
Business Continuity Planning and

Disaster Recovery


Katalin Szenes Dr., PhD, CISA, CISM, CGEIT, CISSP

szenes.katalin@nik.uni-obuda.hu

University Óbuda- Óbudai Egyetem


Faculty JvN - Neumann János Informatikai Kar
Inst. Applied Informatics -
Alkalmazott Informatikai Intézet

Dr. Szenes 1

Disclaimer

The following represents my opinion on / interpretation of the subject.

Neither ISACA nor ITGI is liable for the following or would be bound in any way
by its contents.

Szenes Katalin

Note: the English formulation doesn't always follow the original either.

My comments inserted in quotations are denoted by [ ].


Table of Contents

• purpose and main aspects
• definitions - BCP, disaster, DRP, IT BCP, IT DRP
• tasks of the IS auditor
• example on these tasks: CISA Q no 6-3
• on audit concerns: CISA Q no 6-10
• consequences concerning the acceptance of the risks
• other planning issues
• preliminaries to be settled
• preliminaries / insurance
• emergency management team
• CISA Q no 6-8 notification priorities
• CISA Q no 6-9 organizational unit IT & the BCP
• on the components of the Information Systems Business Continuity Plan
  o some [development] phases
  o [development] process
  o categories of incidents & incident management
  o BIA & risk management
    - system risk ranking
    - issues in BIA phase
    - questions in BIA phase
    - example on risk aspects CISA Q no 6-1
    - answer: see ISO/IEC 27001, 2, too
  o BCP documents
  o Infrastructure types - hot, warm, etc.
    - provisions for 3rd party agreements
    - on the audit of 3rd party agreements
    - infrastructure / telecommunications, networks
    - infrastructure / storage
• BCP plan - testing considerations
• rulebook contents
• recovery aspects (RPO, RTO, etc.)
• The IS BCP of the Individual Systems
• COBIT 3, 4 support of IS audit and IT security
• the processes of Delivery & Support
• DS4 - Ensure Continuous Service
• DS4 control objectives
• on the COBIT 5 support
• ISACA CRM case study
• references

purpose and main aspects

purpose:
• to enable a business to continue offering critical services in the event of a
disruption and to survive even a disastrous interruption of its activities

the business continuity planning has to take into consideration:

• the market & strategy goals of the corporation →
• the strategic business processes →
• those key operations that are most necessary to the survival of the
organization
• the human/material resources supporting them

Note:
• ?? business continuity plan must be based on the long-range IT plan ??

purpose and main aspects

the business continuity plan includes:

• the disaster recovery plan to recover a facility rendered inoperable,
including relocating operations into a new location
for the recovered "normal" use

• the restoration plan that is used to return operations to normality whether in
a restored or new facility
only after mitigating the effect of the disruption
by restarting the business applications involved

Business Continuity Planning - Definition

The purpose of business continuity planning is
to enable a business to continue operations should any
kind of disturbance arise.

Rigorous planning and commitment of resources are necessary to
adequately plan for such an event. Business continuity planning is
primarily the responsibility of senior management as they are
entrusted with the safeguarding of both the assets and the viability of
the company.

The business continuity planning is to take into consideration:

• those key operations that are most necessary to the survival and
later to the market success of the organization
• the human / material resources supporting them.

Business Continuity Planning - Definition

The second part, the operations part of the
business continuity plan
should address all functions and assets required to continue
as a viable organization and to keep acquiring market success.
The extent of provision for reserve facilities depends on the
cost / effectiveness considerations of the top management.

Disaster Recovery Plan - Definition

Disasters
are disruptions that cause critical information resources to be inoperative for a
period of time, e.g., weather, terrorism, disruption in expected services, human
error, etc.
(this disaster definition & examples are from the CISA® Review Course transparencies)

The business continuity plan includes:

• the disaster recovery plan
that is generally the plan to be followed by the business units to recover a
harmed / demolished facility or business functionality, or an operational facility
and
• the operations plan that is to be followed by the business units
to "get by" while recovery is taking place.

