7.1 Determine if backup and recovery procedures are in place to ensure nightly backup of critical application and business data.
7.2 Evaluate if the frequency and scope of backups are adequate to ensure:
▪ The loss of any data caused by a system failure or outage does not surpass the tolerance for unplanned data loss.
▪ Application, database and system data backups conform to internal or vendor technical specifications.
▪ Backup logs are reviewed for incomplete backups.
▪ Recoverability of data from tape backups is tested monthly or more often.
▪ Off-site tape inventory audits are conducted quarterly or more often.
▪ At a minimum, daily incremental backups are taken, and there is an adequate inventory of tapes available for offsite rotation.
▪ At a minimum, full weekly backups are taken, and there is an adequate inventory of tapes available for offsite rotation.
▪ Desktop workstations are configured to require end users to save data to a file server or periodically back up local hard drives.
▪ End users with portable computers have procedures to follow for backing up locally stored computer data onto a central file server.
7.3 Determine if procedures for protecting vital records in paper format are documented and address all critical record types.
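Review steps 4.2 and 7.2 tie the backup schedule to the BIA's tolerance for unplanned data loss. As an added example that is not part of the seminar material, this Python script reviews a constructed backup job log for incomplete jobs, days with no backup, overdue weekly fulls and the worst-case data-loss window against an assumed 24-hour tolerance; the log format and the tolerance value are assumptions for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample backup job log (not from the seminar): date, time, job type, status.
SAMPLE_LOG = """\
2006-03-06 01:05 FULL OK
2006-03-07 01:02 INCR OK
2006-03-08 01:03 INCR OK
2006-03-09 01:04 INCR FAILED
2006-03-10 01:02 INCR OK
2006-03-11 01:01 INCR OK
2006-03-13 01:06 FULL OK
2006-03-14 01:02 INCR OK
"""

def parse_log(text):
    """Parse 'YYYY-MM-DD HH:MM TYPE STATUS' lines into (start, type, status) tuples."""
    jobs = []
    for line in text.splitlines():
        if line.strip():
            day, clock, kind, status = line.split()
            jobs.append((datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M"), kind, status))
    return sorted(jobs, key=lambda job: job[0])

def review_backups(jobs, rpo_hours, full_interval_days=7):
    """Apply the step 7.2 checks; rpo_hours is the BIA's tolerance for unplanned data loss (step 4.2)."""
    good = [job for job in jobs if job[2] == "OK"]
    findings = {
        "incomplete_jobs": [job[0].isoformat() for job in jobs if job[2] != "OK"],
        "max_gap_hours": 0.0,        # longest interval between consecutive successful backups
        "rpo_breached": False,
        "full_backup_overdue": False,
    }
    # A failure just before a backup loses everything since the previous good copy, so the
    # worst-case data loss is the largest gap between successful jobs (failed jobs do not count).
    for prev, cur in zip(good, good[1:]):
        gap = (cur[0] - prev[0]).total_seconds() / 3600
        findings["max_gap_hours"] = max(findings["max_gap_hours"], gap)
    findings["rpo_breached"] = findings["max_gap_hours"] > rpo_hours
    # Daily incrementals: every calendar day in the reviewed window should have a job logged.
    logged = {job[0].date() for job in jobs}
    first, last = jobs[0][0].date(), jobs[-1][0].date()
    expected = {first + timedelta(days=i) for i in range((last - first).days + 1)}
    findings["missing_days"] = sorted(day.isoformat() for day in expected - logged)
    # Weekly fulls: consecutive successful full backups must not be more than a week apart.
    fulls = [job for job in good if job[1] == "FULL"]
    findings["full_backup_overdue"] = any(
        (cur[0].date() - prev[0].date()).days > full_interval_days for prev, cur in zip(fulls, fulls[1:]))
    return findings
```

On the sample log the failed incremental and the missing day combine into a 48-hour gap, so a 24-hour tolerance is breached even though every scheduled job except one ran.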
54. Self Assessment Guide (Continued)
Step 8. Determine whether disaster recovery and business continuity plans address critical outsourced activities.
Review Steps / Observations
8.1 Determine if BCPs address communications and connectivity with key business partners and external service providers in the event of a disruption affecting the organization or one of these third parties.
8.2 Determine if there are documented procedures in place for accessing, downloading, and uploading information with business partners and external service providers, from primary and recovery locations, in the event of a disruption.
8.3 Determine if the organization has documentation describing disaster recovery plans for its key business partners and external service providers and incorporates this information, as appropriate, into its BCPs.
8.4 Evaluate if the organization monitors its external service providers' disaster recovery and business continuity plans by requiring a SAS 70 report.
Step 9. Evaluate environmental controls and physical security in the organization's data center.
Review Steps / Observations
9.1 Tour data center facilities and interview personnel to evaluate physical security and determine if:
▪ Security patrols of computing areas are periodically conducted.
▪ Doors to critical areas are kept locked at all times.
▪ There is a corporate security officer.
55. Self Assessment Guide (Continued)
Review Steps / Observations
(9.1, continued)
▪ Access pathways to computer facilities are subject to video surveillance.
▪ Access to the data center and IT workspace is controlled by electronic keycards.
▪ Access to offsite storage is limited to authorized personnel.
▪ All visitors are required to sign in and out of the data center with authorized personnel.
▪ Visitors are escorted at all times in the data center.
▪ Physical security logs are reviewed by an authorized security officer at least quarterly.
9.2 Verify that documentation of the organization's UPS capabilities specifies that:
▪ UPS or backup power sources are tested quarterly or more often.
▪ Emergency lighting exists in the data center and surrounding office areas.
▪ Emergency lighting is tested quarterly or more often.
▪ Emergency shutdown procedures are documented for computer equipment in the event of a power
9.3 Tour the data center and verify that environmental controls and procedures ensure that:
▪ The data center has 7x24 air temperature, humidity and air quality control.
▪ A heat and humidity recorder is available.
▪ The data center has a backup system in place to provide for critical environmental controls in the event of primary system failure.
▪ Shutdown alarms are installed.
▪ Shutdown alarms are tested at least quarterly.
▪ Emergency procedures are in place for IT personnel to contact facilities in the event of a shutdown.
▪ Environmental control shutdown procedures are documented and available to authorized personnel.
56. Self Assessment Guide (Continued)
Step 10. Discuss, finalize and communicate observations from the review.
Review Steps / Observations
10.1 After completing fieldwork, prepare workpapers to conform to the organization's internal audit documentation standards.
10.2 Document a preliminary list of any exceptions, present the preliminary list to the Internal Audit Department for its review and comment, and update the list as appropriate.
10.3 Follow up with the appropriate manager(s) about any exceptions to:
▪ Bring the exception to their attention
▪ Verify the exception or identify clarifying information and facts
▪ Obtain management agreement with the exception or provide an opportunity for follow-up
10.4 After reviewing any preliminary exceptions with the appropriate manager(s), finalize the list of exceptions and develop reportable observations.
10.5 Working with the Internal Audit Department, develop a preliminary set of reportable observations and recommendations, which will be reviewed with management, edited and finalized for inclusion in an internal audit report.
10.6 After finalizing reportable observations and recommendations, prepare a draft report for review by the Internal Audit Department and finalize the report to incorporate feedback and comments.
10.7 Communicate final observations and recommendations to management through a meeting to close out the review.