Upload
trannguyet
View
229
Download
10
Embed Size (px)
Citation preview
Paper-6 Chapter-6: BCP and DRP
BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY PLANNING
PART-3
CA A.RAFEQ, FCA
1
Learning Objectives
• To know about ‘Business Continuity Plan’.
• To understand various ‘phases’ of Business Continuity Plan.
• To know about ‘back-up’ and ‘disaster recovery planning’.
• To have an idea of ‘audit’ of these plans.
2
Topics Covered
Part-1 6.0 Introduction 6.1 Business Continuity Planning 6.2 Developing a Business Continuity Plan 6.3 Types of Plans Part-2 6.4 Test Plan 6.5 Threats and Risk Management 6.6 Software and Data Back-up Techniques 6.7 Alternate Processing Facility Arrangements 6.8 Back-up Redundancy
Part-3 6.9 Disaster Recovery Procedural Plan 6.10 Insurance 6.11 Testing Methodology and Checklist 6.12 Audit Tools and Techniques 6.13 Audit of the Disaster Recovery/Business Resumption Plan
3
DRP Testing and Audit Part-3
6.9 Disaster Recovery Procedural Plan 6.10 Insurance 6.11 Testing Methodology and Checklist 6.12 Audit Tools and Techniques 6.13 Audit of the Disaster Recovery / Business Resumption Plan
4
6.9 Disaster Recovery Procedural Plan
Conditions for activating the plans
Emergency procedures
Fall-back procedures
Resumption procedures
Maintenance schedule
Awareness and education activities
Responsibilities of individuals 5
6.9 Disaster Recovery Procedural Plan
Checklist for inventory
List of phone numbers of employees
Emergency phone list
Medical procedure
Back-up location
Insurance papers and claim forms
Primary computer centre 6
Questions
3. What do you understand by the term Disaster? What procedural plan do you suggest for disaster recovery? (10 Marks) (Nov 2008) 4. (A) Explain the various general components of Disaster Recovery Plan (8 Marks) (Nov. 2011)
7
Answer
The term disaster can be defined as an incident which jeopardizes business operations and/or human life. It could be due to sabotage (human) or natural. Following is the procedural plans for disaster recovery. Disaster Recovery Procedural Plan: Normally disaster recovery procedural plan is made when the system is normally working. After visualizing the disaster the action to be taken by different people of the organization are to be documented.
8
Answer
This recovery and planning document may include the following areas:
i. The conditions for activating the plans, which describe the
process to be followed before each plan, are activated.
ii. Emergency procedures, which describe the actions to be taken following an incident which jeopardises business operations and/or human life. This should include arrangements for public relations management and for effective liaison with appropriate public authorities e.g. police, fire, services and local government.
9
Answer
iii. Fall-back procedures which describe the actions to be taken to move essential business activities or support services to alternate temporary locations, to bring business process back into operation in the required time-scale.
iv. Resumption procedures, which describe the actions to be taken to return to normal business operations.
v. A maintenance schedule, which specifies how and when the plan will be tested, and the process for maintaining the plan.
10
Answer
vi. Awareness and education activities, which are designed to create an understanding of the business continuity, process and ensure that the business continues to be effective.
vii. The responsibilities of individuals describing who is responsible for executing which component of the plan. Alternatives should be nominated as required.
viii. Contingency plan document distribution list.
ix. Detailed description of the purpose and scope of the plan. 11
Answer
x. Contingency plan testing and recovery procedure.
xi. List of vendors doing business with the organization, their contact numbers and address for emergency purposes.
xii. Checklist for inventory taking and updating the contingency plan on a regular basis.
xiii. List of phone numbers of employees in the event of an emergency.
12
Answer
xiv. Emergency phone list for fire, police, hardware, software, suppliers, customers, back-up location, etc.
xv. Medical procedure to be followed in case of injury.
xvi. Back-up location contractual agreement, correspondences.
xvii. Insurance papers and claim forms.
xviii.Primary computer centre hardware, software, peripheral equipment and software configuration.