Information Systems Business Continuity Planning
/ Information Systems Disaster Recovery Plan - Definition

Everything is the same as in the case of the
Business Continuity Planning / Disaster Recovery Plan
with the exception that the continuity of the information systems
processing is threatened.

Information systems processing is one operation
of many that keep the organization not only alive but also successful;
thus it is of strategic importance.

Thus the event to be controlled is such a disruption and the objective of
the control measure is to survive an interruption of the
information systems processing.

Information Systems Business Continuity Planning
/ Information Systems Disaster Recovery Plan - Definition

Throughout the planning process of business continuity
the overall plan of the organization should be taken into consideration.
All IS plans must be consistent with and support the corporate
business continuity plan.

This means that especially those information processing systems that
support key operations must have the more elaborate and ready-to-start
reserve processing facilities.

the tasks of the auditor

the tasks of the auditor include:

• Evaluate the adequacy of backup and restore provisions to ensure the
availability of information required to resume processing
• Evaluate the organization's disaster recovery plan to ensure that it enables
the recovery of IT processing capabilities in the event of a disaster
• Evaluate the organization's business continuity plan to ensure the
organization's ability to continue essential business operations during the
period of an IT disruption

./.

the tasks of the auditor

auditors' tasks - cont'd

• Check if the BCP follows corporate strategy
• Evaluate plans for
  o accuracy
  o adequacy
  o effectiveness
  o etc.
• Evaluate offsite storage
• Evaluate ability of IS and user personnel to respond effectively
• Ensure plan maintenance is in place
• Evaluate readability of business continuity manuals and procedures
./.

the tasks of the auditor

auditors' tasks - cont'd

• Check the documents from the viewpoint of
  - Currency
  - Effectiveness
  - Validity: interview personnel for appropriateness and completeness

• Evaluate the BCP quality, e.g.:
  - Determine whether corrective actions are in the plan
  - Evaluate thoroughness and accuracy
  - Determine problem trends and resolution of problems
./.

the tasks of the auditor

auditors' tasks - cont'd

• Evaluate media & documentation handling:
  o what is available,
  o synchronization and
  o currency of media and documentation
• Perform a detailed inventory review
• Review all documentation
  o is it current, is it detailed enough?
  o change management
  o configuration management
  o release management

./.

the tasks of the auditor

auditors' tasks - cont'd

• Evaluate offsite storage facility -
  o if any, and what is there?
  o evaluate the physical and environmental access controls
  o examine the equipment for current inspection and calibration tags
  o etc.

• Key personnel must have an understanding of their responsibilities

./.

the tasks of the auditor

questions for checking:

o Who is responsible for administration or coordination of the plan?
o Is the plan administrator/coordinator responsible for keeping the plan
up-to-date?
o Is there a disaster recovery implementation team (i.e., the first response
team members who will react to the emergency with immediate action
steps)?
o Where is the disaster recovery plan stored?
o What critical systems are covered by the plan?
o What systems are not covered by the plan? Why not?

./.

the tasks of the auditor

questions for checking - cont'd

o What equipment is not covered by the plan? Why not?
o Does the plan operate under any assumptions? What are they?
o Does the plan identify rendezvous points for the disaster management
committee or emergency management team to meet and decide if
business continuity should be initiated?
o Are the documented procedures adequate for successful recovery?
o Does the plan address disasters of varying degrees?
o Are telecommunications backups (both data and voice line backups)
addressed in the plan?
  • and how? - see later: infrastructure / telecommunications

./.

the tasks of the auditor

questions for checking - cont'd

o Is there a backup facility site?
o if not, then what are the plans for the case of disruption?
  and / or: what kind of precautions are made?
  (see later: different types of infrastructures)
o Does the plan address relocation to a new information processing
facility in the event that the original center cannot be restored?
o Does the plan include procedures for
  • merging master file data,
  • automated tape management system data,
  • etc., into pre-disaster files?

the tasks of the auditor - CISA Q no 6-3


(source: CISA® Review Course transparencies, ISACA
Business Continuity and Disaster Recovery)

An IS auditor should be involved in:

• A. observing tests of the disaster recovery plan.
• B. developing the disaster recovery plan.
• C. maintaining the disaster recovery plan.
• D. reviewing the disaster recovery requirements of supplier contracts.

