Scribd Logo
Upload

Welcome to Scribd!

  • BCP Risk Control PDF

    Uploaded by

    Mudassar Patel
    317 views7 pages

    Original Title

    BCP-Risk-Control.pdf

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    317 views7 pages

    BCP Risk Control PDF

    Uploaded by

    Mudassar Patel

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 7

    Module 7

    Appendix 2: RCM and audit guidelines for DRP and BRP


    The risk control matrix (RCM) can be used by IS Auditors for identifying the relevant risks,
    implemented controls and steps to audit specific areas. This is a sample risk control matrix which
    can be adapted as required. The list of risks provides the key areas which are generally
    applicable for organisations. The relevant controls mitigate the risks.

    Risk Control Audit Guidelines/Procedure


    Non Existence of a The organisation should • Identification and
    Disaster take steps in formulating a prioritization of the activities
    Recovery/Business Business Continuity Policy. which are essential to
    resumption Plan / The policy should contain continue functioning.
    improper planning details regarding the • The plan is based upon a
    methodologies used to methodologies used in business impact analysis that
    create a DR/BCP could formulating a DRP/BCP. considers the impact of the
    lead to a failure in Periodic. loss of essential functions.
    resumption of critical • Operations managers and
    business function. key employees participated in
    the development of the plan.
    • The plan identifies the
    resources that will likely be
    needed for recovery and the
    location of their availability.
    • The plan is simple and
    easily understood so that it
    will be effective when it is
    needed.
    • The plan is realistic in its
    assumptions.
    Insufficient Backup Processes should include •Determine if information
    processes could lead to periodic backup of data backup procedures are
    data not being backed up which also involves storing sufficient to allow for recovery
    correctly and restoration data of the software those of critical data.
    of data would not be are dependent to render •Determine if copies of the
    possible. Backups without the files. Backups should plan are safeguarded by off-
    data pertaining to the be followed periodically site storage.
    software environment and in the manner •Review information backup
    would lead to data being prescribed in the Business procedures in general. The
    restored but not possible Continuity Policy and availability of backup data
    to render such retrieved signoffs should be could be critical in minimizing
    data due to lack of obtained along with the time needed for recovery.
    software.

    1
    Section 3

    notification from the • Determine if the disaster


    backup utility. recovery/ business
    resumption plan covers
    procedures for disaster
    declaration, general
    shutdown and migration of
    operations to the backup
    facility.
    Insufficient testing of the Testing and revisions •Determine if a test plan
    BCP could lead to should be a part of the exists and to what extent the
    difficulties at the time of Policy. Test Plans drafted disaster recovery/business
    actual disaster. should be executed and resumption plan has been
    reports regarding the tests tested.
    should be maintained. • Determine if a testing
    schedule exists and is
    adequate (at least annually).
    Verify the date of the last
    test. Determine if
    weaknesses identified in the
    last tests were corrected.
    Lack of Required The required resources •Determine if resources have
    Resources those are should be procured and been made available to
    essential to execute a preserved. The resources maintain the disaster
    DRP/BCP will lead to a needs to be reviewed recovery/business
    failed execution. periodically and changed resumption plan and keep it
    as there could be wear and current.
    tear due to efflux of time. •Have resources been
    The required resources allocated to prevent the
    should be in accordance to disaster recovery/ business
    the BCP/DRP. resumption plan from
    becoming outdated and
    ineffective?
    BCP/DRP without correct BCP/DRP which has been •Obtain and review the
    review of the existing made for the organisation existing disaster recovery/
    plans, Business Impact should be relevant and business resumption plan.
    Analysis and Risk adequate to the size and •Obtain and review plans for
    Assessment would lead to nature of the organisation. disaster recovery/ business
    the formulation of a weak Sufficient Risk Assessment resumption testing and/or
    and ineffective Plan. and Business Impact documentation of actual tests
    Analysis should be •Obtain and review the
    performed and existing business impact
    documented while analysis.
    Module 7

    revising/formulating a •Gather background


    BCP/DRP. information to provide criteria
    and guidance in the
    preparation and evaluation of
    disaster recovery/ business
    resumption plans.
    •Gain an understanding of
    the methodology used to
    develop the existing business
    impact analysis.
    •Determine if
    recommendations made by
    the external firm who
    produced the business
    impact analysis have been
    implemented or otherwise
    addressed.
    Irregular revision of the Timely revision of the •Determine if the plan is
    BCP/DRP would lead to an BCP/DRP should be dated each time that it is
    outdated plan being carried out. Correct revised so that the most
    executed and would be versioning of the plans current version will be used if
    ineffective thus leading to should be present and the needed.
    losses and closure of the plans of the older versions •Determine if the plan has
    organisation. should be archived and been updated within past 12
    kept away from the latest months.
    version.
    Employees and other Employees should be •Interview functional area
    personnel who are given periodic briefing managers or key employees
    ignorant of the plans about the BCP/DRP. Roles to determine their
    would lead to lack of co- and Responsibilities of understanding of
    ordination, chaos and each employee should be The disaster recovery/
    confusion during allotted for smooth business resumption plan. Do
    execution of the BCP/DRP. execution of BCP. they have a clear
    Relevant documents understanding of their role in
    should be made available working towards the
    and kept at strategic areas resumption of normal
    of the organisation. operations?
    •Determine all the locations
    where the disaster recovery/
    business resumption plan is
    stored. Are there a variety of
    locations to ensure that the

