
BUSINESS CONTINUITY MANAGEMENT (BCM) – AN AUDITOR’S PERSPECTIVE

Ron Pelletier, CISSP, CBCP, CISA, QSA
VP and Executive Manager

Central Indiana ISACA – June 25, 2015

BUSINESS CONTINUITY MANAGEMENT (BCM) – AN AUDITOR’S PERSPECTIVE | PONDURANCE 2

WHY ARE WE HERE?

“Business continuity is not a project with a beginning and ending date, it is a program to be managed indefinitely.” - Unknown, on Business Continuity Management

Only 31 percent of business continuity management programs have a high level of integration with the organization's strategic planning capabilities.

- KPMG 2013-2014 Global BCM Benchmarking Study

This dropped 3% from the 2012-2013 survey!!


AGENDA

• BCM Overview

• General BCM Audit Considerations

• A Simple Audit Methodology

• Trends and Standards

• Questions


A BUSINESS CONTINUITY MANAGEMENT OVERVIEW


COMMON COMPONENTS OF BCM

BCM

Business Continuity Planning

Disaster Recovery Planning

High Availability

Risk Management

Incident Response

Crisis Management

(general, not all inclusive)


SIMPLIFIED BCM TERMS

Business Continuity – Planning to sustain business viability.

Disaster Recovery – Planning to sustain supporting technology & data.

Crisis Management – Preserving life safety and business image.

Business Impact Analysis – Establish the organization’s critical path.

Recovery Time Objective – When do the systems/processes need to be restored?

Recovery Point Objective – How much data can you stand to lose?

Maximum Tolerable Downtime – At what point does the outage become unacceptable risk?

Risk Tolerance – The collective picture of how much risk management will accept; it ties risk management and BCM together.

High Availability – When downtime of systems/data is not an option.

Minimum Operating Requirements – What do you need, and when, to get by?


TRADITIONAL THINKING ON BCM

Disaster Recovery vs. Business Continuity

(Diagram) Disaster Recovery (DRP): restore technology and data. Business Continuity: people and business processes. In the traditional view the DRP boxes sit apart from business continuity rather than inside one program.


THE INTEGRATED PERSPECTIVE

(Diagram)

The Risk Analysis Phase: Current State Assessment; Threat and Risk Assessment; Business Impact Analysis

→ Defined Tolerance for Risk

→ Disaster Recovery Planning (DRP): DRP Strategies, DRP Documentation

→ Business Continuity Planning (BCP): BCP Strategies, BCP Documentation

Wrapped around all of it: Program Exercising, Change Management, Maintenance

CRISIS MANAGEMENT
• Owns Initial and Ongoing Response
• Allocates Emergency Resources
• MAKES DECISIONS AS REQUIRED
• Functions as Steering Committee


UNDERSTANDING RISK TOLERANCE

(Diagram)

• Business Unit Personnel → Business Impact Analysis → Maximum Tolerable Downtimes (MTDs)

• Information Technology Group → Current State Assessment → Current Recovery Capabilities (CRCs)

• Management Negotiation Based on Risk Tolerance → Recovery Time Objectives (RTOs)

Example: Application ‘X’ in 72 hours vs. Application ‘X’ in 24 hours. Management negotiates the RTO between the two on the basis of $ and operational impacts, including what manual processing costs while the application is down.


GENERAL BCM AUDIT CONSIDERATIONS


THE POLICY IS YOUR FIRST CLUE…TO WHETHER THE COMPANY HAS A CLUE

• Many auditors go right for the plan, forgetting that a policy might provide useful information, if a policy exists

• The policy may provide you with references to other BCM documents, team members, crisis plans, etc.

• The policy may also provide objectives for the plan, scope or rationale for strategy (e.g., High Availability), etc.

• …Then again, the policy may indicate a large disconnect between management and those tasked with developing and/or executing the plan

Be sure to look for cobwebs!


THE BIGGER THE PLAN…THE BIGGER THE BINDER

• Regulatory frameworks generally do not provide requirements beyond the creation and sustainment of a plan

• The size and thickness of a documented plan DOES NOT reflect its effectiveness

• Large plans can easily be over-engineered and may be discarded in a disaster situation

• The plans should identify roles, responsibilities and immediate action steps (i.e., the critical path)

• The plans should exist or be accessible outside of the physical or logical confines of the facility or domain

If the plan requires a dolly to lug around, it might need some reengineering


THE LACK OF A BIA…CAN RENDER YOUR PLAN KIA

• A plan that is not predicated on some level of precise analysis is not a plan but a guess

• An effective BIA does NOT require a long, drawn out process that can take months

• According to KPMG’s BCM Survey, 38% of respondents do not know the financial impact of a five-day disruption or outage

• Be wary of sole reliance on survey results…business unit managers may inflate their criticality to align with their MBOs

• The end state of a BIA should draw attention to management’s risk tolerance and critical path

When the plates start to fall, knowing which to catch and which to drop will determine success or failure


AVOID RISK…BECAUSE RISK WILL NOT AVOID YOU

• PREPARE TO AVOID BUT PLAN TO RESPOND!!