the tasks of the auditor - CISA Q no 6-3


(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

Answer: A

• The IS auditor should always be present when disaster recovery plans are
tested to ensure that the test meets the required targets for restoration,
ensure that recovery procedures are effective and efficient, and report on
the results, as appropriate.
• IS auditors may be involved in overseeing plan development, but they are
unlikely to be involved in the actual development process.
• Similarly, an audit of plan maintenance may be conducted, but the IS
auditor normally would not have any responsibility for the actual
maintenance.
• An IS auditor may be asked to comment upon various elements of a
supplier contract, but, again, this is not always the case.

on audit concerns - CISA Q no 6-10


(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

version 1 - the transparencies

In an audit of a business continuity plan, which of the following findings is of
MOST concern?

• A. There is no insurance for the addition of assets during the year.
• B. The business continuity plan manual is not updated on a regular
basis.
• C. Testing of the backup data has not been done regularly.
• D. Records for maintenance of the access system have not been
maintained.

on audit concerns - CISA Q no 6-10


(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

version 1 - the transparencies

The correct answer is C

• The most vital assets for a company are data. In a business continuity plan,
it is critical to ensure that data are available. Therefore, regular testing of
the backup of data must be done. If testing is not done, the organization
may not be able to retrieve data when required during a disaster; hence, the
company may lose its most valuable asset and may not be able to recover
from the disaster.
• A loss on account of lack of insurance is limited to the value of assets.
• If the business continuity plan manual is not updated, the company may find
the manual not fully relevant for recovery during a disaster. However,
recovery could be still possible.
• Non-maintenance of records in an access system will not directly impact the
relevance of the business continuity plan.

on audit concerns - CISA Q no 6-10


(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

version 2

In an audit of a business continuity plan, which of the following findings is of
MOST concern?

• A. There is no insurance for the addition of assets during the year.
• B. The business continuity plan is not updated on a regular
basis.
• C. Testing of the backup data has not been done regularly.
• D. Records for maintenance of the access system have not been
maintained.

The correct answer is?

Consequences Concerning the Acceptance of the Risks

ISACA:
The alternatives of the elimination of the risks are determined by the
resources that the management wants to spend on the "safety".

The management classifies, according to business importance, the
assets, processes and data,
and the importance of the data processing systems is equal to the importance
of the element they support.

but my risk definition:

./.

on the notion of risk

risk ∝ strategic value of the asset * probability of the threat

goal-related asset risk is such a value, which
• is assigned to a pair of
  o corporate asset, and
  o operational objective

risk (asset, goal) ~ distance (asset, goal)
probability (asset, goal, attack)
vulnerability (asset, goal, effort)

→ transparency

other BCP planning issues

the entire organization needs to be considered for BCP

the personnel have to
• classify critical systems, resources
• determine acceptable recovery times
• react

the personnel who must react to the interruption/disaster scenarios are those
who are responsible for the most critical resources
→ management and user involvement is vital to the success of the business
continuity plan

./.

other BCP planning issues

User management involvement is essential to the identification of critical
systems, their associated critical recovery times and the specification of
needed resources.

• The three major divisions that require involvement in the formulation of the
business continuity plan are
  o support services,
  o business operations and
  o information processing support.

• as the underlying purpose of business continuity planning is the resumption
of business operations, every organizational unit should contribute its
viewpoints and/or help in the development of the BCP, IT BCP, etc., already
in the planning phase

./.

other BCP planning issues

the BCP, IT BCP, etc., are to be based on
• the risk assessment results, and the BIA
• the business goals & strategy
• all issues involved in interruption to business processes,
• including recovering from a disaster

Important:
• The plan should be documented and written in a simple language
understandable to all.
• Copies of the plan should be maintained offsite.

