This file was presented by me during the study circle meeting at the Mangalore Branch of Southern India Regional Council of the Institute of Chartered Accountants of India.
2. Bbharathrao.wordpress.com
Business Continuity Plan
BCP is the creation and
validation of a practical
logistical plan for how an
organization will recover
and restore partially or
completely within a
predetermined time after
a disaster has occurred.
6. Bbharathrao.wordpress.com
Objectives Goals Areas
Minimize loss by
Minimizing the cost
associated with
disruptions
Identify weaknesses Business Resumption
Planning
Enable the
Organization to
survive a disaster
Minimize the
duration of a serious
disruption to b/s
operations
Disaster Recovery
Planning
Facilitate effective
co-ordination of
recovery tasks
Crisis Management
Reduce the
complexity of the
recovery effort
10. Bbharathrao.wordpress.com
Choose Recovery Strategy
Plan Development
• Determine all available
options and strategies
• Business – Logistics, HR,
Accounting
• Technical – IT (Client –
Server, Mainframes,
Databases, Networks
Identify Recovery Strategy
• Recovery plan components
and standards are defined,
developed and
documented
• Define notification
procedures
• Establish Business recovery
teams for each CBS
11. Bbharathrao.wordpress.com
Test and Validate
• Validate the BCP
• Develop and document contingency test
plans
• Prepare and execute tests
• Maintenance
• Update disaster recovery plans and
procedures
13. Bbharathrao.wordpress.com
Differentiation of BCP and DRP
Business Continuity Plan: It is the process of
defining arrangements and procedures that
enable an organization to continue as a
viable entity. It addresses the recovery of a
company’s critical business functions after an
interruption
Disaster Recovery Plan: It involves making
preparations for a disaster and also
addresses the procedures to be followed
during and after a loss. It is specific to the
information system function
14. Bbharathrao.wordpress.com
Types of Disaster Recovery Plans
Emergency Plan Backup Plan
It specifies actions to be
undertaken when the disaster
happen
It specifies the type of backup to
be kept, frequency of backup to be
undertaken, procedures, location,
personnel, priorities assigned and a
time frame
Identification of situations which
requires plan to be invoked
It needs continuous updates as
changes occur
15. Bbharathrao.wordpress.com
Types of Disaster Recovery Plans
Recovery Plan Test Plan
It specifies procedures to restore full
information system capabilities
Final Component
Formation of a recovery committee,
specify responsibilities and guidelines
for proper functioning
Identification of deficiencies in
the emergency, backup or
recovery plans or tin the
preparation of an organization for
facing a disaster
16. Bbharathrao.wordpress.com
Threats and Risk Management
•Lack of Integrity
•Lack of
Confidentiality
•Unauthorized
Access
•Hostile Software
•Disgruntled
Employees
•Hackers and
computer crimes
•Terrorism and
Industrial
espionage
17. Bbharathrao.wordpress.com
Types of Backup
Full Backup Incremental Backup Differential Backup Mirror Backup
IT captures
all files on
the disk or
within the
folder
selected for
backup
It captures files that
were created or
changed since the
last backup,
regardless the
backup type
It stores files that
have changed since
the last full backup.
It is identical
to a full
backup, with
the exception
that the files
are not
compressed in
zip files and
they cannot be
protected with
a password
18. Bbharathrao.wordpress.com
Alternative Processing Facility
Arrangements
It is useful when
the organization
can tolerate some
downtime
Organization
requires minimum
facilities at an
alternative location
to run its regular
operations
It is inexpensive
Cold
site Useful when fast
recovery is critical
Organization
requires all the
facilities at an
alternative location
It is expensive
Hot
site
19. Bbharathrao.wordpress.com
Provides intermediate
level of backup
Organization can
tolerate some downtime
Organization requires
only essential facilities
at an alternative location
Warm
Site
Two or more
organizations might
agree to provide backup
facilities to each other in
the event of one
suffering a disaster
It is relatively cheap
Each participant must
maintain sufficient
capacity to operate
another’s critical system
Reciprocal
Agreement
Alternative Processing Facility
Arrangements
20. Bbharathrao.wordpress.com
Insurance
• The purpose of insurance is to spread the
economic cost and risk loss from an individual
or business to a large number of people.
