The document discusses business continuity and disaster recovery planning from an information systems auditing perspective. It covers key areas such as developing business continuity plans, evaluating backup and restoration procedures, reviewing disaster recovery plans, and auditing business continuity and disaster recovery processes. The case study describes an organization that needs to update its business continuity and disaster recovery plans given significant growth. The IS auditor needs to evaluate the plans and make recommendations.

1. 2007 CISA  Review Course Business Continuity and Disaster Recovery Chapter 6

2. Process Area Overview Business Continuity/Disaster Recovery Planning IS Business Continuity/Disaster Recovery Planning Disasters and Other Disruptive Events BCP Process Business Continuity and Disaster Recovery Policy BCP Incident Management Business Impact Analysis Recovery Point Objective and Recovery Time Objective Recovery Strategies Recovery Alternatives

3. Process Area Overview Business Continuity/Disaster Recovery Planning (cont) Development of Business Continuity and Disaster Recovery Plans Organization and Assignment of Responsibilities Other Issues in Plan Development Components of a BCP Plan Testing Backup and Restoration

4. Process Area Overview Auditing Disaster Recovery and Business Continuity Reviewing the BCP Evaluation of Prior Test Results Evaluation of Offsite Storage Interviewing Key Personnel Evaluation of Security at Offsite Facility Reviewing Alternative Processing Contract Reviewing Insurance Coverage

5. Chapter Objective Ensure that the IS Auditor “ understands and can provide assurance that in the event of a disruption the business continuity and disaster recovery processes will ensure the timely resumption of IT services while minimizing the business impact”

6. There are three (3) tasks within this content area: 1. Evaluate the adequacy of backup and restore provisions to ensure the availability of information required to resume processing. 2. Evaluate the organization’s disaster recovery plan to ensure that it enables the recovery of IT processing capabilities in the event of a disaster. 3. Evaluate the organization’s business continuity plan to ensure its ability to continue essential business operations during the period of an IT disruption. Chapter Objective

7. Chapter Summary According to the CISA Certification Board, this Content Area will represent approximately 14% of the CISA examination (approximately 28 questions)

8. 6.1 Business Continuity / Disaster Recovery Planning Corporate risks could cause an organization to suffer: Inability to maintain critical customer services Damage to market share, reputation or brand Failure to protect the company assets including intellectual properties and personnel Business control failure Failure to meet legal or regulatory requirements Business continuity planning (BCP) is a process designed to reduce the organization’s business risk A BCP is much more than just a plan for the information systems

9. Business’ Ability to Continue Operations requires: Rigorous planning & commitment of resources Risk assessment to identify critical business processes Reduction of risk for unexpected disruption to critical functions Assure continuity of minimum level of service for critical operations Responsibility of senior management Address all functions & assets to continue as viable organization 6.1 Business Continuity / Disaster Recovery Planning

10. IS BCP/DRP is a component of the overall Business Continuity and Disaster Recovery strategy Imperative to have a ready-to-start reserved facility IS plan must support the corporate BCP 6.1.1 IS Business Continuity / Disaster Recovery Planning

11. 6.1.2 Disasters and other Disruptive Events Disasters Disrupt the operation of critical information processing Adversely impact business operations Not all disruptions are disasters Causes of service disruption Natural Expected services no longer supplied BCP must take into account all types of events impacting IS processing facilities and end users functionality

12. Phases of the Business Continuity Planning Process Creation of a business continuity and disaster recovery policy Business impact analysis Classification of operations and criticality analysis Development of a business continuity plan and disaster recovery procedures Training and awareness program Testing and implementation of plan Monitoring 6.1.3 BCP Process

13. 6.1.4 Business Continuity and Disaster Recovery Policy Policies need to be proactive and encompass preventative, detective and corrective controls BCP is the most critical corrective control BCP needs to be well designed, documented, drill tested, funded and audited Incident management group needs to be adequately staffed, supported and trained

14. 6.1.5 BCP Incident Management The management of incidents need be dynamic, proactive and documented All types of incidents need to be categorized negligible: causing no significant damage minor: produce no negative material or financial impact major: cause negative material impact on business processes crisis: serious material impact on the functioning of the business