• Human, technical, operational and strategic threats MUST be considered to formulate a viable avoidance and/or response posture

• Look for single points of failure that might not have been considered

• Do not discard “Black Swan” events, but don’t put all your focus on them (pandemic flu? Not many actually going in to work)

• According to KPMG’s BCM Survey, only 41% of companies integrate BCM with cyber security

• Be sure to account for environmental and physical controls as part of the organization’s risk management plan, too (see the cabling spaghetti in the photo)

Uh…would you like some sauce to go with that spaghetti?


DATA BACKUPS…OFTEN FULL OF HICCUPS

• Ensure the backup scheme complements the Recovery Time and Recovery Point Objectives (RTOs & RPOs)

• Tapes are fine, but often they are either not removed from the site or are taken offsite only once per week

• If the backups (tape or disk) are not tested periodically to verify full restoration, the capability to restore is questionable

• It is entirely possible that a replication or high availability strategy encompasses too much and does not justify its expense

Tapes kept onsite? Soooo…what happens if the data center burns down?


DRP STRATEGIES…MAY NOT ALIGN WITH BCP STRATEGIES

• Some organizations will stop their planning efforts once restoration of applications, infrastructure and data are complete

• …But forget to consider where ALLLL those business people are going to go work in order to access it!

• Don’t blindly accept the “work at home” strategy…if the infrastructure cannot support multiple remote users it ain’t happening

• The strategies should consider the dependencies on vendors for either technologies, special equipment, etc.

The DR Hot Site! The BCP Not Site!


IF THE PLANS ARE NOT TESTED…WELL, YOU KNOW WHERE I’M GOING

• 84% of KPMG’s 2011-2012 BCM Survey respondents tested their plans within the last year – GREAT!

• …But be sure to verify that legitimate testing took place! Simply opening the binder is not an effective test

• Tests should range in complexity (e.g., table-top, partial exercises, full scale exercises, etc.)

• Participants should vary as well, include IT, business units, crisis or incident teams, etc.

• The tests should be planned in advance (or surprise tests are okay), and should end with an after action review to facilitate improvement

Failure is OKAY during a test…not so okay when the chairman of the board calls you at 3 a.m.


DURING AN EMERGENCY…THE AVERAGE IQ GOES TO “0”

• Be sure the plan considers an immediate response to a given situation

• Crisis Management and Incident Response Teams are a crucial component of BCM: they make the decisions and allocate the resources

• If management is not integrated in the plan, they will NEVER follow the plan…but that won’t stop them from making one up as they go!

• Again…if the Crisis Management and Incident Response Teams are not tested…

Crisis Management may be the missing link in most plans


A SIMPLE AUDIT METHODOLOGY


6 DOMAINS TO CONSIDER FOR AUDIT

1. Program Management

Assess the entity controls that integrate, manage, and sustain a viable BCM program throughout the enterprise.

• Program Definition – Establish that the program is formally developed and integrated

• Support and Accountability – Establish that the program is supported at the highest level of the organization

• Budget Planning and Program Evaluation – Establish that the organization is committed to sustaining program viability

2. Requirements Definition

Assess whether the organization has defined its recovery, restoration, and high availability requirements for business processes, applications, infrastructure and data.

• Risk Analysis and Treatment – Establish that the organization has analyzed its risk posture and reasonably reduced risk

• The BIA Methodology – Establish that the organization maintains a formal method to define impacts and prioritize criticality

• Data Flows and Dependencies – Establish that dependencies (internal/external) are documented

• Analysis and Reporting – Establish that BIA results are aggregated, prioritized, and approved

3. Strategy Selection

Assess the organization’s method for developing continuity and availability strategies within its maximum tolerable downtime.

• Staff and Support Requirements – Establish that strategies are developed based on defined requirements

• Course of Action Analysis – Establish that the cost to maintain strategies is in line with risk tolerance

• Monitor, Evaluate for Change – Establish that strategies are periodically evaluated for change


6 DOMAINS TO CONSIDER FOR AUDIT

4. Plan Development

Assess the sufficiency, completeness, applicability, and implementation of the organization’s documented BCP/DRP plans.

