Guidelines:
• Get the message across – don't get the readers lost in details and terminology.
• Apply the KISS principle!
• Provide a concise Executive Summary.
• Start with non-technical content.
• Start with fewer details and gradually add details.
• Protect the information.
• Protect yourself (auditors).

Outline:
1. Executive Summary
   The BC Program is assigned the following Recoverability Confidence Rating: "Pass-pending improvements" with a High confidence value.
2. Introduction
   a. Reasons for Audit
3. Scope
4. Approach
5. Audit Statement
   a. Pass-Fail (PF) Rating
   b. Compliance statement
   c. Quality statements
      i. Strengths
      ii. Weakness
      iii. High level recommendations for improvements

PF Rating table (PF Rating | Confidence Value | Rating Factor):
• Fail | VL or L | There is no assurance that most (if not all) of the critical business operations can maintain continuity during a disaster.
• Pass-Pending (improvements) | M, H, or VH | There is an assurance that most of the critical business operations can maintain continuity during a disaster.
• Pass | M | There is an assurance that all of the critical business operations can maintain continuity during a disaster with Medium Confidence Level.
• Pass with High Confidence | H or VH | There is an assurance that all of the critical business operations can maintain continuity during a disaster with High or Very High Confidence Level.

The BC Program is assigned the following Recoverability Confidence Rating: Pass-pending improvements with a High confidence value. The overall rating of the BC Program is Average, and the controls are in compliance with current industry guidelines with respect to the program's current maturity level. We find that there is evidence of consistent progress since the initial inception of the BC program. We also find that there are adequate support and controls in place to allow improvements in the overall program. The audit has discovered risk areas and weaknesses in several key quality-related aspects of the program. The risks and weaknesses are primarily related to these areas:
• Program commitment
• Interim BC Plan
• BC Program Management Document
• Risk Management
• Personnel
• Salvage and Restoration
• IT Systems Recovery Strategy
• Offsite Data Storage
• Work-around Procedures
• Critical Record Storage
• BC Plan Document
• BC Plan testing
• Recovery site change monitoring
• Risk Controls

We strongly recommend developing a plan as part of the BC program to address these areas in order to improve the overall program quality. The audit finds the following to be the main areas of program strength:
• Management Buy-In
• IT recovery strategy
• IT recovery testing
• Business Impact Assessment
• SLAs and contract management

6. Audit Progress
   a. Compared to previous audit.

7. Program Management: Main Categories

Risk Rating scale: High = 7-10; Medium = 4-6; Low = 2-3
Assessment Rating scale: High = 7-10; Medium = 4-6; Low = 2-3

Program Phase: Program Initiation
  Assessment Rating: 5 - Average
  Risk Rating: Medium
  Risk Concern Area: Program commitment; Budget
  Concerns:
  • BC coordinator is assigned part-time to BC responsibilities. This can compromise the effectiveness and success of the BC program.
  • BC budget is a part of the IT budget. The BC program needs a separate budget and should not simply be part of the IT budget.
  • Lacks a detailed budget spending plan. Based on the current and future BC program requirements, the BC budget needs to be between $500K and $800K, not including personnel cost.

Program Phase: Program Planning
  Assessment Rating: 3 - Weak
  Risk Rating: Low
  Risk Concern Area: Interim BC Plan; BC Program Management Document
  Concerns:
  • Program is currently relying on an interim plan.
  • Project plan is well structured but a complete program document is missing.

Program Phase: Functional Requirement
  Assessment Rating: 5 - Average
  Risk Rating: High
  Risk Concern Area: Risk Management; Personnel; Salvage and Restoration
  Concerns:
  • There are major weaknesses in the risk approach and the identification of threats.
  • BC program is weak in the evaluation of detailed personnel requirements.
  • There are no salvage and restoration requirements documented.

Program Phase: Design and Development
  Assessment Rating: 4.2 Average
  Risk Rating: Low
  Risk Concern Area: IT Systems Recovery Strategy; Offsite Data Storage; Work-around Procedures
  Concerns:
  • Overall design is aligned with the requirements but there are still some gaps and room for improvement.
  • RPO requirements are unknown for Billing Systems; data integrity testing procedures are not documented; lacks a strategy for remote backup during the recovery period.
  • Most critical business areas have work-arounds documented, but with inconsistent format and partial information.