• Policies are contracts that obligate the insurer
to indemnify the policyholder from specific
risks in exchange of a premium
• Adequate insurance coverage is a key
consideration while developing a BRP/DRP and
performing a risk analysis
22. Bbharathrao.wordpress.com
Audit of DR/BR plan
• Based on the BIA
• Key employees
have participated
in the development
• Plan is simple and
is realistic in
assumptions
• Review the existing
DR/BR plan
• Gather background
info regarding its
preparation
• Does the DR/BR
plan include
provisions for
personnel,
building, utilities
and transportation
and IT
• Does the BR/DR
plan include
contact details of
of suppliers of
essential
equipment
• Does the DR/BR
plans include
provisions for the
approval to expend
funds that were not
budgeted for the
period? Recovery
may be costly
23. Bbharathrao.wordpress.com
Sources
• ISCA Study Material – Volume 1 – ICAI Publication
• Comprehensive Guide on Information Systems Audit
– Volume II – Commissioned by IT Committee of ICAI
• Guide to Implementing Enterprise Risk Management
– Internal Standards Board - ICAI
• Information Systems Control Audit – Prof.Jignesh
Chhedda – VORA Book Agency
What would have happened if Facebook is hacked? Imagine you are the creator of facebook – mark zukerbergExtent of disaster and time taken to continue the businessControls of last resort
Planning is an activity performed before the disaster occurs Disaster is an Resulting outrage from disaster can have serious effects on the viability of firm’s operations, profitability, quality of service and convenienceDue to inadequate planningUnderstanding risks to operations and the measures that can minimize the risks and formulate DRP/BCPTake examples of fb disaster. Also quote twitter disaster too
The whole presentation in a nutshellBasically the steps involved in formulating a BCPInitiate Perform Risk Assessment Choose Recovery Strategy Test and Validate
Objectives:Primary Objective – Minimize loss……. – Minimize costs Planning(assessing risks), Minimizing Losses that ariseEnable organization to survive a disaster – Assure that critical operations can resume normal processing within a reasonable time frame.
Understand the core and critical business processes and forecasted processesSteering Committee has a overall responsibility for providing direction and guidance to the bcp teamNext is Risk assessment
Similar to SA:315 and SA:330 but those relates to Financial statements of a entityRisks refer to those uncertanities of outcome, whether an opportunity or threat, arising out of actions and events or they are those uncertanities which impede the achievement of the objectiveA thorough assessment of the system’s security and communication environment should be completed including personnel practices; physical security; operating procedures; backup and contingency planning; systems development and maintenance; database security etcBIA helps to understand the degree of potential loss which could occur. This would also include issues as reputation damage, regulatory effects etc
Plan Development tasks would include identification of:Organizational risks, CBS, risks w.r.t terms of outrage and financial impactIdentify maximum allowable downtime, type and quantity of resources required for recoveryCan be done through: questionnaires, workshops, interviews, examination of documentsHave a detailed definition of requirements – develop a profile of recovery requirements – software, hardware, documents(user, procedures), outside support (public network), personnel
Goals are setAlternative testing strategies are evaluatedThere is no assurance that in the event when plan is activated, the organization would surviveEnsure that the recovery procedures are complete and workableCompetence of personnel and various resources function properly during recoverySuccess or failure of the business continuity training program is monitoredMaintenance of the plans is critical to the success of actual recoveryMust adapt to changes to the environmentRevisions should be made accordingly
Start from Business Risk Impact Assessment
Objective is to minimize threats Hence essential to evaluate potential threats to the systemIntergrity:
Policies usually can be obtained to cover the following resourcesStorage mediaAccounts receivableFacilitiesEquipmentMalpractice, errorsValuable paper and recordsMedia transportationBusiness interruption
Test boundaries are requied to satisfy the disaster recovery strategies. Management team must consider future test criteria to meet the end objectives. Opportunities to test actual recovery provcedures should be done wherever possibleSecnario: eg the scenario must outline what caused the disaster and the level of damage and whether or not anything can be salvaged purpose is to explain to all the participants the cause of the disaster and the planned recovery pointsTest criteria: Role of the observer is to give an unbiased view and to comment on the area of success or concern to assist in future testingAssumptions: eg all purchases (equipment, furniture etc) can be made in the recovery time requiredBriefing session: no matter is necessary. Boundaries are explained and opportunities to discuss any technical uncertanities are providedAnalysing the test: constructive analysis of each test and its result will lead to an effective recovery plan