Chapter 6 Learning Objectives
• Evaluate the adequacy of backup and restore provisions to ensure the availability of information required to resume processing
• Evaluate the organization's disaster recovery plan to ensure that it enables the recovery of IT processing capabilities in the event of a disaster
• Evaluate the organization's business continuity plan to ensure the organization's ability to continue essential business operations during the period of an IT disruption
6.2 Business Continuity / Disaster Recovery Planning
• Business continuity planning (BCP) is a process designed to reduce the organization’s business risk
• A BCP is much more than just a plan for the information systems
6.2 Business Continuity / Disaster Recovery Planning (continued)
Corporate risks could cause an organization to suffer:
• Inability to maintain critical customer services
• Damage to market share, reputation or brand
• Failure to protect the company assets, including intellectual property and personnel
• Business control failure
• Failure to meet legal or regulatory requirements
Practice Question
6-1 During an audit of a large bank, the IS auditor observes that no formal
risk assessment exercise has been carried out for the various business
applications to arrive at their relative importance and recovery time
requirements. The risk to which the bank is exposed is that the:
A. business continuity plan may not have been calibrated to the
relative risk that disruption of each application poses to the
organization.
B. business continuity plan may not include all relevant
applications and, therefore, may lack completeness in terms
of its coverage.
C. business impact of a disaster may not have been accurately
understood by the management.
D. business continuity plan may lack an effective ownership by
the business owners of such applications.
Practice Question
6-2 Which of the following is necessary to have FIRST
in the development of a business continuity plan?
A. Risk-based classification of systems
B. Inventory of all assets
C. Complete documentation of all disasters
D. Availability of hardware and software
Practice Question
6-3 An IS auditor should be involved in:
A. observing tests of the disaster recovery plan.
B. developing the disaster recovery plan.
C. maintaining the disaster recovery plan.
D. reviewing the disaster recovery
requirements of supplier contracts.
6.2.1 IS Business Continuity / Disaster Recovery Planning
IS processing is of strategic importance:
• Critical component of the overall BCP
• Most key business processes depend on the availability of key systems and infrastructure components
6.2.2 Disasters and Other Disruptive Events
• Disasters are disruptions that cause critical information resources to be inoperative for a period of time
• A good BCP will take into account impacts on IS processing facilities
6.2.3 Business Continuity Planning Process
6.2.4 Business Continuity Policy
• Defines the extent and scope of business continuity for both internal and external stakeholders
• Should be proactive
6.2.5 Business Continuity Planning Incident Management
All types of incidents should be categorized:
• Negligible
• Minor
• Major
• Crisis
6.2.5 Business Continuity Planning Incident Management (continued)
6.2.6 Business Impact Analysis
• Critical step in developing the business continuity plan
• Three main questions to consider during the BIA phase:
1. What are the different business processes?
2. What are the critical information resources related to an organization’s critical business processes?
3. What is the critical recovery time period for information resources in which business processing must be resumed before significant or unacceptable losses are suffered?
6.2.6 Business Impact Analysis (continued)
6.2.6 Business Impact Analysis (continued)
What is the system’s risk ranking?
• Critical
• Vital
• Sensitive
• Non-sensitive
Practice Question
6-4 The window of time for recovery of information
processing capabilities is based on the:
A. criticality of the processes affected.
B. quality of the data to be processed.
C. nature of the disaster.
D. applications that are mainframe-based.
6.2.7 Recovery Point Objective and Recovery Time Objective
• Recovery Point Objective (RPO)
– Based on acceptable data loss
– Indicates the earliest point in time to which it is acceptable to recover the data
• Recovery Time Objective (RTO)
– Based on acceptable downtime
– Indicates the earliest point in time at which business operations must resume after a disaster
6.2.7 Recovery Point Objective and Recovery Time Objective (continued)
6.2.7 Recovery Point Objective and Recovery Time Objective (continued)
Additional parameters important in defining recovery strategies:
• Interruption window
• Service delivery objective (SDO)
• Maximum tolerable outage
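The following is an added worked example, not part of the CISA slides: it expresses the RPO, RTO, interruption window, SDO and maximum tolerable outage as numeric targets and checks a candidate recovery arrangement against each of them, so that an auditor can see which objective a proposed strategy fails rather than reasoning about the definitions alone. The class names, the field names and every figure (hours, capacity fractions) are assumptions constructed for the illustration; the interpretation of SDO as a fraction of normal capacity and of MTO as the maximum time in alternate mode follows the definitions in the section above.

```python
"""Recovery-objective check for a proposed recovery arrangement.

Added illustration of the parameters in section 6.2.7; not from the CISA
material, and every figure below is constructed. Times are in hours;
capacities are fractions of normal processing capacity.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RecoveryObjectives:
    """Targets the business sets in the BIA (hypothetical structure)."""
    rpo_hours: float                  # acceptable data loss
    rto_hours: float                  # acceptable downtime before operations must resume
    interruption_window_hours: float  # how long the business can wait for critical services
    sdo: float                        # service delivery objective: capacity fraction in alternate mode
    mto_hours: float                  # maximum tolerable time spent operating in alternate mode


@dataclass(frozen=True)
class RecoveryArrangement:
    """What a candidate strategy actually delivers (hypothetical structure)."""
    backup_interval_hours: float  # time between copies of the data (0 = synchronous mirroring)
    restore_hours: float          # time from failure until service is back at the recovery site
    alternate_capacity: float     # fraction of normal capacity available at the recovery site
    alternate_mode_hours: float   # planned time at the recovery site before returning to normal


def worst_case_data_loss_hours(arr):
    """A failure just before the next copy loses a full backup interval of data."""
    return arr.backup_interval_hours


def objectives_consistent(obj):
    """The RTO the plan commits to must fit inside the window the business can tolerate."""
    return obj.rto_hours <= obj.interruption_window_hours


def evaluate(obj, arr):
    """Map each parameter to True (met) or False (not met)."""
    return {
        "rpo": worst_case_data_loss_hours(arr) <= obj.rpo_hours,
        "rto": arr.restore_hours <= obj.rto_hours,
        "interruption_window": arr.restore_hours <= obj.interruption_window_hours,
        "sdo": arr.alternate_capacity >= obj.sdo,
        "mto": arr.alternate_mode_hours <= obj.mto_hours,
    }


def unmet(obj, arr):
    """Sorted names of the parameters the arrangement fails; empty means all met."""
    return sorted(name for name, ok in evaluate(obj, arr).items() if not ok)


# Constructed targets: at most 4 h of lost data, service back within 24 h,
# 60% of normal capacity acceptable at the recovery site for up to 30 days.
TARGETS = RecoveryObjectives(rpo_hours=4, rto_hours=24, interruption_window_hours=24,
                             sdo=0.6, mto_hours=30 * 24)

# Candidate 1 (constructed): nightly backups, a 36 h restore, a half-capacity site.
NIGHTLY_TAPE = RecoveryArrangement(backup_interval_hours=24, restore_hours=36,
                                   alternate_capacity=0.5, alternate_mode_hours=10 * 24)

# Candidate 2 (constructed): mirrored data, an 8 h failover, a site sized to 70% of load.
MIRRORED_SITE = RecoveryArrangement(backup_interval_hours=0, restore_hours=8,
                                    alternate_capacity=0.7, alternate_mode_hours=10 * 24)

if __name__ == "__main__":
    for name, arr in (("nightly tape", NIGHTLY_TAPE), ("mirrored site", MIRRORED_SITE)):
        print(f"{name}: unmet = {unmet(TARGETS, arr) or 'none'}")
```

The check treats the RPO as a bound on the worst-case age of the most recent usable copy, which is why the backup interval is the quantity compared against it; `objectives_consistent` catches the case where the plan's own RTO is longer than the window the business said it could tolerate, a contradiction that should be raised with management before any strategy is costed.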
Practice Question
6-5 Data mirroring should be implemented as a
recovery strategy when:
A. recovery point objective (RPO) is low.
B. RPO is high.
C. recovery time objective (RTO) is high.
D. disaster tolerance is high.
Practice Question
6-6 When preparing a business continuity plan, which
of the following MUST be known to establish a
recovery point objective (RPO)?
A. The acceptable data loss in case of
disruption of operations
B. The acceptable downtime in case of
disruption of operations
C. Types of offsite backup facilities available
D. Types of IT platforms supporting critical
business functions
6.2.8 Recovery Strategies
• A recovery strategy is a combination of preventive, detective and corrective measures
• The selection of a recovery strategy would depend upon:
– The criticality of the business process and the applications supporting the processes
– Cost
– Time required to recover
– Security
6.2.8 Recovery Strategies (continued)
Recovery strategies based on the risk level identified for recovery would include developing:
• Hot sites
• Warm sites
• Cold sites
• Duplicate information processing facilities
• Mobile sites
• Reciprocal arrangements with other organizations
6.2.9 Recovery Alternatives
Types of offsite backup facilities:
• Hot sites - Fully equipped facility
• Warm sites - Partially equipped but lacking processing power
• Cold sites - Basic environment
• Duplicate (redundant) information processing facility
• Mobile sites
• Reciprocal agreement
– Contract with hot, warm or cold site
– Procuring alternative hardware facilities
6.2.9 Recovery Alternatives (continued)
Provisions for use of third-party sites should cover:
• Configurations
• Disaster
• Speed of availability
• Subscribers per site and area
• Preference
• Insurance
• Audit
• Reliability
6.2.9 Recovery Alternatives (continued)
Procuring alternative hardware facilities:
• Vendor or third party
• Off-the-shelf
• Credit agreement or emergency credit cards
Practice Question
6-7 An IS auditor discovers that an organization’s business continuity plan
provides for an alternate processing site that will accommodate 50
percent of the primary processing capability. Based on this, which of the
following actions should the IS auditor take?
A. Do nothing, because generally, less than 25 percent of all
processing is critical to an organization’s survival and the
backup capacity, therefore, is adequate.
B. Identify applications that could be processed at the alternate
site and develop manual procedures to back up other
processing.
C. Ensure that critical applications have been identified and that
the alternate site could process all such applications.
D. Recommend that the information processing facility arrange
for an alternate processing site with the capacity to handle at
least 75 percent of normal processing.
6.2.10 Development of Business Continuity and Disaster Recovery Plans
Factors to consider when developing the plans:
• Pre-disaster readiness
• Evacuation procedures
• Circumstances under which a disaster should be declared
• Identification of plan responsibilities
• Identification of contract information
• Recovery option explanations
• Identification of resources for recovery and continued operation of the organization
• Application of the reconstitution phase
6.2.11 Organization and Assignment of Responsibilities
The emergency management team coordinates the activities of all other recovery teams. This team oversees:
• Retrieving critical and vital data from offsite storage
• Installing and testing systems software and applications at the system recovery site
• Identifying, purchasing and installing hardware at the system recovery site
• Operating from the system recovery site
• Rerouting network communications traffic
6.2.11 Organization and Assignment of Responsibilities (continued)
The emergency management team also oversees:
• Reestablishing the user/system network
• Transporting users to the recovery facility
• Reconstructing databases
• Supplying necessary office goods, e.g., special forms, check stock, paper
• Arranging and paying for employee relocation expenses at the recovery facility
• Coordinating systems use and employee work schedules
6.2.12 Other Issues in Plan Development
• Management and user involvement is vital to the success of the BCP
– Essential to the identification of critical systems, recovery times and resources
– Involvement from support services, business operations and information processing support
• The entire organization needs to be considered for the BCP
6.2.13 Components of a Business Continuity Plan
A business continuity plan may consist of more than one plan document:
• Continuity of operations plan (COOP)
• Disaster recovery plan (DRP)
• Business resumption plan
• Continuity of support plan / IT contingency plan
• Crisis communications plan
• Incident response plan
• Transportation plan
• Occupant emergency plan (OEP)
6.2.13 Components of a Business Continuity Plan (continued)
Components of the plan:
• Key decision-making personnel
• Backup of required supplies
• Telecommunication networks disaster recovery methods
• Redundant array of inexpensive disks (RAID)
• Insurance
Practice Question
6-8 In a business continuity plan, which of the following
notification directories is the MOST important?
A. Equipment and supply vendors
B. Insurance company agents
C. Contract personnel services
D. A prioritized contact list
Practice Question
6-9 Which of the following components of a business
continuity plan is PRIMARILY the responsibility of
an organization’s IS department?
A. Developing the business continuity plan
B. Selecting and approving the strategy for the
business continuity plan
C. Declaring a disaster
D. Restoring the IS systems and data after a
disaster
6.2.13 Components of a Business Continuity Plan (continued)
Telecommunication networks disaster recovery methods:
• Redundancy
• Alternative routing
• Diverse routing
• Long-haul network diversity
• Last-mile circuit protection
• Voice recovery
6.2.13 Components of a Business Continuity Plan (continued)
Redundant array of inexpensive disks (RAID):
• Provides performance improvements and fault-tolerant capabilities via hardware or software solutions
• Provides the potential for cost-effective mirroring offsite for data backup
6.2.13 Components of a Business Continuity Plan (continued)
Insurance:
• IS equipment and facilities
• Media (software) reconstruction
• Extra expense
• Business interruption
• Valuable papers and records
• Errors and omissions
• Fidelity coverage
• Media transportation
6.2.14 Plan Testing
• Schedule testing at a time that will minimize disruptions to normal operations
• Tests must simulate actual processing conditions
• Test execution:
– Documentation of results
– Results analysis
– Recovery / continuity plan maintenance
Practice Question
6-10 In an audit of a business continuity plan, which of
the following findings is of MOST concern?
A. There is no insurance for the addition of
assets during the year.
B. The business continuity plan manual is not
updated on a regular basis.
C. Testing of the backup data has not been
done regularly.
D. Records for maintenance of the access
system have not been maintained.
6.2.15 Backup and Restoration
• Offsite library controls
• Security and control of offsite facilities
• Media and documentation backup
• Periodic backup procedures
• Frequency of rotation
• Types of media and documentation rotated
• Record keeping for offsite storage
• Business continuity management best practices
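The following is an added example, not part of the CISA slides, showing how the backup-and-restoration controls in this section and the restore-testing requirement of 6.2.14 can be checked mechanically against an offsite storage register: each system's latest copy is compared with the rotation frequency its BIA risk ranking requires, the copy must be recorded as rotated offsite and integrity-verified, and the last restore test must fall within the policy interval. The register rows, the system names, the policy thresholds and the `as_of` date are all constructed for the illustration; a real audit would take the thresholds from the organization's own backup policy.

```python
"""Audit check over an offsite backup register.

Added example for sections 6.2.14 and 6.2.15; the register rows and the
policy thresholds are constructed and stand in for a real storage log.
"""
from datetime import datetime, timedelta

# Policy thresholds by BIA risk ranking (constructed; a real policy comes from the BCP).
# max_backup_age = longest acceptable gap since the last copy;
# max_restore_test_age = longest acceptable gap since a restore was actually exercised.
POLICY = {
    "critical":      {"max_backup_age": timedelta(days=1),  "max_restore_test_age": timedelta(days=90)},
    "vital":         {"max_backup_age": timedelta(days=7),  "max_restore_test_age": timedelta(days=180)},
    "sensitive":     {"max_backup_age": timedelta(days=30), "max_restore_test_age": timedelta(days=365)},
    "non-sensitive": {"max_backup_age": timedelta(days=90), "max_restore_test_age": None},
}

# Constructed register: one row per system, as an offsite storage log might record it.
REGISTER = [
    {"system": "core-banking-db", "ranking": "critical", "last_backup": "2024-03-10T23:00",
     "media_id": "TAPE-0412", "offsite": True, "restore_tested": "2024-01-15", "checksum_verified": True},
    {"system": "payments-gw", "ranking": "critical", "last_backup": "2024-03-08T23:00",
     "media_id": "TAPE-0398", "offsite": True, "restore_tested": "2023-10-01", "checksum_verified": True},
    {"system": "hr-portal", "ranking": "vital", "last_backup": "2024-03-09T02:00",
     "media_id": "TAPE-0401", "offsite": False, "restore_tested": "2024-02-20", "checksum_verified": False},
    {"system": "intranet-wiki", "ranking": "non-sensitive", "last_backup": "2024-01-20T02:00",
     "media_id": "TAPE-0350", "offsite": True, "restore_tested": None, "checksum_verified": True},
]

AS_OF = datetime(2024, 3, 11, 9, 0)  # constructed audit date


def audit_register(register, as_of, policy=POLICY):
    """Return (system, finding) pairs for every control the register fails, in register order."""
    exceptions = []
    for row in register:
        rule = policy[row["ranking"]]
        backup_age = as_of - datetime.fromisoformat(row["last_backup"])
        if backup_age > rule["max_backup_age"]:
            exceptions.append((row["system"], "backup older than policy frequency"))
        if not row["offsite"]:
            exceptions.append((row["system"], "latest media not rotated offsite"))
        if not row["checksum_verified"]:
            exceptions.append((row["system"], "media integrity not verified"))
        limit = rule["max_restore_test_age"]
        if limit is not None:
            tested = row["restore_tested"]
            if tested is None or as_of - datetime.fromisoformat(tested) > limit:
                exceptions.append((row["system"], "restore test overdue or never performed"))
    return exceptions


def systems_with_exceptions(register, as_of, policy=POLICY):
    """Distinct systems that have at least one finding, in register order."""
    seen = []
    for system, _ in audit_register(register, as_of, policy):
        if system not in seen:
            seen.append(system)
    return seen


if __name__ == "__main__":
    for system, finding in audit_register(REGISTER, AS_OF):
        print(f"{system}: {finding}")
```

The restore-test check is the one most often missing from a backup review: a current, offsite, checksum-verified copy still says nothing about whether the organization can rebuild the system from it within the RTO, which only an exercised restore demonstrates. Rows whose ranking has no restore-test threshold are skipped for that control rather than treated as failing, so the policy table, not the code, decides what is exempt.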
6.2.16 Summary of Business Continuity and Disaster Recovery
• The business continuity plan must:
– Be based on the long-range IT plan
– Comply with the overall business continuity strategy
6.2.16 Summary of Business Continuity and Disaster Recovery (continued)
• Process for developing and maintaining the BCP/DRP:
– Business impact analysis
– Identify and prioritize systems
– Choose appropriate strategies
– Develop the detailed plan for IS facilities
– Develop the detailed BCP
– Test the plans
– Maintain the plans
6.3 Auditing Business Continuity
• Understand and evaluate the business continuity strategy
• Evaluate plans for accuracy and adequacy
• Verify plan effectiveness
• Evaluate offsite storage
• Evaluate the ability of IS and user personnel to respond effectively
• Ensure plan maintenance is in place
• Evaluate the readability of business continuity manuals and procedures
6.3.1 Reviewing the Business Continuity Plan
IS auditors should verify that the basic elements of a well-developed plan are evident, including:
• Currency of documents
• Effectiveness of documents
• Interviews with personnel to confirm appropriateness and completeness
6.3.2 Evaluation of Prior Test Results
IS auditors must review the test results to:
• Determine whether corrective actions are in the plan
• Evaluate thoroughness and accuracy
• Determine problem trends and resolution of problems
6.3.3 Evaluation of Offsite Storage
An IS auditor must:
• Evaluate the presence, synchronization and currency of media and documentation
• Perform a detailed inventory review
• Review all documentation
• Evaluate the availability of the facility
6.3.4 Interviewing Key Personnel
• Key personnel must have an understanding of their responsibilities
• Current, detailed documentation must be kept
6.3.5 Evaluation of Security at Offsite Facility
An IS auditor must:
• Evaluate the physical and environmental access controls
• Examine the equipment for current inspection and calibration tags
6.3.6 Reviewing Alternative Processing Contract
• An IS auditor should obtain a copy of the contract with the vendor
• The contract should be reviewed against a number of guidelines:
– Contract is clear and understandable
– Organization’s agreement with the rules
6.3.7 Reviewing Insurance Coverage
• Insurance coverage must reflect the actual cost of recovery
• Coverage of the following must be reviewed for adequacy:
– Media damage
– Business interruption
– Equipment replacement
– Business continuity processing
Case Study Scenario
• Organization revising BCP and DRP for headquarters (750 employees) and 16 branches (each with 20–35 employees and a mail and file / print server)
• Current plans not updated in more than 8 years
• Organization has grown by 300%
• Staff connect via LAN to more than 60 applications, databases and print servers in the corporate data centre
• Staff connect via a frame relay network to the branches
• Traveling users connect over the Internet using VPN
• Critical applications have an RTO of 3–5 days
Case Study Scenario (continued)
• All users in the headquarters and branches connect to the Internet through a firewall and proxy server located in the data center
• Branch offices are located between 30 and 50 miles from one another, with none closer to the headquarters facility than 25 miles
• Backup media for the data center are stored at a third-party facility 35 miles away
• Backups for servers located at the branch offices are stored at nearby branch offices using reciprocal agreements between offices
Case Study Scenario (continued)
Current contract with third-party hot site:
• 3-year term, with equipment upgrades occurring at renewal time
• 25 servers
• Work area space with PCs for 100 employees
• Separate agreement to ship 2 servers and 10 PCs to any branch declaring a disaster
• Hot site provider has multiple sites in case the primary site is in use by another customer or rendered unavailable by the disaster
Case Study Question
1. On the basis of the above information, which of the
following should the IS auditor recommend
concerning the hot site?
A. Desktops at the hot site should be increased
to 750.
B. An additional 35 servers should be added to
the hot site contract.
C. All backup media should be stored at the hot
site to shorten the RTO.
D. Desktop and server equipment requirements
should be reviewed quarterly.
Case Study Question
2. On the basis of the above information, which of the
following should the IS auditor recommend
concerning branch office recovery?
A. Add each of the branches to the existing hot
site contract.
B. Ensure branches have sufficient capacity to
back each other up.
C. Relocate all branch mail and file / print
servers to the data center.
D. Add additional capacity to the hot site
contract equal to the largest branch.
Conclusion
• Quick Reference Review
– Page 369 of the CISA Review Manual 2010

08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 

Recently uploaded (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 

BCP-DRP Audit.ppt

1 of 62
Chapter 6 Learning Objectives
• Evaluate the adequacy of backup and restore provisions to ensure the availability of information required to resume processing
• Evaluate the organization's disaster recovery plan to ensure that it enables the recovery of IT processing capabilities in the event of a disaster
• Evaluate the organization's business continuity plan to ensure the organization's ability to continue essential business operations during the period of an IT disruption

2 of 62
6.2 Business Continuity / Disaster Recovery Planning
• Business continuity planning (BCP) is a process designed to reduce the organization’s business risk
• A BCP is much more than just a plan for the information systems

3 of 62
6.2 Business Continuity / Disaster Recovery Planning (continued)
Corporate risks could cause an organization to suffer:
• Inability to maintain critical customer services
• Damage to market share, reputation or brand
• Failure to protect the company assets, including intellectual property and personnel
• Business control failure
• Failure to meet legal or regulatory requirements

4 of 62
Practice Question
6-1 During an audit of a large bank, the IS auditor observes that no formal risk assessment exercise has been carried out for the various business applications to arrive at their relative importance and recovery time requirements. The risk to which the bank is exposed is that the:
A. business continuity plan may not have been calibrated to the relative risk that disruption of each application poses to the organization.
B. business continuity plan may not include all relevant applications and, therefore, may lack completeness in terms of its coverage.
C. business impact of a disaster may not have been accurately understood by the management.
D. business continuity plan may lack an effective ownership by the business owners of such applications.

5 of 62
Practice Question
6-2 Which of the following is necessary to have FIRST in the development of a business continuity plan?
A. Risk-based classification of systems
B. Inventory of all assets
C. Complete documentation of all disasters
D. Availability of hardware and software

6 of 62
Practice Question
6-3 An IS auditor should be involved in:
A. observing tests of the disaster recovery plan.
B. developing the disaster recovery plan.
C. maintaining the disaster recovery plan.
D. reviewing the disaster recovery requirements of supplier contracts.

7 of 62
6.2.1 IS Business Continuity / Disaster Recovery Planning
IS processing is of strategic importance:
• Critical component of overall BCP
• Most key business processes depend on the availability of key systems and infrastructure components

8 of 62
6.2.2 Disasters and Other Disruptive Events
• Disasters are disruptions that cause critical information resources to be inoperative for a period of time
• A good BCP will take into account impacts on IS processing facilities

9 of 62
6.2.3 Business Continuity Planning Process

10 of 62
6.2.4 Business Continuity Policy
• Defines the extent and scope of business continuity for both internal and external stakeholders
• Should be proactive

11 of 62
6.2.5 Business Continuity Planning Incident Management
All types of incidents should be categorized:
• Negligible
• Minor
• Major
• Crisis

12 of 62
6.2.5 Business Continuity Planning Incident Management

13 of 62
6.2.6 Business Impact Analysis
• Critical step in developing the business continuity plan
• Three main questions to consider during the BIA phase:
1. What are the different business processes?
2. What are the critical information resources related to an organization’s critical business processes?
3. What is the critical recovery time period for information resources in which business processing must be resumed before significant or unacceptable losses are suffered?

14 of 62
6.2.6 Business Impact Analysis (continued)

15 of 62
6.2.6 Business Impact Analysis (continued)
What is the system’s risk ranking?
• Critical
• Vital
• Sensitive
• Non-sensitive

16 of 62
Practice Question
6-4 The window of time for recovery of information processing capabilities is based on the:
A. criticality of the processes affected.
B. quality of the data to be processed.
C. nature of the disaster.
D. applications that are mainframe-based.

17 of 62
6.2.7 Recovery Point Objective and Recovery Time Objective
• Recovery Point Objective (RPO)
– Based on acceptable data loss
– Indicates the earliest point in time to which it is acceptable to recover the data
• Recovery Time Objective (RTO)
– Based on acceptable downtime
– Indicates the earliest point in time at which business operations must resume after a disaster

18 of 62
6.2.7 Recovery Point Objective and Recovery Time Objective (continued)

19 of 62
6.2.7 Recovery Point Objective and Recovery Time Objective (continued)
Additional parameters important in defining recovery strategies:
• Interruption window
• Service delivery objective (SDO)
• Maximum tolerable outage (MTO)
20 of 62
Practice Question
6-5 Data mirroring should be implemented as a recovery strategy when:
A. recovery point objective (RPO) is low.
B. RPO is high.
C. recovery time objective (RTO) is high.
D. disaster tolerance is high.

21 of 62
Practice Question
6-6 When preparing a business continuity plan, which of the following MUST be known to establish a recovery point objective (RPO)?
A. The acceptable data loss in case of disruption of operations
B. The acceptable downtime in case of disruption of operations
C. Types of offsite backup facilities available
D. Types of IT platforms supporting critical business functions

22 of 62
6.2.8 Recovery Strategies
• A recovery strategy is a combination of preventive, detective and corrective measures
• The selection of a recovery strategy depends on:
– The criticality of the business process and the applications supporting the process
– Cost
– Time required to recover
– Security

23 of 62
6.2.8 Recovery Strategies (continued)
Recovery strategies based on the risk level identified for recovery would include developing:
• Hot sites
• Warm sites
• Cold sites
• Duplicate information processing facilities
• Mobile sites
• Reciprocal arrangements with other organizations

24 of 62
6.2.9 Recovery Alternatives
Types of offsite backup facilities:
• Hot sites - Fully equipped facility
• Warm sites - Partially equipped but lacking processing power
• Cold sites - Basic environment
• Duplicate (redundant) information processing facility
• Mobile sites
• Reciprocal agreement
– Contract with hot, warm or cold site
– Procuring alternative hardware facilities

25 of 62
6.2.9 Recovery Alternatives (continued)
Types of offsite backup facilities:
• Hot sites - Fully equipped facility
• Warm sites - Partially equipped but lacking processing power
• Cold sites - Basic environment
• Duplicate (redundant) information processing facility
• Mobile sites
• Reciprocal agreement
– Contract with hot, warm or cold site
– Procuring alternative hardware facilities

26 of 62
6.2.9 Recovery Alternatives (continued)
Provisions for use of third-party sites should cover:
• Configurations
• Disaster
• Speed of availability
• Subscribers per site and area
• Preference
• Insurance
• Audit
• Reliability

27 of 62
6.2.9 Recovery Alternatives (continued)
Procuring alternative hardware facilities:
• Vendor or third party
• Off-the-shelf
• Credit agreement or emergency credit cards

28 of 62
Practice Question
6-7 An IS auditor discovers that an organization’s business continuity plan provides for an alternate processing site that will accommodate 50 percent of the primary processing capability. Based on this, which of the following actions should the IS auditor take?
A. Do nothing, because generally, less than 25 percent of all processing is critical to an organization’s survival and the backup capacity, therefore, is adequate.
B. Identify applications that could be processed at the alternate site and develop manual procedures to back up other processing.
C. Ensure that critical applications have been identified and that the alternate site could process all such applications.
D. Recommend that the information processing facility arrange for an alternate processing site with the capacity to handle at least 75 percent of normal processing.

29 of 62
6.2.10 Development of Business Continuity and Disaster Recovery Plans
Factors to consider when developing the plans:
• Pre-disaster readiness
• Evacuation procedures
• Circumstances under which a disaster should be declared
• Identification of plan responsibilities
• Identification of contact information
• Recovery option explanations
• Identification of resources for recovery and continued operation of the organization
• Explanation of the reconstitution phase

30 of 62
6.2.11 Organization and Assignment of Responsibilities
The emergency management team coordinates the activities of all other recovery teams. This team oversees:
• Retrieving critical and vital data from offsite storage
• Installing and testing systems software and applications at the system recovery site
• Identifying, purchasing and installing hardware at the system recovery site
• Operating from the system recovery site
• Rerouting network communications traffic

31 of 62
6.2.11 Organization and Assignment of Responsibilities (continued)
The emergency management team coordinates the activities of all other recovery teams. This team oversees:
• Reestablishing the user/system network
• Transporting users to the recovery facility
• Reconstructing databases
• Supplying necessary office goods, e.g., special forms, check stock, paper
• Arranging and paying for employee relocation expenses at the recovery facility
• Coordinating systems use and employee work schedules

32 of 62
6.2.12 Other Issues in Plan Development
• Management and user involvement is vital to the success of BCP
– Essential to the identification of critical systems, recovery times and resources
– Involvement from support services, business operations and information processing support
• The entire organization needs to be considered for BCP

33 of 62
6.2.13 Components of a Business Continuity Plan
A business continuity plan may consist of more than one plan document:
• Continuity of operations plan (COOP)
• Disaster recovery plan (DRP)
• Business resumption plan
• Continuity of support plan / IT contingency plan
• Crisis communications plan
• Incident response plan
• Transportation plan
• Occupant emergency plan (OEP)

34 of 62
6.2.13 Components of a Business Continuity Plan (continued)
Components of the plan:
• Key decision-making personnel
• Backup of required supplies
• Telecommunication networks disaster recovery methods
• Redundant array of inexpensive disks (RAID)
• Insurance

35 of 62
Practice Question
6-8 In a business continuity plan, which of the following notification directories is the MOST important?
A. Equipment and supply vendors
B. Insurance company agents
C. Contract personnel services
D. A prioritized contact list

36 of 62
Practice Question
6-9 Which of the following components of a business continuity plan is PRIMARILY the responsibility of an organization’s IS department?
A. Developing the business continuity plan
B. Selecting and approving the strategy for the business continuity plan
C. Declaring a disaster
D. Restoring the IS systems and data after a disaster

37 of 62
6.2.13 Components of a Business Continuity Plan (continued)
Telecommunication networks disaster recovery methods:
• Redundancy
• Alternative routing
• Diverse routing
• Long-haul network diversity
• Last-mile circuit protection
• Voice recovery

38 of 62
6.2.13 Components of a Business Continuity Plan (continued)
Redundant array of inexpensive disks (RAID):
• Provides performance improvements and fault-tolerant capabilities via hardware or software solutions
• Provides the potential for cost-effective mirroring offsite for data backup

39 of 62
6.2.13 Components of a Business Continuity Plan (continued)
Insurance:
• IS equipment and facilities
• Media (software) reconstruction
• Extra expense
• Business interruption
• Valuable papers and records
• Errors and omissions
• Fidelity coverage
• Media transportation

40 of 62
6.2.14 Plan Testing
• Schedule testing at a time that will minimize disruptions to normal operations
• The test must simulate actual processing conditions
• Test execution:
– Documentation of results
– Results analysis
– Recovery / continuity plan maintenance

41 of 62
Practice Question
6-10 In an audit of a business continuity plan, which of the following findings is of MOST concern?
A. There is no insurance for the addition of assets during the year.
B. The business continuity plan manual is not updated on a regular basis.
C. Testing of the backup data has not been done regularly.
D. Records for maintenance of the access system have not been maintained.

42 of 62
6.2.15 Backup and Restoration
• Offsite library controls
• Security and control of offsite facilities
• Media and documentation backup
• Periodic backup procedures
• Frequency of rotation
• Types of media and documentation rotated
• Record keeping for offsite storage
• Business continuity management best practices

43 of 62
6.2.16 Summary of Business Continuity and Disaster Recovery
• The business continuity plan must:
– Be based on the long-range IT plan
– Comply with the overall business continuity strategy

44 of 62
6.2.16 Summary of Business Continuity and Disaster Recovery (continued)
• Process for developing and maintaining the BCP/DRP:
– Business impact analysis
– Identify and prioritize systems
– Choose appropriate strategies
– Develop the detailed plan for IS facilities
– Develop the detailed BCP
– Test the plans
– Maintain the plans

45 of 62
6.3 Auditing Business Continuity
• Understand and evaluate the business continuity strategy
• Evaluate plans for accuracy and adequacy
• Verify plan effectiveness
• Evaluate offsite storage
• Evaluate the ability of IS and user personnel to respond effectively
• Ensure plan maintenance is in place
• Evaluate the readability of business continuity manuals and procedures

46 of 62
6.3.1 Reviewing the Business Continuity Plan
IS auditors should verify that the basic elements of a well-developed plan are evident, including:
• Currency of documents
• Effectiveness of documents
• Interviewing personnel for appropriateness and completeness

47 of 62
6.3.2 Evaluation of Prior Test Results
IS auditors must review the test results to:
• Determine whether corrective actions are in the plan
• Evaluate thoroughness and accuracy
• Determine problem trends and resolution of problems

48 of 62
6.3.3 Evaluation of Offsite Storage
An IS auditor must:
• Evaluate the presence, synchronization and currency of media and documentation
• Perform a detailed inventory review
• Review all documentation
• Evaluate the availability of the facility
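The offsite-storage checks in 6.3.3 (presence, synchronization and currency of media) sit on top of the rotation and record-keeping controls in 6.2.15 and the backup-testing concern of practice question 6-10. The script below is an added example, not part of the deck, that performs that inventory review mechanically: it compares a constructed vault register from the offsite provider against a constructed shipping log and the last restore-test dates, under a hypothetical rotation policy, and reports media that are stale, rotation sets that are short, backups that have not been restore-tested within the allowed window, and labels recorded as shipped that the vault does not hold. All labels, dates and policy figures are made up for illustration.

```python
from collections import namedtuple
from datetime import date
from typing import Dict, List, Tuple

Media = namedtuple("Media", "label kind backup_date location")

# Hypothetical rotation policy: how often each backup type is taken, how many
# copies must be held offsite, how long transport to the vault may take, and how
# recently each backup type must have been successfully restore-tested.
POLICY = {
    "full": {"interval_days": 7, "copies_offsite": 4},
    "incremental": {"interval_days": 1, "copies_offsite": 7},
}
TRANSPORT_DAYS = 1
RESTORE_TEST_MAX_DAYS = 90


def vault_register() -> List[Media]:
    """Constructed offsite-vault register, as the third-party storage provider reports it."""
    return [
        Media("F-240331", "full", date(2024, 3, 31), "offsite"),
        Media("F-240324", "full", date(2024, 3, 24), "offsite"),
        Media("F-240317", "full", date(2024, 3, 17), "offsite"),
        Media("I-240408", "incremental", date(2024, 4, 8), "offsite"),
        Media("I-240409", "incremental", date(2024, 4, 9), "offsite"),
        Media("I-240410", "incremental", date(2024, 4, 10), "offsite"),
        Media("I-240411", "incremental", date(2024, 4, 11), "offsite"),
        Media("I-240413", "incremental", date(2024, 4, 13), "offsite"),
        Media("I-240414", "incremental", date(2024, 4, 14), "offsite"),
    ]


def shipping_log() -> List[str]:
    """Constructed operations record of media labels sent to the vault."""
    return ["F-240317", "F-240324", "F-240331", "F-240407",
            "I-240408", "I-240409", "I-240410", "I-240411",
            "I-240412", "I-240413", "I-240414"]


def restore_tests() -> Dict[str, date]:
    """Constructed dates of the last successful restore test per backup type."""
    return {"full": date(2024, 1, 5), "incremental": date(2024, 4, 1)}


Finding = Tuple[str, str, str]  # (category, subject, detail)


def audit_offsite(register: List[Media], shipped_labels: List[str], tests: Dict[str, date],
                  policy: Dict[str, dict], today: date, transport_days: int = TRANSPORT_DAYS,
                  restore_max: int = RESTORE_TEST_MAX_DAYS) -> List[Finding]:
    findings: List[Finding] = []
    by_label = {m.label: m for m in register}
    for kind, rule in policy.items():
        offsite = sorted((m for m in register if m.kind == kind and m.location == "offsite"),
                         key=lambda m: m.backup_date, reverse=True)
        # Currency: the newest offsite copy may be at most one rotation interval plus transport old.
        max_age = rule["interval_days"] + transport_days
        if not offsite:
            findings.append(("stale", kind, "no copy held offsite"))
        else:
            age = (today - offsite[0].backup_date).days
            if age > max_age:
                findings.append(("stale", kind, f"newest offsite copy is {age} days old (limit {max_age})"))
        # Completeness: the whole rotation set must be present.
        if len(offsite) < rule["copies_offsite"]:
            findings.append(("short", kind,
                             f"{len(offsite)} offsite copies, policy requires {rule['copies_offsite']}"))
        # Restorability: a backup that has never been restored is not a proven backup.
        last_test = tests.get(kind)
        if last_test is None or (today - last_test).days > restore_max:
            findings.append(("untested", kind, f"last successful restore test: {last_test}"))
    # Synchronization: every label the shipping log says went offsite must be in the vault register.
    for label in shipped_labels:
        held = by_label.get(label)
        if held is None or held.location != "offsite":
            findings.append(("unaccounted", label, "recorded as shipped but absent from vault register"))
    return findings


if __name__ == "__main__":
    for category, subject, detail in audit_offsite(vault_register(), shipping_log(),
                                                   restore_tests(), POLICY, date(2024, 4, 15)):
        print(f"{category:12} {subject:12} {detail}")
```

Run against the constructed data as of 2024-04-15 it reports six findings: the newest full backup in the vault is two weeks old and the full set is one copy short, the incremental set is one copy short, the full backups have not been restore-tested within 90 days, and two labels (F-240407 and I-240412) were logged as shipped but never arrived, which is exactly the register-versus-log discrepancy the "synchronization" check on slide 48 is meant to surface.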
49 of 62
6.3.4 Interviewing Key Personnel
• Key personnel must have an understanding of their responsibilities
• Current detailed documentation must be kept

50 of 62
6.3.5 Evaluation of Security at Offsite Facility
An IS auditor must:
• Evaluate the physical and environmental access controls
• Examine the equipment for current inspection and calibration tags

51 of 62
6.3.6 Reviewing Alternative Processing Contract
• An IS auditor should obtain a copy of the contract with the vendor
• The contract should be reviewed against a number of guidelines:
– Contract is clear and understandable
– Organization’s agreement with the rules

52 of 62
6.3.7 Reviewing Insurance Coverage
• Insurance coverage must reflect the actual cost of recovery
• Coverage of the following must be reviewed for adequacy:
– Media damage
– Business interruption
– Equipment replacement
– Business continuity processing

53 of 62
Case Study Scenario
• Organization revising BCP and DRP for headquarters (750 employees) and 16 branches (each with 20–35 employees and a mail and file / print server)
• Current plans not updated in more than 8 years
• Organization has grown by 300%
• Staff connect via LAN to more than 60 applications, databases and print servers in the corporate data center
• Staff connect via a frame relay network to the branches
• Traveling users connect over the Internet using VPN
• Critical applications have an RTO of 3–5 days

54 of 62
Case Study Scenario (continued)
• All users in the headquarters and branches connect to the Internet through a firewall and proxy server located in the data center
• Branch offices are located between 30 and 50 miles from one another, with none closer to the headquarters facility than 25 miles
• Backup media for the data center are stored at a third-party facility 35 miles away
• Backups for servers located at the branch offices are stored at nearby branch offices using reciprocal agreements between offices

55 of 62
Case Study Scenario (continued)
Current contract with third-party hot site:
• 3-year term, with equipment upgrades occurring at renewal time
• 25 servers
• Work area space with PCs for 100 employees
• Separate agreement to ship 2 servers and 10 PCs to any branch declaring a disaster
• Hot site provider has multiple sites in case the primary site is in use by another customer or rendered unavailable by the disaster

56 of 62
Case Study Question
1. On the basis of the above information, which of the following should the IS auditor recommend concerning the hot site?
A. Desktops at the hot site should be increased to 750.
B. An additional 35 servers should be added to the hot site contract.
C. All backup media should be stored at the hot site to shorten the RTO.
D. Desktop and server equipment requirements should be reviewed quarterly.

57 of 62
Case Study Question
2. On the basis of the above information, which of the following should the IS auditor recommend concerning branch office recovery?
A. Add each of the branches to the existing hot site contract.
B. Ensure branches have sufficient capacity to back each other up.
C. Relocate all branch mail and file / print servers to the data center.
D. Add additional capacity to the hot site contract equal to the largest branch.

58 of 62
Conclusion
• Quick Reference Review – Page 369 of the CISA Review Manual 2010