Transcript
Page 1: Business Continuity. Business continuity... “Drive thy business or it will drive thee.” —Benjamin Franklin (1706-1790), American entrepreneur, statesman,

Business Continuity

Page 2: Business Continuity. Business continuity... “Drive thy business or it will drive thee.” —Benjamin Franklin (1706-1790), American entrepreneur, statesman,

Business continuity...Business continuity...

“Drive thy business or it will drive thee.”—Benjamin Franklin (1706-1790), American entrepreneur, statesman, scientist and philosopher“It is your business when the wall next door catches fire.”—Horatius (65-8 BC), Roman poet

Page 3: Business Continuity. Business continuity... “Drive thy business or it will drive thee.” —Benjamin Franklin (1706-1790), American entrepreneur, statesman,

What is a Disaster?

Any unplanned event that requires immediate redeployment of limited reso

urces

Any unplanned event that requires immediate redeployment of limited reso

urces

Natural Forces• Fire• Environmental Hazar

ds• Flood / Water Damag

e• Extreme Weather

Technical Failure• Power Outage• Equipment Failure• Network Failure• Software Failure

Human Interference• Criminal Act• Human Error• Loss of Users• Explosions

Sample Disasters

Page 4: Business Continuity. Business continuity... “Drive thy business or it will drive thee.” —Benjamin Franklin (1706-1790), American entrepreneur, statesman,

What is a Disaster Recovery Plan?

A management document for how and when to utilize resources needed to maintain selected functions when disrupted by agreed upon incidents

A management document for how and when to utilize resources needed to maintain selected functions when disrupted by agreed upon incidents

Page 5: Business Continuity. Business continuity... “Drive thy business or it will drive thee.” —Benjamin Franklin (1706-1790), American entrepreneur, statesman,

business continuity plan: business continuity plan: documented procedures that guide organizations documented procedures that guide organizations to respond, recover, resume, and restore to a pre-definedto respond, recover, resume, and restore to a pre-defined level of level of operation following disruptionoperation following disruption

disaster recovery plan: disaster recovery plan: clearly defined and documented plan which clearly defined and documented plan which recovers ICT capabilities when a disruption occursrecovers ICT capabilities when a disruption occurs

business impact analysis (BIA): business impact analysis (BIA): process of analysing business functions process of analysing business functions and the effect that a business disruption might have upon themand the effect that a business disruption might have upon them

Page 6: Business Continuity. Business continuity... “Drive thy business or it will drive thee.” —Benjamin Franklin (1706-1790), American entrepreneur, statesman,

The Auditor’s Role in ReviewingThe Auditor’s Role in ReviewingBusiness Business Continuity Planning, Continuity Planning, Ravi MuthukrishnanRavi Muthukrishnan

– While a BCP refers to the activities required to keep theWhile a BCP refers to the activities required to keep the organisation organisation running running during a period of displacement orduring a period of displacement or interruption of normal interruption of normal operation,operation, a disaster recovery plan a disaster recovery plan (DRP) is the process of rebuilding the (DRP) is the process of rebuilding the operations oroperations or infrastructure after the infrastructure after the disaster has passed.disaster has passed.

– A DRP is a key component of a BCP, and refers to theA DRP is a key component of a BCP, and refers to the technological technological aspect of a BCPaspect of a BCP—the advanced planning and—the advanced planning and preparations necessary to preparations necessary to minimise loss and ensure continuityminimise loss and ensure continuity of critical business functions in the of critical business functions in the event of a disaster. event of a disaster. A DRPA DRP comprises consistent actions to be undertaken comprises consistent actions to be undertaken prior to, duringprior to, during and subsequent to a disaster.and subsequent to a disaster.

Page 7: Business Continuity. Business continuity... “Drive thy business or it will drive thee.” —Benjamin Franklin (1706-1790), American entrepreneur, statesman,

– Terms and definitionsTerms and definitions

maximum tolerable period of disruption: maximum tolerable period of disruption: duration after which an duration after which an organization’s viability will be irrevocably threatened if product and organization’s viability will be irrevocably threatened if product and service delivery cannot be resumed service delivery cannot be resumed

recovery time objective: recovery time objective: period of time within which minimum levels of period of time within which minimum levels of services and/or products and the supporting systems,services and/or products and the supporting systems, applications, or applications, or functions must be recovered after a disruption has occurredfunctions must be recovered after a disruption has occurred

recovery point objectiverecovery point objective: : point in time to which data must be recovered point in time to which data must be recovered after a disruption has occurredafter a disruption has occurred

Page 8: Business Continuity. Business continuity... “Drive thy business or it will drive thee.” —Benjamin Franklin (1706-1790), American entrepreneur, statesman,