Program Phase: Implementation
  Assessment Rating: 4.5 Average
  Risk Rating: High
  Risk Concern Area: Critical Record Storage; BC Plan Document
  Concerns:
  • There is no internal record storage facility or program.
  • BC Plan document is unstructured and missing key elements.

Program Phase: Testing
  Assessment Rating: 5.2 Average
  Risk Rating: High
  Risk Concern Area: BC Plan testing
  Concern:
  • Missing testing of key business area recovery capability.

Program Phase: Maintenance
  Assessment Rating: 3.9 Average
  Risk Rating: Medium
  Risk Concern Area: Recovery site change monitoring; Risk Controls
  Concerns:
  • Lacks proactive change management at the recovery site.
  • Lacks periodic risk assessments.

Program Phase: Execution
  Assessment Rating: NA

   a. Areas of Strength
   b. Recommendation

8. Program Management: Subcategories
This section provides the results of the audit from a Program Lifecycle perspective. Our audit examined the BC program lifecycle at seven different stages:
a. Program Initiation
b. Program Planning
c. Program Functional Requirements
d. Design and Development
e. Program Implementation
f. Plan Testing
g. Program Maintenance

Each of these stages was assessed in terms of its main aspects (Program Stage Categories). The ratings, indicating our assessment, are given to a stage or a category as follows:
1. Weak – value of 0 to 3
2. Average – value of 4 to 6
3. Strong – value of 7 to 10

a. Program Initiation
This phase involves the first step in starting the BC program. Our audit reviewed the roots of the program to determine whether there is adequate management buy-in, whether the program has been evaluated properly, whether a formal commitment has been given by senior management, and whether there is sufficient support for allocating BC funding.
Program Initiation subcategories (Subcategory | Rating | Assessment Comments/Suggestions | Recommendation):

Management Buy-In
  Rating: 6.4 Average
  Comments: This area is well managed considering the age of the BC program. A steering committee will help to improve management buy-in.

Program Evaluation
  Rating: 5.3 Average
  Recommendations:
  1. Define clear program objectives. Objectives should be stated in both general and specific terms.
  2. The Board needs to be actively involved in the BC program evaluation process at a high level.

Program Commitment
  Rating: 2.9 Weak
  Comments:
  1. BC coordinator is assigned part-time to BC responsibilities. This can compromise the effectiveness and success of the BC program. (Risk Area)
  2. Roles and responsibilities for the steering committee are not yet defined.
  3. BC Program is not part of corporate strategy.
  4. Program lacks a formal BC policy and policy communication.
  Recommendations:
  1. Assign full-time BC responsibility to the BC coordinator.
  2. Define clear roles and responsibilities for the Steering Committee.
  3. Include the BC Program as part of Corporate Strategic Objectives.
  4. Create a BC policy statement.
  5. Utilize corporate communications to communicate the BC policy.

Budget
  Rating: 4.75 Average
  Comments: BC budget is a part of the IT budget. (Risk Area) The BC program needs a separate budget and should not simply be part of the IT budget.

Program Initiation Phase Overall
  Rating: 4.83 Average
  Comments: Management Buy-In is high.

b. BC Program Planning
In this phase, plans for the rest of the phases are developed. Our audit reviewed the planning and organization of BC program management. In particular, we examined aspects related to the BC program management document, program structure, program approval process, and a detailed budget for the BC program.

Program Planning subcategories (Subcategory | Rating | Comments/Suggestions | Recommendation):

Interim (Temporary) BC Plan
  Rating: 4.25 Average
  Comments: Having an interim plan is helpful until a long-term plan is developed. The interim plan needs to be reviewed carefully if a long delay is expected in the completion of the long-term plan. We suggest in particular assessing the ability to support recovery for more than two or three days through the interim plan. (Risk Area)

BC Program Management Document
  Rating: 4.4 Average
  Comments:
  1. Project plan is well structured but a complete program document is missing; the project plan is part of the BC plan. (Risk Area)
  2. Industry-specific BC requirements have not been researched.
  3. No written program assumptions.
  4. No evidence of program risks in the BC plan or program document.
  Recommendations:
  1. Create a BC program document which is separate from the BC plan.
  2. Research industry-specific BC requirements.
  3. State all key assumptions in the program document.
  4. Assess and document key program risks and mitigation steps.