15. 6.1.5 BCP Incident Management Minor, major and crisis incidents must be documented, classified and revisted until corrected or resolved The SO should be notified of all incidents as soon as the trigger occurs. This will allow for a pre-established protocol to be followed. Service downtime determines the incident severity The severity should be reevaluated regularly

16. 6.1.6 Business Impact Analysis (BIA) Identifying the various events that could impact the continuity of operations and their impact on the organization Issues to consider for BIA Different business processes Critical information resources related to critical business processes Critical recovery time period before significant losses are incurred Systems risk ranking

17. 6.1.7 Recovery Point Objective and Recovery Time Objective Recovery Point Objective (RPO) based on acceptable data loss indicates earliest point in time in which it is acceptable to recover the data Recovery Time Objective (RTO) based on acceptable downtime indicates earliest point in time at which the business operations must resume after a disaster

18. 6.1.7 Recovery Point Objective and Recovery Time Objective RPO and RTO are based on time parameters The lower the time requirements, the higher the cost of recovery strategies Parameters to consider when defining recovery strategies: Interruption window Service delivery objective (SDO) Maximum tolerable outages

19. The window of time for recovery of information processing capabilities is based on the: criticality of the processes affected. quality of the data to be processed. nature of the disaster. applications that are mainframe-based. Chapter 6: Question?

20. When preparing a business continuity plan, which of the following must be known to establish a recovery point objective (RPO)? The acceptable data loss in case of disruption of operations The acceptable downtime in case of disruption of operations Types of offsite backup facilities available Types of IT platforms supporting critical business functions Chapter 6 Question 9

21. 6.1.8 Recovery Strategies Like all threats, the most effective action would be: To remove the threat altogether To minimize the likelihood and effect of occurrence A recovery strategy is a combination of preventive, detective and corrective measures. The selection of a recovery strategy would depend upon: The criticality of the business process and the applications supporting the processes Cost Time required to recover Security

22. Recovery strategies based on the risk level identified for recovery would include developing: Hot sites Warm sites Cold sites Duplicate information processing facilities Mobile sites Reciprocal arrangements with other organizations 6.1.8 Recovery Strategies

23. 6.1.9 Recovery Alternatives Types of Off-site Backup Facilities Hot sites - Fully equipped facility Warm sites - Partially equipped but lacking processing power Cold sites - Basic environment Duplicate information processing facility Mobile sites Reciprocal agreement Contract with hot, warm or cold site Procuring alternative hardware facilities

24. Procuring alternative hardware facilities Vendor or third-party Off-the-shelf Credit agreement or emergency credit cards 6.1.9 Recovery Alternatives

25. An IS auditor discovers that an organization’s business continuity plan provides for an alternate processing site that will accommodate 50 percent of the primary processing capability. Based on this, which of the following actions should the IS auditor take? Do nothing, because generally, less than 25 percent of all processing is critical to an organization’s survival and the backup capacity, therefore, is adequate. Identify applications that could be processed at the alternate site, and develop manual procedures to back up other processing. Ensure that critical applications have been identified and that the alternate site could process all such applications. Recommend that the information processing facility arrange for an alternate processing site with the capacity to handle at least 75 percent of normal processing. Chapter 6 Question 2

26. 6.1.10 Development of Business Continuity and Disaster Recovery Plan A detailed Business Recovery and Disaster Recovery Plan: Developed Based on Inputs received from Business Impact Analysis Criticality Analysis Recovery Strategy selected by management Must address all issues involved in interruption to Business Processes, including covering from a Disaster Should consider various factors while developing the plan

27. Chapter 6 Question 4 During an IT audit of a large bank, the IS auditor observes that no formal risk assessment exercise has been carried out for the various business applications to arrive at their relative importance and recovery time requirements. The risk that the bank is exposed to is that the: business continuity plan may not have been calibrated to the relative risk that disruption of each application poses to the organization. business continuity plan may not include all relevant applications and, therefore, may lack completeness in terms of its coverage. business impact of a disaster may not have been accurately understood by the management. business continuity plan may lack an effective ownership by the business owners of such applications.

