8/9/2019 DRI International ISACA Spring Seminar Apr2013
1/117
Disaster/Emergency Management & Business Continuity Auditor Training
BCLE-AUD (NFPA 1600)
National Fire Protection Association
DRI International
Copyright DRI International and National Fire Protection Association, All Rights Reserved
Disaster/Emergency Management & Business Continuity Auditor Training
2013, National Fire Protection Association and DRI, International, All Rights Reserved
Version 4.0 Module 01 Page 1
BCLE-AUD Slide 1-1
Disaster/Emergency Management & Business Continuity Auditor Training
BCLE-AUD Slide 1-2
Instructor Introduction
Insert instructor introduction notes here
Background
Education
Experience in the BCM field
Etc
BCLE-AUD Slide 1-3
Housekeeping
Fire Alarm & Exits
Breaks & Lunch
Cell Phones & PDAs
Audio or Video Recording
Restrooms
Attendance
Tent Cards
The Parking Lot
BCLE-AUD Slide 1-4
Introductions & Experience
What organization do you represent?
What is your role?
What is your experience in emergency management and business continuity?
What is your auditing experience?
BCLE-AUD Slide 1-5
Objectives
Learn the elements of a disaster/emergency management and business continuity program as defined by NFPA 1600, Standard on Disaster/Emergency Management and Business Continuity Programs
Understand audit concepts as documented in The Institute of Internal Auditors' International Professional Practices Framework (IPPF)
Learn how to use the audit framework and NFPA 1600 to audit a preparedness program and determine conformity to the standard
Prepare you for the CBCA/CBCLA qualifying examination
BCLE-AUD Slide 1-6
Program Agenda
Day 1
Introduction
Auditing basics
Program management
Planning process
Risk assessment
Business impact analysis
Day 2
Prevention & mitigation
Resource management
Operational procedures
Communications & warning
Incident management
Emergency operations/response
BCLE-AUD Slide 1-7
Program Agenda
Day 3
Business continuity and information technology disaster recovery planning
Crisis communications and public information
Employee assistance and support
Day 4
Training and education
Testing & exercises
Program improvement
Reporting audit findings & recommendations
Examination review
BCLE-AUD Slide 1-8
Program Agenda
Day 5
DRI International CBCA/CBCLA Qualifying Examination
Begins: 8:00 AM; Ends: 10:30 AM
BCLE-AUD Slide 1-9
How to Use NFPA 1600
Introduction
Important Notices and Disclaimers
Additional Notices and Disclaimers
Standard
Chapters 1 through 9
Annex A (Explanatory Material)
Annex B (Resources)
Annex C (Conformity Self-Assessment)
Annex D (Plan-Do-Check-Act Cycle)
Annex E (Standards Crosswalk)
Annex F (Management System Standard)
Annex H (Awareness and Preparedness for Emergencies at the Local Level)
Annex I (Family Preparedness)
Annex J (Informational References)
BCLE-AUD Slide 1-10
Terminology
3.3.1 All-Hazards. An approach for prevention, mitigation, preparedness, response, continuity, and recovery that addresses a full range of threats and hazards, including natural, human-caused, and technology-caused.
3.3.2* Business Continuity. An ongoing process to ensure that the necessary steps are taken to identify the impact of potential losses and maintain viable recovery strategies, recovery plans, and continuity of services.
3.3.8 Crisis Management. The ability of an entity to manage incidents that have the potential to cause significant security, financial, or reputational impacts.
3.3.10 Disaster/Emergency Management. An ongoing process to prevent, mitigate, prepare for, respond to, maintain continuity during, and recover from an incident that threatens life, property, operations, or the environment.
BCLE-AUD Slide 1-11
Audit Guide
Ordered to follow NFPA 1600's chapters and sections
Will be used for class exercises
Reference for your future audits
BCLE-AUD Slide 1-12
Title IX of Public Law 110-53: PS-PREP
BCLE-AUD Slide 1-13
Voluntary Certification Program
Establish and implement a voluntary private sector preparedness accreditation and certification program
Designate an officer responsible for the accreditation and certification program
Support the development and updating of voluntary preparedness standards
Develop and promote a program to certify the preparedness of private sector entities that voluntarily choose to seek certification
BCLE-AUD Slide 1-14
PS-PREP Program
Private Sector Entities: select the standard to be certified to; seek certification by demonstrating conformity to the selected standard
Certifying Bodies: certify compliant private sector (PS) preparedness programs
ANAB (ANSI-ASQ National Accreditation Board) Committee of Experts: requirements for certifying bodies; accredit qualified third parties; listing of certified entities
U.S. Dept. of Homeland Security, Federal Officer/Private Sector Preparedness Council: designate the standard(s); select the accrediting body
BCLE-AUD Slide 1-15
PS-PREP Designated* Standards
* DHS Secretary Napolitano announced the adoption of the following standards for the PS-Prep program on June 15, 2010:
BCLE-AUD Slide 2-1
Auditing Basics
Disaster/Emergency Management & Business Continuity Auditor Training
BCLE-AUD Slide 2-2
Audit
Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.
ISO/DIS 19011
BCLE-AUD Slide 2-3
Internal Auditing
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
International Professional Practices Framework, Institute of Internal Auditors
BCLE-AUD Slide 2-4
Audit Definitions
Audit Criteria: set of policies, procedures or requirements. Audit criteria are used as a reference against which audit evidence is compared. If the audit criteria are selected from legal or other requirements, the audit finding is termed compliance or non-compliance.
Audit Evidence: records, statements of fact or other information, which are relevant to the audit criteria and verifiable. Audit evidence may be qualitative or quantitative.
Audit Findings: results of the evaluation of the collected audit evidence against audit criteria. Audit findings may indicate conformity, nonconformity, and opportunities for improvement or good practices.
Audit Conclusion: outcome of an audit, after consideration of the audit objectives and all audit findings.
ISO/DIS 19011
BCLE-AUD Slide 2-5
Types of Audits
First Party: Internal audits, sometimes called first party audits, are conducted by, or on behalf of, the organization itself for management review and other internal purposes and may form the basis for an organization's self-declaration of conformity.
Second Party: External audits include second and third party audits. Second party audits are conducted by parties having an interest in the organization, such as customers, or by other persons on their behalf.
Third Party: Third party audits are conducted by independent auditing organizations, such as regulators or those providing registration or certification.
ISO/DIS 19011
BCLE-AUD Slide 2-6
Auditing Standards & Guidance
Institute of Internal Auditors: Internal Auditors Professional Framework
International Organization for Standardization: ISO 19011, Guidelines for auditing management systems
Information Systems Audit and Control Association (ISACA)
U.S. Government Accountability Office
Federal Information Security Management Act (FISMA)
Committee of Sponsoring Organizations of the Treadway Commission (COSO): Guidance on internal controls and enterprise risk management
BCLE-AUD Slide 2-7
Internal Auditors Professional Framework
Institute of Internal Auditors (IIA)
Mandatory Guidance: Definition of internal auditing; Code of Ethics; Standards
Strongly Recommended Guidance: Practice Advisories; Position Papers; Practice Guides
Professional Certifications: Certification in Control Self Assessment; Certified Financial Services Advisor; Certified Government Auditing Professional
BCLE-AUD Slide 2-8
Government Auditing Standards
Commonly called the Yellow Book
Yellow Book standards apply to U.S. federal financial audits, performance or operations audits and other audit-related activities
Federal regulations require that both federal and non-federal auditors comply with Yellow Book standards for audits of federal organizations, programs and functions
BCLE-AUD Slide 2-9
Information Technology
ISACA: IT Audit and Assurance Standards, Guidelines, Tools and Techniques; COBIT IT governance framework and toolset
FISMA: Risk Management Framework; Security Assessment; Controls
NIST Computer Security Division: Special Publications
BCLE-AUD Slide 2-10
Auditing & Governance
Governance begins with the board of directors and its committees
Day to day governance is executed by the management of the organization
Internal and external parties such as auditors provide management and the board of directors with assurances regarding the effectiveness of the governance activities.
BCLE-AUD Slide 2-11
Risk Management & Controls
Risk Management:
Organizational objectives support and align with the organization's mission
Significant risks are identified and assessed
Appropriate risk responses are selected that align risks with the organization's risk appetite
Relevant risk information is captured and communicated on a timely basis, enabling staff, management and the board to carry out their responsibilities
Effective Controls:
Reliability and integrity of financial and operational information
Effectiveness and efficiency of operations
Safeguarding of assets
Compliance with laws, regulations and contracts
BCLE-AUD Slide 2-12
Auditor Attributes
Independence. Independent: free from conditions that threaten the ability to carry out responsibilities in an unbiased manner
Objectivity. Highest level of professional objectivity in gathering, evaluating, and communicating information. Balanced assessment of all relevant circumstances, not unduly influenced by their own interests or others
Confidentiality. Respect the value and ownership of information received; no disclosure without appropriate authority unless there is a legal or professional obligation to do so
Proficiency and Professional Due Care. Apply the knowledge, skills, and experience needed
BCLE-AUD Slide 2-13
Required Knowledge
Risk, resilience, security, preparedness, crisis management, emergency management, business continuity, and IT disaster recovery planning
Principles of risk identification, analysis and evaluation, and risk communication
Asset protection and physical security
Loss prevention, deterrence, and risk mitigation
Incident response, crisis management, crisis communications
Emergency operations/response; business continuity
ISO 19011 A.5
BCLE-AUD Slide 2-14
Phases of Engagement
Planning: Objectives & Scope; Resource Allocation; Work program
Performance: Identifying Information; Analysis & Evaluation; Documenting Information
Communicating Results: Criteria for Communications; Quality; Disseminating
BCLE-AUD Slide 2-15
Engagement Planning
Objectives:
1st, 2nd or 3rd party audit
What is to be achieved by the engagement
What is the deliverable
Who is the audience
Scope:
Areas to be audited
Must be sufficient to satisfy the objectives
Includes: organizational and functional units; facilities to survey; documents; interviews; witnessing of training, drills, testing, exercises
IPPF 2200
BCLE-AUD Slide 2-16
Resource Allocation
Appropriate and sufficient resources to achieve the objective of the engagement
Nature and complexity of each resource to be engaged
Time constraints
Resource availability
IPPF Advisory 2230-1
BCLE-AUD Slide 2-17
Work Program
Develop and document work programs that achieve the engagement objectives:
Procedures for identifying, analyzing, evaluating and documenting information
Plan, timetable, status reporting
Supervision of work performed
IPPF 2240
BCLE-AUD Slide 2-18
Engagement Planning
Select the audit team; assign responsibilities
Determine audit methods
Request program documents
Research standards and regulations
Identify sites to visit
Schedule interviews
Prepare for on-site activities
BCLE-AUD Slide 2-19
Performing the Engagement
Identify information: sufficient, reliable, relevant and useful to achieve objectives
Analyze and evaluate: base conclusions and results on appropriate analysis and evaluations
Document information: to support conclusions and engagement results
BCLE-AUD Slide 2-20
Performing the Engagement
Identify information: Program Documentation
Facility information
Policy statement
Program objectives, development plan, schedule, budget, and milestones
Program committee/steering committee (rosters, agendas, meeting minutes, action items, communications with management)
Finance & administration framework and procedures
Records management policies and practices:
Program reviews and audits
Corrective action procedures, plans and status reports
Risk assessment documentation
Prevention and mitigation strategies, plans and status
Resource inventory
Mutual aid agreements
Plan documents: emergency operations; business continuity; crisis management and crisis communications
Training, drill, and exercise records including action items
Incident reports and post-incident critiques
BCLE-AUD Slide 2-21
Research Regulatory Requirements
Regulations:
Fire prevention code
Life Safety Code
Occupational safety & health
Environmental
Hazardous materials
Industry specific
Information security
Criteria:
Construction
Height (e.g., high-rise)
Size
Use or Occupancy
Hazards: hazardous materials; hazardous processes
Location: proximity to waterways
Scope of emergency response operations
BCLE-AUD Slide 2-22
Performing the Engagement
Identifying Information
Interviews with employees and other persons;
Observations of activities;
Documents, such as policies, objectives, plans, procedures, specifications, drawings, contracts etc.;
Records, such as minutes of meetings, audit reports, records of exercise programs and the results, plan summaries, business impact analyses reports etc.
ISO 19011 C.2
BCLE-AUD Slide 2-23
Performing the Engagement
Analyze and Evaluate
Is the information provided complete (all expected content is contained in the document), correct (the content is compliant to other reliable sources such as standards and regulations), consistent (the document is consistent in itself and to related documents), and current (the content is up to date)?
Does the information reviewed cover the audit scope and is it capable of providing sufficient information to support the audit objectives?
Specific care is needed for information security due to applicable regulations on protection of data (in particular for information which lies outside the audit scope but is also contained in the document).
BCLE-AUD Slide 2-24
Conducting Interviews
Interview persons from levels and functions performing activities or tasks within the scope of the audit;
Conduct during normal working hours and, where practical, at the normal workplace;
Put the person at ease prior to and during the interview;
Explain the reason for the interview and any note taking;
Initiate by asking the persons to describe their work;
Avoid questions that bias the answer (i.e., leading questions);
Summarize results and review with the interviewed person;
Thank the person interviewed.
BCLE-AUD Slide 2-25
Site Visits
Ensure that the audit team is using PPE properly;
Adapt audit team size and number of guides and observers to avoid interference with operational processes;
Do not touch or manipulate any equipment, unless explicitly permitted, even when competent and/or licensed;
If taking pictures, seek management authorization in advance and consider security and confidentiality. Avoid photographing persons without their permission;
If taking copies of documents of any kind, ask for permission in advance and consider confidentiality and security matters;
When taking notes, avoid collecting personal information unless required by the audit objectives and/or audit criteria
BCLE-AUD Slide 2-26
Engagement Supervision & Conduct
Engagement supervision (IPPF 2340-1): Engagements must be properly supervised to ensure objectives are achieved, quality is assured and staff is developed
Audit conduct (ISO 19011-6.4):
Opening meeting
Document Review (ISO 19011 C.3)
Conduct Interviews (ISO 19011 C.7)
Conduct site visits (ISO 19011 C.6)
Collection and verification of information
Communications during the audit
BCLE-AUD Slide 2-27
Communicating the Results
Criteria for communications:
Include objectives, scope, conclusions, recommendations, and action plans
Include relevant information to support the conclusions and engagement results
Include overall opinion and/or conclusions where appropriate
Identify and comply with limitations on distribution
Quality of communications:
Accurate, objective, clear, concise, constructive, complete and timely
Minimize the risk of misinterpretation
Correct errors promptly
Disseminating results:
Outcomes of the engagement must be communicated timely to the appropriate parties (more on this on Day 4)
BCLE-AUD Slide 2-28
Discussion
1. What is auditing?
2. What is internal auditing?
3. Discuss the following types of audits:
a. First Party
b. Second Party
c. Third Party
4. Name some prominent regulations and standards that can be used in audits.
BCLE-AUD Slide 3-1
Program Management
Disaster/Emergency Management & Business Continuity Auditor Training
BCLE-AUD Slide 3-2
Program Administration
1.1* Scope. This standard shall establish a common set of criteria for all hazards disaster/emergency management and business continuity programs, hereinafter referred to as the program.
1.2* Purpose. This standard provides the fundamental criteria to develop, implement, assess, and maintain the program for prevention, mitigation, preparedness, response, continuity, and recovery.
1.3* Application. This document shall apply to public, not-for-profit, and nongovernmental organizations (NGOs) and to private entities.
BCLE-AUD Slide 3-3
Program Management
Leadership and Commitment
Program Coordinator
Program Committee
Program Administration
Laws and Authorities
Performance Objectives
Finance and Administration
Records management program
BCLE-AUD Slide 3-4
4.1 Leadership and Commitment
4.1.1 The entity leadership shall demonstrate commitment to the program to prevent, mitigate the consequences of, prepare for, respond to, maintain continuity during, and recover from incidents.
4.1.2 The leadership commitment shall include the following:
(1) Policies, plans, and procedures to develop, implement, and maintain the program
(2) Resources to support the program
(3) Reviews and evaluations to ensure program effectiveness
(4) Correction of deficiencies
4.1.3 The entity shall adhere to policies, execute plans, and follow procedures developed to support the program.
BCLE-AUD Slide 3-5
Leadership and Commitment
Interviews/Surveys/Documents
Interviews: entity leadership; program coordinator; team members
Survey: facility survey
Documents: program documents; program budget; policy statement; training, drill, testing, and exercise records
Evidence of Conformity
Policy statement signed by senior leader and widely disseminated
Sufficient funds budgeted
Periodic communication involves senior leadership
Senior leadership attendance at key activities
BCLE-AUD Slide 3-6
4.2 Program Coordinator
The program coordinator shall be appointed by the entity's leadership and authorized to develop, implement, administer, evaluate, and maintain the program.
BCLE-AUD Slide 3-7
Program Coordinator
Interviews/Surveys/Documents
Interviews: entity leadership; program coordinator; leaders of the emergency response, business continuity, IT DRP, and crisis communications teams
Documents: program plans and procedures
Evidence of Conformity
Program coordinator appointed?
Vested with sufficient authority?
Exhibiting appropriate leadership?
Communicating effectively?
Moving the program forward?
BCLE-AUD Slide 3-8
4.3 Program Committee
4.3.1* A program committee shall be established by the entity in accordance with its policy.
4.3.2 The program committee shall provide input for, and/or assist in the coordination of the preparation, development, implementation, evaluation, and maintenance of the program.
4.3.3* The program committee shall include the program coordinator and others who have the expertise, the knowledge of the entity, and the capability to identify resources from all key functional areas within the entity and shall solicit applicable external representation.
BCLE-AUD Slide 3-9
Internal Participants
Management
Legal
Environmental Health & Safety (EHS)
Human Resources
Public Relations or Public Affairs
Regulatory Affairs
Risk Management
Finance
Labor Relations
Operations
Facilities or Property Management
Engineering
Security
Medical
Information Technology
Purchasing, Supply Chain, & Distribution
Quality
Employees
Audit
BCLE-AUD Slide 3-10
External Representation
Law enforcement
Fire Department
Rescue service
Emergency Medical Services
Hazardous Materials contractor
Local Emergency Planning Committee (LEPC)
Emergency Management Agency
Public Health
Public Works
Contractors
Vendors
Customers
Others
BCLE-AUD Slide 3-11
Program Committee
Interviews/Surveys/Documents
Interviews: program coordinator; program committee members
Documents: company organization chart; meeting minutes; communications between team members; communications with external representatives
Evidence of Conformity
Program committee membership documented and current?
Committee reflects the entity's organization?
Includes required institutional and technical knowledge?
Periodic meetings held?
Communications between committee members related to achieving program goals?
BCLE-AUD Slide 3-12
4.4 Program Administration
(1) Executive policy, including vision, mission statement, roles and responsibilities, and enabling authority
(2)* Program scope, goals, objectives, and method of program evaluation
(3) Program plans and procedures that include the following:
(a) Anticipated cost
(b) Priority
(c) Time schedule
(d) Resources required
(4) Applicable authorities, legislation, regulations, and industry codes of practice as required by Section 4.5
(5) Program budget and schedule, including milestones
(6) Records management practices as required by Section 4.8
BCLE-AUD Slide 3-13
Program Administration
Interviews/Surveys/Documents
Interviews: senior management; program coordinator
Documents: policy statement; mission & vision statement; program plans (roles, responsibilities, goals, objectives); program evaluation; program development plan; budget
Evidence of Conformity
Policy statement with vesting of authority
Goals and objectives of program consistent with mission & vision
Roles and responsibilities defined
Program development plan with schedule supporting budget
BCLE-AUD Slide 3-14
4.5 Laws and Authorities
4.5.1* The program shall comply with applicable legislation, policies, regulatory requirements, and directives.
4.5.2* The entity shall establish and maintain a procedure(s) to comply with applicable legislation, policies, regulatory requirements, and directives.
4.5.3* The entity shall implement a strategy for addressing the need for revisions to legislation, regulations, directives, policies, and industry codes of practice.
BCLE-AUD Slide 3-15
Laws & Authorities (USA)
Occupational Safety & Health (OSHA) Standards
Emergency Action Plans
Means of Egress
Medical Services & First Aid; Bloodborne Pathogens
Permit-Required Confined Spaces
Process Safety Management
Hazardous Waste (HAZWOPER)
Fire brigades
Fire codes
Model Codes (NFPA 1, International Fire Code)
State or local fire prevention code
Life safety codes
NFPA 101, Life Safety Code
Americans with Disabilities
Environmental
Emergency Planning and Community Right to Know
Chemical Accident Prevention
Risk Management Plan
Spill Prevention Control & Countermeasures
Oil Pollution Prevention (more)
Homeland Security
Local ordinances
Industry Regulations
BCLE-AUD Slide 3-16
Laws & Authorities: Industries
Banking: Federal Financial Institutions Examination Council (FFIEC) BCP Handbook; Electronic Funds Transfer Act
Securities: NASD Rules 3510 and 3520; NYSE Rule 446 Business Continuity; NFA Compliance Rule 2-38
Insurance: National Association of Insurance Commissioners (NAIC) Controls In Information Technology (IT)
All Industries: Cyber security (protection of customer information)
Health Care: Health Insurance Portability and Accountability Act of 1996 (HIPAA); HITECH Act of 2009 (Health Information Technology for Economic and Clinical Health Act)
Pharmaceuticals: U.S. FDA Good Manufacturing Practices, Computerized Systems Used in Clinical Trials
Electric Utility Industry: Federal Electric Reliability Councils (FERC) Security Standards; North American Electric Reliability Councils (NERC) Security Guidelines
BCLE-AUD Slide 3-17
Laws & Authorities
Interviews/Surveys/Documents
Interviews: Program coordinator; Regulatory affairs; Legal
Documents: Prevention & mitigation plans; EHS program; IT security; BCP and IT DRP plans; Organizational statements (Emergency response plan); Crisis communications plan (mandatory reporting; recall); Incident reports; Training, drill, testing, and exercise documents
Evidence of Conformity
Applicable Federal, state, and local laws, regulations, and ordinances are referenced in the plan
Requirements have been identified and addressed in the plans: plans and procedures; resources; training, drills, exercises; reporting
Reporting requirements and triggers specified
BCLE-AUD Slide 3-18
4.6 Finance and Administration
4.6.1 The entity shall develop financial and administrative procedures to support the program before, during, and after an incident.
4.6.2 There shall be a responsive finance and administrative framework that does the following:
(1) Complies with the entity's program requirements
(2) Is uniquely linked to response, continuity, and recovery operations
(3) Provides for maximum flexibility to expeditiously request, receive, manage, and apply funds in a nonemergency environment and in emergency situations to ensure the timely delivery of assistance.
4.6.3 Procedures shall be created and maintained for expediting fiscal decisions in accordance with established authorization levels, accounting principles, governance requirements, and fiscal policy.
4.6.4 Finance and administrative procedures shall include the following:
(1) Responsibilities for program finance authority, including reporting relationships to the program coordinator
(2)* Program procurement procedures
(3) Payroll
(4)* Accounting systems to track and document costs
(5) Management of funding from external sources
(6) Crisis management procedures that coordinate authorization levels and appropriate control measures
(7) Documenting financial expenditures incurred as a result of an incident and for compiling claims for future cost recovery
(8) Identifying and accessing alternative funding sources
(9) Managing budgeted and specially appropriated funds
BCLE-AUD Slide 3-19
Finance and Administration
Interviews/Surveys/Documents
Interviews: Program coordinator; CFO, Treasurer, Accounting Manager; Risk or insurance manager
Documents: Program documents (crisis management, ERP, BCP); Accounting procedures; Risk management or insurance claims reporting and accounting procedures
Evidence of Conformity
Budget specifically for program
Defined roles & responsibilities
Documented authorization levels and procedures for expedited approvals
Risk management/insurance procedures for claims management
Documented accounting procedures; pre-established accounts
Oversight controls to prevent fraud
BCLE-AUD Slide 3-20
4.7 Records Management
4.7.1 The entity shall develop, implement, and manage a records management program to ensure that records are available to the entity following an incident.
4.7.2 The program shall include the following:
(1) Identification of records (hard copy or electronic) vital to continue the operations of the entity
(2) Backup of records on a frequency necessary to meet program goals and objectives
(3) Validation of the integrity of records backup
(4) Implementation of procedures to store, retrieve, and recover records onsite or offsite
(5) Protection of records
(6) Implementation of a record review process
(7) Procedures coordinating records access
BCLE-AUD Slide 3-21
Records Management
Interviews/Surveys/Documents
Interviews: Program coordinator; Person responsible for records management
Survey: Records storage area or site
Documents: Program documents
Evidence of Conformity
Records management practices specified?
Records kept for required time period?
Document controls specified?
Access controls enforced?
Required confidentiality maintained?
BCLE-AUD Slide 4-1
Program Planning
Disaster/Emergency Management & Business Continuity Auditor Training
BCLE-AUD Slide 4-2
5.1 Planning Process
5.1.1* The program shall follow a planning process that develops strategies, plans, and required capabilities to execute the program.
5.1.2 Strategic planning shall define the entity's vision, mission, and goals of the program.
5.1.3 A risk assessment and a business impact analysis (BIA) shall develop information to prepare prevention and mitigation strategies.
BCLE-AUD Slide 4-3
5.1 Planning Process (continued)
5.1.4 A risk assessment, a BIA, and a resource needs assessment shall develop information to prepare emergency operations/response, crisis communications, continuity, and recovery plans.
5.1.5 Crisis management planning shall address issues that threaten the strategic, reputational, and intangible elements of the entity.
5.1.6 The entity shall include key stakeholders in the planning process.
BCLE-AUD Slide 4-4
Strategic Planning
Vision
Mission
Program goals
Prevention & mitigation
Emergency response
Business continuity
Crisis communications
BCLE-AUD Slide 4-5
6.1 Common Plan Requirements
6.1.1* Plans shall address the health and safety of personnel.
6.1.2 Plans shall identify and document the following:
(1) Assumptions made during the planning process
(2) Functional roles and responsibilities of internal and external agencies, organizations, departments, and positions
(3) Lines of authority
(4) The process for delegation of authority
(5) Lines of succession for the entity
(6) Liaisons to external entities
(7) Logistics support and resource requirements
6.1.3* Plans shall be individual, integrated into a single plan document, or a combination of the two.
6.1.4* The entity shall make sections of the plans available to those assigned specific tasks and responsibilities therein and to key stakeholders as required.
CB 4-2
BCLE-AUD Slide 4-6
Crisis Management Planning
Addresses issues that threaten the brand, organizational image, reputation, and intangible elements of the entity.
Crisis Management. The ability of an entity to manage incidents that have the potential to cause significant security, financial, or reputational impacts. [NFPA 1600 3.3.8]
BCLE-AUD Slide 4-7
Auditing the Planning Effort
Interviews/Surveys/Documents
Interviews: Program coordinator; Senior management; Planners; Communications
Documents: Strategic planning; Capital budget; All plans
Evidence of Conformity
Program goals and objectives align with strategic goals and objectives of the entity
All Hazards approach
Common plan requirements met within each plan document
BCLE-AUD Slide 5-1
Risk Assessment
Disaster/Emergency Management & Business Continuity Auditor Training
BCLE-AUD Slide 5-2
5.2 Risk Assessment
5.2.1* The entity shall conduct a risk assessment to develop required strategies and plans.
5.2.2* The entity shall identify hazards and monitor those hazards and the likelihood of their occurrence.
5.2.2.1* Hazards to be evaluated shall include the following:
(1) Natural hazards (geological, meteorological, and biological)
(2) Human-caused events (accidental and intentional)
(3) Technologically caused events (accidental and intentional)
5.2.2.2 The vulnerability of people, property, the environment, and the entity shall be identified, evaluated, and monitored.
5.2.3* The entity shall conduct an analysis of the impact of the hazards identified in 5.2.2 on the following:
(1) Health and safety of persons in the affected area
(2) Health and safety of personnel responding to the incident
(3)* Continuity of operations
(4)* Property, facilities, assets, and critical infrastructure
(5) Delivery of the entity's services
(6) Supply chain
(7) Environment
(8)* Economic and financial condition
(9) Regulatory and contractual obligations
(10) Reputation of or confidence in the entity
5.2.4* The analysis shall evaluate the potential effects of regional, national, or international incidents that could have cascading impacts.
5.2.5 The risk assessment shall evaluate the adequacy of existing prevention and mitigation strategies.
BCLE-AUD Slide 5-3
Risk Assessment Process
Process stages: Hazard Identification, Vulnerability Assessment, Impact Analysis
Identify Hazards: Fire; Explosion; Natural hazards; Hazardous materials spill or release; Terrorism; Workplace violence; Pandemic disease; Utility outage; Mechanical breakdown; Supplier failure; Cyber attack
Assets at Risk: People; Property including buildings, critical infrastructure; Supply chain; Systems/equipment; Information Technology; Business operations; Reputation of or confidence in entity; Regulatory and contractual obligations; Environment
Impacts: Casualties; Property damage; Business interruption; Loss of customers; Financial loss; Environmental contamination; Loss of confidence in the organization; Fines and penalties; Lawsuits
Probability & Magnitude
Vulnerability
BCLE-AUD Slide 5-4
Risk Assessment
Analyze the impacts of identified hazards on:
Health and safety of persons in the affected area and responding personnel
Property, facilities, assets, and critical infrastructure
Continuity of operations/delivery of services
Supply chain
Environment
Economic and financial condition
Regulatory and contractual obligations
Reputation of or confidence in the entity
Evaluate potential effects of regional, national, or international incidents that could have cascading impacts.
BCLE-AUD Slide 5-5
Hazards: Natural Hazards
Geological: Earthquakes; Landslide; Subsidence/Sinkhole; Tsunami; Volcano
Meteorological: Flooding; Hurricanes; Lightning; Tornadoes; Dam Failure; Severe Winter Storm; Arctic freeze
BCLE-AUD Slide 5-6
Hazards: Natural Hazards
Biological Hazards: Pandemic Disease; Foodborne Illnesses
BCLE-AUD Slide 5-7
Hazards: Human-Caused Events
Fire & Explosion: Explosion; Fire; Wildfire
Buildings & Equipment: Structural Failure or Collapse; Entrapment; Mechanical Breakdown
BCLE-AUD Slide 5-8
Hazards: Human-Caused Events
Transportation Incidents: Motor Vehicle; Railroad; Watercraft; Aircraft; Pipeline
Hazardous Materials: Hazmat spill or release (on and off-site); Natural Gas Leak; Nuclear Power Plant Incident; Radiological incident
BCLE-AUD Slide 5-9
Hazards: Human-Caused Events
Supply Chain Interruption: Loss of Shipping or Transportation; Vendor failure (single or sole source provider); Loss of Key Customer
Utility Interruption or Failure: Telecommunications; Electrical Power; Water; Gas; Steam; HVAC; Pollution control system; Sewerage system; Other critical infrastructure
BCLE-AUD Slide 5-10
Hazards: Human-Caused Events
Human Caused Intentional Acts: Arson; Labor Strike; Demonstrations; Civil Disturbance (Riot); Bomb Threat; Lost Person; Child Abduction; Kidnap; Extortion; Hostage Incident; Workplace Violence; Robbery; Sniper Incident; Crime or Theft; Sabotage or Vandalism
Terrorism: Chemical; Biological; Radiological; Nuclear; Explosives
BCLE-AUD Slide 5-11
Hazards: Human-Caused Events
Employment Practices: Privacy; Discrimination; Harassment
Liability: Product Liability or Warranty; Professional Liability; Contractual Liability; Directors & Officers Liability; Libel or Slander; Fraud; General Liability; Automobile Liability
BCLE-AUD Slide 5-12
Hazards: Technological
Computer Systems
Outages
Hardware failure
Data corruption, deletion, or theft
Loss of network connectivity (Internet or intranet)
Loss of electronic data interchange or eCommerce
Loss of domain name server (DNS)
Virus, worm, Trojan horse
Power surge; lightning
Host site interdependencies
Water damage
Cyber terrorism
Hacking
Computer fraud
Loss of encryption
Denial of service
Improper system use by employee
Telecommunications interruption or failure
Internet service provider
Electricity brownout or blackout
BCLE-AUD Slide 5-13
Example Probability of Occurrence
Low: Less than 10% annual probability, or on average less than once every 10 years
Medium: Greater than or equal to 10% annual probability, or on average at least once every 10 years
High: 100% annual probability of occurrence (expected to occur on average once each year)
BCLE-AUD Slide 5-14
Probability of Occurrence
Probabilities of some natural hazards available from government sources
Entity must assign relative probabilities
For each hazard there are many combinations of probability and severity
Probabilities of some threats (e.g., pandemic flu and terrorism) are hard to quantify
BCLE-AUD Slide 5-15
Assets at Risk
People: Employees; Visitors, guests, contractors; Neighbors/community; Emergency responders
Property: Buildings; Machinery & Equipment; Computer Systems; Raw materials/finished goods; Property on premises of others; Vital records, drawings, data; Intellectual Property; Utilities; Critical Infrastructure
BCLE-AUD Slide 5-16
Assets at Risk
Business Operations: Manufacturing processes; Delivery of services; Administrative services; Research & development; Supply chain
Environment: Air, Water, & Ground
Entity: Economic and financial condition; Licenses, Patents, Trademarks; Reputation and image; Regulatory and contractual obligations; Relationships
BCLE-AUD Slide 5-17
Vulnerability Assessment
Vulnerability is a weakness, an inadequately protected exposure, or susceptibility to damage or harm.
A vulnerability assessment is a process to identify, evaluate, and assess:
Susceptibility of a site to natural or manmade hazards
Weaknesses in buildings, systems, equipment, management programs, and the capabilities of people
Lack of, or inadequate protection of, a hazard
Dependencies and interdependencies
BCLE-AUD Slide 5-18
Severity of Impacts
How do you measure severity of impacts?
Impact is relative to the size and resources of the entity
Interview senior management and experts within the organization to obtain their opinion on the relative impact of various scenarios
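The probability bands, the "many combinations of probability and severity" per hazard, and the relative severity ratings from management interviews described on these slides, worked through as a small risk register. This is an added example, not course material from DRI or NFPA; the hazard names, annual probabilities, 1 to 5 severity ratings and strategy list are constructed sample data, and the scoring rule (largest annualised severity per hazard) is an assumption made here for illustration.

```python
"""Risk register scoring using the course's probability bands (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Impact categories drawn from 5.2.3; each scenario carries a 1-5 rating per category.
IMPACT_CATEGORIES = ("people", "operations", "property", "environment", "reputation")


def probability_band(annual_probability: float) -> str:
    """Map an annual probability to the slide's Low/Medium/High bands."""
    if not 0.0 <= annual_probability <= 1.0:
        raise ValueError("annual probability must be between 0 and 1")
    if annual_probability >= 1.0:
        return "High"       # expected to occur on average once each year
    if annual_probability >= 0.10:
        return "Medium"     # on average at least once every 10 years
    return "Low"            # on average less than once every 10 years


@dataclass
class Scenario:
    """One probability/severity combination for a hazard (constructed)."""
    description: str
    annual_probability: float
    impacts: Dict[str, int]   # category -> 1 (negligible) .. 5 (catastrophic)

    def severity(self) -> int:
        """Worst rating across categories: a life-safety 5 must not be averaged away."""
        unknown = [c for c in self.impacts if c not in IMPACT_CATEGORIES]
        if unknown:
            raise ValueError(f"unknown impact categories: {unknown}")
        return max(self.impacts.values())

    def expected_severity(self) -> float:
        """Probability-weighted severity, the quantity used for ranking (assumption)."""
        return self.annual_probability * self.severity()


@dataclass
class Hazard:
    name: str
    scenarios: List[Scenario] = field(default_factory=list)

    def worst_case(self) -> Scenario:
        return max(self.scenarios, key=lambda s: s.severity())

    def risk_score(self) -> float:
        # One hazard has several probability/severity combinations; rank on the
        # largest annualised severity rather than summing the scenarios.
        return max(s.expected_severity() for s in self.scenarios)


def rank_register(hazards: List[Hazard]) -> List[dict]:
    """Order hazards by risk score; also report the band of each worst case."""
    rows = []
    for h in hazards:
        worst = h.worst_case()
        rows.append({
            "hazard": h.name,
            "risk_score": round(h.risk_score(), 2),
            "worst_case": worst.description,
            "worst_case_band": probability_band(worst.annual_probability),
            "worst_case_severity": worst.severity(),
        })
    return sorted(rows, key=lambda r: r["risk_score"], reverse=True)


def unaddressed_hazards(hazards: List[Hazard], strategies: Dict[str, List[str]],
                        min_severity: int = 4) -> List[str]:
    """5.2.5 check: severe worst cases with no prevention or mitigation strategy listed."""
    return [h.name for h in hazards
            if h.worst_case().severity() >= min_severity and not strategies.get(h.name)]


# Constructed sample register (not real assessment data).
SAMPLE_HAZARDS = [
    Hazard("Utility outage", [
        Scenario("Short outage, generator covers", 1.0, {"operations": 1, "people": 1}),
        Scenario("Multi-day regional outage", 0.05, {"operations": 4, "people": 2}),
    ]),
    Hazard("Hazardous materials release", [
        Scenario("Minor spill contained on site", 0.3, {"environment": 2, "people": 2}),
        Scenario("Major release off site", 0.02,
                 {"people": 5, "environment": 5, "reputation": 4}),
    ]),
    Hazard("Data corruption", [
        Scenario("Ransomware encrypts file servers", 0.2, {"operations": 4, "reputation": 3}),
    ]),
]
SAMPLE_STRATEGIES = {"Utility outage": ["standby generator"], "Data corruption": []}

if __name__ == "__main__":
    for row in rank_register(SAMPLE_HAZARDS):
        print(row)
    print("no strategy for severe worst case:",
          unaddressed_hazards(SAMPLE_HAZARDS, SAMPLE_STRATEGIES))
```

Note that the frequent low-severity outage ranks first on annualised score while both low-probability, high-severity worst cases show up only through the band and severity columns, which is why the auditor checks both views.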
BCLE-AUD Slide 5-19
Auditing Risk Assessment
Interviews/Surveys/Documents
Interviews: Program coordinator; Internal experts (EHS, security, IT, facilities, operations, supply chain, etc.); Internal Audit; Risk management
Surveys: Observations of site, facility, data center, hazardous processes
Documents: Risk assessments; Process hazard analysis; Risk management plan; Loss prevention reports (internal, insurer, consultant)
Evidence of Conformity
Risk assessment considers all hazards
Probabilities are estimated
Vulnerabilities are identified
Impacts of hazards are estimated: People; Buildings; Operations; Environment; Image and reputation
Evaluates effects of regional, national, or international incidents
Risk assessment used to develop overall program
BCLE-AUD Slide 5-20
Discussion
1. What is All Hazards?
2. What does a Risk Assessment determine?
3. Define Vulnerability.
4. Describe the Risk Assessment Process.
BCLE-AUD Slide 6-1
Business Impact Analysis
Disaster/Emergency Management & Business Continuity Auditor Training
BCLE-AUD Slide 6-2
5.3 Business Impact Analysis
5.3.1 The entity shall conduct a business impact analysis (BIA).
5.3.2 The BIA shall evaluate the potential impacts resulting from interruption or disruption of individual functions, processes, and applications.
5.3.3* The BIA shall identify those functions, processes, infrastructure, systems, and applications that are critical to the entity and the point in time [recovery time objective (RTO)] when the impact of the interruption or disruption becomes unacceptable to the entity.
5.3.4* The BIA shall identify dependencies and interdependencies across functions, processes, and applications to determine the potential for compounding impact in the event of an interruption or disruption.
5.3.5 The BIA shall evaluate the potential loss of information and the point in time [recovery point objective (RPO)] that defines the potential gap between the last backup of information and the time of the interruption or disruption.
5.3.6 The BIA shall be used in the development of recovery strategies and plans to support the program.
BCLE-AUD Slide 6-3
BIA Process
Identify Business Functions: Functions; Processes; Applications & Data
Identify Interdependencies: Internal; External
Identify & Analyze Impacts of Interruption/Disruption: Financial; Customer; Contractual; Reputation; Regulatory
Determine Recovery Time Objectives: Point in time when impact(s) of the interruption or disruption becomes unacceptable
Determine Resource Requirements: Staff; Workspace; Machinery & Equipment; Information Technology; Vital Records
BCLE-AUD Slide 6-4
Business Functions
Groups of related activities that enable the entity to produce its product(s) or provide its service(s).
BCLE-AUD Slide 6-5
Interdependencies
Supply chain
Process diagram
Distribution
Information Technology
Order receipt
Order processing
Voice
Data
Manufacturing control
BCLE-AUD Slide 6-6
Impacts: Quantitative & Qualitative
Quantitative: Property damage; Revenue loss; Cash flow; Accounts receivable; Market share; Stock price; Fines; Legal liability; Extra expenses
Qualitative: Human resources; Morale; Stakeholder confidence; Image and reputation; Financial community credibility
BCLE-AUD Slide 6-7
Impacts of Interruption/Disruption
Operational: Availability of automated systems and information; Reduced productivity and efficiency; Increased administrative costs; Management attention redirected to continuity and recovery
Customer: Customer relationships; Lost market share; Reputation or confidence in the entity
Financial: Lost revenue; Deferred revenue; Increased costs
Contractual: Penalties; Loss of bonuses
BCLE-AUD Slide 6-8
Impacts of Interruption/Disruption
Legal (litigation)
Regulatory (fines or penalties)
Failure to meet reporting deadlines
Operational
Human resources
Environmental
Regional, national, international impacts
BCLE-AUD Slide 6-9
Recovery Time Objective (RTO)
The recovery time objective is the period of time within which systems, applications, or functions must be recovered after an outage (e.g., one business day).
A.5.3.3 RTOs are often used as the basis for the development of recovery strategies and as a determinant as to when to implement the recovery strategies during a disaster situation.
BCLE-AUD Slide 6-10
Data Recovery Point Objective
A.5.3.5 The RPO is the point in time from which data are recovered, the last good backup offsite at the time of the event.
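The RPO definition above and the records management requirements in 4.7.2 (backup frequency sufficient for program objectives, validation of backup integrity) combined into one conformity check an auditor could run over a backup catalogue. This is an added example, not course material from DRI or NFPA; the catalogue structure, timestamps, payloads and digests are constructed sample data, and treating only intact offsite copies as "good" is the assumption taken from the slide's wording.

```python
"""Backup frequency and integrity check against the BIA's RPO (added example)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class BackupRecord:
    completed: datetime     # when the backup job finished
    offsite: bool           # True only for copies held away from the primary site
    recorded_sha256: str    # digest written to the catalogue when the backup was taken
    content: bytes          # backup payload (in practice read back from the media)


def verify_integrity(rec: BackupRecord) -> bool:
    """4.7.2(3): recompute the digest and compare it with the catalogue entry."""
    return hashlib.sha256(rec.content).hexdigest() == rec.recorded_sha256


def good_offsite_backups(records: List[BackupRecord]) -> List[datetime]:
    """Completion times of backups that are both offsite and intact, oldest first."""
    return sorted(r.completed for r in records if r.offsite and verify_integrity(r))


def data_loss_window(records: List[BackupRecord], incident: datetime) -> Optional[timedelta]:
    """Gap between the last good offsite backup and the incident: the RPO actually achieved."""
    usable = [t for t in good_offsite_backups(records) if t <= incident]
    return incident - usable[-1] if usable else None


def max_backup_gap(records: List[BackupRecord], start: datetime, end: datetime) -> timedelta:
    """Longest interval inside [start, end] with no good offsite backup available.

    A good backup completed before the window anchors the first interval; with no
    good backups at all the gap is the whole window.
    """
    good = good_offsite_backups(records)
    before = [t for t in good if t < start]
    inside = [t for t in good if start <= t <= end]
    points = [before[-1] if before else start] + inside + [end]
    return max(b - a for a, b in zip(points, points[1:]))


def audit_rpo(records: List[BackupRecord], rpo: timedelta,
              start: datetime, end: datetime) -> Dict[str, object]:
    """Conformity finding for a review period: 4.7.2(2) frequency and 4.7.2(3) integrity."""
    gap = max_backup_gap(records, start, end)
    failures = [r.completed for r in records if not verify_integrity(r)]
    return {
        "rpo_hours": rpo.total_seconds() / 3600,
        "max_gap_hours": gap.total_seconds() / 3600,
        "integrity_failures": failures,
        "conforms": gap <= rpo and not failures,
    }


def make_record(completed: datetime, offsite: bool, content: bytes,
                corrupt: bool = False) -> BackupRecord:
    """Build a constructed catalogue entry; corrupt=True simulates media that no longer matches."""
    digest = hashlib.sha256(content).hexdigest()
    payload = content + b"\x00" if corrupt else content
    return BackupRecord(completed, offsite, digest, payload)


# Constructed sample: nightly offsite backups Mon-Thu, Wednesday's copy fails
# validation, plus a Thursday afternoon local snapshot that does not count as offsite.
RPO = timedelta(hours=24)
WINDOW_START = datetime(2013, 4, 1, 0, 0)
WINDOW_END = datetime(2013, 4, 5, 0, 0)
INCIDENT = datetime(2013, 4, 4, 20, 0)
SAMPLE_BACKUPS = [
    make_record(datetime(2013, 4, 1, 2, 0), True, b"ledger-mon"),
    make_record(datetime(2013, 4, 2, 2, 0), True, b"ledger-tue"),
    make_record(datetime(2013, 4, 3, 2, 0), True, b"ledger-wed", corrupt=True),
    make_record(datetime(2013, 4, 4, 2, 0), True, b"ledger-thu"),
    make_record(datetime(2013, 4, 4, 14, 0), False, b"ledger-thu-local"),
]

if __name__ == "__main__":
    print("achieved RPO at incident:", data_loss_window(SAMPLE_BACKUPS, INCIDENT))
    print(audit_rpo(SAMPLE_BACKUPS, RPO, WINDOW_START, WINDOW_END))
```

The single failed validation turns a nightly schedule into a 48-hour exposure, twice the 24-hour RPO, which is the finding the "Identification of lost data potential" evidence item is looking for.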
BCLE-AUD Slide 6-11
Resource Requirements
Personnel
Facilities: Alternate workspace; Data center hot site
Machinery & equipment
Information technology
Vital records
BCLE-AUD Slide 6-12
Vital Records
3.3.27 Information critical to the continued operation or survival of an entity.
Includes records required to be kept for legal reasons
BCLE-AUD Slide 6-13
Paper Records
Paper Records: Work in process; Desks; Notebooks; File cabinets
Backup Options: Scanning; Photocopy; Microfilm/Fiche; Offsite storage
BCLE-AUD Slide 6-14
Auditing the BIA
Interviews/Surveys/Documents
Interviews: C Suite (COO, CFO, CIO); Department heads; Business process managers; Program Coordinator; Business continuity team; IT Disaster recovery team
Surveys: Manufacturing processes
Documents: Business process flowchart; Questionnaires and worksheets; BIA report; IT Disaster recovery plan
Evidence of Conformity
Systematic identification of functions, processes, and applications
Analysis of potential impacts
Determination of recovery time objectives
Identification of resource requirements
Identification of lost data potential
BCLE-AUD Slide 6-15
Evaluating the BIA Process
What were the assumptions?
What criteria were defined?
What method was used? Questionnaires; Interviews; Workshop
Who was interviewed?
How were results validated?
Who approved final BIA results?
BCLE-AUD Slide 6-16
Evaluating the BIA Process
How were the potential financial and non-financial impacts quantified and evaluated?
What were the requirements for identification of qualitative impacts?
What was the scale to define and prioritize impacts?
Did management agree with the thresholds and criticality scale?
BCLE-AUD Slide 6-17
Evaluating the BIA Report
Criticality Rating
Recovery Time Objectives (RTO)
Interdependencies - Internal and external
Resource requirements: Minimum staff levels; Workspace; Information technology including supporting infrastructure; Electronic information; Vital Records
BCLE-AUD Slide 6-18
Discussion
1. Define and describe RTO.
2. Define and describe RPO.
3. Define qualitative and quantitative impacts.
4. Describe the BIA Process.
BCLE-AUD Slide 7-1
Prevention & Mitigation
Disaster/Emergency Management & Business Continuity Auditor Training
BCLE-AUD Slide 7-2
6.2 Prevention
6.2.1* The entity shall develop a strategy to prevent an incident that threatens life, property, and the environment.
6.2.2* The prevention strategy shall be kept current using the information collection and intelligence techniques.
6.2.3 The prevention strategy shall be based on the results of hazard identification and risk assessment, an analysis of impacts, program constraints, operational experience, and a cost-benefit analysis.
6.2.4 The entity shall have a process to monitor the identified hazards and adjust the level of preventive measures to be commensurate with the risk.
BCLE-AUD Slide 7-3
Prevention Methods
Fire prevention
Injury & illness prevention programs: Safety/accident prevention; Occupational health; Immunizations, isolation, or quarantine
Physical & operational security: Deterrence operations; Surveillance and security operations; Provision of protective systems or equipment for physical risks
Computer/cyber security
BCLE-AUD Slide 7-4
Auditing Prevention Strategies
Interviews/Surveys/Documents
Interviews: Program coordinator; EHS manager; Risk manager; Human resources; IT manager; Facility, operations, engineering, fleet managers
Survey: Facilities
Documents: Risk assessment; Business impact analysis; Insurance loss prevention reports; Insurance claims; OSHA logs
Evidence of Conformity
Do strategies address: Life safety; Property protection; Environmental protection?
Are there prevention strategies to address the identified hazards?
Is there a process to collect information and intelligence to adjust preventive measures?
Is there an ongoing process to monitor hazards in real time if required?
BCLE-AUD Slide 7-5
6.3 Mitigation
6.3.1* The entity shall develop and implement a mitigation strategy that includes measures to be taken to limit or control the consequences, extent, or severity of an incident that cannot be prevented.
6.3.2* The mitigation strategy shall be based on the results of hazard identification and risk assessment, an analysis of impact, program constraints, operational experience, and cost-benefit analysis.
6.3.3* The mitigation strategy shall include interim and long-term actions to reduce vulnerabilities.
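The cost-benefit analysis that 6.3.2 requires, and the interim/long-term split in 6.3.3, can be worked through in a small model. The block below is an added example, not a tool from the DRI/NFPA training; it assumes the common annualized-loss model (expected annual loss = annual likelihood x impact per occurrence), which the standard does not prescribe, and every hazard, option, cost and budget figure in it is constructed for illustration. It ranks options whose avoided loss over a planning horizon exceeds their cost, selects them within a capital budget (a program constraint), and then reports hazards left without both an interim and a long-term action.

```python
"""Risk-weighted cost-benefit screen for mitigation options.

Added example (not part of the DRI/NFPA training deck). It assumes a simple
annualized-loss model: expected annual loss = annual likelihood x impact per
occurrence. Every number below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Hazard:
    name: str
    annual_likelihood: float  # expected occurrences per year (risk assessment)
    impact: float             # loss per occurrence, currency units (BIA)

    def ale(self) -> float:
        """Annualized loss expectancy before any mitigation."""
        return self.annual_likelihood * self.impact


@dataclass(frozen=True)
class Mitigation:
    name: str
    hazard: str                  # Hazard.name this option addresses
    one_time_cost: float         # capital cost
    annual_cost: float           # recurring cost (maintenance, contracts)
    likelihood_reduction: float  # fraction of likelihood removed, 0..1
    impact_reduction: float      # fraction of impact removed, 0..1
    term: str                    # "interim" or "long-term" (6.3.3)


def residual_ale(h: Hazard, m: Mitigation) -> float:
    """Annualized loss that remains once the option is in place."""
    return (h.annual_likelihood * (1.0 - m.likelihood_reduction)
            * h.impact * (1.0 - m.impact_reduction))


def evaluate(h: Hazard, m: Mitigation, horizon_years: int) -> dict:
    """Benefit = avoided loss over the horizon; cost = capital + recurring cost."""
    benefit = (h.ale() - residual_ale(h, m)) * horizon_years
    cost = m.one_time_cost + m.annual_cost * horizon_years
    return {"option": m.name, "hazard": h.name, "term": m.term,
            "one_time_cost": m.one_time_cost, "benefit": benefit, "cost": cost,
            "net": benefit - cost,
            "bcr": benefit / cost if cost > 0 else float("inf")}


def screen(hazards: List[Hazard], options: List[Mitigation],
           horizon_years: int, capital_budget: float) -> Dict[str, List[dict]]:
    """Classify options: rejected (benefit below cost), selected within the
    capital budget in order of net benefit, or deferred once the budget is used."""
    by_name = {h.name: h for h in hazards}
    rows = [evaluate(by_name[m.hazard], m, horizon_years) for m in options]
    rejected = [r for r in rows if r["bcr"] < 1.0]
    candidates = sorted((r for r in rows if r["bcr"] >= 1.0),
                        key=lambda r: r["net"], reverse=True)
    selected, deferred, remaining = [], [], capital_budget
    for r in candidates:
        if r["one_time_cost"] <= remaining:
            selected.append(r)
            remaining -= r["one_time_cost"]
        else:
            deferred.append(r)  # justified, but the program constraint blocks it this cycle
    return {"selected": selected, "rejected": rejected, "deferred": deferred}


def term_gaps(selected: List[dict], hazards: List[Hazard]) -> Dict[str, List[str]]:
    """Hazards whose selected actions lack an interim or a long-term component (6.3.3)."""
    gaps = {}
    for h in hazards:
        terms = {r["term"] for r in selected if r["hazard"] == h.name}
        missing = [t for t in ("interim", "long-term") if t not in terms]
        if missing:
            gaps[h.name] = missing
    return gaps


# Constructed sample data (illustrative only).
HAZARDS = [
    Hazard("Flood", 0.1, 2_000_000),
    Hazard("Fire", 0.05, 1_000_000),
    Hazard("Power outage", 2.0, 50_000),
]
OPTIONS = [
    Mitigation("Sandbag stockpile", "Flood", 20_000, 2_000, 0.0, 0.3, "interim"),
    Mitigation("Flood barrier", "Flood", 400_000, 5_000, 0.8, 0.0, "long-term"),
    Mitigation("Relocate server room", "Flood", 1_500_000, 0, 0.0, 0.9, "long-term"),
    Mitigation("Sprinkler upgrade", "Fire", 120_000, 3_000, 0.0, 0.6, "long-term"),
    Mitigation("Generator with 72h fuel", "Power outage", 150_000, 10_000, 0.0, 0.8, "long-term"),
    Mitigation("UPS for critical systems", "Power outage", 30_000, 1_000, 0.0, 0.2, "interim"),
]

if __name__ == "__main__":
    result = screen(HAZARDS, OPTIONS, horizon_years=5, capital_budget=700_000)
    for bucket, rows in result.items():
        for r in rows:
            print(f"{bucket:8} {r['option']:26} BCR={r['bcr']:.2f} net={r['net']:,.0f}")
    print("term gaps:", term_gaps(result["selected"], HAZARDS))
```

With the sample figures the server-room relocation is rejected on benefit-cost grounds, the sprinkler upgrade is justified but deferred by the capital budget, and the Fire hazard therefore ends the cycle with neither an interim nor a long-term action, which is exactly the kind of finding an auditor would raise against 6.3.3 and the short-term/long-term budgeting question.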
BCLE-AUD Slide 7-6
Hazard Mitigation
Compliance with building codes
Hazard avoidance through land-use practices
Removal or elimination of the hazard
Segregation of hazard
Modification of characteristics of hazard
Control of rates of release of the hazard
Protective systems or equipment for physical risks
Hazard warning and communication
Redundancy or duplication of essential personnel, critical systems, equipment
BCLE-AUD Slide 7-7
Financial Risk Mitigation
Insurance is financial risk mitigation
Lines of coverage
Property damage
Business interruption (time element)
Contingent business interruption
Liability
Endorsements
Extra expense
Extended period of indemnity
Is insurance coverage aligned with risk assessment and BIA?
BCLE-AUD Slide 7-8
Auditing Mitigation Strategies
Interviews/Surveys/Documents
Interviews
Program coordinator
Strategic planner
EHS manager
Risk manager
Human resources
IT manager
Facility, operations, engineering, supply chain, fleet managers
Survey
Facilities
Documents
Risk assessment
Business impact analysis
EHS program documents
Insurance loss prevention reports
Capital budget
Evidence of Conformity
Do strategies address protection of life, property, and the environment?
Are there strategies to mitigate potential impacts?
Has money been budgeted short-term and long-term?
BCLE-AUD Slide 7-9
Discussion
1. Discuss some of the prevention methods used in Business Continuity and Emergency Management.
2. What is mitigation?
3. What are mitigation strategies?
BCLE-AUD Slide 8-1
Resource Management
Disaster/Emergency Management & Business Continuity Auditor Training
BCLE-AUD Slide 8-2
Resource Management
6.7.7 Resource management shall include the following tasks:
(1) Establishing processes for describing, taking inventory of, requesting, and tracking resources
(2) Resource typing or categorizing by size, capacity, capability, and skill
(3) Mobilizing and demobilizing resources in accordance with the established IMS
(4) Conducting contingency planning for resource deficiencies
6.7.8 A current inventory of internal and external resources shall be maintained.
6.7.9 Donations of human resources, equipment, material, and facilities shall be managed.
BCLE-AUD Slide 8-3
Resource Requirements
4.4.1(5)(c) entity shall have program plans and procedures that include resources required
6.1.2(7) Plans shall identify logistics support and resource requirements.
What are the program goals and objectives?
Protect the health and safety of people
___________________________________
___________________________________
___________________________________
What are the hazards impacting the entity?
BCLE-AUD Slide 8-7
Logistics Procedures
Locate, acquire, store, distribute, maintain, test, and account for services, personnel, resources, materials, and facilities procured or donated to support the program.
BCLE-AUD Slide 8-8
Resource Inventory
6.7.8 A current inventory of internal and external resources shall be maintained.
Funding
Trained staff, expert knowledge
Facilities
Information technology
Equipment
Materials and supplies
Information and intelligence
BCLE-AUD Slide 8-9
Materials & Supplies
Consumable
Timely re-supply needed to meet goals and objectives
Procurement strategies
Purchase in advance
Quick ship contracts
Procure at the time of disaster
Risk management
Examples
Extra batteries, battery meters, and chargers
Food, water, etc.
Medical or first aid supplies
Fuel
Salvage covers
Cleanup supplies
Paper, pens, pencils
Checks
Paper forms
BCLE-AUD Slide 8-10
Resource Requirements: Fire
Goals
Prevent fires
Protect life
Minimize property damage
Prevent business interruption
Prevent environmental contamination
Protect image & reputation
Comply with regulations
Selected Resources
Fire protection engineer
Detection & suppression systems
Occupant notification system
Means of egress (exits)
Evacuation team
Fire brigade
Crisis communications team
Mutual aid
Emergency response plan
Business continuity plan
Alternate facilities
Hazardous materials containment
Funding
BCLE-AUD Slide 8-11
Resource Requirements: Power Outage
Goals
Protect people
Protect property
Continue partial or full business functions
Protect the environment
Selected Resources
Trained personnel
Emergency lighting
Communications capability
Supplies for sheltering
Uninterruptible power supplies
Generators
Fuel supply for 72 hours
BCLE-AUD Slide 8-12
Mutual Aid Assistance
5.4.5* Agreements. The need for mutual aid/assistance or partnership agreements shall be determined; if needed, agreements shall be established and documented.
The need for mutual aid/assistance should be determined for:
Private-Private Partnerships
Public-Private Partnerships
Public-Public Partnerships
BCLE-AUD Slide 8-13
Donations
6.7.9 Donations of human resources, equipment, material, and facilities shall be managed.
BCLE-AUD Slide 8-14
Auditing Resource Management
Interviews/Surveys/Documents
Interviews
Program coordinator
Team leaders and members
Public services (fire, hazmat, police, health, emergency medical)
Purchasing or procurement
Surveys
Facilities (alternate workspace offices, call center, data center, manufacturing, etc.)
IT (hardware, networking, applications, data)
Vital records
Systems (detection, alarm, communication, and suppression; etc.)
Life safety (exits, lighting, signs, etc.)
Equipment, materials, and supplies
Documents
Budget
Rosters and contact lists
Plans (emergency response, business continuity, communications, DRP)
Resource inventory
Partnership/mutual aid agreements
Vendor contracts (quick ship, hot site, etc.)
BCLE-AUD Slide 8-15
Auditing Resource Management
Evidence of Conformity
Needs assessment conforming to 6.7.5 has been completed
Needs assessment is based on risk assessment
Current resource inventory maintained
Verification that resources identified in plan documents are available within required time frame
Resources have required capabilities
Resources are in reliable condition
Logistics procedures to execute program
Procedures for donations management
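The conformity checks above (resources available within the required time frame, in reliable condition, with contingency planning for deficiencies under 6.7.7(4)) reduce to comparing plan requirements against the resource inventory of 6.7.8, with the procurement strategy deciding the lead time. The block below is an added example, not a tool from the DRI/NFPA training; it assumes each plan requirement names a typed resource, a quantity and the hours within which it must be available, and that each inventory record carries a quantity, a lead time (0 for stock purchased in advance, the contract lead time for quick-ship, an estimate for procure-at-time-of-disaster) and whether the last test or inspection verified it. It also carries the consumable case through for the 72-hour fuel requirement on the power-outage slide. All data in it is constructed.

```python
"""Resource needs-vs-inventory gap check.

Added example, not part of the DRI/NFPA training deck. Assumes typed resource
requirements with a deadline in hours and inventory records with lead time and
verification status (see the lead-in). All data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Requirement:
    resource: str           # typed resource (6.7.7(2)), e.g. "generator/250kW"
    quantity: int
    needed_within_h: float  # from plan documents and the BIA
    hazard: str


@dataclass(frozen=True)
class Source:
    resource: str
    quantity: int
    lead_time_h: float  # 0 = on hand (purchased in advance)
    strategy: str       # "on-hand", "quick-ship" or "at-time-of-disaster"
    verified: bool      # last test/inspection confirmed reliable condition


def gap_report(requirements: List[Requirement], sources: List[Source]) -> List[Dict]:
    """For each requirement, count what verified sources can deliver in time,
    what would arrive too late, and what is on the books but unverified."""
    report = []
    for req in requirements:
        matching = [s for s in sources if s.resource == req.resource]
        in_time = sum(s.quantity for s in matching
                      if s.verified and s.lead_time_h <= req.needed_within_h)
        late = sum(s.quantity for s in matching
                   if s.verified and s.lead_time_h > req.needed_within_h)
        unverified = sum(s.quantity for s in matching if not s.verified)
        report.append({"resource": req.resource, "hazard": req.hazard,
                       "required": req.quantity, "available": in_time,
                       "shortfall": max(0, req.quantity - in_time),
                       "late": late, "unverified": unverified})
    return report


def deficiencies(report: List[Dict]) -> List[str]:
    """Findings for 6.7.7(4) contingency planning: resources short of the plan."""
    notes = []
    for r in report:
        if r["shortfall"] > 0:
            notes.append(f"{r['resource']}: short {r['shortfall']} of {r['required']} "
                         f"within deadline (late {r['late']}, unverified {r['unverified']})")
    return notes


def consumable_coverage_hours(on_hand: float, burn_rate_per_h: float,
                              resupply_lead_h: float, resupply_qty: float) -> float:
    """Hours a consumable lasts; a resupply counts only if it arrives before
    the on-hand stock runs out, otherwise the resupply does not close the gap."""
    if burn_rate_per_h <= 0:
        raise ValueError("burn rate must be positive")
    hours = on_hand / burn_rate_per_h
    if resupply_lead_h <= hours:
        hours += resupply_qty / burn_rate_per_h
    return hours


# Constructed sample data (illustrative only).
REQUIREMENTS = [
    Requirement("generator/250kW", 2, 1.0, "Power outage"),
    Requirement("ups/10kVA", 4, 0.0, "Power outage"),
    Requirement("emergency lighting unit", 20, 0.0, "Power outage"),
    Requirement("evacuation team member", 6, 0.25, "Fire"),
]
SOURCES = [
    Source("generator/250kW", 1, 0.0, "on-hand", True),
    Source("generator/250kW", 2, 8.0, "quick-ship", True),   # rental contract, 8 h lead
    Source("ups/10kVA", 4, 0.0, "on-hand", True),
    Source("emergency lighting unit", 20, 0.0, "on-hand", False),  # inspection overdue
    Source("evacuation team member", 8, 0.0, "on-hand", True),
]

if __name__ == "__main__":
    for line in deficiencies(gap_report(REQUIREMENTS, SOURCES)):
        print(line)
    # 72-hour fuel target: 1800 L on hand, 50 L/h burn, 3000 L quick-ship in 24 h
    print("fuel coverage (h):", consumable_coverage_hours(1800, 50, 24, 3000))
```

Two points the sample data is built to show: the quick-ship generators count as inventory but not as available within the one-hour deadline, and the lighting units on hand count for nothing until their inspection is current, which is why "in reliable condition" is listed separately from "inventory maintained". For the fuel case, moving the resupply lead time from 24 h to 48 h drops coverage from 96 h to 36 h, because the delivery would arrive after the tank is already empty.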
Communications & Warning
Operational Procedures
Incident Management
Disaster/Emergency Management & Business Continuity Auditor Training
BCLE-AUD Slide 9-2
6.5 Warning, Notifications, and Communications
6.5.1* The entity shall determine its warning, notification, and communications needs.
6.5.2* Warning, notification, and communications systems shall be reliable, redundant, and interoperable.
6.5.3* Emergency warning, notification, and communications protocols and procedures shall be developed, tested, and used to alert stakeholders potentially at risk from an actual or impending incident.
6.5.4 Procedures shall include issuing warnings through authorized agencies if required by law as well as the use of prescripted information bulletins or templates.
BCLE-AUD Slide 9-3
Communications & Warning
Alert
Public emergency services
Emergency response, business continuity, crisis management & communications
Management
Warn
Building occupants
Community at risk
Consumers
Communications
Between and among teams
Public agencies
Contractors and vendors
Interviews/Surveys