Program Structure
  Rating: 3.0 Weak
  Comments: The primary reason for weakness in program structure is the part-time roles assigned to the BC coordinator and immediate team members. The secondary reason is that roles and responsibilities of individual team members are not well defined. The overall program structure is expected to improve with the establishment of a BC Steering Committee as planned.
  Recommendations:
  1. The BC coordinator and her immediate team members should have full-time dedicated positions.
  2. Establishment of a Steering Committee (SC) must become a high priority.

Approval Process
  Rating: 5.2 Average
  Comments: The approval process is reasonable given the current maturity level, and efforts are being made to improve it.

Overall
  Rating: 3 Weak
  Comments: Program structure is weak due to part-time roles assigned to the BC coordinator and immediate team members. (Risk Area)

c. BC Functional Requirements
In this phase, the detailed requirements that the BC program must satisfy are established. Our audit reviewed the requirements defined for standards and regulations, risk management, the BIA, offsite data storage, the alternate work area, the crisis management center, personnel, critical records, SLAs and contracts, external coordination, training and awareness, salvage and restoration, insurance, BC tools, and the assembly location.

Functional Requirements subcategories (Subcategory | Rating | Comments/Suggestions | Recommendation):

Detailed requirements related to standards, rules, and regulations
  Rating: 4.3 Average
  Comments:
  1. Documents indicate requirements referencing the DRII guideline and the BS17799 standard.
  2. There hasn't been any effort to find out industry-specific requirements other than SOX.
  Recommendation: Recommend inclusion of NFPA 1600 standards as part of the detailed requirements.

Risk Management
  Rating: 3.6 Weak
  Comments:
  1. Risk assessment was not conducted by a qualified risk management professional. (Risk Area)
  2. There are many threats that have not been accounted for in the assessment. For example, flood and pandemic are not part of the assessment. (Risk Area)
  3. Analysis is based only on a qualitative approach.
  4. Secondary power generator is located on the ground level, which may be exposed to flooding.
  5. Senior level management has not been involved in the risk assessment and approval process.
  Recommendations:
  1. Obtain qualified expert assistance to review and conduct threat and risk assessments.
  2. Involve senior management in the risk assessment process.
  3. Protect the secondary power generator from potential flooding – if it is assessed as a threat.

BIA
  Rating: 8.7 Strong
  Comments: BIA was conducted by qualified BIA experts. It is comprehensive and based on a sound approach.

Offsite Data Storage
  Rating: 5.5 Average
  Comments: Backup timing requirements are known, but there are weaknesses in capturing the detailed requirement assessment. For example, some users still use CDs to store data on their PCs; we did not see this on the list of data backup requirements from IT. Safe handling and storage requirements and data security requirements are also not captured in sufficient detail.
  Recommendation: Assess detailed data requirements.

Alternate Work Area
  Rating: 6 Average
  Comments: Work area requirements are good in general, with the exception of space and non-IT requirements for the long-term alternate work area.
  Recommendation: Gather detailed space and non-IT requirements for the alternate work area.

Crisis Management Center (CMC)
  Rating: 2.4 Weak
  Comments: The Emergency Response (ER) team has not yet assessed the specific BC response requirements. There is an assumption that the current design of the EOC will be sufficient to include BC response activities.
  Recommendation: Assess BC-related CMT requirements and determine whether the current EOC design is sufficient.

Personnel
  Rating: 1.8 Weak
  Comments: BC program is weak in the evaluation of detailed personnel requirements such as contractor agreements, temporary staff, detailed skill requirements, recovery-time pay requirements, union and labor requirements, and personnel insurance coverage. (Risk Area)
  Recommendation: Evaluate detailed personnel requirements.

Critical Records
  Rating: 5.5 Average
  Comments: Critical record requirements are in place with the exception of electronic records. No requirements have been analyzed for a document management system. Business units have complete responsibility for critical record recovery.
  Recommendations:
  1. Assess electronic record recovery requirements.
  2. Assign someone with central responsibility for coordinating critical record continuity.
  3. Assess document management system tool requirements.

