Disaster Recovery
szenes.katalin@nik.uni-obuda.hu
Dr. Szenes 1
Disclaimer
Szenes Katalin
Note: the English formulation doesn't always follow the original either.
Business Continuity Planning and
Disaster Recovery
Table of Contents
• purpose and main aspects
• definitions - BCP, disaster, DRP, IT BCP, IT DRP
• tasks of the IS auditor
• example on these tasks: CISA Q no 6-3
• on audit concerns: CISA Q no 6-10
• consequences concerning the acceptance of the risks
• other planning issues
• preliminaries to be settled
• preliminaries / insurance
• emergency management team
• CISA Q no 6-8 notification priorities
• CISA Q no 6-9 organizational unit IT & the BCP
• on the components of the Information Systems Business Continuity Plan
o BCP documents
o Infrastructure types - hot, warm, etc.
o provisions for 3rd party agreements
o on the audit of 3rd party agreements
o infrastructure / telecommunications, networks
o infrastructure / storage
• BCP plan - testing considerations
• rulebook contents
• recovery aspects (RPO, RTO, etc.)
• The IS BCP of the Individual Systems
• DS4 control objectives
• on the COBIT 5 support
• ISACA CRM case study
• references
purpose:
• to enable a business to continue offering critical services in the event of a
disruption and to survive even a disastrous interruption of its activities
• those key operations that are most necessary to the survival of the
organization
• the human/material resources supporting them
Note:
• ?? business continuity plan must be based on the long-range IT plan ??
Disasters
are disruptions that cause critical information resources to be inoperative for a
period of time (e.g., weather, terrorism, disruption in expected services, human
error, etc.)
(this disaster definition and these examples are from the CISA® Review Course transparencies)
Answer: A
• The IS auditor should always be present when disaster recovery plans are
tested to ensure that the test meets the required targets for restoration,
ensure that recovery procedures are effective and efficient, and report on
the results, as appropriate.
• IS auditors may be involved in overseeing plan development, but they are
unlikely to be involved in the actual development process.
• Similarly, an audit of plan maintenance may be conducted, but the IS
auditor normally would not have any responsibility for the actual
maintenance.
• An IS auditor may be asked to comment upon various elements of a
supplier contract, but, again, this is not always the case.
• The most vital assets for a company are data. In a business continuity plan,
it is critical to ensure that data are available. Therefore, regular testing of
the backup of data must be done. If testing is not done, the organization
may not be able to retrieve data when required during a disaster; hence, the
company may lose its most valuable asset and may not be able to recover
from the disaster.
• A loss on account of lack of insurance is limited to the value of assets.
• If the business continuity plan manual is not updated, the company may find
the manual not fully relevant for recovery during a disaster. However,
recovery could be still possible.
• Non-maintenance of records in an access system will not directly impact the
relevance of the business continuity plan.
ISACA:
The alternatives of the elimination of the risks are determined by the
resources that the management wants to spend on the "safety".
→ transparency
the personnel who must react to the interruption/disaster scenarios are those
who are responsible for the most critical resources
→ management and user involvement is vital to the success of the business
continuity plan
• The three major divisions that require involvement in the formulation of the
business continuity plan are
o support services,
o business operations and
o information processing support.
Important:
• The plan should be documented and written in a simple language
understandable to all.
• Copies of the plan should be maintained offsite.
For the BCP, IT BCP, etc., the following other information is to be collected:
• Pre-disaster readiness
• Possible evacuation procedures
• Circumstances under which a disaster should be declared
• Identification of contract information
• Recovery option explanations
• Identification of resources for recovery and continued operation of the
organization
preliminaries to be settled
• The policies that will govern all of the continuity and recovery efforts
• The goals/requirements/products for each phase
• Alternate facilities to perform tasks and operations
• Critical information resources to deploy (e.g., data and systems)
• Persons responsible for completion
• Available resources to aid in deployment (including human)
• The scheduling of activities with priorities established
• Key decision-making personnel
• Backup of required supplies
• Telecommunication networks disaster recovery methods
• Redundant array of inexpensive disks (RAID)
• Insurance
preliminaries / insurance
Most insurance covers only financial losses, based upon the historical level of
performance and not the existing level of performance.
Also, insurance does not compensate for loss of image/goodwill.
• A prioritized list of contacts is most important since it will direct the process
of communication and contact to various entities in order of priority.
• C. Declaring a disaster
• The correct choice is restoring the IT systems and data after a disaster.
The IT department of an organization is primarily responsible for restoring
the IT systems and data after a disaster at the earliest possible time.
ranking:
• Critical
• Vital
• Sensitive
• Non-sensitive
• Vital – These functions can be performed manually, but only for a brief
period of time. There is a higher tolerance to interruption than with critical
systems and, therefore, somewhat lower costs of interruption, provided that
functions are restored within a certain time frame (usually five days or less).
6-1 During an audit of a large bank, the IS auditor observes that no formal
risk assessment exercise has been carried out for the various
business applications to arrive at their relative importance and
recovery time requirements. The risk to which the bank is exposed is
that the:
• business continuity plan may not have been calibrated to the
relative risk that disruption of each application poses to the
organization.
• business continuity plan may not include all relevant
applications and, therefore, may lack completeness in terms of
its coverage.
• business impact of a disaster may not have been accurately
understood by the management.
• business continuity plan may lack an effective ownership by
the business owners of such applications.
6-1 Answer: A
• The first and key step in developing a business
continuity plan is a risk assessment exercise that
analyzes the various risks that an organization faces
and the impact of non-availability of individual
applications.
BCP documents
• Infrastructure Types:
o Mirroring
o Hot, Warm or Cold Site
o Alternative Hardware
o Backup of Required Supplies
o Telecommunication Networks
o Servers, Storage
o Offsite Libraries and Library Controls
o Security and Control of Offsite Facilities
o Media and Documentation Backup
o etc.
infrastructure types
• Mirroring
[parallel processing - special HW or organized]
• Hot Sites – They are fully configured and ready to operate within several
hours. The equipment, network and systems software must be compatible
with the primary installation being backed up. The only additional needs are
staff, programs, data files and documentation.
warm site:
• Cold Sites – These are sites that have only the basic environment (electrical
wiring, air conditioning, flooring, etc.) to operate an information processing
facility (IPF), which reduces the cost.
The cold site is ready to receive equipment but does not offer any
components at the site in advance of the need. Activation of the site may
take several weeks.
(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)
• Usage period—How long is the facility available for use? Is this period
adequate? What technical support will the site operator provide? Is this
adequate?
• Testing—What testing rights are included in the contract? Check with the
insurance company to determine any reduction of premiums that may be
forthcoming due to the backup site availability.
o Alternative routing
o Diverse routing
o Long-haul network diversity
o Protection of the local loop
[wire between the local switch and the end-user customer]
o Voice recovery
o Availability of appropriate circuits and adequate bandwidth
infrastructure / storage
(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)
infrastructure
(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)
Q 6-7
An IS auditor discovers that an organization’s business continuity plan provides
for an alternate processing site that will accommodate 50 percent of the
primary processing capability. Based on this, which of the following actions
should the IS auditor take?
• A - Do nothing, because generally, less than 25 percent of all
processing is critical to an organization’s survival and the backup
capacity, therefore, is adequate.
• B - Identify applications that could be processed at the alternate site
and develop manual procedures to back up other processing.
• C - Ensure that critical applications have been identified and that
the alternate site could process all such applications.
• D - Recommend that the information processing facility arrange for
an alternate processing site with the capacity to handle at least 75
percent of normal processing.
The correct answer is C
One of the purposes of the business continuity test is to determine how well the
plan works or which portions of the plan need improvement.
The test must simulate actual processing conditions.
• The test should be scheduled during a time that will minimize disruptions to
normal operations. Weekends are generally a good time to conduct tests.
• It is important that the key recovery team members be involved in the test
process and allotted the necessary time to put their full effort into it.
• The test should address all critical components and simulate actual
primetime processing conditions, even if it is conducted in off hours.
• Test Execution
• Detailed Plan
• Organization and Assignment of Responsibilities
• Emergency Response Team
• Key Decision-making Personnel
• what will employees do? (CISA® Review Course transparencies were also used here)
o where will employees report to work,
o how will orders be taken while the computer system is being restored,
o who is responsible that
which vendors should be called to provide needed supplies
• Insurance
• Recovery/Continuity Plan Testing:
o Plan and Actual Tests
o Documentation of the Test Results
o Results Analysis
• Recovery/Continuity Plan Maintenance
• Periodic Backup Procedures
• Record Keeping for Offsite Storage
recovery aspects
(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)
For example, if the process can afford to lose up to four hours of data before a
disaster, then the latest available backup should be no more than four hours
older than the disaster or interruption, and the transactions that occurred
during the RPO period and the interruption need to be entered after recovery
(known as catch-up data).
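The four-hour RPO example above, worked through as an added Python sketch (not part of the original slides): it checks a backup schedule against the RPO and lists the catch-up data for one incident. The timestamps, transaction IDs and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

RPO = timedelta(hours=4)  # tolerated data loss, as in the four-hour example

# Constructed sample data (assumption, not from the slides).
DAY = datetime(2024, 3, 1)
BACKUPS = [DAY + timedelta(hours=h) for h in (0, 4, 8, 14, 18)]
TRANSACTIONS = [
    ("T1", DAY + timedelta(hours=7, minutes=30)),
    ("T2", DAY + timedelta(hours=9, minutes=15)),
    ("T3", DAY + timedelta(hours=12, minutes=40)),
    ("T4", DAY + timedelta(hours=13, minutes=5)),
    ("T5", DAY + timedelta(hours=16)),
]


def rpo_gaps(backups, rpo):
    """Pairs of consecutive backups spaced further apart than the RPO.

    A disaster late in such a gap loses more data than the business accepts.
    """
    ordered = sorted(backups)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if b - a > rpo]


def assess(backups, transactions, disaster, recovered, rpo):
    """Restore point, data-loss window and catch-up data for one incident."""
    if recovered < disaster:
        raise ValueError("recovery cannot precede the disaster")
    usable = [b for b in backups if b <= disaster]
    if not usable:
        raise ValueError("no backup exists before the disaster")
    restore_point = max(usable)
    loss_window = disaster - restore_point
    # Entered after the last backup and destroyed by the disaster.
    lost = [t for t, ts in transactions if restore_point < ts <= disaster]
    # Received while the system was down (handled manually in the meantime).
    during = [t for t, ts in transactions if disaster < ts <= recovered]
    return {
        "restore_point": restore_point,
        "loss_window": loss_window,
        "rpo_met": loss_window <= rpo,
        "catch_up": lost + during,  # must be re-entered after recovery
    }


if __name__ == "__main__":
    result = assess(BACKUPS, TRANSACTIONS,
                    disaster=DAY + timedelta(hours=13),
                    recovered=DAY + timedelta(hours=15), rpo=RPO)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("schedule gaps wider than RPO:", rpo_gaps(BACKUPS, RPO))
```

With the constructed schedule, the 08:00 to 14:00 gap is the audit finding: any disaster after 12:00 in that gap loses more than four hours of data.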
relation between RPO / RTO - which recovery strategies would be best with
different RTO and RPO parameters?
• Interruption window—The time the organization can wait from the point of
failure to the critical services/applications restoration. After this time, the
progressive losses caused by the interruption are unaffordable.
• Disaster [problem] tolerance is the time gap within which the business can
accept non-availability of IT facilities. If this time gap is high, recovery
strategies that take a longer time can be used.
Q 6-5
• B. RPO is high.
o 34 IS processes
o 7 IS (evaluation) criteria
o control objectives
o Balanced Scorecard
• in order to
o document,
o test and
o execute
the disaster recovery and IT contingency plans
• Communicate changes in
o procedures and
o responsibilities
clearly and in a timely manner.
• Provide all concerned parties with regular training sessions regarding the
o procedures and
o their roles and
o responsibilities
in case of an incident or disaster.
• Plan the actions to be taken for the period when IT is recovering and
resuming services. This may include
o activation of backup sites,
o initiation of alternative processing,
o customer and stakeholder communication, and
o resumption procedures.
(thorough rewriting)
• Store offsite
o all critical backup media,
o documentation and
o other IT resources
necessary for IT recovery and business continuity plans.
BCP in COBIT 5
- the description of Manage Continuity in the Process Reference Guide
5 Internal and external parties have been trained on the Continuity Plans
• percentage of internal and external stakeholders that have received
training
• percentage of issues identified that have been subsequently addressed in
the training
DSS06.01
• Define Service Continuity policy and scope aligned [to] the enterprise
strategy objectives
DSS06.02
• Maintain a Continuity Strategy
DSS06.03
• Develop and Implement a Business Continuity Response
DSS06.04
• Exercise, test and review the Business Continuity Plan
DSS06.05
• Review, maintain and improve the Continuity Plan
DSS06.06
• Conduct Continuity Plan Training
DSS06.07
• Manage backup arrangements
DSS06.08
• Conduct Post-resumption Review
• Organization revising BCP and DRP for headquarters (750 employees) and
16 branches (each with 20–35 employees and mail and file / print server)
• Current plans not updated in more than 8 years
• Organization has grown by 300%
• Staff connect via LAN to more than 60 applications, databases and print
servers in the corporate data centre
• Staff connect via a frame relay network to the branches
• Traveling users connect over the Internet using VPN
• Critical applications have RTO of 3–5 days
• All users in the headquarters and branches connect to the Internet through
a firewall and proxy server located in the data center
• Branch offices are located between 30 and 50 miles from one another, with
none closer to the headquarters' facility than 25 miles
• Backup media for the data center are stored at a third-party facility 35 miles
away
• Backups for servers located at the branch offices are stored at nearby
branch offices using reciprocal agreements between offices
Q1 On the basis of the above information, which of the following should the
IS auditor recommend concerning the hot site?
Q2 On the basis of the above information, which of the following should the
IS auditor recommend concerning branch office recovery?
• C. Relocate all branch mail and file / print servers to the data
center.