8/7/2019 4. Disaster Recovery and Business Continuity
http://slidepdf.com/reader/full/4-disaster-recovery-and-business-continuity 1/87
5% Extra Credit
Rick Valdez & Maria Lopez
Contingency Planning Outsourcing (CPO)
Outsourcing to India for Over-night Works
For 90% Cost Saving & Twice The Speed
By Professional Information Systems Auditors
For Professional Information Systems Auditors
4. Disaster Recovery and Business Continuity (10%)
The Cost Of Downtime
REVENUE: Direct Loss; Deferred Losses; Compensatory Payments; Lost Future Revenue; Billing Losses; Investment Losses
FINANCIAL PERFORMANCE: Lost Market Share; Revenue Recognition; Cash Flow; Lost Discounts; Payment Guarantees; Stock Price; Credit Rating
OTHER EXPENSES: Temporary employees, Equipment Rental, Overtime, Extra Shipping Costs, Travel Expenses, Etc.
REPUTATION: Customers; Suppliers; Financial Markets; Banks; Business Partners; Etc.
PRODUCTIVITY: Loss Of Productivity (Employees Impacted @ X Burdened Hourly Rate)
LEGAL/REGULATORY: Contractual Requirements; SLAs; Regulatory Requirements
Why Business Continuity?
Business Continuity Program Pyramid
Steering Committee
Who
• Senior personnel from all key entities with a stake in the ongoing program
• Have the authority to make decisions, implement new policies, commit resources to support and implement the projects/program
Charter
• Provides strategic direction and decision making
• Approves annual program objectives and ensures appropriate commitment of resources to the program
Benefit
• Builds consensus, unity of effort
• Project/Program policies, procedures, and guidance enforcement
Business Continuity Program Pyramid
Continuity Program Office
Who
• Core dedicated staff with industry/government and business continuity expertise
Charter
• Business Continuity Program project management
• Lifecycle Continuity Program oversight and management
Benefit
• Dedicated expertise and focus
• Continuity of planning and operations
Business Continuity Program Pyramid
Continuity Planning
Who
• All departments/entities of the corporation/government
Charter (read What)
• The ongoing design, procurement, and use of robust systems, facilities, staffing models, and equipment to mitigate the risk of outages, or the impact of outages.
Benefit
• More robust processes, systems, facilities
• Less downtime
Business Continuity Program Pyramid
Business Impact Analysis
Who
• All business and support units/entities
Charter
• Identify/validate department/entity critical business and support functions
• Determine Information Technology and connectivity requirements to support critical business/support functions
• Determine the Recovery Time Objectives (RTO) for critical functions
• Establish a Minimum Acceptable Recovery Configuration (MARC) for business and support units/entities
Benefit
• Know your business
• Establish recovery requirements
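The BIA charter above is easiest to see as data: critical functions with their IT dependencies and RTOs on one side, the recovery strategy for each system on the other. The following is an added example (not from the original slide deck) that derives the MARC and the recovery order from such an inventory and flags functions whose RTO the chosen strategies cannot meet. Every function name, system, RTO and strategy timing in it is constructed sample data.

```python
"""Added example, not from the original slides: a small Business Impact
Analysis (BIA) helper that turns a BIA inventory into recovery requirements.
It derives the Minimum Acceptable Recovery Configuration (MARC) and the
recovery order from the RTOs, and flags functions whose RTO the chosen
recovery strategies cannot meet. All function names, systems, RTOs and
strategy timings below are constructed sample data (assumptions)."""
from dataclasses import dataclass, field


@dataclass
class CriticalFunction:
    name: str
    rto_hours: float                              # Recovery Time Objective from the BIA
    systems: list = field(default_factory=list)   # IT/connectivity dependencies


@dataclass
class RecoveryStrategy:
    system: str
    strategy: str              # label only, e.g. "tape restore" (constructed)
    achievable_hours: float    # recovery time the strategy actually delivers


def minimum_recovery_configuration(functions):
    """MARC: every system some critical function depends on, tagged with the
    tightest RTO among the functions that need it."""
    marc = {}
    for fn in functions:
        for system in fn.systems:
            marc[system] = min(marc.get(system, float("inf")), fn.rto_hours)
    return marc


def recovery_sequence(functions):
    """Systems in the order they must be restored: tightest RTO first,
    ties broken alphabetically so the sequence is stable."""
    marc = minimum_recovery_configuration(functions)
    return sorted(marc, key=lambda s: (marc[s], s))


def rto_gaps(functions, strategies):
    """A function is back only when all its dependencies are, so its
    achievable recovery time is that of its slowest dependency. Returns
    (function, reason) for every function whose RTO is not met, including
    dependencies that have no recovery strategy at all."""
    by_system = {s.system: s for s in strategies}
    gaps = []
    for fn in functions:
        worst, missing = 0.0, []
        for system in fn.systems:
            strat = by_system.get(system)
            if strat is None:
                missing.append(system)
            else:
                worst = max(worst, strat.achievable_hours)
        if missing:
            gaps.append((fn.name, "no strategy for " + ", ".join(missing)))
        elif worst > fn.rto_hours:
            gaps.append((fn.name, f"achievable {worst:g}h exceeds RTO {fn.rto_hours:g}h"))
    return gaps


# Constructed sample BIA data (assumptions, not from the slides).
SAMPLE_FUNCTIONS = [
    CriticalFunction("Payroll", 24, ["ERP DB", "ERP App", "Network"]),
    CriticalFunction("Student registration", 8, ["SIS", "Network", "Auth"]),
    CriticalFunction("Research file share", 72, ["File/Print"]),
]
SAMPLE_STRATEGIES = [
    RecoveryStrategy("Network", "redundant links", 1),
    RecoveryStrategy("ERP DB", "data replication to second data center", 4),
    RecoveryStrategy("ERP App", "co-processing / load balancing", 2),
    RecoveryStrategy("SIS", "tape restore", 24),
    RecoveryStrategy("File/Print", "fault-tolerant cluster", 0.5),
    # "Auth" deliberately has no strategy: the gap report must catch it.
]


def main():
    marc = minimum_recovery_configuration(SAMPLE_FUNCTIONS)
    for system in recovery_sequence(SAMPLE_FUNCTIONS):
        print(f"restore {system:<11} within {marc[system]:g}h")
    for name, reason in rto_gaps(SAMPLE_FUNCTIONS, SAMPLE_STRATEGIES):
        print(f"GAP: {name}: {reason}")


if __name__ == "__main__":
    main()
```

The gap check is the part worth keeping: a single shared dependency with no strategy (here the constructed "Auth" system) is enough to make a function miss its RTO, which is exactly what the MARC is meant to surface before a test rather than during one.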
Business Continuity Program Pyramid
Disaster Recovery/Business Resumption Planning
Disaster Recovery Planning
• The strategic and detailed planning for the timely restoration of information technology, network and telephony following a disaster.
Business Resumption Planning
• The strategic and detailed planning for the timely restoration of vital business/support functions following a disaster.
Business Continuity Program Pyramid
Crisis Management Program
Who
• All key business and support units/entities
Charter
• Provide policies, procedures and guidance, to organize, train, equip and manage staff, equipment, and facilities to ensure a capability to rapidly evaluate and respond to significant incidents that impact, or may impact, an organization’s critical operations
Benefits
• Rapid, coordinated identification and response to incidents in an effort to prevent the incidents from becoming disasters
• Protection of: life; corporate image, prestige, revenue, market share
• Mitigation of incident generated legal and regulatory risks
Integrated Response/Recovery Plan Structure (diagram; labels recovered from the slide)
• Corporate Crisis Management Plan
• Corporate Crisis Management Team (CMT); IMT
• Site Recovery Plans: Sites A-n; Facilities
• Department Specific Recovery Chapters: Departments A, B ... n; Business Resumption/Disaster Recovery/Crisis Management Plans
• Data Center Disaster Recovery Plans: App Group, Server Group, Tape Group, Network Group
• General IT/Data Network Business Resumption Support Plans
Plan Scorecarding and Testing
What
• Crisis Management Plan
• Business Resumption Plans
• Disaster Recovery Plans
Charter
• Scorecarding - Evaluate plan content for structure, scope, and breadth of information in preparation for testing of plan for recovery operations
• Testing - Evaluation of plan content for effectiveness/adequacy in recovery operations
Benefits
• Quality control of plans
• Training of personnel
• Confidence
Business Continuity Program Pyramid
Certification Program
What
• Business Resumption Plans
• Disaster Recovery Plans
Charter
• Annual, formal rating of Business Resumption and Disaster Recovery Plans using scorecard results, testing results, and other criteria to assess plan readiness.
Benefits
• A standardized assessment of plan quality and readiness
• Targeted program planning and budgeting
• Confidence in plan readiness and quality
Continuity Program Development Cycle (CPO at the center)
1. Understand Your Business - Accomplish A Business Impact Analysis
2. Develop - IT Disaster Recovery And Business Resumption Strategies
3. Develop - IT Disaster Recovery Plans; Business Resumption Plans; Testing and Certification Program
4. Develop & Implement - An Enterprise Recovery Management Process
5. Maintain - Testing Metrics/Program; Maintenance Program; Change Management Program; Audit; Certification Program
CPO Project Responsibilities (process cycle: Initiation, Planning, Execution, Controlling, Closing)
INITIATION PROCESSES
• Feasibility
• High Level Planning
• Charter Definition
PLANNING PROCESSES
• Plan Development
• Policies, Procedures, Guidance
• Communications Planning
• QC Planning
• Risk Management Plan
• Contract/Project Change Management
• Deliverable Acceptance Criteria
EXECUTION PROCESSES
• Information Coordination and Distribution
• Risk Response
• Risk Estimation
• Resource Management
• Issue Resolution
CONTROLLING PROCESSES
• Quality, Scope, Change, Risk, Schedule, Performance Control
• Analysis and Reporting
CLOSING PROCESSES
CPO Lifecycle Responsibilities
• Methodology, Policies, Procedures, & Guidance
• Recovery Plan Scorecarding & Certification
• Training / Awareness Program
• Plan Development/Maintenance Program
• Change Control - New Systems, New Functions, New Designs, Etc.
• Testing - Metrics, Accomplishment, And Required Plan Changes
• Strategy Validation/Updates
• Initial and Ongoing Critical Vendor Qualification and SLA/Contract Review
• Crisis Management & Recovery Plan Implementation
CPO Summary Chart Of Responsibilities (diagram; boxes and connector labels recovered from the slide)
Steering Committee - Decisions: Policy; Vision; Strategy; Direction. Connector: Guidance/Oversight/Analysis
CONTINUITY PROGRAM OFFICE - Provides: Contractor Database; Contractor and Corp Resource Pool; Knowledge Library; Training, Awareness And Education Program. Connectors: SLAs And Access; Provides Resources To Project; Policies, Procedures, Guidance; Reports
PROJECT PP&Gs
• Project initiation
• Project planning
• Execution and control
• Closure
• Evaluate Business Needs
• Business Cases
• Project Justification
• Recommendations
PROGRAM PP&Gs
• Methodology
• Plan development templates
• Change control
• Communications management
• Crisis management
• Plan scorecards and certification
• Vendor qualification, SLAs
• Recovery strategies
• Risk management
• Testing and metrics
• Software
Project Managers - Requirements:
• Work with CPO
• Customize Project WBS/Schedule
• Daily Project Management
• Identify Issues
• Incorporates Best Practices
• Updates Templates
• Evaluates Project Results
• Maintains Knowledge Library
CRISIS MANAGEMENT - Planning & Execution
IT and Business Units - Recovery Planning & Testing
CPO Staffing- Executive Sponsor
Staffing: Executive Sponsor
Planning Role:
• Secure funding and resources.
• Make Go/No-Go decisions.
• Link to Executive Steering Committee
• Provide strategic guidance to CPO
• Integration with other corporate strategic initiatives.
Implementation Role:
• Issue resolution.
• Resource commitment.
• Approval authority for change requests.
• Link to Executive Steering Committee
CPO Staffing- CPO Leader
Staffing: CPO Lead
Planning Role:
• Oversee development and approval of project management and Enterprise Recovery Management Process (ERMP) policies, procedures, methodology and guidance.
• Develop CPO & project staffing models.
• Project Initiation and Planning.
• Development of Issue Resolution Plan.
• Development of deliverable acceptance procedures.
• Design of vendor qualification program.
• Design and administration of the corporate Crisis Management Plan.
Implementation Role:
• Daily leadership, oversight, and management of CPO staff.
• Responsible for CPO performance and deliverables.
• Champion project management methodology implementation and ERMP.
• Project Implementation, Control, and Closure.
• Responsible for implementation and management of program/project Communications Plan, Certification Program, Awareness and Training Program, Change Control, and Risk Management Program.
• Leadership, or administration of, the corporate Crisis Management Team.
CPO Staffing- CPO Leader
Staffing: CPO Staff
Planning Role:
• Develop program/project management books, forms, templates, etc.
• Develop plan Certification Program; Training and Awareness Program; Communications Management Plan; Risk Management Plan.
• Develop Change Management Program.
• Program budget.
• Business continuity risk analysis of new facilities design, hardware purchases, software, network design, business processes, vendors, etc.
• Project Initiation and Planning.
Implementation Role:
• Tracking of project and program progress against plans/schedule (project/program implementation and control).
• Maintain recovery plan Certification Program database.
• Implement Awareness and Training Program.
• Set-up and maintenance of program Knowledge Library.
• Ensure compliance with program ERMP.
• Issue/problem resolution.
• Support Executive Sponsor with presentations and reports.
• Vendor qualification program.
• Support for corporate Crisis Management Team.
Establishing a CPO
Identify and define measures of success for the CPO
• Define goals and objectives of the CPO
• Codify the charter of the CPO
• Write a vision and mission statement for the CPO
• Document the purpose of the initiative and what value is to be created
• Determine how return-on-investment will be measured
• Determine what other metrics and measurements should be used (e.g., quality, customer satisfaction, productivity)
Establishing a CPO
Define leadership and communications PP&Gs
• Establish how information, status updates and decisions will be communicated
• Determine how and who will make key decisions
Define risks and develop mitigation strategy
• Identify risks to program success
• Determine how risks will be mitigated
• Establish how additional risks that may arise later will be identified and mitigated
Establishing a CPO
Define program support
• Identify support requirements for each CPO project, and lifecycle functions assigned the CPO
• Identify standard methods and procedure for project and program execution, reporting and management
• Develop process for the creation of additional standards as the need arises
• Decide if CPO should create a Disaster Recovery/Business Resumption Center of Excellence for critical technical knowledge that will be shared by multiple projects
Establishing a CPO
Define integration approach and methods
• How will programs and projects that have interrelationships and dependencies be identified and integrated
• How well does the portfolio of programs and projects assigned to the CPO support the business goals and objectives of the corporation
Change Triggers (diagram; labels recovered from the slide)
Sources of requests for changes: Meetings; Organizational Entities (Facilities, Info Technology, Business Units, Other Divisions)
CHANGE TRIGGERS
• Recovery Objectives Change
• Organizational Changes
• Network Changes
• Vault List
• Software Upgrades
• Database Changes
• Hardware Changes
• Operating System Upgrades
• Restoration Procedure Changes
• Changes in Disaster Declaration Authority
• Off-site Storage Access
• Off-site Storage
• Hardware/Inventory
• Recovery Site Changes
• Hot Site Changes
• Process and Sub-process Owner Changes
• Client Server Interfaces
• All Technology Profile “fields”
• Changes to Standards
• Backups Procedures
• Modifications Resulting from Tests
Flow: Requests For Changes -> Analysis Of Actions Required By Change Trigger -> Coordinated Changes To: Disaster Recovery Information Technology Profile; Recovery Plans; Recovery Strategy; Infrastructure
CRISIS RESPONSE PLANNING (diagram; labels recovered from the slide, duplicates removed)
Levels: Corporate; Regions; Markets
Corporate Response Flow - CMT Activated
• Corporate Response Plan: Corporate Strategy Objectives -> CMT Planning Cell -> CMT Ops Cell -> Situation Report
• Department/Regional Objectives: Department Tasks To The Field; Regional Objectives To Regional CMTs
Regional CMT Response Planning/Execution Flow
• Objectives Received From CMT -> Response Planning -> Regional Objectives -> RCMT Tasks To Market CMTs
Market CMTs Response/Execution Flow
• RCMT Taskings Received -> Market CMT Tasking Out
Response Plan Implementation
CPA’s Role in DRP, BCP & BIA
Disaster Recovery Plan (DRP)
Business Impact Analysis (BIA)
Information Systems Audit and Control Association (ISACA)
Business Continuity Plan (BCP)
Committee Of Sponsoring Organizations (COSO)
Control Objectives for Information and related Technology (COBIT)
IT: Information Technology; IS: Information Systems
Business Continuity Management (BCM)
Business Continuity (BC)
Disaster Recovery and Business Continuity Planning in a University Environment
Mardecia Bell
Ann Harris
Copyright Mardecia Bell/Ann Harris 2005. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.
History/Timeline
1997 Initiated with the administrative environment; Mainframe environment recovery test
1999 Y2K - Business Continuity concept; Acquired central repository software (LDRPS)
2001 Scheduled annual Mainframe recovery test; Included communications & academic environment
2002 Expanded to include Enterprise Business Continuity/Disaster Recovery Planning
2004 Successful DR test of ERP systems
2005 Co-processing of production services began in Data Center II
Implementation Steps
• Gain Sponsorship
• Establish Steering Committees
• Develop University Policy/Regulation
• Create DR Structure/Establish Staffing
• Market Program
• Establish Central Repository
• Review & Test Plans Regularly
Gain Sponsorship
• Office of the President – University System
• Chancellor
• Executive Management
Present your Business Case
• Identify the roles involved
• Provide Executive Summary of BC/DR Program
• Present Statement of Work and Project Plan
• Add responsibilities to staff work plans
Policy/Regulations/Rule
Develop a Policy or Regulation to affirm the mandate and promote cooperation
Divide Campus Into Groupings
• Space/Facilities
• Teaching and Academic Programs
• Academic IT
• Administrative IT
• Environmental Health and Public Safety
• Business Administration
• Research Programs
• Student Affairs
• Extension and Engagement
Resource Projections
Hire Full-Time Business Continuity and Disaster Recovery Personnel
• Director of Business Continuity (plus 1 Business Analyst)
• Admin IT DR Coordinator (plus 1 Business Analyst)
• Academic DR Coordinator (part-time)
Add BC/DR responsibilities to work plan of existing staff
• Identify Coordinators for each business unit
Establish Central Information Repository
Continuous Implementation
Accomplishments
• Disaster Recovery and Business Continuity Plan
• Risk Assessments for Critical Business Units
• Successful Mainframe Recovery Tests
• Designed and implemented infrastructure for central computing environment (academic & administrative) in secondary data center.
• Implementation of recovery strategies in secondary data center
• Creation of Administrative IT Disaster Recovery Unit
Illustration of Various DR Deployments (diagram; labels recovered from the slide)
• Fault-tolerant cluster (file and print services): A Production / B Configuration; B Production / A Configuration; A Production / B Production
• Distributed deployment (hosted systems): A Production; A Development; A Production
• Co-processing and load-balancing (ERP): A Production; A Production; A Production
• Data replication (mainframe): Server Data; Server Data; Server Data
Enterprise Resource Planning (ERP) Deployment (diagram; labels recovered from the slide)
Systems: Financial System; Human Resources (Version 8.8); Student Information System (under construction)
DC I: Web Server; Application Server; Batch Server; DB Server; Data Storage Area Network
DC II: Web Server; Application Server; Batch Server; DB Server; Data Storage Area Network
Campus Users
Summary and Future Steps (diagram; labels recovered from the slide)
DC II: Hosted systems; Infrastructure; Data Storage Area Network; Active Directory / Windows; Novell Directory Services / Novell; Citrix; ERP Web; ERP Batch; ERP Application; Data Backup/vaulting; ERP DB Server
DC I: Hosted systems; Infrastructure; Data Storage Area Network; Backup/vaulting; Active Directory / Windows; Novell Directory Services / Novell; Citrix; ERP Web; ERP Batch; ERP DB Server; ERP Application; Development Server; Mainframe Server; Email/Calendar; Anti-SPAM; File/Print, User Home; Web Server; Database Server
Administrative IT Disaster Recovery Unit
Mission
• Ensure minimal risk of major disruptions to critical University systems and processes in the event that all or part of its computer operations are rendered inoperable.
• Ensure timely recovery of infrastructure and services in the event of a disruption.
• Ensure that business continuity plans are available and viable relative to its scenario.
Risk Management
• Identify
• Mitigate
• Process Mapping
Risk Management
Risk Mitigation
• Prioritize Actions
• Evaluate Recommended Control Options
• Conduct Cost-Benefit Analysis
• Select Controls
• Assign Responsibility
• Develop Safeguard Implementation Plan
• Implement Selected Controls
Risk Assessment
• System Characterization
• Threat Identification
• Vulnerability Identification
• Control Analysis
• Likelihood Determination
• Impact Analysis
• Risk Determination
• Control Recommendations
• Results Documentation
Source: NIST SP 800-30
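The Risk Assessment steps from Likelihood Determination through Results Documentation, and the Risk Mitigation steps from Cost-Benefit Analysis through Select Controls, as an added worked example in Python (it is not code from the slides). The likelihood ratings, impact magnitudes and the High/Medium/Low risk scale are the qualitative tables from NIST SP 800-30; every system, threat, vulnerability, control and cost below is constructed sample data, and the helper names and the reduction-per-dollar selection rule are this example's own assumptions rather than anything the standard prescribes.

```python
"""NIST SP 800-30 risk determination and control selection, worked example.

Added illustration, not part of the slides. The likelihood, impact and
risk-level scales follow the qualitative tables in NIST SP 800-30; every
system, threat, control and cost below is constructed sample data.
"""
from dataclasses import dataclass

# Likelihood ratings and impact magnitudes (SP 800-30 qualitative scales).
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk Determination: risk = likelihood x impact (SP 800-30 risk matrix)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """SP 800-30 risk scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class RiskItem:
    """One finding: a threat/vulnerability pair on a system (constructed data)."""
    system: str
    threat: str           # Threat Identification
    vulnerability: str    # Vulnerability Identification
    likelihood: str       # Likelihood Determination, given existing controls
    impact: str           # Impact Analysis

    @property
    def score(self) -> float:
        return risk_score(self.likelihood, self.impact)


@dataclass
class Control:
    """A recommended control (Control Recommendations) with its annual cost."""
    name: str
    annual_cost: float
    residual_likelihood: str   # likelihood expected once the control is in place


def risk_reduction(item: RiskItem, control: Control) -> float:
    """Cost-Benefit Analysis input: score before minus score after the control."""
    return item.score - risk_score(control.residual_likelihood, item.impact)


def select_controls(items, controls_by_system, budget):
    """Risk Mitigation: Prioritize Actions, evaluate options, Select Controls.

    Risks are treated highest score first. For each, the candidate control with
    the best reduction per dollar (an assumed selection rule) is chosen if it
    still fits the budget. Returns (plan, amount spent); a plan entry is
    (system, control name, risk level before, risk level after).
    """
    plan, remaining = [], budget
    for item in sorted(items, key=lambda i: i.score, reverse=True):
        options = [c for c in controls_by_system.get(item.system, [])
                   if risk_reduction(item, c) > 0]
        if not options:
            continue                      # nothing on offer lowers this risk
        best = max(options, key=lambda c: risk_reduction(item, c) / c.annual_cost)
        if best.annual_cost > remaining:
            continue                      # worthwhile but not fundable this cycle
        after = risk_level(risk_score(best.residual_likelihood, item.impact))
        plan.append((item.system, best.name, risk_level(item.score), after))
        remaining -= best.annual_cost
    return plan, budget - remaining


def sample_assessment():
    """Constructed findings and candidate controls standing in for a real assessment."""
    items = [
        RiskItem("ERP DB Server", "Site loss (fire/flood)", "No offsite copy of backups", "Medium", "High"),
        RiskItem("Web Server", "Hardware failure", "No spare web server", "High", "Medium"),
        RiskItem("Batch Server", "Power outage", "No UPS", "High", "High"),
        RiskItem("Email/Calendar", "Disk corruption", "Weekly backups only", "Low", "Low"),
    ]
    controls = {
        "ERP DB Server": [Control("Offsite vaulting of backups", 5000, "Low")],
        "Web Server": [Control("Add spare web server", 8000, "Low")],
        "Batch Server": [Control("UPS and emergency generator", 20000, "Low"),
                         Control("Second power feed", 35000, "Low")],
        "Email/Calendar": [Control("Daily backups", 3000, "Low")],
    }
    return items, controls


def run_assessment(budget=30000):
    items, controls = sample_assessment()
    return select_controls(items, controls, budget)


def results_documentation(items):
    """Results Documentation: one risk-register line per finding, highest first."""
    return [f"{i.system}: {i.threat} / {i.vulnerability} -> {risk_level(i.score)} ({i.score:g})"
            for i in sorted(items, key=lambda i: i.score, reverse=True)]


if __name__ == "__main__":
    items, _ = sample_assessment()
    for line in results_documentation(items):
        print(line)
    plan, spent = run_assessment()
    for system, control, before, after in plan:
        print(f"{system}: {control} ({before} -> {after})")
    print(f"Spent {spent} of 30000")
```

With the constructed data and a 30000 budget the Batch Server power risk (High) and the ERP DB offsite-copy risk (Medium) are funded, the spare web server is deferred because it no longer fits, and the Email/Calendar control is dropped because it does not change the (already Low) risk level; the register lines are what the Results Documentation step would carry into the report.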
Process Mapping
[Figure: process map of the ERP tiers, Users -> Web/Application Clients -> Databases.]
Distributed Web Servers: Web Server 1 through 6, each a SunFire v240 (2-cpu, 8GB) with Veritas Foundation Suite, running Financials, FinTrain and FinRep on WebLogic v8.1 behind iPlanet v6.0 Proxy Server authentication.
Distributed Application Transaction Servers (AppServers): Application Server 1 and 2, SunFire v1280 (12-cpu, 24GB); Application Server 3 and 4, SunFire v480 (4-cpu, 8GB); an Application Server on a SunFire v240 (2-cpu, 4GB); an Application Server on a Sun E450, Solaris 7 (4 SparcII cpu, 4GB); all with Veritas Foundation Suite. The Financials, FinRep and FinTrain AppServers run Tuxedo v6.5; the HR, HRRep and HRTrain AppServers run Tuxedo.
Distributed Process Schedulers (Batch Servers): Batch Server 1 through 5, each a SunFire v240 (2-cpu, 4GB) with Veritas Foundation Suite, running the Financials, FinRep and FinTrain BatchServers on Tuxedo v6.5; a Batch Server on a Sun E10K OS Domain, Solaris 7 (8 SparcII cpu, 8GB) with Veritas Foundation Suite, running the HR Tuxedo Process Scheduler.
Databases: Data Server 1, SunFire E25K OS Domain (12 SparcIV cpu, 96GB), Veritas DBE Oracle w/ FlashSnap, hosting Financials OLTP, FinRep Reporting and FinTrain Training on Oracle 9i; Data Server 2, Sun E10K OS Domain, Solaris 8 (12 SparcII cpu, 12GB), Veritas DBE Sybase w/ FlashSnap, hosting HR, HRRep and HRTrain on Sybase ASE 12.0.0.6.
Infrastructure
• Total DR through distributed high availability
• Client Recovery Solutions
• Application Restoration
• Establish collaborative partnerships with other Universities
Client Recovery Solution(s)
Application Restoration
• Event
• Time
• Scope of Impact
• Infrastructure
• Software
• Hardware
Collaborative Partnerships
Vaulting
• Readily accessible
• Secure
• Onsite
• Offsite
Critical Business Units
• Advancement Services
• All Campus Network
• Budget Office
• College of Agriculture and Life Sciences - Personnel Office
• ComTech - Data Networking
• ComTech - Telecommunications
• Contracts and Grants
• Controller's Office
• Enterprise Application and Database Services
• EH&S - Business Continuity
• EH&S - Campus Police
• EH&S - Emergency Response
• EH&S - Environmental Affairs
• EH&S - Health and Safety
• EH&S - Industrial Hygiene
• EH&S - Insurance and Risk Management
• EH&S - Radiation Safety
• EH&S - Transportation
• EH&S - Waste Management
• Enrollment Management - Admissions
• Enrollment Management - Office of Scholarships & Financial Aid
• Enrollment Management - Registration and Records
• Enterprise Technology Services and Support
• Facilities - Construction Management
• Facilities - Design and Construction Services
• Facilities - Operations
• Facilities - University Architect
• Fire Protection
• Foundations Accounting & Investments
• HR - Benefits
• HR - Employment & Compensation
• HR - Human Resource Information Management
• HR - Payroll
• ITD - Business Services
• ITD - Computer Operations
• ITD - Computer Services
• ITD - Systems
• Libraries - Administration
• Materials Management - Materials Support
• Materials Management - Purchasing
• Materials Management - University Graphics
• Real Estate
• Student Health Services
• University Cashier's Office
• University Dining
• University Housing
Business Continuity Planning
Communication
• Consistency in plan updating
• Training
• Partnering
• Emergency Communication standardization
• Call Trees
• Mobile Devices
• Website
• Incident Command System Call Center
• Incident Report Plan
IT Disaster Categorization
Category 1: A single person or group in a Critical Business Unit (CBU) is unable to perform their critical functions
Category 2: An entire CBU is unable to perform its critical functions
Category 3: Multiple CBUs are unable to perform their critical functions
Category 4: Non-CBUs are not able to perform their critical functions
Category 5: A widespread event that impacts the entire University
Goals
• Total DR through distributed high availability
• Standardized Emergency Communications
• Immediate Client Recovery Solutions
• Improved RTO
Control Objectives for Information and related Technology (CobIT)
Control Objective: Ensure Continuous Service
Managing continuous service includes the ability to recover from a disaster.
Controls need to be in place to manage various disaster scenarios, from backup and recovery to full business continuity.
Actions performed in this area align with the control activities and monitoring components of COSO (Committee Of Sponsoring Organizations).
Deficiencies in this area could significantly impact financial reporting and disclosure of an entity. For instance, the inability to recover from a disaster after year-end could prevent the organization from producing financial reports that are supported with source documentation and details of transactions that make up financial reporting balances.
Ensure Continuous Service
IT management, in cooperation with business process owners, has established a business continuity framework that defines the roles, responsibilities, risk-based approach/methodology to be adopted, and the approval procedures.
COSO Component: Control Activities
Ensure Continuous Service
The business continuity plan identifies the critical application programs, third-party services, operating systems, personnel and supplies, data files, and time frames needed for recovery.
COSO Component: Control Activities
Ensure Continuous Service
The IT continuity plan is aligned with the overall business continuity plan to ensure consistency.
COSO Component: Control Activities
Ensure Continuous Service
The IT organization members responsible for disaster continuity plans have been trained regarding the procedures to be followed in case of an incident or a disaster.
COSO Component: Control Activities
Ensure Continuous Service
IT management has ensured that the continuity plan is adequately tested, at least annually, and that any deficiencies are addressed within a reasonable period of time.
COSO Component: Control Activities
Ensure Continuous Service
Offsite storage and recovery facilities are periodically assessed, at least annually, for viability, adequacy and security mechanisms.
COSO Component: Monitoring
Ensure Continuous Service
A business impact analysis assessment has been performed that considers the impact of systems failure on the financial reporting and disclosure process.
COSO Component: Control Activities
Ensure Continuous Service
Management has reviewed the impact assessment in determining the nature and extent of system recovery procedures necessary to support the timeliness of financial reporting and disclosure processes.
COSO Component: Control Activities
IS Auditing Guideline
1.4 Purpose of the Guideline
1.4.1 The primary objective of BCP is to protect the organization in the event that all or part of its operations and/or information systems services are rendered unusable and aid the organization to recover from the effect of such events.
1.4.2 The purpose of this guideline is to describe the recommended practices in performing a business continuity plan (BCP) review.
IS Auditing Guideline
1.4.3 The purpose of a BCP review is to identify, document, test and evaluate the controls and the associated risks relating to the process of BCP as implemented in an organization to achieve relevant control objectives.
1.4.4 These control objectives can be primary, directly related to BCP, and secondary, indirectly related to BCP.
IS Auditing Guideline
1.4.5 This guideline provides guidance in applying IS auditing standard 060 (Performance of Audit Work) to obtain sufficient, reliable, relevant and useful evidence during review of the business continuity plan. The IS auditor should consider it in determining how to achieve implementation of the above standard, use professional judgment in its application and be prepared to justify any departure.
IS Auditing Guideline
1.5 Guideline Application
1.5.1 This guideline is applied when conducting a review of BCP from an IT perspective in an organization.
1.5.2 When applying this guideline, the IS auditor should consider its guidance in relation to other relevant Information Systems Auditing & Control Association (ISACA) standards and guidelines.
IS Auditing Guideline
2.1.3 Risk assessment followed by a Business Impact Analysis (BIA) must be performed to assess the overall financial exposures and operational effects due to a disruption in business activities. The BIA should identify and prioritize the critical business processes supported by the IS infrastructure including, but not limited to, cost-benefit analysis of controls in different disruption scenarios.
IS Auditing Guideline
2.1.4 Disaster Recovery Plan (DRP), a key component of BCP, refers to the technological aspect of BCP: the advance planning and preparations necessary to minimize loss and ensure continuity of critical business functions in the event of a disaster. DRP comprises consistent actions to be undertaken prior to, during and subsequent to a disaster.
IS Auditing Guideline
2.1.5 A sound DRP should be built from a comprehensive planning process, involving all of the enterprise. In today's interconnected economy, organizations are more vulnerable than ever to the possibility of technical difficulties disrupting business. Any disaster, from floods or fire to viruses and cyber terrorism, can affect the availability, integrity and confidentiality
BCM Model
[Figure: Business Continuity Planning phases (Source: Gartner Group). Project: Initiation (Policy, Organization, Resources, Scope); Risk Analysis; Business Impact Analysis; Recovery Strategy; Create Planning Organization (Plans/Procedures, Risk Reduction, Standby Facilities); Testing. Ongoing Process: Change Management, Education, Testing/Review.]
BCM Program Elements
[Figure: Business Recovery Plan elements, progressing from Recovery Capability to Continuity. Business Recovery Organization (BRO); Recovery Location(s); Switchable Telecomm. Network(s); Data/Records Backup & Off-Site Storage; Recovery Actions, Tasks & Procedures; Recovery Plan Development; Recovery Plan Maintenance; Program Justification & Authorization; Business Impact Analysis (BIA); Risk Analysis (RA); Process Identification; Recovery Strategies; Budget & Policies; Commitment by Executive Management; Updated Recovery Strategies; Plan Changes & Updates; Test Systems, Software & Environments; New Processes & Procedures; Training & Exercises (Prove Plans & Teams).]
Availability & Survivability Components:
- Evacuation & Life-Safety Plans
- Fire Detection, Alerting & Suppression
- Physical & Logical Security
- UPS & Emergency Generators
- Redundant Equipment Components
- Equipment Maintenance & Replacement
- Redundant Power, Telecommunications and Water
BC Phases
Continuity Planning Policy
The process is generally initiated by issuing a continuity planning policy statement that:
• Establishes and documents the basic planning requirements, standards, and guidelines that responsible offices will apply in developing, implementing, and executing their respective continuity plans.
• Outlines the organizational framework for continuity planning and execution.
• Determines the scope (services, functions and resources subject to continuity planning requirement).
• Defines continuity planning objectives.
Continuity Planning Objectives
Organization-wide continuity planning policy objectives need to be:
• Identified
• Prioritized, and
• Validated by senior management.
Policy objectives ensure that continuity plans focus on achieving essential mission requirements.
Objectives establish the criteria for assessing