• Plan Components & Framework – Establish that plans are documented and align with requirements

• Supporting, Storing Plans – Establish that plans are accessible and assigned to process owners

• Plan Updates – Establish that plans change as processes, technologies and people change

5. Vendor Management

Assess the organization’s method for vendor selection and oversight relevant to the BCM program.

• Vendor Contracting – Establish that vendors are screened and will meet contractual requirements

• Critical Vendor Dependencies – Establish that critical dependencies are known and accounted for

• Vendor Integration, Testing – Establish that vendors occasionally participate in tests/exercises

6. Implementation, Maintenance

Assess the organization’s capability to test and maintain the viability of its BCM program.

• Testing and Validation – Establish that plans are proven valid through scheduled, ongoing testing

• Change Management – Establish that changes required to BCM are formalized

• Workforce Awareness – Establish that workforce members are aware of the BCM program


CONSIDER A MATURITY MODEL APPROACH

As of: SEPTEMBER 2012
Client: CLIENT NAME
Affiliate: SUB ORGANIZATION

QUANTIFIED BCM FINDINGS (# of findings per maturity level)

Scoring                                          Maturity  Not        Minimally  Emerging  Managed
                                                 Rating    Addressed  Addressed
1    PROGRAM MANAGEMENT                          41%       0          0          5         7
1.1  Program Definition                          25%       0          0          1         2
1.2  Support and Accountability                  45%       0          0          2         3
1.3  Budget Planning and Program Evaluation      54%       0          0          2         2
2    REQUIREMENTS DEFINITION                     46%       0          2          10        4
2.1  Risk Analysis and Treatment                 25%       0          1          3         0
2.2  The BIA Methodology                         59%       0          0          0         4
2.3  Data Flows and Dependencies                 25%       0          1          3         0
2.4  Analysis and Reporting                      75%       0          0          4         0
3    STRATEGY SELECTION                          61%       0          1          6         4
3.1  Staff and Support Requirements              56%       0          0          3         3
3.2  Course of Action Analysis                   47%       0          1          2         0
3.3  Monitor and Evaluate for Change             80%       0          0          1         1
4    PLAN DEVELOPMENT                            38%       0          0          6         5
4.1  Plan Components and Framework               50%       0          0          4         2
4.2  Supporting and Storing the Plans            40%       0          0          0         2
4.3  Plan Updates                                25%       0          0          2         1
5    VENDOR MANAGEMENT                           30%       0          4          2         3
5.1  Vendor Contracting                          25%       0          0          1         2
5.2  Critical Vendor Dependencies                40%       0          3          0         1
5.3  Vendor Integration and Testing              25%       0          1          1         0
6    PLAN IMPLEMENTATION & MAINTENANCE           67%       0          0          4         7
6.1  Testing and Validation                      75%       0          0          1         3
6.2  Change Management                           50%       0          0          3         0
6.3  Workforce Awareness                         75%       0          0          0         4
     Enterprise BCM Principles (overall)         47%       0          7          33        30

Each domain row’s finding counts are the sums of its sub-domain rows, and the overall row sums the domains. The maturity rating is assessed separately and is not a simple function of the counts (2.2 and 6.3 both carry four “Managed” findings yet rate 59% and 75%).

• Facilitates Scalable Program

• Isolates Highest Risk Areas

• Accounts for areas to sustain

• Incorporates All Findings from the Audit


TRENDS & STANDARDS


EMERGING TRENDS IN BCM

• Virtualization helps reduce the number of overall IT assets and improves system uptime…but beware of single points of failure (one host or one storage array now carries many systems)!

• Cloud computing provides a viable outsourcing option for production technologies…but be sure your cloud vendor is capable of meeting your RTOs, RPOs!

• Mobile devices provide a means of portability for documented plans, communications, and rapid response…but be sure phones are secure, encrypt if possible!

• Social networking provides an effective way to broadcast incidents, particularly for crisis management…but be sure that the messages are controlled!


CURRENT AND EMERGING STANDARDS

• Business Continuity Institute - Good Practice Guideline (2010)

• BS 25999 Business Continuity – BSI’s practices guideline (withdrawn in 2012 when ISO 22301 superseded it)

• Disaster Recovery Institute (DRI) – Professional Practices for BCM

• ISO 22301:2012 – One of the newest, built on the same management-system structure as the ISO 27k set of standards

BUSINESS CONTINUITY MANAGEMENT (BCM) – AN AUDITOR’S PERSPECTIVE

Ron Pelletier, CISSP, CBCP, CISA, QSA
VP and Executive Manager

QUESTIONS

[email protected]

Pondurance
3105 East 98th Street, Suite 120
Indianapolis, IN 46280