./.

other BCP planning issues

for the BCP, IT BCP, etc., the following additional information is to be collected:

• Pre-disaster readiness
• possible Evacuation procedures
• Circumstances under which a disaster should be declared
• Identification of contract information
• Recovery option explanations
• Identification of resources for recovery and continued operation of the
organization

preliminaries to be settled

for the BCP, IT BCP, etc., the following should be agreed upon:

• The policies that will govern all of the continuity and recovery efforts
• The goals/requirements/products for each phase
• Alternate facilities to perform tasks and operations
• Critical information resources to deploy (e.g., data and systems)
• Persons responsible for completion
• Available resources to aid in deployment (including human)
• The scheduling of activities with priorities established
• Key decision-making personnel
• Backup of required supplies
• Telecommunication networks disaster recovery methods
• Redundant array of inexpensive disks (RAID)
• Insurance ./.

preliminaries / insurance

Most insurance covers only financial losses, based upon the historical level of
performance and not the existing level of performance.
Also, insurance does not compensate for loss of image/goodwill.

The Business Continuity Plan should contain:
• key information about the organization's insurance.
• it should take the corporate physical, logical, market, etc. environment into
consideration
• etc.

IT BCP:
• The information systems processing insurance policy is usually a multi-peril
policy designed to provide various types of IS coverage.
• It should be constructed in modules, so that it can be adapted to
the insured's particular IT architecture and requirements,
• etc.
./.

preliminaries / insurance

(BCP / IT BCP) insurance is to cover, among others:

• actual costs of recovery
• replacement / reconstruction of every kind of equipment and facilities
• IT losses, e.g.
  o IS Media & software & ... reconstruction
• Extra expense
• Business interruption
• Valuable papers and records
• Errors and omissions
• Fidelity coverage
• Media transportation
• etc., other kind of costs of business continuity

emergency management team

The emergency management team coordinates the activities of all other
recovery teams. This team oversees:

• Retrieving critical and vital data from offsite storage
• Installing and testing systems software and applications at the systems
recovery site
• Identifying, purchasing, and installing hardware at the system recovery
site
• Operating from the system recovery site
• Rerouting network communications traffic
./.

emergency management team

emergency management team - cont'd

• Reestablishing the user/system network
• Transporting users to the recovery facility
• Reconstructing databases
• Supplying necessary office goods, i.e., special forms, check stock,
paper
• Arranging and paying for employee relocation expenses at the recovery
facility
• Coordinating systems use and employee work schedules
• etc. !

CISA Q NO 6-8 notification priorities


(source, among others: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

In a business continuity plan, which of the following notification directories is
the MOST important?

• A. Equipment and supply vendors
• B. Insurance company agents
• C. Contract personnel services
• D. A prioritized contact list

CISA Q NO 6-8 notification priorities


(source, among others: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

The correct answer is D

• A prioritized list of contacts is most important since it will direct the process
of communication and contact to various entities in order of priority.

• Choices A, B and C are musts, but not as important as choice D.

CISA Q NO 6-9 organizational unit IT & the BCP


(source, among others: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

Which of the following components of a business continuity plan is PRIMARILY
the responsibility of an organization's IS department?

• A. Developing the business continuity plan
• B. Selecting and approving the strategy for the business continuity plan
• C. Declaring a disaster
• D. Restoring the IS systems and data after a disaster

CISA Q NO 6-9 organizational unit IT & the BCP


(source, among others: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

The correct answer is D

• The correct choice is restoring the IT systems and data after a disaster.
The IT department of an organization is primarily responsible for restoring
the IT systems and data after a disaster at the earliest possible time.

• Members of the organization's senior management are primarily
responsible for developing the business continuity plan for an
organization. Management is also responsible for selecting and
approving the strategy for developing and implementing a detailed
business continuity plan. The organization should identify a person in
management as responsible for declaring a disaster. Although IT is
involved in the three other choices, it is not primarily responsible for
them.

On the Components of the Information Systems Business Continuity Plan


- considerations only !

• [some] phases of development
  o based on business impact analysis
  o creation of a business continuity and disaster recovery policy
  o classification of operations and criticality analysis
  o forming responsible teams and
  o nominating responsible employees and
  o collecting their calling data
  o development of a business continuity plan and disaster recovery
    procedures, and
  o training and awareness program
  o implementation of the plan
  o regular testing and monitoring

On the Components of the Information Systems Business Continuity Plan


- considerations only !