28. 6.1.11 Organization and Assignment of Responsibilities Incidence Response Team Emergency Action Team Damage Assessment Team Emergency Management Team Off-site Storage Team Software Team Applications Team Security Team Emergency Operations Team Network Recovery Team Communications Team

29. 6.1.11 Organization and Assignment of Responsibilities Transportation Team User Hardware Team Data Preparation and Records Team Administration Support Team Supplies Team Salvage Team Relocation Team Coordination Team Legal Affairs Team Recovery Test Team Training Team

30. 6.1.12 Other Issues in Plan Development Management and user involvement is vital to the success of BCP essential to the identification of critical systems, recovery times and resources involvement from support services, business operations and information processing support Entire organisation needs to be considered for BCP

31. 6.1.12 Other Issues in Plan Development IS processing plan can be extended where a BCP does not exist for the entire organization Include the following in the plan: A list of detailed staff information The configuration of the building

32. 6.1.13 Components of a BCP A BCP may consist of more than one plan document: Business continuity plan (BCP) Business recovery (or resumption) plan (BRP) Continuity of operations plan (COOP) Continuity of support plan/IT contingency plan Crisis communications plan Incident response plan Disaster recovery plan (DRP) Occupant emergency plan (OEP)

33. 6.1.13 Components of a BCP Components of this Plan Key decision-making personnel Backup of required supplies Telecommunication networks disaster recovery methods Redundant array of inexpensive disks (RAID) Insurance

34. 6.1.13 Components of a BCP Telecommunication networks disaster recovery methods Redundancy Alternative routing Diverse routing Long haul network diversity Last mile circuit protection Voice recovery

35. 6.1.13 Components of a BCP Redundant array of inexpensive disks (RAID) Level 0, striped disk array without fault tolerance Level 1, mirroring Level 2, hamming code ECC Level 3, parallel transfer with parity Level 4, independent data disks with shared parity disk Level 5, independent data disks with distributed parity blocks Level 6, independent data disks with two independent distributed parity schemes

36. 6.1.13 Components of a BCP Redundant array of inexpensive disks (RAID) Level 7, optimized asynchrony for high I/O rates as well as high data transfer rates Level 10, very high reliability combined with high performance Level 53, high I/O rates and data transfer performance Level 0+1, high data transfer performance

37. Insurance IS equipment and facilities Media (software) reconstruction Extra expense Business interruption Valuable papers and records Errors and omissions Fidelity coverage Media transportation 6.1.13 Components of a BCP

38. Which of the following is necessary to have FIRST in the development of a business continuity plan? Risk-based classification of systems Inventory of all assets Complete documentation of all disasters Availability of hardware and software Chapter 6: Question 5

39. In business continuity plan (BCP) which of the following notification directories is the MOST important? Equipment and Supply vendors Insurance company agents Contract personnel services A prioritized contact list Chapter 6 Question 7

40. Data mirroring should be implemented as a recovery strategy when: recovery point objective (RPO) is low. recovery point objective (RPO) is high. recovery time objective (RTO) is high. disaster tolerance is high. Chapter 6 Question 1

41. Which of the following components of a business continuity plan is PRIMARILY the responsibility of an organization’s IS department? Developing the business continuity plan Selecting and approving the strategy for the business continuity plan Declaring a disaster Restoring the IS systems and data after a disaster Chapter 6 Question 8

42. 6.1.14 Plan Testing Schedule testing at a time that will minimize disruptions to normal operations Test must simulate actual processing conditions Test Execution Documentation of Results Results Analysis Recovery/Continuity Plan Maintenance

43. 6.1.15 Backup and Restoration Secondary storage media are used to allow for the un-interrupted profit-seeking activities of a business This media are stored in one or more physical facilities (referred to as offsite libraries) Offsite librarian’s responsibility to maintain inventory and access to the libraries Current copy of the business continuity plan needs to be maintained at the facility as well

44. 6.1.15 Backup and Restoration Off-site Library Controls Security and Control of Off-site Facilities Media and Documentation Back-up Periodic Back-up Procedures Frequency of Rotation Types of Media and Documentation Rotated Methods of Rotation Record Keeping for Off-site Storage Business Continuity Management (BCM) Best Practices

