Business Continuity Planning


Published on

This file was presented by me during the study circle meeting at the Mangalore Branch of Southern India Regional Council of the Institute of Chartered Accountants of India.

Published in: Business, Technology
1 Comment
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • What would have happened if Facebook is hacked? Imagine you are the creator of facebook – mark zukerbergExtent of disaster and time taken to continue the businessControls of last resort
  • Planning is an activity performed before the disaster occurs Disaster is an Resulting outrage from disaster can have serious effects on the viability of firm’s operations, profitability, quality of service and convenienceDue to inadequate planningUnderstanding risks to operations and the measures that can minimize the risks and formulate DRP/BCPTake examples of fb disaster. Also quote twitter disaster too
  • The whole presentation in a nutshellBasically the steps involved in formulating a BCPInitiate Perform Risk Assessment  Choose Recovery Strategy  Test and Validate
  • Objectives:Primary Objective – Minimize loss……. – Minimize costs  Planning(assessing risks), Minimizing Losses that ariseEnable organization to survive a disaster – Assure that critical operations can resume normal processing within a reasonable time frame.
  • Understand the core and critical business processes and forecasted processesSteering Committee has a overall responsibility for providing direction and guidance to the bcp teamNext is Risk assessment
  • Similar to SA:315 and SA:330 but those relates to Financial statements of a entityRisks refer to those uncertanities of outcome, whether an opportunity or threat, arising out of actions and events or they are those uncertanities which impede the achievement of the objectiveA thorough assessment of the system’s security and communication environment should be completed including personnel practices; physical security; operating procedures; backup and contingency planning; systems development and maintenance; database security etcBIA helps to understand the degree of potential loss which could occur. This would also include issues as reputation damage, regulatory effects etc
  • Plan Development tasks would include identification of:Organizational risks, CBS, risks w.r.t terms of outrage and financial impactIdentify maximum allowable downtime, type and quantity of resources required for recoveryCan be done through: questionnaires, workshops, interviews, examination of documentsHave a detailed definition of requirements – develop a profile of recovery requirements – software, hardware, documents(user, procedures), outside support (public network), personnel
  • Goals are setAlternative testing strategies are evaluatedThere is no assurance that in the event when plan is activated, the organization would surviveEnsure that the recovery procedures are complete and workableCompetence of personnel and various resources function properly during recoverySuccess or failure of the business continuity training program is monitoredMaintenance of the plans is critical to the success of actual recoveryMust adapt to changes to the environmentRevisions should be made accordingly
  • Start from Business Risk Impact Assessment
  • Objective is to minimize threats Hence essential to evaluate potential threats to the systemIntergrity:
  • Policies usually can be obtained to cover the following resourcesStorage mediaAccounts receivableFacilitiesEquipmentMalpractice, errorsValuable paper and recordsMedia transportationBusiness interruption
  • Test boundaries are requied to satisfy the disaster recovery strategies. Management team must consider future test criteria to meet the end objectives. Opportunities to test actual recovery provcedures should be done wherever possibleSecnario: eg the scenario must outline what caused the disaster and the level of damage and whether or not anything can be salvaged purpose is to explain to all the participants the cause of the disaster and the planned recovery pointsTest criteria: Role of the observer is to give an unbiased view and to comment on the area of success or concern to assist in future testingAssumptions: eg all purchases (equipment, furniture etc) can be made in the recovery time requiredBriefing session: no matter is necessary. Boundaries are explained and opportunities to discuss any technical uncertanities are providedAnalysing the test: constructive analysis of each test and its result will lead to an effective recovery plan
  • Business Continuity Planning