SLA and Contract Requirements
  Rating: 7.4 Strong
  Comments: The SLA and contracts area is assessed as strong.
  Recommendation: As an additional improvement, we recommend including worst-case non-compliance clauses in all SLAs and contract agreements.

External Coordination
  Rating: 4.75 Average
  Comments: External coordination requirements need to improve.
  Recommendations:
  1. Assess requirements for a closer integration of BC with ERP to improve external coordination.
  2. Assess requirements to improve coordination with the landlord and building management, the insurance company, and the data backup provider.

Training and Awareness
  Rating: 6.5 Strong
  Comments: Training requirements have been documented, but only for BC teams.
  Recommendation: Document requirements for personnel outside of BC teams.

Salvage & Restoration
  Rating: 0 Weak
  Comments: There are no salvage and restoration requirements documented. (Risk Area)
  Recommendation: Evaluate and document salvage and restoration requirements.

Insurance Requirements
  Rating: 3.5 Weak
  Comments: The insurance requirement area is weak.
  Recommendations:
  1. Review the insurance policy for comprehensive disaster coverage.
  2. Integrate the insurance purchase process with the BC program.
  3. Determine the insurance claim process.

BC Tools
  Rating: 5 Average
  Comments: Tools are currently under evaluation.
  Recommendation: Assess requirements for tool support staff.

Assembly Location
  Rating: 2.75 Weak
  Comments: Assembly location requirements have not been assessed thoroughly for BC team members.
  Recommendations:
  1. Assess detailed assembly site capacity requirements for BC teams.
  2. Assess detailed travel and accessibility requirements for BC teams.
  3. Assess requirements for a tertiary assembly location.

Overall
  Rating: 4.83 Average
  Comments: Risk management is weak but the BIA has a high rating. There are no salvage and restoration requirements documented. (Risk Area)

d. BC Design and Development

Design and Development subcategories (Subcategory | Rating | Comments/Suggestions | Recommendation):

Risk Controls
  Rating: 3.0 Weak
  Comments: Problems in this stage are due to weaknesses in the previous functional requirement process. Not all control options have been analyzed, and residual risks have not been examined.
  Recommendation: Initiate a risk assessment and management project with the help of a risk management expert and full management support.

IT Systems Recovery Strategy
  Rating: 5.3 Average
  Comments: Overall design is aligned with the requirements, but there are still some gaps and room for improvement. (Risk Area) Example: generic applications such as email are not part of the recovery strategy. Drop-ship of the billing system server may not be a reliable strategy; the ability of people to get to the recovery site on time needs additional assessment.
  Recommendations:
  1. Assess requirements for email and other generic applications.
  2. Assess the ability of people to get to the recovery site on time.
  3. Align the drop-ship strategy with RTO requirements.

Alternate IT Recovery Site
  Rating: 6.85 Strong
  Comments: The recovery site is with a vendor who is both reputable and reliable. It is located outside of the regional risk area. Information security is a concern because the servers and work areas are shared with other clients. There is no guarantee of access at the time of a disaster; service is provided on a first-come-first-served basis.
  Recommendations:
  1. Implement information security measures for the recovery site.
  2. Consider use of a tertiary recovery site to deal with potential lack of access to the secondary site.
  3. Review the BC plan of the recovery site vendor.

Tertiary Recovery Site
  Rating: 0 Weak
  Comments: None exists.
  Recommendation: Consider the Canadian site as a possible tertiary recovery site to deal with potential lack of access to the secondary site.

Offsite Data Storage
  Rating: 3 Weak
  Comments: RPO requirements are unknown for Billing Systems; data integrity testing procedures are not documented; lacks a strategy for remote backup during the recovery period. (Risk Area)
  Recommendations:
  1. Assess RPO requirements for the Billing System.
  2. Assess and document data integrity test procedures.
  3. Design a data backup strategy for the recovery period.

Critical Record Storage
  Rating: 4.6 Average
  Comments: There is no internal records management group or facility besides the remote storage facility.
  Recommendation: Design and develop an internal critical document/record management group and facility in addition to the remote storage site.

Alternate Work Area
  Rating: 4.7 Average
  Comments: An interim site exists. There are plans to acquire a long-term alternate work area with the same IT recovery site vendor.
  Recommendations:
  1. Expedite design and development of the alternate work site.
  2. Consider the Canadian site as a possible tertiary work area recovery site.