13
Answer
xix. Location of data and program files, data dictionary, documentation manuals, source and object codes and back-up media.
xx. Alternate manual procedures to be followed such as preparation of invoices.
xxi. Names of employees trained for emergency situation, first aid and life saving techniques.
xxii. Details of airlines, hotels and transport arrangements.
14
6.10 Insurance
Purpose • To spread the economic cost and the
risk of loss from an individual or business to a large number of people
Policies
• Contracts that obligate the insurer to indemnify the policyholder or some third party from specific risks in return for the payment of a premium.
Resources
• Equipment, facilities, storage media, business interruption, extra expenses, valuable documents, accounts receivable, media transportation, malpractice errors.
15
First-party Insurance
• Covers claims by the policyholder against their own insurance
• Examples - property damages, business interruption, etc.
Third-party Insurance
• Covers claims made by others against the policyholder and his insurer
• Examples - general liability, errors and omissions, etc.
6.10.1 Kinds of Insurance
16
Insurance Policy coverage
Equipment
Facilities
Storage media
Business interruption
Extra expenses
Valuable papers
Accounts receivable
Media transportation
Malpractice
Errors
17
6.11 Testing Methodology and Checklist
Hypothetical • Theoretical check
Component • Detailed check
Module • Multiple components check
Full • Interdependency check
4 test types
18
Testing Process
Setting objectives
Defining the Boundaries Scenario Test Criteria
Assumption Test Prerequisites
Briefing session Checklists
Analysing the test
Debriefing session
19
Briefing Session Agenda
Team objectives
Scenario of disaster
Time of the test
Location of each team
Restrictions on specific teams
Assumptions of the test
Prerequisites for each team
20
6.12 Audit Tools and Techniques
Simulation Observations Interviews
Checklists Inquiries Meetings
Questionnaires Documentation reviews
21
Categories: Audit Tools and Techniques
Automated Tools Internal Control Auditing
Disaster and Security Checklists Penetration Testing
4 Categories
22
Question
What are the audit tools and techniques used by a system auditor to ensure that disaster recovery plan is in order? Briefly explain them.
(5 Marks) (Jun 2009)
23
Answer
Audit tools and techniques used by a system auditor to ensure that the disaster recovery plan is in order. The best audit tool and technique is a periodic simulation of a disaster. Other audit techniques would include observations, interviews, checklists, inquiries, meetings, questionnaires and documentation reviews. These are categorized as follows: i. Automated tools ii. Internal Control auditing iii. Disaster and Security Checklists iv. Penetration Testing
24
Answer
i. Automated tools: They make it possible to review large computer systems for a variety of flaws in a short time period. They can be used to find threats and vulnerabilities such as weak access controls, weak passwords, and lack of integrity of the system software.
ii. Internal Control auditing: This includes inquiry, observation and testing. The process can detect illegal acts, errors, irregularities or lack of compliance for laws and regulations.
25
Answer
iii. Disaster and Security Checklists: These checklists are used to audit the system. The checklists should be based upon disaster recovery policies and practices, which form the baseline. Checklists can also be used to verify changes to the system from contingency point of view.
iv. Penetration Testing: It is used to locate vulnerabilities to the system.