Avoidance Strategy

• Redundant configuration to avoid incidents

• Site harden facilities to resist incidents

• Redundant utilities and hardware

• Automated operation recovery plan

Mitigation Strategy

• Early warning detection• Contractual agreement

s with vendors• Mirrored data and docu

ments• Detailed migration reco

very plan

Recovery Strategy

• High level recovery plan

• Off-site data storage• Very responsive vend

or relationships• Very knowledgeable e

mployees

Types of Strategy Options

• Hot site• Cold site• Self Backup• Service Bureau• Reciprocal Agreement

Types of Strategies

Page 9: Business Continuity. Business continuity... “Drive thy business or it will drive thee.” —Benjamin Franklin (1706-1790), American entrepreneur, statesman,

Timing Requirements• Minutes• Hours• Days• Weeks• Quarters• Special Situations

Criteria for a Critical Business Function

Cost of Impact $

Impact

Cost

Cost of Control $

Cost of Control vs. Impact

Page 10: Business Continuity. Business continuity... “Drive thy business or it will drive thee.” —Benjamin Franklin (1706-1790), American entrepreneur, statesman,

Replication

Failover

Site Migration

Wide Area ClusteringWide Area Clustering

Page 11: Business Continuity. Business continuity... “Drive thy business or it will drive thee.” —Benjamin Franklin (1706-1790), American entrepreneur, statesman,
Page 12: Business Continuity. Business continuity... “Drive thy business or it will drive thee.” —Benjamin Franklin (1706-1790), American entrepreneur, statesman,

Audit Program/ICQAudit Program/ICQGet Preliminary Information

Procedure Step: Policies

Details/Test:

Determine and obtain copies of all applicable policies for disaster recovery and business continuity, if any.

Procedure Step: Get Applicable Documentation

Details/Test:Obtain a copy of the organization's disaster recovery plan.Obtain a list of implementation team members list.Obtain a current copy of the organization chart.Obtain current inventory list. Obtain a copy of agreements relating to use of backup facilities. 

Procedure Step:Control Questionnaire

Objective:To verify that the disaster recovery plan is adequate to insure resumption of computer systems in a timely manner during adverse circumstances, is in line with the current business continuation plan, and reflects the current business operating environment.

Page 13: Business Continuity. Business continuity... “Drive thy business or it will drive thee.” —Benjamin Franklin (1706-1790), American entrepreneur, statesman,

Details/Test:Is there a disaster recovery plan? If a plan exists, when was it last updated?What are your procedures for updating the plan?Who is responsible for administration or coordination of the plan?Is the plan administrator/coordinator responsible for keeping the plan up-to-date?Is there a disaster recovery implementation team (i.e., the first response team members who will react to the emergency with immediate action steps)?Where is the disaster recovery plan stored? (Verify that key team members have copies of the plan at home as well as at the office).Where are the implementation team contacts list stored? (Suggest each key team member should have contact names and addresses of all other key team members both on his person and at home, as well as in the office - contact numbers should include home and mobile as well as office number) Where is the backup facility site? Are there alternate sites? (Be suspicious of loose arrangements with local businesses!)What is your schedule for testing and training on the plan?When was the last drill performed? (Consider the adequacy of the test - a “desk test” is unlikely to reveal many potential problems)Did the drill include use of the backup facilities? If not, when were the backup facilities last used? If over 1 year, how has the organization determined that its programs can still run on the backup equipment?What was the outcome of the drill? How did it improve preparedness?What critical systems are covered by the plan? Does the plan clearly indicate priorities for system restoration, based on risk to the business in particular? Does the plan allow for the restoration within pre-determined “business critical” time frames? (I.e. If certain systems are down for longer than a predetermined time, restoration after this time may be useless if the business has already gone under.)

Page 14: Business Continuity. Business continuity... “Drive thy business or it will drive thee.” —Benjamin Franklin (1706-1790), American entrepreneur, statesman,

Details/Test (continued):

 Does the plan indicate the operational requirements for each of the systems?What systems are not covered by the plan?

Why not?What equipment is not covered by the plan?Why not?

Does the plan operate under any assumptions?

What are they?

What are the procedures for activation of the plan?

Are inventories as they relate to your critical systems kept (including LAN servers and communication devices)? (Critically, are the procedures and practices for keeping them up to date sufficient?)If inventories are kept, where are they stored?Are there formal procedures that specify backup procedures and responsibilities?

What functions/systems/components are covered under such procedures?What training has been given to personnel in using backup equipment and established procedures?

Where is the off-site storage site?Are the responsibilities for each team documented?Are the restoration procedures documented? Does the documentation for each system to be recovered indicate the process flow and as well as the equipment that will be recovered? (i.e. for an application that makes use of desktop equipment for dataentry and client server equipment for storage this should all be documented along with the software that will be required. 


Recommended