• planning [or rather: development] process

(source: CISA® Review Course transparencies, ISACA)

categories of incidents & incident management

o Negligible incidents are those causing no perceptible or significant
damage, such as very brief operating system (OS) crashes with full
information recovery or momentary power outages with uninterruptible
power supply (UPS) backup.
o Minor events are those that, while not negligible, produce no negative
material (of relative importance) or financial impact.
o Major incidents cause a negative material impact on business
processes and may affect other systems, departments or even outside
clients.
o Crisis is a major incident that can have serious material (of relative
importance) impact on the continued functioning of the business and
may also adversely impact other systems or third parties. The severity
of the impact depends on the industry and circumstances, but is
generally directly proportional to the time elapsed from the inception of
the incident to incident resolution.

categories of incidents & incident management


(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

On the Components of the Information Systems Business Continuity Plan


- considerations only !
BIA and risk management

• CISA CRM: Business Impact Analysis (BIA)

risk management & business continuity plan development:

• risk assessment
includes: system risk ranking

ranking:
• Critical
• Vital
• Sensitive
• Non-sensitive

ranking in details: ./.

On the Components of the Information Systems Business Continuity Plan


- considerations only !
BIA and risk management

system risk ranking:

• Critical – These functions cannot be performed unless they are replaced by
identical capabilities. Critical applications cannot be replaced by manual
methods. Tolerance to interruption is very low; therefore, cost of interruption
is very high.

• Vital – These functions can be performed manually, but only for a brief
period of time. There is a higher tolerance to interruption than with critical
systems and, therefore, somewhat lower costs of interruption, provided that
functions are restored within a certain time frame (usually five days or less).

./.

On the Components of the Information Systems Business Continuity Plan


- considerations only !
BIA and risk management

system risk ranking - cont'd

• Sensitive – These functions can be performed manually, at a tolerable cost
and for an extended period of time. While they can be performed manually,
it usually is a difficult process and requires additional staff to perform.

• Non-sensitive – These functions may be interrupted for an extended period
of time, at little or no cost to the company, and require little or no catching
up when restored.

On the Components of the Information Systems Business Continuity Plan


- considerations only !
BIA and risk management

issues in BIA phase

• consequences on BCP, that is, on:
  o alternatives - see infrastructure types
  o recovery strategies & methods

• risk management cycle

On the Components of the Information Systems Business Continuity Plan


- considerations only !
BIA and risk management

questions in BIA phase

• Which are the different business processes?
• What are the critical information resources related to an organization's
critical business processes?
• What is the critical recovery time period for information resources in which
business processing must be resumed before significant or unacceptable
losses are suffered?

On the Components of the Information Systems Business Continuity Plan


example on the risk aspect - CISA Q
(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

6-1 During an audit of a large bank, the IS auditor observes that no formal
risk assessment exercise has been carried out for the various
business applications to arrive at their relative importance and
recovery time requirements. The risk to which the bank is exposed is
that the:
• business continuity plan may not have been calibrated to the
relative risk that disruption of each application poses to the
organization.
• business continuity plan may not include all relevant
applications and, therefore, may lack completeness in terms of
its coverage.
• business impact of a disaster may not have been accurately
understood by the management.
• business continuity plan may lack an effective ownership by
the business owners of such applications.

On the Components of the Information Systems Business Continuity Plan


example on the risk aspect - CISA Q
(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

6-1 Answer: A
• The first and key step in developing a business
continuity plan is a risk assessment exercise that
analyzes the various risks that an organization faces
and the impact of non-availability of individual
applications.

• ISO: [I refer to 27001,2 ]

On the Components of the Information Systems Business Continuity Plan


example on the risk aspect - CISA Q

ISO reference to 6-1 Answer (ISO 2005)

/1 27002:
Chapter 14: BUSINESS CONTINUITY MANAGEMENT

14.1 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
• 14.1.1 Including information security in the business continuity management
process
• 14.1.2 Business continuity and risk assessment
• 14.1.3 Developing and implementing continuity plans including information
security
• 14.1.4 Business continuity planning framework
• 14.1.5 Testing, maintaining and re-assessing business continuity plans

on the standard, see the references ! to buy: www.mszt.hu !

