
Page 1: Business continuity planning and disaster recovery

Business Continuity Planning and Disaster Recovery

1

Dr. Szenes 1

Business Continuity Planning and Disaster Recovery

Katalin Szenes Dr., CISA, CISM, CGEIT, CISSP

[email protected]

Óbuda University - Óbudai Egyetem, John von Neumann Faculty of Informatics - Neumann János Informatikai Kar, Institute of Software Technology - Szoftvertechnológiai Intézet

Dr. Szenes 2

Table of Contents

• purpose and main aspects
• definitions - BCP, disaster, DRP, IT BCP, IT DRP
• tasks of the IS auditor
  example on these tasks: CISA Q no 6-3
  on audit concerns: CISA Q no 6-10
• Consequences Concerning the Acceptance of the Risks
• other planning issues
• preliminaries to be settled
• preliminaries / insurance
• emergency management team
• CISA Q no 6-8 notification priorities
• CISA Q no 6-9 organizational unit IT & the BCP


Dr. Szenes 3

Table of Contents

On the Components of the Information Systems Business Continuity Plan

o some [development] phases
o [development] process
o categories of incidents & incident management
o BIA & risk management
  system risk ranking
  issues in BIA phase
  questions in BIA phase
  example on risk aspects: CISA Q no 6-1 - answer: see ISO/IEC 27001, 27002, too

Dr. Szenes 4

Table of Contents

On the Components of the Information Systems Business Continuity Plan- cont'd

o BCP documents
o Infrastructure types - hot, warm, etc.
  provisions for 3rd party agreements
  on the audit of 3rd party agreements
  infrastructure / telecommunications, networks
  infrastructure / storage


Dr. Szenes 5

Table of Contents

• BCP plan - testing considerations
• rulebook contents
• recovery aspects (RPO, RTO, etc.)
• The IS BCP of the Individual Systems
• COBIT 3, 4 support of IS audit and IT security
  the processes of Delivery & Support
  DS4 - Ensure Continuous Service
  DS4 control objectives
• ISACA CRM case study
• references

Dr. Szenes 6

purpose and main aspects (source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

purpose: to enable a business to continue offering critical services in the event of a disruption, and to survive even a disastrous interruption of its activities

business continuity planning has to take into consideration:
• the market & strategy goals of the corporation
• the strategic business processes
• those key operations that are most necessary to the survival of the organization
• the human/material resources supporting them

Note: ?? the business continuity plan must be based on the long-range IT plan ??


Dr. Szenes 7

purpose and main aspects (source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

the business continuity plan includes:
• the disaster recovery plan, to recover a facility rendered inoperable, including relocating operations to a new location - for later use
• the restoration plan, used to return operations to normality, whether in a restored or a new facility - only after the effect of the disruption has been mitigated by restarting the business applications involved

Dr. Szenes 8

Business Continuity Planning - Definition

The purpose of business continuity planning is to enable a business to continue operations should any kind of disturbance arise.

Rigorous planning and commitment of resources are necessary to plan adequately for such an event. Business continuity planning is primarily the responsibility of senior management, as they are entrusted with safeguarding both the assets and the viability of the company.

Business continuity planning is to take into consideration:
• those key operations that are most necessary to the survival, and later to the market success, of the organization
• the human / material resources supporting them.


Dr. Szenes 9

Business Continuity Planning - Definition

The second part, the operations part of the business continuity plan, should address all functions and assets required to continue as a viable organization and to keep acquiring market success. The extent of provision for reserve facilities depends on the cost / effectiveness considerations of top management.

Dr. Szenes 10

Disaster Recovery Plan - Definition

Disasters are disruptions that cause critical information resources to be inoperative for a period of time, e.g. weather, terrorism, disruption of expected services, human error, etc. (this disaster definition and the examples are from the CISA® Review Course slides)

The business continuity plan includes:
• the disaster recovery plan, which is generally the plan to be followed by the business units to recover a damaged / demolished facility or business functionality, or an operational facility
and
• the operations plan, which is to be followed by the business units to "get by" while recovery is taking place.


Dr. Szenes 11

Information Systems Business Continuity Planning / Information Systems Disaster Recovery Plan- Definition

Everything is the same as in the case of Business Continuity Planning / the Disaster Recovery Plan, with the exception that it is the continuity of information systems processing that is threatened.

Information systems processing is one of the many operations that keep the organization not only alive but also successful; thus it is of strategic importance.

Thus the event to be controlled is such a disruption, and the objective of the control measure is to survive an interruption of information systems processing.

Dr. Szenes 12

Information Systems Business Continuity Planning / Information Systems Disaster Recovery Plan - Definition

Throughout the business continuity planning process, the overall plan of the organization should be taken into consideration.

All IS plans must be consistent with and support the corporate business continuity plan.

This means that, in particular, the information processing systems that support key operations must have the more elaborate and ready-to-start reserve processing facilities.


Dr. Szenes 13

the tasks of the auditor (source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery / Learning Objectives)

the tasks of the auditor:

• Evaluate the adequacy of backup and restore provisions to ensure the availability of information required to resume processing
• Evaluate the organization's disaster recovery plan to ensure that it enables the recovery of IT processing capabilities in the event of a disaster
• Evaluate the organization's business continuity plan to ensure the organization's ability to continue essential business operations during the period of an IT disruption

. / .

Dr. Szenes 14

the tasks of the auditor (source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

the tasks of the auditor - cont'd

• Check whether the BCP follows corporate strategy
• Evaluate plans for accuracy, adequacy, effectiveness, etc.
• Evaluate offsite storage
• Evaluate the ability of IS and user personnel to respond effectively
• Ensure plan maintenance is in place
• Evaluate the readability of business continuity manuals and procedures

./.


Dr. Szenes 15

the tasks of the auditor (source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

the tasks of the auditor - cont'd

• Check the documents from the viewpoint of currency, effectiveness and validity: interview personnel for appropriateness and completeness
• Evaluate the BCP quality, e.g.:
  determine whether corrective actions are in the plan
  evaluate thoroughness and accuracy
  determine problem trends and the resolution of problems

./.

Dr. Szenes 16

the tasks of the auditor (source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

the tasks of the auditor - cont'd

• Evaluate media & documentation handling: presence, synchronization and currency of media and documentation
• Perform a detailed inventory review
• Review all documentation: is it current, is it detailed enough?
  change management
  configuration management

./.


Dr. Szenes 17

the tasks of the auditor (source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

the tasks of the auditor - cont'd

• Evaluate the offsite storage facility - if any, and what is there?
  evaluate the physical and environmental access controls
  examine the equipment for current inspection and calibration tags
  etc.
• Key personnel must have an understanding of their responsibilities

./.

Dr. Szenes 18

the tasks of the auditor (source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

questions for checking:

• Who is responsible for administration or coordination of the plan?
• Is the plan administrator/coordinator responsible for keeping the plan up-to-date?
• Is there a disaster recovery implementation team (i.e., the first response team members who will react to the emergency with immediate action steps)?
• Where is the disaster recovery plan stored?
• What critical systems are covered by the plan?
• What systems are not covered by the plan? Why not?

./.


Dr. Szenes 19

the tasks of the auditor (source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

questions for checking - cont'd

• What equipment is not covered by the plan? Why not?
• Does the plan operate under any assumptions? What are they?
• Does the plan identify rendezvous points for the disaster management committee or emergency management team to meet and decide whether business continuity should be initiated?
• Are the documented procedures adequate for successful recovery?
• Does the plan address disasters of varying degrees?
• Are telecommunications backups (both data and voice line backups) addressed in the plan? And how? - see later: infrastructure / telecommunications

./.

Dr. Szenes 20

the tasks of the auditor (source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

questions for checking - cont'd

• Is there a backup facility site? And / or: what kind of precautions have been made? (see later: different types of infrastructures)
• Does the plan address relocation to a new information processing facility in the event that the original center cannot be restored?
• Does the plan include procedures for merging master file data, automated tape management system data, etc., into pre-disaster files?


Dr. Szenes 21

the tasks of the auditor - CISA Q no 6-3 (source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

An IS auditor should be involved in:

A. observing tests of the disaster recovery plan.

B. developing the disaster recovery plan.

C. maintaining the disaster recovery plan.

D. reviewing the disaster recovery requirements of supplier contracts.

Dr. Szenes 22

the tasks of the auditor - CISA Q no 6-3 (source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

Answer: A

The IS auditor should always be present when disaster recovery plans are tested, to ensure that the test meets the required targets for restoration, to ensure that recovery procedures are effective and efficient, and to report on the results, as appropriate.

IS auditors may be involved in overseeing plan development, but they are unlikely to be involved in the actual development process. Similarly, an audit of plan maintenance may be conducted, but the IS auditor normally would not have any responsibility for the actual maintenance. An IS auditor may be asked to comment upon various elements of a supplier contract, but, again, this is not always the case.


Dr. Szenes 23

on audit concerns - CISA Q no 6-10 (source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

version 1 - the slides

In an audit of a business continuity plan, which of the following findings is of MOST concern?

A. There is no insurance for the addition of assets during the year.
B. The business continuity plan manual is not updated on a regular basis.
C. Testing of the backup data has not been done regularly.
D. Records for maintenance of the access system have not been maintained.

Dr. Szenes 24

on audit concerns - CISA Q no 6-10 (source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

version 1 - the slides
The correct answer is C

The most vital assets for a company are data. In a business continuity plan, it is critical to ensure that data are available. Therefore, regular testing of the backup of data must be done. If testing is not done, the organization may not be able to retrieve data when required during a disaster; hence, the company may lose its most valuable asset and may not be able to recover from the disaster. A loss on account of lack of insurance is limited to the value of assets. If the business continuity plan manual is not updated, the company may find the manual not fully relevant for recovery during a disaster. However, recovery could be still possible. Non-maintenance of records in an access system will not directly impact the relevance of the business continuity plan.
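The finding in answer C is that backups exist but have never been shown to be restorable, and the auditor's task on slide 13 is to "evaluate the adequacy of backup and restore provisions". The script below is an added example, not part of the ISACA material or of these slides: it performs a minimal restore drill. It assumes a backup is a plain directory copy accompanied by a JSON manifest of SHA-256 digests and a backup timestamp (a constructed stand-in for whatever catalogue a real backup tool writes), restores the set into a scratch directory, compares every restored file against the manifest, and checks the age of the backup against an assumed recovery point objective (RPO). The sample files, the corrupted byte and the deleted file are all constructed for the demonstration.

```python
"""Restore drill for a backup set: restore it, verify integrity against the
manifest written at backup time, and check the backup's age against the RPO.
Constructed example; the manifest format is an assumption, not a real tool's."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, backup_dir, taken_at):
    """Stand-in for the backup job: copy source_dir to backup_dir/data and write
    backup_dir/manifest.json with a digest per file and the backup time."""
    data_dir = os.path.join(backup_dir, "data")
    shutil.copytree(source_dir, data_dir)
    manifest = {"taken_at": taken_at.isoformat(), "files": {}}
    for root, _, files in os.walk(data_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest["files"][os.path.relpath(full, data_dir)] = sha256_of(full)
    with open(os.path.join(backup_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    return manifest


def restore_drill(backup_dir, restore_dir, rpo, now):
    """Restore backup_dir into restore_dir and return findings for the audit record:
    how many files came back intact, which are corrupt or missing, and whether
    the backup is recent enough to satisfy the RPO at time `now`."""
    with open(os.path.join(backup_dir, "manifest.json")) as f:
        manifest = json.load(f)
    taken_at = datetime.fromisoformat(manifest["taken_at"])
    findings = {"restored": 0, "corrupt": [], "missing": [],
                "rpo_met": (now - taken_at) <= rpo}
    # The actual restore step; a real drill would invoke the backup tool here.
    shutil.copytree(os.path.join(backup_dir, "data"), restore_dir)
    for rel, digest in manifest["files"].items():
        path = os.path.join(restore_dir, rel)
        if not os.path.exists(path):
            findings["missing"].append(rel)       # media lost a file
        elif sha256_of(path) != digest:
            findings["corrupt"].append(rel)       # silent bit rot or tampering
        else:
            findings["restored"] += 1
    findings["passed"] = (findings["rpo_met"]
                          and not findings["corrupt"] and not findings["missing"])
    return findings


def run_demo():
    """Constructed scenario: one sound backup inside the RPO, and one stale
    backup with a corrupted file and a missing file. Returns both findings."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.makedirs(src)
        with open(os.path.join(src, "ledger.csv"), "w") as f:
            f.write("acct,balance\n1001,250.00\n")
        with open(os.path.join(src, "config.ini"), "w") as f:
            f.write("[db]\nhost=db1\n")
        now = datetime(2010, 6, 1, 12, 0, tzinfo=timezone.utc)
        rpo = timedelta(hours=4)  # assumed RPO for this system

        good = os.path.join(tmp, "backup_good")
        make_backup(src, good, taken_at=now - timedelta(hours=3))
        good_result = restore_drill(good, os.path.join(tmp, "restore_good"), rpo, now)

        bad = os.path.join(tmp, "backup_bad")
        make_backup(src, bad, taken_at=now - timedelta(hours=30))
        with open(os.path.join(bad, "data", "ledger.csv"), "ab") as f:
            f.write(b"\x00")                       # simulate media corruption
        os.remove(os.path.join(bad, "data", "config.ini"))  # simulate a lost file
        bad_result = restore_drill(bad, os.path.join(tmp, "restore_bad"), rpo, now)
        return good_result, bad_result


if __name__ == "__main__":
    good_result, bad_result = run_demo()
    print("sound backup:", good_result)
    print("stale, damaged backup:", bad_result)
```

The point of the drill is that the check is performed on the restored copy, not on the backup medium in place: a manifest that verifies against the medium proves nothing about whether the restore procedure, the restore hardware and the operators can actually bring the data back within the RPO and RTO.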


Dr. Szenes 25

on audit concerns - CISA Q no 6-10 (source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

version 2

In an audit of a business continuity plan, which of the following findings is of MOST concern?

A. There is no insurance for the addition of assets during the year.
B. The business continuity plan is not updated on a regular basis.
C. Testing of the backup data has not been done regularly.
D. Records for maintenance of the access system have not been maintained.

The correct answer is?

Dr. Szenes 26

Consequences Concerning the Acceptance of the Risks

The alternatives for eliminating the risks are determined by the resources that management is willing to spend on "safety".

Management classifies, according to business importance, the

• assets
• processes
• data

and the importance of a data processing system is equal to the importance of the element it supports.


Dr. Szenes 27

other planning issues (source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

the entire organization needs to be considered for BCP

the personnel have to:
• classify critical systems and resources
• determine acceptable recovery times
• react

the personnel who must react to the interruption/disaster scenarios are those who are responsible for the most critical resources; management and user involvement is vital to the success of the business continuity plan

Dr. Szenes 28

other planning issues (source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

User management involvement is essential to the identification of critical systems, their associated critical recovery times and the specification of the needed resources.

The three major divisions that require involvement in the formulation of the business continuity plan are support services, business operations and information processing support.

As the underlying purpose of business continuity planning is the resumption of business operations, every organizational unit should contribute aspects and / or help to the development of the BCP, IT BCP, etc., already in the planning phase.


Dr. Szenes 29

other planning issues (source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

the BCP, IT BCP, etc., are to be based on:
• the risk assessment results, and the BIA
• the business goals & strategy
• all issues involved in an interruption to business processes, including recovering from a disaster

Important: The plan should be documented and written in simple language understandable to all. Copies of the plan should be maintained offsite.

Dr. Szenes 30

other planning issues (source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

for the BCP, IT BCP, etc., the following other information is to be collected:

• Pre-disaster readiness
• possible evacuation procedures
• Circumstances under which a disaster should be declared
• Identification of contract information
• Recovery option explanations
• Identification of resources for recovery and continued operation of the organization


Dr. Szenes 31

preliminaries to be settled (source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

for the BCP, IT BCP, etc., the following should be agreed upon:

• The policies that will govern all of the continuity and recovery efforts
• The goals/requirements/products for each phase
• Alternate facilities to perform tasks and operations
• Critical information resources to deploy (e.g., data and systems)
• Persons responsible for completion
• Available resources to aid in deployment (including human)
• The scheduling of activities with priorities established
• Key decision-making personnel
• Backup of required supplies
• Telecommunication networks disaster recovery methods
• Redundant array of inexpensive disks (RAID)
• Insurance

. / .

Dr. Szenes 32

preliminaries / insurance (source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

Most insurance covers only financial losses, based upon the historical level of performance and not the existing level of performance.

Also, insurance does not compensate for loss of image/goodwill.

The Business Continuity Plan should contain key information about the organization's insurance; it should take the corporate physical, logical, market, etc. environment into consideration, etc.

IT BCP: The information systems processing insurance policy is usually a multi-peril policy designed to provide various types of IS coverage. It should be constructed modularly, so that it can be adapted to the insured's particular IT architecture, requirements, etc.


Dr. Szenes 33

preliminaries / insurance (source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

(BCP / IT BCP) insurance is to cover, among others:

• actual costs of recovery
• replacement / reconstruction of every kind of equipment and facilities
• IT losses, e.g.
  IS media & software & ... reconstruction
  extra expense
  business interruption
  valuable papers and records
  errors and omissions
  fidelity coverage
  media transportation
• etc., other kinds of costs of business continuity

Dr. Szenes 34

emergency management team (source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

The emergency management team coordinates the activities of all other recovery teams. This team oversees:

• Retrieving critical and vital data from offsite storage
• Installing and testing systems software and applications at the system recovery site
• Identifying, purchasing, and installing hardware at the system recovery site
• Operating from the system recovery site
• Rerouting network communications traffic

. / .


Dr. Szenes 35

emergency management team (source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

emergency management team - cont'd

• Reestablishing the user/system network
• Transporting users to the recovery facility
• Reconstructing databases
• Supplying necessary office goods, i.e., special forms, check stock, paper
• Arranging and paying for employee relocation expenses at the recovery facility
• Coordinating systems use and employee work schedules
• etc.!

Dr. Szenes 36

CISA Q no 6-8 notification priorities (source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

In a business continuity plan, which of the following notification directories is the MOST important?

A. Equipment and supply vendors
B. Insurance company agents
C. Contract personnel services
D. A prioritized contact list


Dr. Szenes 37

CISA Q no 6-8 notification priorities (source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

The correct answer is D

A prioritized list of contacts is most important, since it will direct the process of communication and contact with the various entities in order of priority.

Choices A, B and C are musts, but not as important as choice D.

Dr. Szenes 38

CISA Q no 6-9 organizational unit IT & the BCP (source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

Which of the following components of a business continuity plan is PRIMARILY the responsibility of an organization's IS department?

A. Developing the business continuity plan

B. Selecting and approving the strategy for the business continuity plan

C. Declaring a disaster

D. Restoring the IS systems and data after a disaster


Dr. Szenes 39

CISA Q no 6-9 organizational unit IT & the BCP (source, among others: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

The correct answer is D

The correct choice is restoring the IT systems and data after a disaster. The IT department of an organization is primarily responsible for restoring the IT systems and data after a disaster at the earliest possible time.

Members of the organization’s senior management are primarily responsible for developing the business continuity plan for an organization. Management is also responsible for selecting and approving the strategy for developing and implementing a detailed business continuity plan. The organization should identify a person in management as responsible for declaring a disaster. Although IT is involved in the three other choices, it is not primarily responsible for them.

Dr. Szenes 40

On the Components of the Information Systems Business Continuity Plan - considerations only!

[some] phases of development (source, among others: CISA® Review Course slides, ISACA 2010)

• based on the business impact analysis
• creation of a business continuity and disaster recovery policy
• classification of operations and criticality analysis
• forming responsible teams, nominating responsible employees and collecting their call-out data
• development of a business continuity plan and disaster recovery procedures, and
• training and awareness program
• implementation of the plan
• regular testing and monitoring


Dr. Szenes 41

On the Components of the Information Systems Business Continuity Plan - considerations only!

planning [or rather: development] process (source: CISA® Review Course slides, ISACA 2010)

Dr. Szenes 42

categories of incidents & incident management (source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

Negligible incidents are those causing no perceptible or significant damage, such as very brief operating system (OS) crashes with full information recovery, or momentary power outages with uninterruptible power supply (UPS) backup.

Minor events are those that, while not negligible, produce no negative material (of relative importance) or financial impact.

Major incidents cause a negative material impact on business processes and may affect other systems, departments or even outside clients.

A crisis is a major incident that can have a serious material (of relative importance) impact on the continued functioning of the business and may also adversely impact other systems or third parties. The severity of the impact depends on the industry and circumstances, but is generally directly proportional to the time elapsed from the inception of the incident to its resolution.


Dr. Szenes 43

categories of incidents & incident management (source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

Dr. Szenes 44

On the Components of the Information Systems Business Continuity Plan - considerations only! BIA and risk management

CISA CRM: Business Impact Analysis (BIA)

risk management in business continuity plan development: risk assessment, which includes system risk ranking

ranking:
• Critical
• Vital
• Sensitive
• Non-sensitive

ranking in detail:


Dr. Szenes 45

On the Components of the Information Systems Business Continuity Plan - considerations only! BIA and risk management (source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

system risk ranking:

Critical – These functions cannot be performed unless they are replaced by identical capabilities. Critical applications cannot be replaced by manual methods. Tolerance to interruption is very low; therefore, the cost of interruption is very high.

Vital – These functions can be performed manually, but only for a brief period of time. There is a higher tolerance to interruption than with critical systems and, therefore, somewhat lower costs of interruption, provided that functions are restored within a certain time frame (usually five days or less).

./.

Dr. Szenes 46

On the Components of the Information Systems Business Continuity Plan - considerations only! BIA and risk management (source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

system risk ranking - cont'd

Sensitive – These functions can be performed manually, at a tolerable cost and for an extended period of time. While they can be performed manually, it usually is a difficult process and requires additional staff to perform.

Non-sensitive – These functions may be interrupted for an extended period of time, at little or no cost to the company, and require little or no catching up when restored.


Dr. Szenes 47

On the Components of the Information Systems Business Continuity Plan - considerations only! BIA and risk management

issues in BIA phase

consequences for the BCP, that is, for:
• the alternatives - see infrastructure types
• recovery strategies & methods

risk management cycle

Dr. Szenes 48

On the Components of the Information Systems Business Continuity Plan - considerations only! BIA and risk management

questions in BIA phase

(source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

• What are the different business processes?
• What are the critical information resources related to the organization's critical business processes?
• What is the critical recovery time period for information resources, within which business processing must be resumed before significant or unacceptable losses are suffered?


Dr. Szenes 49

On the Components of the Information Systems Business Continuity Plan - example on the risk aspect - CISA Q (source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

6-1 During an audit of a large bank, the IS auditor observes that no formal risk assessment exercise has been carried out for the various business applications to arrive at their relative importance and recovery time requirements. The risk to which the bank is exposed is that the:

A. business continuity plan may not have been calibrated to the relative risk that disruption of each application poses to the organization.
B. business continuity plan may not include all relevant applications and, therefore, may lack completeness in terms of its coverage.
C. business impact of a disaster may not have been accurately understood by management.
D. business continuity plan may lack effective ownership by the business owners of such applications.

Dr. Szenes 50

On the Components of the Information Systems Business Continuity Plan - example on the risk aspect - CISA Q (source: CISA® Review Course slides, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

6-1 Answer: A
The first and key step in developing a business continuity plan is a risk assessment exercise that analyzes the various risks that an organization faces and the impact of the non-availability of individual applications.

ISO: [I refer to 27001, 27002]


Dr. Szenes 51

On the Components of the Information Systems Business Continuity Planexample on the risk aspect - CISA Q(forrás: CISA® Review Course transparents, ISACA 2010 Chapter 6: Business Continuity and Disaster Recovery)

ISO reference to 6-1 Answer/1
27002: Chapter 14: BUSINESS CONTINUITY MANAGEMENT

14.1 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
14.1.1 Including information security in the business continuity management process
14.1.2 Business continuity and risk assessment
14.1.3 Developing and implementing continuity plans including information security
14.1.4 Business continuity planning framework
14.1.5 Testing, maintaining and re-assessing business continuity plans

on the standard, see the references ! to buy: www.mszt.hu !

Dr. Szenes 52

On the Components of the Information Systems Business Continuity Plan
example on the risk aspect - CISA Q
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

ISO reference to 6-1 Answer/2
27001: Annex A - Control Objectives and Control [Measure]s
A.14 Business continuity management

A.14.1 Information security aspects of business continuity management

Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.

see control measures A.14.1.1 - A.14.1.5 !

on the standard, see the references ! to buy: www.mszt.hu !


Dr. Szenes 53

On the Components of the Information Systems Business Continuity Plan
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

BCP documents

• Continuity of operations plan (COOP)
• Disaster recovery plan (DRP)
• Business resumption plan
• Continuity of support plan / IT contingency plan
• Crisis communications plan
• Incident response plan
• Transportation plan
• Occupant emergency plan (OEP)

Dr. Szenes 54

On the Components of the Information Systems Business Continuity Plan
- considerations only !

Infrastructure Types:
o Mirroring
o Hot, Warm or Cold Site
o Alternative Hardware
o Backup of Required Supplies
o Telecommunication Networks
o Servers, Storage
o Offsite Libraries and Library Controls
o Security and Control of Offsite Facilities
o Media and Documentation Backup
o etc.

details: . / .


Dr. Szenes 55

infrastructure types
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

Mirroring [parallel processing - special HW or organized]

Hot Sites – They are fully configured and ready to operate within several hours. The equipment, network and systems software must be compatible with the primary installation being backed up. The only additional needs are staff, programs, data files and documentation.

New definition for hot site:
The hot site is intended for emergency operations of a limited time period and not for long-term extended use. Long-term use would impair the protection of other subscribers.

cont'd with consequences . / .

Dr. Szenes 56

infrastructure types
(source, among others: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

consequences of the new definition:

Therefore, the hot site should be viewed as a means of accomplishing the continuation of essential operations for a period of up to several weeks following a disaster or major emergency. Further plans are still necessary to provide for subsequent operations.

Several vendors offer warm- or cold-site facilities for a subscriber to migrate to after recovery of operations has been completed. This will free up the hot site for use by other subscribers.

cold site definition also new, with subscribers!


Dr. Szenes 57

infrastructure types
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

warm site:

Warm Sites – They are partially configured, usually with network connections and selected peripheral equipment, such as disk drives, tape drives and controllers, but without the main computer. Sometimes a warm site is equipped with a less powerful central processing unit (CPU) than the one generally used. The assumption behind the warm site concept is that the computer can usually be obtained quickly for emergency installation (provided it is a widely used model) and, since the computer is the most expensive unit, such an arrangement is less costly than a hot site. After the installation of the needed components, the site can be ready for service within hours; however, the location and installation of the CPU and other missing units could take several days or weeks.

Dr. Szenes 58

infrastructure types
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

Cold Sites – These are sites that have only the basic environment (electrical wiring, air conditioning, flooring, etc.) to operate an information processing facility (IPF), reducing the cost. The cold site is ready to receive equipment but does not offer any components at the site in advance of the need. Activation of the site may take several weeks.

Duplicate (redundant) Information Processing Facility – These are dedicated, self-developed recovery sites that can backup critical applications. They can range in form from a standby hot site to a reciprocal agreement with another company installation.


Dr. Szenes 59

infrastructure types
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

Mobile Sites – This is a specially designed trailer that can be quickly transported to a business location or to an alternate site to provide a ready-conditioned information processing facility.

Reciprocal Agreement with other organizations – This is a less frequently used method between two or more organizations with similar equipment or applications. Under the typical agreement, participants promise to provide computer time to each other when an emergency arises.

provisions for 3rd party agreements . / .

Dr. Szenes 60

infrastructure / provisions for 3rd party agreements
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

Configurations—Are the vendor’s hardware and software configurations adequate to meet company needs since these will vary over time?

Disaster—Is the definition of disaster broad enough to meet anticipated needs?

Speed of availability—How soon after a disaster will facilities be available?

Subscribers per site—Does the agreement limit the number of subscribers per site?

Subscribers per area—Does the agreement limit the number of subscribers in a building or area?

Preference—Who gets preference if there are common or regional disasters? Is there backup for the backup facilities? Is use of the facility exclusive or does the customer have to share the available space if multiple customers simultaneously declare a disaster? Does the vendor have more than one facility available for subscriber use?


Dr. Szenes 61

infrastructure / provisions for 3rd party agreements
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

Insurance—Is there adequate insurance coverage for company employees at the backup site? Will existing insurance reimburse those fees?

Usage period—How long is the facility available for use? Is this period adequate? What technical support will the site operator provide? Is this adequate?

Communications—Are the communications adequate? Are the communication connections to the backup site sufficient to permit unlimited communication with the alternate site if needed?

Dr. Szenes 62

infrastructure / provisions for 3rd party agreements
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

Warranties—What warranties will the vendor make regarding availability of the site and the adequacy of the facilities? Are there liability limitations (there usually are) and is the company willing to live with them?

Audit—Is there a right-to-audit clause permitting an audit of the site to evaluate the logical, physical and environmental security?

Testing—What testing rights are included in the contract? Check with the insurance company to determine any reduction of premiums that may be forthcoming due to the backup site availability.

Reliability—Can the vendor attest to the reliability of the site(s) being offered? Ideally, the vendor should have a UPS, limited subscribers, sound technical management, and guarantees of computer hardware and software compatibility.


Dr. Szenes 63

on the audit of 3rd party agreements
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

An IS auditor should obtain a copy of the contract with the vendor.

• Ensure that the contract is written clearly and is understandable.
• Reexamine and confirm the organization’s agreement with the rules that apply to sites shared with other subscribers.
• Ensure that insurance coverage ties in with and covers all (or most) expenses of the disaster.
• Ensure that tests can be performed at the hot site at regular intervals.
• Review and evaluate communications requirements for the backup site.
• Ensure that enforceable source code escrow is reviewed by a lawyer specializing in such contracts.
• Determine the limitation recourse tolerance in the event of a breached agreement.

The contract should be reviewed against a number of guidelines:
• Contract is clear and understandable
• Organization’s agreement with the rules
• etc.

Dr. Szenes 64

infrastructure / telecommunications, networks
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

[measures concerning networks include]:

– Alternative routing
– Diverse routing
– Long-haul network diversity
– Protection of the local loop [wire between the local switch and the end-user customer]
– Voice recovery
– Availability of appropriate circuits and adequate bandwidth

details: . / .


Dr. Szenes 65

infrastructure / telecommunications, networks
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

details on the methods of providing telecommunications continuity:

Redundancy—Involves providing extra capacity with a plan to use the surplus capacity should the normal primary transmission capability not be available. In the case of a LAN, a second cable could be installed through an alternate route for use in the event the primary cable is damaged.

Alternative routing—The method of routing information via an alternate medium such as copper cable or fiber optics. This involves use of different networks, circuits or end points should the normal network be unavailable.

Diverse routing—The method of routing traffic through split cable facilities or duplicate cable facilities. This can be accomplished with different and/or duplicate cable sheaths.

Dr. Szenes 66

infrastructure / telecommunications, networks
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

details on the methods of providing telecommunications continuity - cont'd

Long haul network diversity—Many recovery facilities vendors have provided diverse long-distance network availability utilizing T1 circuits among the major long-distance carriers. This ensures long-distance access should any one carrier experience a network failure. Several of the major carriers have now installed automatic re-routing software and redundant lines that provide instantaneous recovery should a break in their lines occur.

[T1 is what telephone companies have traditionally used to transport digitized telephone conversations between central offices; T2 and T3 are more than one T1 multiplexed together, at higher speed]


Dr. Szenes 67

infrastructure / telecommunications, networks
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

details on the methods of providing telecommunications continuity - cont'd

Last mile circuit protection—Many recovery facilities provide a redundant combination of local carrier T1s, microwave and/or coaxial cable access to the local communications loop. This enables the facility to have access during a local carrier communication disaster. Alternate local carrier routing is also utilized.

Voice recovery—With many service, financial and retail industries dependent on voice communication, redundant cabling and alternative routing should be provided for voice communication lines as well as data communication lines.

Dr. Szenes 68

infrastructure / storage
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

Redundant array of inexpensive disks (RAID)

• Provide performance improvements and fault tolerant capabilities via hardware or software solutions

• Provide the potential for cost-effective mirroring offsite for data back-up


Dr. Szenes 69

infrastructure
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

Q 6-7
An IS auditor discovers that an organization’s business continuity plan provides for an alternate processing site that will accommodate 50 percent of the primary processing capability. Based on this, which of the following actions should the IS auditor take?

A - Do nothing, because generally, less than 25 percent of all processing is critical to an organization’s survival and the backup capacity, therefore, is adequate.
B - Identify applications that could be processed at the alternate site and develop manual procedures to back up other processing.
C - Ensure that critical applications have been identified and that the alternate site could process all such applications.
D - Recommend that the information processing facility arrange for an alternate processing site with the capacity to handle at least 75 percent of normal processing.

Dr. Szenes 70

infrastructure
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

Q 6-7
The correct answer is C

A business continuity plan should provide for the recovery of critical systems, not necessarily all systems.

Perhaps only 50 percent of the company’s systems are critical; therefore, careful assessment of critical systems and capacity requirements should be part of the IS auditor’s test of the plan.


Dr. Szenes 71

BCP plan - testing considerations
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

one of the purposes of the business continuity test is to determine how well the plan works or which portions of the plan need improvement.

the test must simulate actual processing conditions

The test should be scheduled during a time that will minimize disruptions to normal operations. Weekends are generally a good time to conduct tests. It is important that the key recovery team members be involved in the test process and allotted the necessary time to put their full effort into it. The test should address all critical components and simulate actual primetime processing conditions, even if it is conducted in off hours.

Test Execution – . /.

Dr. Szenes 72

BCP plan - testing considerations
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

the test - cont'd

Test Execution – To perform testing, each of the following test phases should be completed: Pretest, Test, Post-Test.

Documentation of Results – During every phase of the test, detailed documentation of observations, problems and resolutions should be maintained.

Results Analysis – It is important to have ways to measure the success of the plan and test against the stated objectives. Therefore, results must be quantitatively gauged as opposed to an evaluation based only on observation.

Recovery/Continuity plan maintenance – Plans and strategies for business continuity should be reviewed and updated on a scheduled basis to reflect continuing recognition of changing requirements.


Dr. Szenes 73

On the Components of the Information Systems Business Continuity Plan
- considerations only !

Rulebook Contents - some of the important points

Detailed Plan Organization and Assignment of Responsibilities
Emergency Response Team
Key Decision-making Personnel
what will employees do? - CISA® Review Course transparencies were also used here
• where will employees report to work?
• how will orders be taken while the computer system is being restored?
• who is responsible for that?
• which vendors should be called to provide needed supplies?

Dr. Szenes 74

On the Components of the Information Systems Business Continuity Plan
- considerations only !

Rulebook Contents - some of the important points

Insurance
Recovery/Continuity Plan Testing:
• Plan and Actual Tests
• Documentation of the Test Results
• Results Analysis

xx


Dr. Szenes 75

On the Components of the Information Systems Business Continuity Plan
- considerations only !

Rulebook Contents - cont'd

Recovery/Continuity Plan Maintenance
Periodic Backup Procedures
Record Keeping for Offsite Storage
xx

Dr. Szenes 76

recovery aspects
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

• Recovery Point Objective (RPO)
• Recovery Time Objective (RTO)
• Interruption window
• Service delivery objective - SDO
• Maximum tolerable outage
• Disaster tolerance


Dr. Szenes 77

recovery aspects
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

disaster here: disaster AFTER the interrupt

Recovery Point Objective (RPO)
• Based on acceptable data loss
• Indicates earliest point in time in which it is acceptable to recover the data

acceptable data loss:

For example, if the process can afford to lose the data up to four hours before disaster, then the latest backup available should be up to four hours before disaster or interruption and the transactions during RPO and interruption need to be entered after recovery (known as catch-up data).

Dr. Szenes 78

recovery aspects
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

disaster here: disaster AFTER the interrupt - ??

Recovery Point Objective (RPO)
• Based on acceptable data loss
• Indicates earliest point in time in which it is acceptable to recover the data

RPO effectively quantifies the permissible amount of data loss in case of interruption. It is almost impossible to recover the data completely. Even after entering catch-up data, some data are still lost and are referred to as orphan data. If RPO is very low, say in minutes, it means that the process cannot afford to lose the data in such a short time. In such cases, data mirroring should be used as a recovery strategy. If RPO is high, say in hours, then other backup procedures, such as reel backup, could be used.


Dr. Szenes 79

recovery aspects
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

disaster here: disaster caused by the interrupt

Recovery Time Objective (RTO)
• Based on acceptable downtime
• Indicates earliest point in time at which the business operations must resume after a disaster

The RTO is determined based on the acceptable downtime in case of a disruption of operations. It indicates the earliest point in time at which the business operations must resume after disaster.

A high RTO will mean that so much additional time would be available for the recovery strategy.

Dr. Szenes 80

recovery aspects
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

relation between RPO / RTO - which recovery strategies would be best with different RTO and RPO parameters?


Dr. Szenes 81

recovery aspects
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

Interruption window—The time the organization can wait from the point of failure to the critical services/applications restoration. After this time, the progressive losses caused by the interruption are unaffordable.

Service delivery objective (SDO)—Level of services to be reached during the alternate process mode until the normal situation is restored. This is directly related to the business needs.

Maximum tolerable outages—Maximum time the organization can support processing in alternate mode. After this point, different problems may arise, especially if the alternate SDO is lower than the usual SDO, and the information pending to be updated can become unmanageable.

Disaster tolerance is the time gap within which the business can accept non-availability of IT facilities. If this time gap is high, recovery strategies that take a longer time can be used.

Dr. Szenes 82

recovery aspects
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

Q 6-5

Data mirroring should be implemented as a recovery strategy when:

A. recovery point objective (RPO) is low.

B. RPO is high.

C. recovery time objective (RTO) is high.

D. disaster tolerance is high.


Dr. Szenes 83

recovery aspects
(source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

Q 6-5

The correct answer is A

RPO is the earliest point in time to which it is acceptable to recover the data. If RPO is very low, say in minutes, it means that the process cannot afford to lose the data in such a short time. In such cases, data mirroring should be used as a recovery strategy. If RPO is high, say in hours, then other backup procedures, such as reel backup, could be used. A high RTO will mean that so much additional time would be available for the recovery strategy. Disaster tolerance is the time gap within which the business can accept non-availability of IT facilities. If this time gap is high, recovery strategies that take a longer time can be used.
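The RPO / RTO rules of thumb on the preceding slides (RPO in minutes → mirroring, RPO in hours → periodic backup; hot, warm and cold sites differ in how fast they can be ready; a backup older than the RPO at the moment of interruption is not acceptable, and everything between the last backup and the interruption is catch-up data) can be written down as a small decision model. The code below is an added illustration, not from the CISA course or these slides; the cut-off values (1 hour for "RPO in minutes", 24 hours for a hot site, 7 days for a warm site) and the sample processes are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Added example, not from the CISA course or the slides. It encodes the
# RPO / RTO rules of thumb stated in the text as functions. The cut-offs
# (1 hour for "RPO in minutes", 24 hours for a hot site, 7 days for a warm
# site) are assumptions for illustration, not ISACA figures.


@dataclass(frozen=True)
class RecoveryParams:
    process: str
    rpo_hours: float   # acceptable data loss, measured back from the interruption
    rto_hours: float   # acceptable downtime, measured forward from the interruption


def data_strategy(p: RecoveryParams) -> str:
    """RPO in minutes -> data mirroring; RPO in hours -> periodic (e.g. tape) backup."""
    if p.rpo_hours < 1.0:            # assumed cut-off for "RPO in minutes"
        return "data mirroring"
    return "periodic backup"


def site_strategy(p: RecoveryParams) -> str:
    """Cheapest alternate-site type that can be ready within the RTO.

    Hot sites are ready within hours, warm sites may need days to obtain and
    install the CPU, cold sites take weeks; the cut-offs below are assumptions.
    """
    if p.rto_hours <= 24:
        return "hot site"
    if p.rto_hours <= 7 * 24:
        return "warm site"
    return "cold site"


def backup_meets_rpo(p: RecoveryParams, backup_age_hours: float) -> bool:
    """At the moment of interruption the latest usable backup must be no older than the RPO."""
    return backup_age_hours <= p.rpo_hours


def plan(p: RecoveryParams, backup_age_hours: float) -> dict:
    """Summarise the choices for one process.

    catch_up_hours is the window between the last backup and the interruption:
    transactions from that window must be re-entered after recovery (catch-up
    data); whatever cannot be reconstructed is orphan data.
    """
    return {
        "process": p.process,
        "data": data_strategy(p),
        "site": site_strategy(p),
        "backup_ok": backup_meets_rpo(p, backup_age_hours),
        "catch_up_hours": backup_age_hours,
    }


if __name__ == "__main__":
    # Constructed inputs: a payment process that may lose 5 minutes of data and
    # a reporting process that may lose four hours; the last backup is 3.5 h old.
    for p in (RecoveryParams("card payments", rpo_hours=5 / 60, rto_hours=2),
              RecoveryParams("monthly reporting", rpo_hours=4, rto_hours=72)):
        print(plan(p, backup_age_hours=3.5))
```

Running the demo shows the point of Q 6-5: the payment process needs mirroring and a hot site, and a 3.5-hour-old backup fails its RPO, while the reporting process is served by periodic backup, a warm site, and the same backup with 3.5 hours of catch-up data.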

Dr. Szenes 84

The IS BCP of the Individual Systems

The most important part of the business continuity plan consists of the plans of the individual systems.

The table of contents of the systems business continuity plan contains (at least):

• The description of the system
• The members of the emergency team (name, every par.)
• The key users (name, every par.)
• The places ! of the systems documentation (at least 2 media)
• nn


Dr. Szenes 85

The IS BCP of the Individual Systems

The table of contents for the systems business continuity plan contains (at least) - cont'd

• The databases, their config., and their settings
• The archives
• The typical operations fallbacks
• Manual / alternative operations
• Software & hardware resource requirements: minimum, presently available, maximum
• Communications requirements
• Recovery to normal state
• nn

Dr. Szenes 86

COBIT 3, 4 support of IS Audit and IT Security

34 IS processes

7 IS (evaluation) criteria

control objectives

control measures / procedures

Balanced Scorecard

Capability Maturity Model tailored to the 34 processes


Dr. Szenes 87

COBIT 3, 4 support of IS Audit and IT Security

the processes of delivery and support:

DS1 - Define and Manage Service Levels
DS2 - Manage Third-party Services
DS3 - Manage Performance and Capacity
DS4 - Ensure Continuous Service
DS5 - Ensure Systems Security
DS6 - Identify and Allocate Costs
DS7 - Educate and Train Users
DS8 - Manage Service Desk and Incidents
DS9 - Manage the Configuration
DS10 - Manage Problems
DS11 - Manage Data
DS12 - Manage the Physical Environment
DS13 - Manage Operations

Dr. Szenes 88

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1

important: even if this is all about IT - all business-critical human and infrastructural assets should be taken care of

DS4.1 IT Continuity Framework

Develop a framework for IT continuity to support enterprisewide business continuity management using a consistent process.

The objective of the framework:

to assist in determining the required resilience of the infrastructure and to drive the development of disaster recovery and IT contingency plans

./.


Dr. Szenes 89

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1

DS4.1 IT Continuity Framework - cont'd

The framework [and the plan] should address:

the organisational structure for continuity management, covering internal and external service providers, their management and their customers, and their roles, tasks and responsibilities

./.

Dr. Szenes 90

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1

DS4.1 IT Continuity Framework

The framework [and the plan] should address: - cont'd

the planning processes that create the rules and structures in order to document, test and execute the disaster recovery and IT contingency plans

./.


Dr. Szenes 91

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1

DS4.1 IT Continuity Framework

The framework [and the plan] should address: - cont'd

[based on risk assessment] the identification of critical resources, noting key dependencies [and personal responsibilities]; the monitoring and reporting of the availability of critical resources; alternative processing; and [other] principles, [important information on] backup and recovery.

Dr. Szenes 92

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1

DS4.2 IT Continuity Plans

Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on

key business functions and processes.

The plans should be based on a risk understanding of potential business impacts (see the framework, DS4.1); both the IT BCP and the BCP should be risk assessment-based.

./.


Dr. Szenes 93

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1

DS4.2 IT Continuity Plans - cont'd

The plan should address requirements for resilience - flexibility!, alternative processing and recovery capability of all critical IT services.

The plan should contain usage guidelines, roles and responsibilities, procedures, communication processes, and the testing approach - test plan, + procedure !

Dr. Szenes 94

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1

DS4.3 Critical IT Resources

Focus attention on items specified as most critical in the IT continuity plan to build in resilience and establish priorities in recovery situations.

Avoid the distraction of recovering less-critical items and ensure response and recovery in line with prioritised business needs; ensure that costs are kept at an acceptable level; ensure compliance with regulatory and contractual requirements.

Consider resilience, response and recovery requirements for different tiers, e.g., one to four hours, four to 24 hours, more than 24 hours and critical business operational periods.
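Two of the points above are easy to turn into a repeatable check: the auditor's test from Q 6-7 (the alternate site must be able to run all applications identified as critical, whatever percentage of total capacity that is) and the DS4.3 idea of assigning critical resources to recovery tiers (one to four hours, four to 24 hours, more than 24 hours) so that recovery follows business priorities. The following code is an added example, not COBIT's or ISACA's; the application portfolio, its load percentages and its RTOs are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Added example, not COBIT's or ISACA's code. Applications carry a
# criticality flag, their share of the primary site's processing capacity
# and an RTO; all numbers below are constructed for illustration.


@dataclass(frozen=True)
class Application:
    name: str
    critical: bool
    load_pct: float    # share of the primary site's processing capacity
    rto_hours: float


def recovery_tier(rto_hours: float) -> str:
    """DS4.3 tiers: one to four hours, four to 24 hours, more than 24 hours."""
    if rto_hours <= 4:
        return "1-4 hours"
    if rto_hours <= 24:
        return "4-24 hours"
    return "more than 24 hours"


def critical_load(apps: Iterable[Application]) -> float:
    """Capacity the alternate site must provide: critical applications only."""
    return sum(a.load_pct for a in apps if a.critical)


def alternate_site_adequate(apps: Iterable[Application], site_capacity_pct: float) -> bool:
    """The auditor's test from Q 6-7: can the site process all critical applications?

    A site sized at 50 percent of primary capacity is adequate exactly when the
    critical applications together need no more than that.
    """
    return critical_load(apps) <= site_capacity_pct


def recovery_order(apps: Iterable[Application]) -> List[str]:
    """Recovery priorities: critical applications only, shortest RTO first."""
    crit = [a for a in apps if a.critical]
    return [a.name for a in sorted(crit, key=lambda a: a.rto_hours)]


def tier_report(apps: Iterable[Application]) -> Dict[str, List[str]]:
    """Group the critical applications by DS4.3 recovery tier."""
    report: Dict[str, List[str]] = {}
    for a in apps:
        if a.critical:
            report.setdefault(recovery_tier(a.rto_hours), []).append(a.name)
    return report


# Constructed portfolio: three critical applications needing 45 % of primary
# capacity in total, plus two non-critical ones that are not recovered first.
SAMPLE_APPS = [
    Application("card payments", True, 20.0, 2),
    Application("customer portal", True, 15.0, 12),
    Application("payroll", True, 10.0, 48),
    Application("data warehouse reporting", False, 40.0, 120),
    Application("intranet wiki", False, 15.0, 168),
]

if __name__ == "__main__":
    print("critical load:", critical_load(SAMPLE_APPS), "%")
    print("50% site adequate:", alternate_site_adequate(SAMPLE_APPS, 50.0))
    print("recovery order:", recovery_order(SAMPLE_APPS))
    print("tiers:", tier_report(SAMPLE_APPS))
```

With this portfolio the 50 percent site passes the Q 6-7 test because the critical applications need only 45 percent; the same site sized at 40 percent would fail, and the tier report makes the ordering of the recovery work explicit before a disaster rather than during one.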


Dr. Szenes 95

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1

DS4.4 Maintenance of the IT Continuity Plan

Encourage IT management to define and execute change control procedures to ensure that the IT continuity plan is kept up to date and continually reflects actual business requirements.

Communicate changes in procedures and responsibilities

clearly and in a timely manner.

Dr. Szenes 96

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1

DS4.5 Testing of the IT Continuity Plan

testing should actually be performed and documented together with the key business users and IT, and evaluated; according to the results the plan should be updated

either forewarn the employees, or not

Test the IT continuity plan on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant.

./.


Dr. Szenes 97

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1

DS4.5 Testing of the IT Continuity Plan - cont'd

A successful test requires careful preparation, documentation, reporting of test results and, according to the results, implementation of an action plan.

Consider the extent of testing:
• recovery of single applications
• integrated testing scenarios
• end-to-end testing
• integrated vendor testing

Dr. Szenes 98

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1

DS4.6 IT Continuity Plan Training

Provide all concerned parties with regular training sessions regarding the procedures and their roles and responsibilities

in case of an incident or disaster.

Verify and enhance training according to the results of the contingency tests.


Dr. Szenes 99

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1

DS4.7 Distribution of the IT Continuity Plan

Determine that a defined and managed distribution strategy exists to ensure that plans are properly and securely distributed and available to appropriately authorised interested parties when and where needed.

Attention should be paid to making the plans accessible under all disaster scenarios.

Dr. Szenes 100

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1

DS4.8 IT Services Recovery and Resumption

Plan the actions to be taken for the period when IT is recovering and resuming services. This may include activation of backup sites, initiation of alternative processing, customer and stakeholder communication, and resumption procedures.

Ensure that the business understands how to specufy for IT the recovery times they requirethey have to help IT to buy the necessary technology investments to support business recovery and to provide for resumption needs.

(thorough rewriting)


Dr. Szenes 101

DS4 - Ensure Continuous Service Control Objectives - source, among others: COBIT 4.1

DS4.9 Offsite Backup Storage

Store offsite all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity plans.

! develop and document processes to use all of these

business process owners and IT personnel should together determine the content of backup storage and its other parameters

./.

Dr. Szenes 102

DS4 - Ensure Continuous Service Control Objectives - source, among others: COBIT 4.1

DS4.9 Offsite Backup Storage - cont'd

Management of the offsite storage facility should comply with the data classification policy and the enterprise's media storage practices.

IT management should ensure that offsite arrangements are periodically assessed, at least annually, for content, environmental protection and security.

Ensure compatibility of hardware and software to restore archived data; periodically test and refresh archived data.


Dr. Szenes 103

DS4 - Ensure Continuous Service Control Objectives - source, among others: COBIT 4.1

DS4.10 Post-resumption Review

Determine whether IT management has established procedures for assessing the adequacy of the plan in regard to the successful resumption of the IT function after a disaster, and update the plan accordingly.

Dr. Szenes 104

ISACA CRM Case Study (source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

Case Study Scenario

• Organization revising BCP and DRP for headquarters (750 employees) and 16 branches (each with 20–35 employees and mail and file / print server)
• Current plans not updated in more than 8 years
• Organization has grown by 300%
• Staff connect via LAN to more than 60 applications, databases and print servers in the corporate data centre
• Staff connect via a frame relay network to the branches
• Traveling users connect over the Internet using VPN
• Critical applications have RTO of 3–5 days

./.


Dr. Szenes 105

ISACA CRM Case Study (source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

Case Study Scenario - cont'd

• All users in the headquarters and branches connect to the Internet through a firewall and proxy server located in the data center
• Branch offices are located between 30 and 50 miles from one another, with none closer to the headquarters' facility than 25 miles
• Backup media for the data center are stored at a third-party facility 35 miles away
• Backups for servers located at the branch offices are stored at nearby branch offices using reciprocal agreements between offices

./.

Dr. Szenes 106

ISACA CRM Case Study (source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

Case Study Scenario - cont'd

Current contract with third party hot site:
• 3 year term, with equipment upgrades occurring at renewal time
• 25 servers
• Work area space with PCs for 100 employees
• Separate agreement to ship 2 servers and 10 PCs to any branch declaring a disaster
• Hot site provider has multiple sites in case the primary site is in use by another customer or rendered unavailable by the disaster


Dr. Szenes 107

ISACA CRM Case Study - Q (source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

Q1 On the basis of the above information, which of the following should the IS auditor recommend concerning the hot site?

A. Desktops at the hot site should be increased to 750.

B. An additional 35 servers should be added to the hot site contract.

C. All backup media should be stored at the hot site to shorten the RTO.

D. Desktop and server equipment requirements should be reviewed quarterly.

Dr. Szenes 108

ISACA CRM Case Study (source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

The correct answer to Q1 is D.

As equipment needs in a rapidly growing business are subject to frequent change, quarterly reviews are necessary to ensure that the recovery capability keeps pace with the organization. Since not all employee job functions are critical during a disaster, it is not necessary to contract the same number of desktops at a recovery facility as the number of employees. Similarly, not every server is critical to the continued operation of the business. In both cases, only a subset will be required. Since there is no assurance that the hot site will not already be occupied, it would not be advisable to store backup media at the facility. These facilities are generally not designed to provide extensive media storage, and frequent testing by other customers could compromise the security of the media.


Dr. Szenes 109

ISACA CRM Case Study - Q (source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

Q2 On the basis of the above information, which of the following should the IS auditor recommend concerning branch office recovery?

A. Add each of the branches to the existing hot site contract.

B. Ensure branches have sufficient capacity to back each other up.

C. Relocate all branch mail and file / print servers to the data center.

D. Add additional capacity to the hot site contract equal to the largest branch.

Dr. Szenes 110

ISACA CRM Case Study (source: CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery)

The correct answer to Q2 is B.

The most cost-effective solution is to recommend that branches have sufficient capacity to accommodate critical personnel from another branch. Since critical job functions would represent only perhaps 20 percent of the staff from the affected branch, accommodations for only four to seven critical staff members would be needed. Adding each of the branches to the hot site contract would be far more expensive, while adding capacity to the hot site contract would not provide coverage as hot site contracts base their pricing on each location covered. Finally, relocating branch servers to the data center could result in performance issues, and would not address the question of where to locate displaced employees.
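The reasoning behind answers Q1 and Q2 (only critical staff need seats at a reciprocal partner branch, and recovery capacity must be re-reviewed quarterly), turned into a check an IS auditor could run over a branch inventory. This is an added Python example, not ISACA's or the author's material; the branch figures are constructed, and the 20 % critical-staff share and the quarterly interval are assumptions taken from the two answers.

```python
"""Added example (not from the ISACA case study): recovery-capacity check
for branch offices that back each other up under reciprocal agreements.
Assumptions: 20 % of staff are critical (Q2 answer), reviews are quarterly
(Q1 answer), and all branch data below is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

CRITICAL_PERCENT = 20                 # assumed share of staff with critical functions
REVIEW_INTERVAL = timedelta(days=92)  # quarterly review of equipment requirements


@dataclass
class Branch:
    name: str
    staff: int
    spare_seats: int        # free workstations available to displaced staff
    partners: List[str]     # branches holding a reciprocal agreement with this one


def critical_seats(branch: Branch) -> int:
    """Seats a displaced branch needs: critical staff only, rounded up (integer math)."""
    return (branch.staff * CRITICAL_PERCENT + 99) // 100


def recovery_partner(branch: Branch, branches: Dict[str, Branch]) -> Optional[str]:
    """First reciprocal partner able to seat this branch's critical staff, else None."""
    need = critical_seats(branch)
    for name in branch.partners:
        if branches[name].spare_seats >= need:
            return name
    return None


def plan_findings(branches: Dict[str, Branch], last_review: date, today: date) -> List[str]:
    """Audit findings: branches with no viable partner, plus an overdue equipment review."""
    findings = []
    for b in branches.values():
        if recovery_partner(b, branches) is None:
            findings.append(f"{b.name}: no partner can seat {critical_seats(b)} critical staff")
    if today - last_review > REVIEW_INTERVAL:
        findings.append(f"equipment review overdue (last {last_review.isoformat()})")
    return findings


# Constructed sample: three branches of case-study size (20-35 staff).
BRANCHES = {
    "B01": Branch("B01", 35, spare_seats=4, partners=["B02", "B03"]),
    "B02": Branch("B02", 20, spare_seats=5, partners=["B01"]),
    "B03": Branch("B03", 28, spare_seats=8, partners=["B01"]),
}

if __name__ == "__main__":
    for line in plan_findings(BRANCHES, date(2010, 1, 15), date(2010, 6, 1)):
        print(line)
```

For the sample, B03 needs 6 seats but its only partner B01 has 4 spare, so it is reported; B01 and B02 are covered by B03 and B01 respectively.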


Dr. Szenes 111

References

CRM 20xx: CISA Review Technical Information Manual. Editor: Information Systems Audit and Control Association, Rolling Meadows, Illinois, USA, 20xx-1

COBIT® 4.0: Control Objectives, Management Guidelines, Maturity Models. Copyright © IT Governance Institute®, 2005

COBIT® 4.1: Framework, Management Guidelines, Maturity Models. Copyright © IT Governance Institute®, 2007

Dr. Szenes 112

References

Az Informatikai biztonság kézikönyve. Editor and reviewer: Szenes Katalin. Verlag Dashöfer, Budapest

K. Szenes: "IT GRC versus ? Enterprise GRC but: IT GRC is a Basis of Strategic Governance". EuroCACS 2010 - Conference on Computer Audit, Control and Security, Copyright 2010 ISACA, Rolling Meadows, Illinois, USA; 23-25 March 2010, Budapest, Hungary. Tutorial, Stream #1 IT Governance, #311

CISA® Review Course transparencies, ISACA 2010, Chapter 6: Business Continuity and Disaster Recovery

CISA® see ISACA.org


Dr. Szenes 113

References

the predecessors of ISO 27001, ISO 27002 are: CRAMM, ISO/IEC 17799

ISO 27001: International Standard ISO/IEC 27001, First edition 2005-10-15. Information technology - Security techniques - Information security management systems - Requirements. Reference number: ISO/IEC 27001:2005 (E). Copyright © ISO/IEC 2005

ISO 27002: International Standard ISO/IEC 27002, First edition 2005-06-15. Information technology - Security techniques - Code of practice for information security management. Reference number: ISO/IEC 27002:2005 (E). Copyright © ISO/IEC 2005