Crisis Management Center (CMC)
  Rating: 6 Average
  Comments: The EOC will be used as the CMC. The 1st location is a leased site 30 miles away from HQ. Alternate location is a hotel meeting room to be
  Recommendation: See recommendations in the requirements stage.

Assembly Location
  Rating: 6 Average
  Comments: No major concerns, except that it has not been evaluated for BC-related use.
  Recommendation: Evaluate the design of the assembly location to determine whether it meets BC requirements.

Data Communication Services
  Rating: 5.83 Strong
  Comments: The design overall meets the continuity requirements but needs some additional improvements. For example, carrier links to the data center go through the same conduit through the single entry to the building. (Risk Area)
  Recommendation: Review the data links for improved redundancy and single points of failure. Include this review as part of the risk assessment project.

Voice Communication
  Rating: 6.6 Strong
  Comments: The design overall meets the continuity requirements but needs some additional improvements.
  Recommendation: Review the design to provide additional redundancy by combining voice communication mediums.

Work-around Procedures
  Rating: 3.6 Weak
  Comments: Most critical business areas have work-arounds documented, but with inconsistent format and partial information. (Risk Area)
  Recommendation: Ensure work-around procedures for all critical areas are complete and documented using a consistent and complete format.

Training and Awareness
  Rating: 5.2 Average
  Comments: There are no major weaknesses in this area, but there is room for improvement.
  Recommendations: Assign training and awareness responsibility to a staff member. Review the current training and awareness design for additional improvements.

Salvage and Restoration
  Rating: 0 Weak
  Comments: Functional requirements have not been initiated yet. See comments in the Functional Requirements table.
  Recommendation: The design and development for salvage and restoration must be based on the functional requirements once they are completed.

Overall
  Rating: 4.2 Average

e. BC Program Implementation
In this phase, the designed recovery capabilities are put in place. Our audit reviewed the implementation status of risk controls, IT recovery systems and sites, offsite data and critical record storage, the alternate work area, the crisis management center, the assembly location, data and voice communication services, training and awareness, BC tools, salvage and restoration, personnel, SLAs and contracts, and the BC plan document.

Program Implementation subcategories (Subcategory | Rating | General Assessment / Comments | Recommendation):

Risk Controls
  Rating: 3.0 Weak
  Comments: Risk controls are not implemented due to weakness in the risk assessment phase.

IT Recovery Systems
  Rating: 6.0 Average
  Comments: Most systems are in place, and plans are in place to acquire the rest. Email system recovery capability is not in place.

Alternate IT Recovery Site
  Rating: 9.0 Strong
  Comments: The IT recovery site is in the final stages of complete implementation.

Tertiary Recovery Site
  Rating: 0 Weak
  Comments: None exists.

Offsite Data Storage
  Rating: 5 Average
  Comments: The backup site is currently in use. Backup frequency needs adjustments.

Critical Record Storage
  Rating: 2.0 Weak
  Comments: Implemented for document records only. It is remote storage only. There is no internal storage process or system.
  Recommendations: Design and develop an internal critical document/record management group and facility in addition to the remote storage site. Implement internal record storage systems and processes.

Alternate Work Area
  Rating: 4.0 Average
  Comments: An interim site exists. There are plans to acquire a long-term alternate work area with the same IT recovery site vendor.
  Recommendation: Expedite implementation of the alternate work site.

Crisis Management Center (CMC)
  Rating: 7 Strong
  Comments: The EOC will be used as the CMC. The 1st location is a leased site 30 miles away from HQ. The alternate location is a hotel meeting room.
  Recommendation: See recommendations in the requirements stage.

Assembly Location
  Rating: 7 Average
  Comments: The assembly location is in place.

Data Communication Services
  Rating: 8.0 Strong
  Comments: Data communication services for recovery are in place.

Voice Communication
  Rating: 8.0 Strong
  Comments: Voice communication service for disaster recovery is in place.

Training and Awareness
  Rating: 2.0 Weak
  Comments: The training and awareness program is partially implemented. There are no major weaknesses in this area, but there is room for improvement.
  Recommendation: Expedite initiation of the training and awareness program.

BC Tools
  Rating: 2.0 Weak
  Recommendation: Expedite tool evaluation to begin tool usage and deployment.