On the Components of the Information Systems Business Continuity Plan


example on the risk aspect - CISA Q

ISO reference to 6-1 Answer

/2 27001: Annex A - Control Objectives and Control [Measure]s
A.14 Business continuity management

A.14.1 Information security aspects of business continuity management

• Objective: To counteract interruptions to business activities and to protect
critical business processes from the effects of major failures of information
systems or disasters and to ensure their timely resumption.
• see control measures A.14.1.1 - A.14.1.5 !

on the standard, see the references ! to buy: www.mszt.hu !

On the Components of the Information Systems Business Continuity Plan

BCP documents

• Continuity of operations plan
• Disaster recovery plan (DRP)
• Business resumption plan
• Continuity of support plan / IT contingency plan
• Crisis communications plan
• Incident response plan
• Transportation plan
• Occupant emergency plan

On the Components of the Information Systems Business Continuity Plan


- considerations only !

• Infrastructure Types:
  o Mirroring
  o Hot, Warm or Cold Site
  o Alternative Hardware
  o Backup of Required Supplies
  o Telecommunication Networks
  o Servers, Storage
  o Offsite Libraries and Library Controls
  o Security and Control of Offsite Facilities
  o Media and Documentation Backup
  o etc.

details: ./.

infrastructure types

• Mirroring
[ parallel processing - special HW or organized]

• Hot Sites – They are fully configured and ready to operate within several
hours. The equipment, network and systems software must be compatible
with the primary installation being backed up. The only additional needs are
staff, programs, data files and documentation.

another, new definition for hot site:

• The hot site is intended for emergency operations of a limited time period
and not for long-term extended use. Long-term use would impair the
protection of other subscribers.

cont'd with consequences ./.

infrastructure types

consequences of the new definition:

• Therefore, the hot site should be viewed as a means of accomplishing the
continuation of essential operations for a period of up to several weeks
following a disaster or major emergency. Further plans are still necessary to
provide for subsequent operations.

• Several vendors offer warm- or cold-site facilities for a subscriber to migrate
to after recovery of operations has been completed. This will free up the hot
site for use by other subscribers.

the cold site definition also has another version, with subscribers!

infrastructure types

warm site:

• Warm Sites – They are partially configured, usually with network
connections and selected peripheral equipment, such as disk drives, tape
drives and controllers, but without the main computer. Sometimes a warm
site is equipped with a less powerful central processing unit (CPU) than the
one generally used. The assumption behind the warm site concept is that
the computer can usually be obtained quickly for emergency installation
(provided it is a widely used model) and, since the computer is the most
expensive unit, such an arrangement is less costly than a hot site. After the
installation of the needed components, the site can be ready for service
within hours; however, the location and installation of the CPU and other
missing units could take several days or weeks.

infrastructure types

z Cold Sites – These are sites that have only the basic environment (electrical
wiring, air conditioning, flooring, etc.) to operate an IPF reducing the cost.
The cold site is ready to receive equipment but does not offer any
components at the site in advance of the need. Activation of the site may
take several weeks.

z Duplicate (redundant) Information Processing Facility – These are


dedicated, self-developed recovery sites that can backup critical
applications. They can range in form from a standby hot site to a reciprocal
agreement with another company installation.

Dr. Szenes 60

30
Business Continuity Planning and
Disaster Recovery

infrastructure types
(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

• Mobile Sites – This is a specially designed trailer that can be quickly
  transported to a business location or to an alternate site to provide a
  ready-conditioned information processing facility.

• Reciprocal Agreement with other organizations – This is a less frequently
  used method between two or more organizations with similar equipment or
  applications. Under the typical agreement, participants promise to provide
  computer time to each other when an emergency arises.

provisions for 3rd party agreements ./.

infrastructure / provisions for 3rd party agreements
(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