    2. 2. Business Continuity Plan BCP is the creation and validation of a practical logistical plan for how an organization will recover and restore partially or completely within a predetermined time after a disaster has occurred.
    3. 3. GENERAL CONCEPT A common man’s view
    4. 4. Business Continuity Planning Lifecycle
    5. 5. Need for BCP/DRP
    6. 6. Objectives Goals Areas Minimize loss by Minimizing the cost associated with disruptions Identify weaknesses Business Resumption Planning Enable the Organization to survive a disaster Minimize the duration of a serious disruption to b/s operations Disaster Recovery Planning Facilitate effective co-ordination of recovery tasks Crisis Management Reduce the complexity of the recovery effort
    7. 7. Developing a BCP
    8. 8. Initiate Obtain understanding of the existing and projected systems Establish a ‘Steering Committee’ Develop a Master Schedule and milestones
    9. 9. Perform Risk Assessment
    10. 10. Choose Recovery Strategy Plan Development • Determine all available options and strategies • Business – Logistics, HR, Accounting • Technical – IT (Client – Server, Mainframes, Databases, Networks Identify Recovery Strategy • Recovery plan components and standards are defined, developed and documented • Define notification procedures • Establish Business recovery teams for each CBS
    11. 11. Test and Validate • Validate the BCP • Develop and document contingency test plans • Prepare and execute tests • Maintenance • Update disaster recovery plans and procedures
    12. 12. Working of a BCP Process
    13. 13. Differentiation of BCP and DRP Business Continuity Plan: It is the process of defining arrangements and procedures that enable an organization to continue as a viable entity. It addresses the recovery of a company’s critical business functions after an interruption Disaster Recovery Plan: It involves making preparations for a disaster and also addresses the procedures to be followed during and after a loss. It is specific to the information system function
    14. 14. Types of Disaster Recovery Plans Emergency Plan Backup Plan It specifies actions to be undertaken when the disaster happen It specifies the type of backup to be kept, frequency of backup to be undertaken, procedures, location, personnel, priorities assigned and a time frame Identification of situations which requires plan to be invoked It needs continuous updates as changes occur
    15. 15. Types of Disaster Recovery Plans Recovery Plan Test Plan It specifies procedures to restore full information system capabilities Final Component Formation of a recovery committee, specify responsibilities and guidelines for proper functioning Identification of deficiencies in the emergency, backup or recovery plans or tin the preparation of an organization for facing a disaster
    16. 16. Threats and Risk Management •Lack of Integrity •Lack of Confidentiality •Unauthorized Access •Hostile Software •Disgruntled Employees •Hackers and computer crimes •Terrorism and Industrial espionage
    17. 17. Types of Backup Full Backup Incremental Backup Differential Backup Mirror Backup IT captures all files on the disk or within the folder selected for backup It captures files that were created or changed since the last backup, regardless the backup type It stores files that have changed since the last full backup. It is identical to a full backup, with the exception that the files are not compressed in zip files and they cannot be protected with a password
    18. 18. Alternative Processing Facility Arrangements It is useful when the organization can tolerate some downtime Organization requires minimum facilities at an alternative location to run its regular operations It is inexpensive Cold site Useful when fast recovery is critical Organization requires all the facilities at an alternative location It is expensive Hot site
    19. 19. Provides intermediate level of backup Organization can tolerate some downtime Organization requires only essential facilities at an alternative location Warm Site Two or more organizations might agree to provide backup facilities to each other in the event of one suffering a disaster It is relatively cheap Each participant must maintain sufficient capacity to operate another’s critical system Reciprocal Agreement Alternative Processing Facility Arrangements
    20. 20. Insurance • The purpose of insurance is to spread the economic cost and risk loss from an individual or business to a large number of people. • Policies are contracts that obligate the insurer to indemnify the policyholder from specific risks in exchange of a premium • Adequate insurance coverage is a key consideration while developing a BRP/DRP and performing a risk analysis
    21. 21. Activities considered while testing BRP/DRP plan • Defining the boundaries • Scenario • Test Criteria • Assumptions • Briefing Session • Checklists • Analysing the test • Debriefing session
    22. 22. Audit of DR/BR plan • Based on the BIA • Key employees have participated in the development • Plan is simple and is realistic in assumptions • Review the existing DR/BR plan • Gather background info regarding its preparation • Does the DR/BR plan include provisions for personnel, building, utilities and transportation and IT • Does the BR/DR plan include contact details of of suppliers of essential equipment • Does the DR/BR plans include provisions for the approval to expend funds that were not budgeted for the period? Recovery may be costly
    23. 23. Sources • ISCA Study Material – Volume 1 – ICAI Publication • Comprehensive Guide on Information Systems Audit – Volume II – Commissioned by IT Committee of ICAI • Guide to Implementing Enterprise Risk Management – Internal Standards Board - ICAI • Information Systems Control Audit – Prof.Jignesh Chhedda – VORA Book Agency
    24. 24. Thanks Bharath Rao B +919611319421 /bharathraob