26
6.13 Audit of Disaster Recovery/ Business Resumption Plan
• A disaster recovery/business resumption plan exists • Information backup procedures are sufficient • A test plan exists • Resources have been made available to maintain the
plans
Check if
• The disaster recovery/ business resumption plan • The test plan • The existing business impact analysis
Obtain & review
27
6.13 Audit of Disaster Recovery/ Business Resumption Plan
• Criteria and guidance in the preparation and evaluation of plans • Methodology used to develop the existing plans • Methodology used to develop the existing business impact
analysis
Understand
• Recommendations on business impact analysis have been implemented
• Resources been allocated to prevent the plans from becoming outdated and ineffective
• Plan is dated each time that it is revised • Plan has been updated within past 12 months
Determine if
28
6.13 Audit of Disaster Recovery/ Business Resumption Plan
• Location where disaster recovery/ business resumption plan is stored
• Information backup procedures
Review
• Determine their understanding of the plans • Contact information of key employees • Provisions for people with special needs • Provision for replacement staff
Personnel
29
6.13 Audit of Disaster Recovery/ Business Resumption Plan
• Provision for building engineer to inspect the building and facilities
• Consider need for alternative shelter • Review agreements for use of backup facilities • Adequacy of backup facilities based on projected needs • Consider the failure of electrical power, natural gas,
toxic chemical containers, and pipes • Building safety features regularly inspected and tested • Consider the disruption of transportation systems
Building, Utilities and Transportation
30
6.13 Audit of Disaster Recovery/ Business Resumption Plan
• If the plan reflects the current IT environment • If the plan includes prioritisation of critical applications and
systems • If the plan includes time requirements for
recovery/availability of each critical system • If the plan includes arrangements for emergency
telecommunications • Plan for alternate means of data transmission if the
computer network is interrupted • If a testing schedule exists and is adequate
Information Technology
31
6.13 Audit of Disaster Recovery/ Business Resumption Plan
• Does the plan cover administrative and management aspects in addition to operations
• Is there a designated emergency operations centre • If the disaster recovery/ business resumption plan covers
procedures for disaster declaration, general shutdown and migration of operations
• Have essential records been identified • Are essential records separated from those that will not
be needed immediately
Administrative Procedures
32
6.13 Audit of Disaster Recovery/ Business Resumption Plan
• Names and numbers of suppliers of essential equipment and other material
• Provisions for the approval to expend funds that were not budgeted for the period
Other Essentials
• Have they assigned the necessary resources for plan development • Have they concurred with the selection of essential activities and
Priority for recovery • Have they agreed to back-up arrangements and the costs involved • Are they prepared to authorise activation of the plan should the need
arise
Executive Management
33
Case Study Question
Question 1 (May 2012) 1. ABC is leading company in the manufacturing of food items. The
company is in the process of automation of its various business processes. During the Phase, technical consultant of the company has highlighted the importance of information security and has suggested introducing it right from the beginning.
He has also suggested to perform the risk assessment activity and accordingly, to mitigate the assessed risk. For carrying out all these suggestions, various best practices have been followed by the company. In addition, after each activity, appropriate standards’ compliances have been tested to check the quality of each process. Various policies related with business continuity planning and disaster recovery planning has been implemented to ensure three major expectations from the software, namely, resist, tolerate and recover.
34
Case Study Question
Read the above carefully and answer the following: a) What are the major suggestions given by the technical
consultant? How the company is implementing these suggestions? 5 Marks
b) Discuss risk assessment with the help of risk analysis framework in brief. 5 Marks
c) Out of the various types of plans used in business continuity planning, discuss recovery plan in brief. 5 Marks
35
6.9 Disaster Recovery Procedural Plan
6.10 Insurance
6.11 Testing Methodology and Checklist
6.12 Audit Tools and Techniques
6.13 Audit of the Disaster Recovery/Business Resumption Plan
Summary
36
Topics Covered
Part-1 6.0 Introduction 6.1 Business Continuity Planning 6.2 Developing a Business Continuity Plan 6.3 Types of Plans Part-2 6.4 Test Plan 6.5 Threats and Risk Management 6.6 Software and Data Back-up Techniques 6.7 Alternate Processing Facility Arrangements 6.8 Back-up Redundancy
Part-3 6.9 Disaster Recovery Procedural Plan 6.10 Insurance 6.11 Testing Methodology and Checklist 6.12 Audit Tools and Techniques 6.13 Audit of the Disaster Recovery/Business Resumption Plan
37
Thank you!
38