BUSINESS CONTINUITY MANAGEMENT (BCM) – AN AUDITOR’S PERSPECTIVE
Ron Pelletier, CISSP, CBCP, CISA, QSAVP and Executive Manager
Central Indiana ISACA – June 25, 2015
WHY ARE WE HERE?
“Business continuity is not a project with a beginning and ending date, it is a program to be managed indefinitely.” - Unknown, on Business Continuity Management
Only 31 percent of business continuity management programs have a high level of integration with the organization's strategic planning capabilities.
- KPMG 2013-2014 Global BCM Benchmarking Study
This dropped 3% from the 2012-2013 survey!!
AGENDA
• BCM Overview
• General BCM Audit Considerations
• A Simple Audit Methodology
• Trends and Standards
• Questions
A BUSINESS CONTINUITY MANAGEMENT OVERVIEW
COMMON COMPONENTS OF BCM (general, not all inclusive)
• Business Continuity Planning
• Disaster Recovery Planning
• High Availability
• Risk Management
• Incident Response
• Crisis Management
SIMPLIFIED BCM TERMS
Business Continuity – Planning to sustain business viability.
Disaster Recovery – Planning to sustain supporting technology & data.
Crisis Management – Preserving life safety and business image.
Business Impact Analysis – Establish the organization’s critical path.
Recovery Time Objective – When do the systems/processes need to be restored?
Recovery Point Objective – How much data can you stand to lose?
Maximum Tolerable Downtime – What is the point of unacceptable risk?
Risk Tolerance – Collective picture of risk management and BCM.
High Availability – When downtime of systems/data is not an option.
Minimum Operating Requirements – What do you need, and when, to get by?
TRADITIONAL THINKING ON BCM
Disaster Recovery vs. Business Continuity
[Diagram: Disaster Recovery (DRP) covers the restoration of technology and data; Business Continuity covers people and business process continuity.]
THE INTEGRATED PERSPECTIVE
[Diagram: the program rests on a Defined Tolerance for Risk and is sustained by Program Exercising, Change Management and Maintenance.]
The Risk Analysis Phase
• Current State Assessment
• Threat and Risk Assessment
• Business Impact Analysis
Business Continuity Planning (BCP): BCP Strategies, BCP Documentation
Disaster Recovery Planning (DRP): DRP Strategies, DRP Documentation
CRISIS MANAGEMENT
• Owns Initial and Ongoing Response
• Allocates Emergency Resources
• MAKES DECISIONS AS REQUIRED
• Functions as Steering Committee
UNDERSTANDING RISK TOLERANCE
[Diagram: Business Unit Personnel perform the Business Impact Analysis, which yields the $ and Operational Impacts and the Maximum Tolerable Downtimes (MTDs); the Information Technology Group performs the Current State Assessment, which yields the Current Recovery Capabilities (CRCs); Management Negotiation Based on Risk Tolerance reconciles the two into Recovery Time Objectives (RTOs). The example contrasts Application ‘X’ in 72 Hours with Application ‘X’ in 24 Hours and shows Manual Processing alongside.]
GENERAL BCM AUDIT CONSIDERATIONS
THE POLICY IS YOUR FIRST CLUE…TO WHETHER THE COMPANY HAS A CLUE
• Many auditors go right for the plan, forgetting that a policy, if one exists, might provide useful information
• The policy may provide you with references to other BCM documents, team members, crisis plans, etc.
• The policy may also provide objectives for the plan, the scope, or the rationale for a strategy (e.g., High Availability), etc.
• …Then again, the policy may indicate a large disconnect between management and those tasked with developing and/or executing the plan
Be sure to look for cobwebs!
THE BIGGER THE PLAN…THE BIGGER THE BINDER
• Regulatory frameworks generally do not provide requirements beyond the creation and sustainment of a plan
• The size and thickness of a documented plan DOES NOT reflect its effectiveness
• Large plans can easily be over-engineered and may be discarded in a disaster situation
• The plans should identify roles, responsibilities and immediate action steps (i.e., the critical path)
• The plans should exist or be accessible outside of the physical or logical confines of the facility or domain
If the plan requires a dolly to lug around, it might need some reengineering
THE LACK OF A BIA…CAN RENDER YOUR PLAN KIA
• A plan that is not predicated on some level of precise analysis is not a plan but a guess
• An effective BIA does NOT require a long, drawn-out process that takes months
• According to KPMG’s BCM Survey, 38% of respondents do not know the financial impact of a five-day disruption or outage
• Be wary of sole reliance on survey results…business unit managers may inflate their criticality to align with their MBOs
• The end state of a BIA should draw attention to management’s risk tolerance and critical path
When the plates start to fall, knowing which to catch and which to drop will determine success or failure
AVOID RISK…BECAUSE RISK WILL NOT AVOID YOU
• PREPARE TO AVOID BUT PLAN TO RESPOND!!
• Human, technical, operational and strategic threats MUST be considered to formulate a viable avoidance and/or response posture
• Look for single points of failure that might not have been considered
• Do not discard “Black Swan” events, but don’t put all your focus on them (pandemic flu? Not many actually going in to work)
• According to KPMG’s BCM Survey, only 41% of companies integrate BCM with cyber security
• Be sure to account for environmental and physical controls as part of the organization’s risk management plan, too (see spaghetti)
Uh…would you like some sauce to go with that spaghetti?
DATA BACKUPS…OFTEN FULL OF HICCUPS
• Ensure the backup scheme complements the Recovery Time and Recovery Point Objectives (RTOs & RPOs)
• Tapes are fine, but often they are either not removed from the site or are taken offsite only once per week
• If the backups (tape or disk) are not tested periodically to verify full restoration, the capability to restore is questionable
• It is entirely possible that a replication or high availability strategy encompasses too much and does not justify its expense
Tapes kept onsite? Soooo…what happens if the data center burns down?
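The consistency checks behind this slide and the risk tolerance diagram (MTD, RTO, RPO, current recovery capability, offsite rotation, restore testing) as a worked audit helper. This is an added example, not the presentation’s own material; the application figures, field names and the 365-day restore-test threshold are constructed assumptions.

```python
# Added example: audit a backup scheme against MTD / RTO / RPO (constructed data).
from dataclasses import dataclass
from math import inf

@dataclass
class Requirements:
    app: str
    mtd_hours: float   # Maximum Tolerable Downtime, from the BIA
    rto_hours: float   # Recovery Time Objective, negotiated by management
    rpo_hours: float   # Recovery Point Objective: tolerable data loss

@dataclass
class BackupScheme:
    backup_interval_hours: float   # how often a restorable copy is taken
    offsite_interval_hours: float  # how often copies leave the site (inf = never)
    measured_restore_hours: float  # Current Recovery Capability from the last restore test
    restore_test_age_days: int     # days since full restoration was last verified

def audit_backup_scheme(req, scheme, max_test_age_days=365):
    """Return the findings an auditor would raise; an empty list means aligned."""
    f = []
    if req.rto_hours > req.mtd_hours:
        f.append(f"{req.app}: RTO {req.rto_hours}h exceeds MTD {req.mtd_hours}h")
    if scheme.measured_restore_hours > req.rto_hours:
        f.append(f"{req.app}: measured restore of {scheme.measured_restore_hours}h "
                 f"cannot meet RTO {req.rto_hours}h")
    if scheme.backup_interval_hours > req.rpo_hours:
        f.append(f"{req.app}: backups every {scheme.backup_interval_hours}h exceed "
                 f"RPO {req.rpo_hours}h")
    # Site-loss scenario (the data center burns down): only offsite copies survive,
    # so the data actually lost is up to one offsite rotation, not one backup interval.
    if scheme.offsite_interval_hours > req.rpo_hours:
        f.append(f"{req.app}: site loss would lose up to {scheme.offsite_interval_hours}h "
                 f"of data against RPO {req.rpo_hours}h")
    if scheme.restore_test_age_days > max_test_age_days:
        f.append(f"{req.app}: full restore last verified {scheme.restore_test_age_days} "
                 f"days ago; the capability to restore is unproven")
    return f

# Constructed scenarios (assumptions, not real client data): Application X has an
# MTD of 72h, a negotiated RTO of 24h and an RPO of 4h.
APP_X = Requirements("Application X", mtd_hours=72, rto_hours=24, rpo_hours=4)
WEEKLY_TAPES = BackupScheme(backup_interval_hours=24, offsite_interval_hours=168,
                            measured_restore_hours=36, restore_test_age_days=400)
TAPES_KEPT_ONSITE = BackupScheme(24, inf, 36, 400)
REPLICATED = BackupScheme(backup_interval_hours=1, offsite_interval_hours=1,
                          measured_restore_hours=8, restore_test_age_days=30)

if __name__ == "__main__":
    for label, scheme in [("weekly tapes", WEEKLY_TAPES), ("replicated", REPLICATED)]:
        print(label, audit_backup_scheme(APP_X, scheme) or ["no findings"])
```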
DRP STRATEGIES…MAY NOT ALIGN WITH BCP STRATEGIES
• Some organizations will stop their planning efforts once restoration of applications, infrastructure and data are complete
• …But forget to consider where ALLLL those business people are going to go work in order to access it!
• Don’t blindly accept the “work at home” strategy…if the infrastructure cannot support multiple remote users it ain’t happening
• The strategies should consider the dependencies on vendors for technologies, special equipment, etc.
The DR Hot Site!
The BCP Not Site!
IF THE PLANS ARE NOT TESTED…WELL, YOU KNOW WHERE I’M GOING
• 84% of KPMG’s 2011-2012 BCM Survey respondents tested their plans within the last year – GREAT!
• …But be sure to verify that legitimate testing took place! Simply opening the binder is not an effective test
• Tests should range in complexity (e.g., table-top, partial exercises, full scale exercises, etc.)
• Participants should vary as well, and include IT, business units, crisis or incident teams, etc.
• The tests should be planned in advance (or surprise tests are okay), and should end with an after action review to facilitate improvement
Failure is OKAY during a test…not so okay when the chairman of the board calls you at 3 a.m.
DURING AN EMERGENCY…THE AVERAGE IQ GOES TO “0”
• Be sure the plan considers an immediate response to a given situation
• Crisis Management and Incident Response Teams are a crucial component of BCM: they make decisions and allocate resources
• If management is not integrated in the plan, they will NEVER follow the plan…but that won’t stop them from making one up as they go!
• Again…if the Crisis Management and Incident Response Teams are not tested…
Crisis Management may be the missing link in most plans
A SIMPLE AUDIT METHODOLOGY
6 DOMAINS TO CONSIDER FOR AUDIT
1. Program Management
Assess the entity controls that integrate, manage, and sustain a viable BCM program throughout the enterprise
• Program Definition – Establish that the program is formally developed and integrated
• Support and Accountability – Establish that the program is supported at the highest level of the org
• Budget Planning and Program Evaluation – Establish that the org is committed to sustaining program viability
2. Requirements Definition
The organization has defined its recovery, restoration, and high availability requirements related to business processes, applications, infrastructure & data
• Risk Analysis and Treatment – Establish that the org has analyzed its risk posture and reasonably reduced risk
• The BIA Methodology – Establish that the org maintains a formal method to define impacts and prioritize criticality
• Data Flows and Dependencies – Establish that dependencies (internal/external) are documented
• Analysis and Reporting – Establish that BIA results are aggregated, prioritized, and approved
3. Strategy Selection
Assess the organization’s method for developing continuity and availability strategies within its maximum tolerable downtime.
• Staff and Support Requirements – Establish that strategies are developed based on defined requirements
• Course of Action Analysis – Establish that the cost to maintain strategies is in line with risk tolerance
• Monitor, Evaluate for Change – Establish that strategies are periodically evaluated for change
6 DOMAINS TO CONSIDER FOR AUDIT (continued)
4. Plan Development
Assess the sufficiency, completeness, applicability, and implementation of the organization’s documented BCP/DRP plans.
• Plan Components & Framework – Establish that plans are documented and align with requirements
• Supporting, Storing Plans – Establish that plans are accessible and assigned to process owners
• Plan Updates – Establish that plans change as processes, technologies and people change
5. Vendor Management
Assess the organization’s method for vendor selection and oversight relevant to the BCM program.
• Vendor Contracting – Establish that vendors are screened and will meet contractual requirements
• Critical Vendor Dependencies – Establish that critical dependencies are known and accounted for
• Vendor Integration, Testing – Establish that vendors occasionally participate in tests/exercises
6. Implementation, Maintenance
Assess the organization’s capability to test and maintain the viability of its BCM program.
• Testing and Validation – Establish that plans are validated through scheduled, ongoing testing
• Change Management – Establish that changes required to BCM are formalized
• Workforce Awareness – Establish that workforce members are aware of the BCM program
CONSIDER A MATURITY MODEL APPROACH
As of: SEPTEMBER 2012
Client: CLIENT NAME
Affiliate: SUB ORGANIZATION
QUANTIFIED BCM FINDINGS (# of findings per maturity level)

                                            Maturity   Not        Minimally
Scoring                                     Rating     Addressed  Addressed  Emerging  Managed
1   PROGRAM MANAGEMENT                         41%        0          0          5        7
1.1 Program Definition                         25%        0          0          1        2
1.2 Support and Accountability                 45%        0          0          2        3
1.3 Budget Planning and Program Evaluation     54%        0          0          2        2
2   REQUIREMENTS DEFINITION                    46%        0          2         10        4
2.1 Risk Analysis and Treatment                25%        0          1          3        0
2.2 The BIA Methodology                        59%        0          0          0        4
2.3 Data Flows and Dependencies                25%        0          1          3        0
2.4 Analysis and Reporting                     75%        0          0          4        0
3   STRATEGY SELECTION                         61%        0          1          6        4
3.1 Staff and Support Requirements             56%        0          0          3        3
3.2 Course of Action Analysis                  47%        0          1          2        0
3.3 Monitor and Evaluate for Change            80%        0          0          1        1
4   PLAN DEVELOPMENT                           38%        0          0          6        5
4.1 Plan Components and Framework              50%        0          0          4        2
4.2 Supporting and Storing the Plans           40%        0          0          0        2
4.3 Plan Updates                               25%        0          0          2        1
5   VENDOR MANAGEMENT                          30%        0          4          2        3
5.1 Vendor Contracting                         25%        0          0          1        2
5.2 Critical Vendor Dependencies               40%        0          3          0        1
5.3 Vendor Integration and Testing             25%        0          1          1        0
6   PLAN IMPLEMENTATION & MAINTENANCE          67%        0          0          4        7
6.1 Testing and Validation                     75%        0          0          1        3
6.2 Change Management                          50%        0          0          3        0
6.3 Workforce Awareness                        75%        0          0          0        4
    Enterprise BCM Principles (all domains)    47%        0          7         33       30
• Facilitates Scalable Program
• Isolates Highest Risk Areas
• Accounts for areas to sustain
• Incorporates All Findings from the Audit
EMERGING TRENDS IN BCM
• Virtualization helps reduce the overall number of IT assets and improves system uptime…but beware of single points of failure!
• Cloud computing provides a viable outsourcing option for production technologies…but be sure your cloud vendor is capable of meeting your RTOs, RPOs!
• Mobile devices provide a means of portability for documented plans, communications, and rapid response…but be sure phones are secure, encrypt if possible!
• Social networking provides an effective way to broadcast incidents, particularly for crisis management…but be sure that the messages are controlled!
CURRENT AND EMERGING STANDARDS
• Business Continuity Institute - Good Practice Guideline (2010)
• BS 25999 Business Continuity – BSI’s practices guideline
• Disaster Recovery Institute (DRI) – Professional Practices for BCM
• ISO/IEC 22301:2012 – One of the newest, aligned with the ISO27k set of standards
QUESTIONS
Pondurance, 3105 East 98th Street, Suite 120, Indianapolis, IN 46280