Auditing BCM Pondurance ISACA Presentation


  1. BUSINESS CONTINUITY MANAGEMENT (BCM): AN AUDITOR'S PERSPECTIVE
     Ron Pelletier, CISSP, CBCP, CISA, QSA, VP and Executive Manager
     Central Indiana ISACA, June 25, 2015
  2. WHY ARE WE HERE?
     • "Business continuity is not a project with a beginning and ending date, it is a program to be managed indefinitely." - Unknown, on Business Continuity Management
     • "Only 31 percent of business continuity management programs have a high level of integration with the organization's strategic planning capabilities." - KPMG 2013-2014 Global BCM Benchmarking Study
     • This dropped 3% from the 2012-2013 survey!!
  3. AGENDA
     • BCM Overview
     • General BCM Audit Considerations
     • A Simple Audit Methodology
     • Trends and Standards
     • Questions
  4. A BUSINESS CONTINUITY MANAGEMENT OVERVIEW
  5. COMMON COMPONENTS OF BCM (general, not all inclusive)
     • Business Continuity Planning
     • Disaster Recovery Planning
     • High Availability
     • Risk Management
     • Incident Response
     • Crisis Management
  6. SIMPLIFIED BCM TERMS
     • Business Continuity: planning to sustain business viability.
     • Disaster Recovery: planning to sustain supporting technology & data.
     • Crisis Management: preserving life safety and business image.
     • Business Impact Analysis: establish the organization's critical path.
     • Recovery Time Objective: when do the systems/processes need to be restored?
     • Recovery Point Objective: how much data can you stand to lose?
     • Maximum Tolerable Downtime: what is the point of unacceptable risk?
     • Risk Tolerance: collective picture of risk management and BCM.
     • High Availability: when downtime of systems/data is not an option.
     • Minimum Operating Requirements: what do you need, and when, to get by.
  7. TRADITIONAL THINKING ON BCM: Disaster Recovery vs. Business Continuity
     [Diagram: Disaster Recovery (DRP) covers tech/data restore; Business Continuity covers people, business processes and process continuity.]
  8. THE INTEGRATED PERSPECTIVE
     [Diagram with the following elements:]
     • Defined Tolerance for Risk
     • The Risk Analysis Phase: Current State Assessment, Threat and Risk Assessment, Business Impact Analysis
     • Disaster Recovery Planning (DRP): DRP Strategies, DRP Documentation
     • Business Continuity Planning (BCP): BCP Strategies, BCP Documentation
     • Program Exercising, Change Management, Maintenance
     • Crisis Management: owns initial and ongoing response, allocates emergency resources, MAKES DECISIONS AS REQUIRED, functions as steering committee
  9. UNDERSTANDING RISK TOLERANCE
     [Diagram with the following elements:]
     • Business Unit Personnel: Business Impact Analysis, yielding Maximum Tolerable Downtimes (MTDs)
     • Information Technology Group: Current State Assessment, yielding Current Recovery Capabilities (CRCs)
     • Management Negotiation Based on Risk Tolerance, yielding Recovery Time Objectives (RTOs)
     • Illustrated trade-off: Application X in 72 hours vs. Application X in 24 hours, manual processing, $ and operational impacts
  10. GENERAL BCM AUDIT CONSIDERATIONS
  11. THE POLICY IS YOUR FIRST CLUE TO WHETHER THE COMPANY HAS A CLUE
     • Many auditors go right for the plan, forgetting that a policy might provide useful information, if a policy exists
     • The policy may provide you with references to other BCM documents, team members, crisis plans, etc.
     • The policy may also provide objectives for the plan, scope or rationale for strategy (e.g., High Availability), etc.
     • Then again, the policy may indicate a large disconnect between management and those tasked with developing and/or executing the plan
     Be sure to look for cobwebs!
  12. THE BIGGER THE PLAN, THE BIGGER THE BINDER
     • Regulatory frameworks generally do not provide requirements beyond creation and sustainment of a plan
     • The size and thickness of a documented plan DOES NOT reflect its effectiveness
     • Large plans can easily be over-engineered and may be discarded in a disaster situation
     • The plans should identify roles, responsibilities and immediate action steps (i.e., the critical path)
     • The plans should exist or be accessible outside of the physical or logical confines of the facility or domain
     If the plan requires a dolly to lug around, it might need some reengineering
  13. THE LACK OF A BIA CAN RENDER YOUR PLAN KIA
     • A plan that is not predicated on some level of precision analysis is not a plan but a guess
     • An effective BIA does NOT require a long, drawn-out process that can take months
     • According to KPMG's BCM Survey, 38% of respondents do not know the financial impact of a five-day disruption or outage
     • Be wary of sole reliance on survey results: business unit managers may inflate their criticality to align with their MBOs
     • The end state of a BIA should draw attention to management's risk tolerance and critical path
     When the plates start to fall, knowing which to catch and which to drop will determine success or failure
  14. AVOID RISK, BECAUSE RISK WILL NOT AVOID YOU
     PREPARE TO AVOID BUT PLAN TO RESPOND!!
     • Human, technical, operational and strategic threats MUST be considered to formulate a viable avoidance and/or response posture
     • Look for single points of failure that might not have been considered
     • Do not discard Black Swan Events, but don't put all your focus on them (pandemic flu? Not many actually going in to work)
     • According to KPMG's BCM Survey, only 41% of companies integrate BCM with Cyber Security
     • Be sure to account for environmental and physical controls as part of the organization's risk management plan, too (see spaghetti)
     Uh... would you like some sauce to go with that spaghetti?
  15. DATA BACKUPS: OFTEN FULL OF HICCUPS
     • Ensure the backup scheme complements the Recovery Time and Recovery Point Objectives (RTOs & RPOs)
     • Tapes are fine, but often they are either not removed from the site or are taken offsite 1x per week
     • If the backups (tape or disk) are not tested periodically to verify full restoration, the capability to restore is questionable
     • It is entirely possible that a replication or high availability strategy encompasses too much and does not justify its expense
     Tapes kept onsite? Soooo... what happens if the data center burns down?
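The checks an auditor would run from slide 9 (RTOs negotiated against the MTDs from the BIA and the CRCs from IT's current state assessment) and slide 15 (backup and offsite cadence against the RPO, and verified restores) can be written down as a small gap analysis. This is an added example, not material from the presentation; the application names, hour values and dates are constructed sample data, and the 365-day restore-test limit is an assumed audit threshold.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class App:
    name: str
    mtd_h: float               # Maximum Tolerable Downtime, from the business units' BIA
    rto_h: float               # Recovery Time Objective, negotiated with management
    rpo_h: float               # Recovery Point Objective: data loss the business can stand
    crc_h: float               # Current Recovery Capability, from IT's current state assessment
    backup_interval_h: float   # hours between restorable backup copies
    offsite_interval_h: float  # hours between copies leaving the site (0 = continuous replication)
    last_restore_test: Optional[date]  # last verified full restoration, None if never done

def audit_app(app: App, today: date, max_test_age_days: int = 365) -> List[str]:
    """Return audit findings for one application; an empty list means no gap found."""
    findings = []
    if app.rto_h > app.mtd_h:
        findings.append(f"RTO {app.rto_h}h is past the MTD of {app.mtd_h}h (unacceptable risk)")
    if app.crc_h > app.rto_h:
        findings.append(f"capability {app.crc_h}h misses RTO {app.rto_h}h by "
                        f"{app.crc_h - app.rto_h}h: close the gap or renegotiate the RTO")
    if app.backup_interval_h > app.rpo_h:
        findings.append(f"backup every {app.backup_interval_h}h cannot meet RPO {app.rpo_h}h")
    if app.offsite_interval_h > app.rpo_h:
        findings.append(f"copies leave the site every {app.offsite_interval_h}h: a site loss "
                        f"means up to {app.offsite_interval_h}h of data lost against RPO {app.rpo_h}h")
    if app.last_restore_test is None:
        findings.append("full restoration never verified: ability to restore is questionable")
    elif (today - app.last_restore_test).days > max_test_age_days:
        findings.append(f"last verified restore {(today - app.last_restore_test).days} days ago, "
                        f"beyond the assumed {max_test_age_days}-day limit")
    return findings

# Constructed sample portfolio (illustration only, not from the presentation).
SAMPLE_APPS = [
    App("Application X", mtd_h=72, rto_h=24, rpo_h=4, crc_h=72,
        backup_interval_h=24, offsite_interval_h=168, last_restore_test=None),
    App("Payroll", mtd_h=48, rto_h=24, rpo_h=24, crc_h=12,
        backup_interval_h=24, offsite_interval_h=0, last_restore_test=date(2015, 3, 1)),
]
AUDIT_DATE = date(2015, 6, 25)

def audit_sample() -> dict:
    return {a.name: audit_app(a, AUDIT_DATE) for a in SAMPLE_APPS}

if __name__ == "__main__":
    print(audit_sample())
```

Application X reproduces the slide's situation: the business negotiated a 24-hour RTO, IT can only deliver 72, daily backups leave the site weekly, and no restore has ever been proven.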
  16. DRP STRATEGIES MAY NOT ALIGN WITH BCP STRATEGIES
     • Some organizations will stop their planning efforts once restoration of applications, infrastructure and data is complete
     • But forget to consider where ALLLL those business people are going to go work in order to access it!
     • Don't blindly accept the work-at-home strategy: if the infrastructure cannot support multiple remote users, it ain't happening
     • The strategies should consider the dependencies on vendors for technologies, special equipment, etc.
     The DR Hot Site! The BCP Not Site!
  17. IF THE PLANS ARE NOT TESTED... WELL, YOU KNOW WHERE I'M GOING
     • 84% of KPMG's 2011-2012 BCM Survey respondents tested their plans within the last year. GREAT! But be sure to note legit testing took place!
     • Simply opening the binder is not an effective test
     • Tests should range in complexity (e.g., table-top, partial exercises, full scale exercises, etc.)
     • Participants should vary as well; include IT, business units, crisis or incident teams, etc.
     • The tests should be planned in advance (or surprise tests are okay), and should end with an after action review to facilitate improvement
     Failure is OKAY during a test... not so okay when the chairman of the board calls you at 3 a.m.
  18. DURING AN EMERGENCY, THE AVERAGE IQ GOES TO 0
     • Be sure the plan considers an immediate response to a given situation
     • Crisis Management and Incident Response Teams are a crucial component of BCM: they make decisions and allocate resources
     • If management is not integrated in the plan, they will NEVER follow the plan... but that won't stop them from making one up as they go!
     • Again... if the Crisis Management and Incident Response Teams are not tested...
     Crisis Management may be the missing link to most plans
  19. A SIMPLE AUDIT METHODOLOGY
  20. 6 DOMAINS TO CONSIDER FOR AUDIT
     Assess the entity controls that integrate, manage, and sustain a viable BCM throughout the enterprise
     1. Program Management
        • Program Definition: establish the program is formally developed and integrated
        • Support and Accountability: establish the program is supported at the highest level of the org
        • Budget Planning and Program Evaluation: the org is committed to sustaining program viability
     The organization has defined its recovery, restoration, and high availability requirements related to business processes, applications, infrastructure & data
     2. Requ