    3
    Section 3

    plan will survive disasters


    and will be available to those
    that need them?
    Loss of life to the Employees should be • Have key employees seen
    employee is a very serious given a first preference the plan and are all
    matter and loss if any is a while planning the employees aware that there
    seriously bad for the DRP/BCP. Loss of material is such plan? ii) Have
    image of the company can be tolerable but loss of employees been told their
    life should be avoided. specific roles and
    responsibilities if the disaster
    recovery/ business
    resumption plan is put into
    effect?
    • Does the disaster recovery/
    business resumption plan
    include contact information of
    key employees, especially
    after working hours?
    • Does the disaster recovery/
    business resumption plan
    include provisions for people
    with special needs?
    • Does the disaster recovery/
    business resumption plan
    have a provision for
    replacement staff when
    necessary?
    Buildings, electricity, As feasible by the • Does the disaster recovery/
    telecommunications, organisation, adequate business resumption plan
    storage facilities, water measures like having an have a provision for having a
    and other infrastructure if alternative site fully building engineer inspect the
    not well provisioned will equipped should be made building and facilities soon
    be a hindrance during the available. Rent after a disaster so that
    recovery stages. Agreements/leases to the damage can be identified and
    alternative facility should repaired to make the
    be maintained. Adequate premises safe for the return
    transport and of employees as soon as
    telecommunication possible?
    facilities should be • Does the disaster
    available. recovery/business
    resumption plan consider the
    need for alternative shelter, if
    Module 7

    needed? Alternatives in the


    immediate area may be
    affected by the same
    disaster.
    • Review any agreements for
    use of backup facilities.
    • Verify that the backup
    facilities are adequate based
    on projected needs
    (telecommunications, utilities,
    etc.). Will the site be secure?
    • Does the disaster recovery/
    business resumption plan
    consider the failure of
    electrical power, natural gas,
    toxic chemical containers,
    and pipes?
    • Are building safety features
    regularly inspected and
    tested?
    • Does the plan consider the
    disruption of transportation
    systems? This could affect
    the ability of employees to
    report to work or return
    home. It could also affect the
    ability of vendors to provide
    the goods needed in the
    recovery effort.
    Inadequate IT Environment Care should be taken that • Determine if the plan
    at the alternative site could alternative IT Infrastructure reflects the current IT
    lead to late resumption of should be made available environment.
    the Business. at the Alternative site. • Determine if the plan
    Provision for Maintenance includes prioritization of
    of the alternative IT critical applications and
    Infrastructure should be systems.
    present. • Determine if the plan
    includes time requirements
    for recovery/availability of
    each critical system, and that
    they are reasonable.

    5
    Section 3

    • Does the disaster recovery/


    business resumption plan
    include arrangements for
    emergency
    telecommunications?
    • Is there a plan for alternate
    means of data transmission if
    the computer network is
    interrupted? Has the security
    of alternate methods been
    considered?
    Inadequate details about BCP Policy should contain • Does the disaster recovery/
    the administration during details regarding business resumption plan
    the time of crisis will lead administration during cover administrative and
    to execution hindrances. Crisis, Incident management aspects in
    Inadequate Incident Management, essential addition to operations? Is
    Response teams could records to be preserved for there a management plan to
    lead to a higher chaos and future use. BCP Policy maintain operations if the
    lack of coordination. should provide for the building is severely damaged
    protection of critical assets, or if access to the building is
    documents. BCP Policy denied or limited for an
    should provide for the extended period of time?
    correct storage for such • Is there a designated
    documents. emergency operations center
    where incident management
    teams can coordinate
    response and recovery?
    • Have essential records
    been identified? Do we have
    a duplicate set of essential
    records stored in a secure
    location?
    • To facilitate retrieval, are
    essential records separated
    from those that will not be
    needed immediately?
    •Has executive management
    assigned the necessary
    resources for plan
    development, concurred with
    the selection of essential
    activities and priority for
    Module 7

    recovery, agreed to back-up


    arrangements and the costs
    involved, and are prepared to
    authorize activation of the
    plan should the need arise.
    Lack of preservation of Ensure that the BCP Policy • Does the disaster
    key business contacts and provides for preservation recovery/ business
    creation of special of contacts either through resumption plan include the
    reserves could result in an backups and the names and numbers of
    ineffective BCP/DRP management policy has Suppliers of essential
    Execution. provides for creation of equipment and other
    special reserves for material?
    BCP/DRP crisis. •Does the disaster recovery/
    business resumption plan
    include provisions for the
    approval to expend funds that
    were not budgeted for the
    period? Recovery may be
    costly.

    You might also like