Salvage and Restoration
  Rating: 0 Weak
  Comments: Salvage and restoration is not yet included in the BCP. See comments in the Functional Requirements table. (Risk Area)
  Recommendation: Expedite the salvage and restoration requirement assessment to begin its implementation.

Personnel
  Rating: 4.0 Average
  Comments: Most of the required personnel are hired, except for two key positions reporting to the BC coordinator.
  Recommendation: Expedite hiring of staff to fill the two key positions.

SLA and Contracts
  Rating: 7.0 Strong
  Comments: Most of the key SLAs have been implemented, and the rest are under review.

BC Plan Document
  Rating: 3.0 Weak
  Comments: The plan document is missing key sections. Most parts of the document are incomplete.
  Recommendation: Redesign the BC plan document and address incomplete areas.

Overall

f. Plan Testing
g. Program Maintenance

9. Business Unit Confidence Assessment
   a. Confidence Level by business units
   b. Areas of strength
   c. Areas of weakness
   d. Recommendations

Confidence Scale: 1 to 10.
1 – 2: Very Low (VL)
3 – 4: Low (L)
5 – 6: Medium (M)
7 – 8: High (H)
9 – 10: Very High (VH)

Business Unit Confidence table (columns: Business Department | Business Function | Business Process | Systems Not Tested | Work-Arounds | IT Strategy | Records Strategy | Recovery Team | Recovery Tasks | Recovery Tested | All)

Rows (Department / Function: Processes):
• Sales Order Management / Customer Service: New Account Management; Manage Customer Problems; Handle Product Returns; Overall
• Sales Order Management / Order Processing: Receive Orders; Process Orders; Fulfill Orders; Overall
• Sales and Marketing / Sales: Manage Sales Contracts; Sell Product; Develop Sales Plan; Overall
• Sales and Marketing / Marketing: Provide Sales Lead; Overall
• Sales and Marketing / Product Pricing: Establish Wholesale Product Price; Adjust Product Pricing; Establish Online and Retail Product Pricing; Overall
• Distribution / Packaging: Package Products; Order Packaging Supplies; Overall
• Distribution / Shipping: Create Shipping Labels; Attach Invoice; Urgent Delivery; Normal Delivery; Scan Package; Overall
• All Departments: All = 6.5

Column values for the first thirteen rows (Customer Service, Order Processing, Sales, and Provide Sales Lead, in row order, groups separated by "|"):
IT Strategy:     9 9 9 9 | 6 6 6 6 | 4 4 4 4 | 7
Records Strategy: 4 3 4 3 | 4 4 3 3 | 7 7 7 7 | 4
Recovery Team:   9 9 9 9 | 9 9 9 9 | 9 9 9 9 | 9
Recovery Tasks:  7 7 7 7 | 7 7 7 7 | 7 7 7 7 | 7
Recovery Tested: 9 9 9 9 | 9 1 1 1 | 2 2 2 2 | 9

Other extracted values, in page order (column and row alignment not preserved in the extraction):
Systems Not Tested: IMS IMS 1 SITS SITS 1 8; 8 IMS IMS 1
Work-Arounds: 0 2 3; 6 6 6 9 7 7 7.6 8
All: 9; 4.5 6; 7.2; 4.7; 5.4; 7.4; 7.6; 5.4; 7; 8 8; 7.6
Product Pricing block: 8 8 8 8 | 8 5 5 5 | 7 7 7 7 | 4 8 8 8 | 9 9 9 9 | 7 7 7 7 | 9 9 9 9
Packaging and Shipping block: 5 5 5 5 8 8 8 8 | 7 8 8 8 6 7 5 5 7 6 | 8 7 7 7 8 8 8 8 8 8 | 9 9 9 9 9 9 9 9 9 9 | 7 7 7 7 7 7 7 7 7 7 | 9 1 1 1 8 8 8 8 8 8

10. BC Process Assessment (per plan)
    a. Risk Management
    b. BIA
    c. BC Strategy
    d. BC Plan Development
    e. BC Plan Testing
    f. BC Plan Maintenance
11. Summary of Recommendations
12. BC Program Standards and Guidelines for Audit
13. Information Sources
14. Audit Information Confidentiality Directives
15. Legal clause to protect auditor
16. Appendices