45. 6.1.16 Summary of Business Continuity and Disaster Recovery Business Continuity Plan must be based on the long-range IT plan comply with the overall business continuity strategy Process for developing and maintaining the BCP/DRP: Business Impact Analysis Identify and prioritize systems Choose appropriate strategies Develop the detailed plan for IS facilities Develop the detailed BCP Test the plans Maintain the plans

46. 6.2 Auditing Recovery / Continuity Plans Review Business Continuity Plan Evaluate Prior Test Results Evaluate Off-site Storage Interview Key Personnel Evaluate Security at Off-site Facility Review Alternative Processing Contract Review Insurance Coverage

47. 6.2.1 Review Business Continuity Plan When reviewing the developed plan, IS auditors should verify that basic elements of a well-developed plan are evident. Basic elements include: currency of documents effectiveness of documents interview personnel for appropriateness and completeness etc

48. 6.2.2 Evaluate Prior Test Results Historical documentation of prior tests must be kept IS Auditor must review the test results to: determine whether corrective actions are in the plan evaluate thoroughness and accuracy determine problem trends and resolution of problems

49. 6.2.3 Evaluate Off-site Storage The IS Auditor must evaluate presence, synchronization and currency of media and documentation perform a detailed inventory review review all documentation evaluate availability of facility

50. 6.2.4 Interview Key Personnel Key personnel must have an understanding of their responsibilities Current detailed documentation must be kept

51. 6.2.5 Evaluate Security at Off-site Storage The IS Auditor must evaluate the physical and environmental access controls examine the equipment for current inspection and calibration tags

52. 6.2.6 Review Alternative Processing Contract The references listed in the contract with the vendor of the alternative processing facility must be checked; and vendor’s promises verified in writing The contract should be reviewed against a number of guidelines contract is clear and understandable organization’s agreement with the rules etc

53. 6.2.7 Review Insurance Coverage Insurance coverage must reflect actual cost of recovery Coverage of the following must be reviewed for adequacy media damage business interruption equipment replacement business continuity processing

54. An IS auditor should be involved in: observing tests of the disaster recovery plan. developing the disaster recovery plan. maintaining the disaster recovery plan. reviewing the disaster recovery requirements of supplier contracts. Chapter 6 Question 6

55. In an audit of a business continuity plan, which of the following findings is of MOST concern? There is no insurance for the addition of assets during the year. The BCP manual is not updated on a regular basis. Testing of the backup of data has not been done regularly. Records for maintenance of the access system have not been maintained Chapter 6 Question 10

56. Chapter 6: Case Study Organisation revising BCP and DRP for headquarters (750 employees) and 16 branches (each with 20 – 35 employees and mail and file/print server) Current plans not updated in more than 8 years Organisation has grown by 300% Staff connect via LAN to more than 60 applications, databases and print servers in the corporate data centre Staff connect via a frame relay network to the branches Travelling users connect over the Internet using VPN

57. Chapter 6: Case Study All users in the headquarters and branches connect to the Internet through a firewall and proxy server located in the data centre Critical applications have RTO of 3 – 5 days Branch offices are located between 30 and 50 miles from one another, with none closer to the headquarters' facility than 25 miles Backup media for the data center are stored at a third-party facility 35 miles away Backups for servers located at the branch offices are stored at nearby branch offices using reciprocal agreements between offices

58. Chapter 6: Case Study Current contract with third party hot-site 3 year term, with equipment upgrades occurring at renewal time 25 servers work area space with PC’s for 100 employees separate agreement to ship 2 servers and 10 PC’s to any branch declaring a disaster hot site provider has multiple sites in case the primary site is in use by another customer or rendered unavailable by the disaster

59. Chapter 6: Case Study Question 1 On the basis of the above information, which of the following should the IS auditor recommend concerning the hot site? Desktops at the hot site should be increased to 750. An additional 35 servers should be added to the hot site contract. All backup media should be stored at the hot site to shorten the RTO. Desktop and server equipment requirements should be reviewed quarterly.

60. Chapter 6: Case Study Question 2 On the basis of the above information, which of the following should the IS auditor recommend concerning branch office recovery? Add each of the branches to the existing hot site contract. Ensure branches have sufficient capacity to back each other up. Relocate all branch mail and file/print servers to the Data Center. Add additional capacity to the hot site contract equal to the largest branch.