• Configurations – Are the vendor’s hardware and software configurations
  adequate to meet company needs since these will vary over time?
• Disaster – Is the definition of disaster broad enough to meet anticipated
  needs?
• Speed of availability – How soon after a disaster will facilities be available?
• Subscribers per site – Does the agreement limit the number of subscribers
  per site?
• Subscribers per area – Does the agreement limit the number of subscribers
  in a building or area?
• Preference – Who gets preference if there are common or regional
  disasters? Is there backup for the backup facilities? Is use of the facility
  exclusive or does the customer have to share the available space if multiple
  customers simultaneously declare a disaster? Does the vendor have more
  than one facility available for subscriber use?
• Insurance – Is there adequate insurance coverage for company employees
  at the backup site? Will existing insurance reimburse those fees?
• Usage period – How long is the facility available for use? Is this period
  adequate? What technical support will the site operator provide? Is this
  adequate?
• Communications – Are the communications adequate? Are the
  communication connections to the backup site sufficient to permit unlimited
  communication with the alternate site if needed?

infrastructure / provisions for 3rd party agreements - cont'd
(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

• Warranties – What warranties will the vendor make regarding availability of
  the site and the adequacy of the facilities? Are there liability limitations
  (there usually are) and is the company willing to live with them?
• Audit – Is there a right-to-audit clause permitting an audit of the site to
  evaluate the logical, physical and environmental security?
• Testing – What testing rights are included in the contract? Check with the
  insurance company to determine any reduction of premiums that may be
  forthcoming due to the backup site availability.
• Reliability – Can the vendor attest to the reliability of the site(s) being
  offered? Ideally, the vendor should have a UPS, limited subscribers, sound
  technical management, and guarantees of computer hardware and software
  compatibility.

on the audit of 3rd party agreements
(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

• An IS auditor should obtain a copy of the contract with the vendor.
• Ensure that the contract is written clearly and is understandable.
• Reexamine and confirm the organization’s agreement with the rules that
  apply to sites shared with other subscribers.
• Ensure that insurance coverage ties in with and covers all (or most)
  expenses of the disaster.
• Ensure that tests can be performed at the hot site at regular intervals.
• Review and evaluate communications requirements for the backup site.
• Ensure that enforceable source code escrow is reviewed by a lawyer
  specializing in such contracts.
• Determine the limitation recourse tolerance in the event of a breached
  agreement.
• The contract should be reviewed against a number of guidelines:
  - Contract is clear and understandable
  - Organization’s agreement with the rules
  - etc.

infrastructure / telecommunications, networks
(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

• [measures concerning networks include]:
  - Alternative routing
  - Diverse routing
  - Long-haul network diversity
  - Protection of the local loop
    [wire between the local switch and the end-user customer]
  - Voice recovery
  - Availability of appropriate circuits and adequate bandwidth

details: ./.

infrastructure / telecommunications, networks
(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

details on the methods of providing telecommunications continuity:

• Redundancy – Involves providing extra capacity with a plan to use the
  surplus capacity should the normal primary transmission capability not be
  available. In the case of a LAN, a second cable could be installed through
  an alternate route for use in the event the primary cable is damaged.

• Alternative routing – The method of routing information via an alternate
  medium such as copper cable or fiber optics. This involves use of different
  networks, circuits or end points should the normal network be unavailable.

• Diverse routing – The method of routing traffic through split cable facilities or
  duplicate cable facilities. This can be accomplished with different and/or
  duplicate cable sheaths.

• Long haul network diversity – Many recovery facilities vendors have
  provided diverse long-distance network availability utilizing T1 circuits
  among the major long-distance carriers. This ensures long-distance access
  should any one carrier experience a network failure. Several of the major
  carriers have now installed automatic re-routing software and redundant
  lines that provide instantaneous recovery should a break in their lines occur.

  [T1 is what telephone companies have traditionally used to transport
  digitized telephone conversations between central offices]

infrastructure / telecommunications, networks
(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

details on the methods of providing telecommunications continuity - cont'd

• Last mile circuit protection – Many recovery facilities provide a redundant
  combination of local carrier T1s, microwave and/or coaxial cable access to
  the local communications loop. This enables the facility to have access
  during a local carrier communication disaster. Alternate local carrier routing
  is also utilized.

• Voice recovery – With many service, financial and retail industries
  dependent on voice communication, redundant cabling and alternative
  routing should be provided for voice communication lines as well as data
  communication lines.

infrastructure / storage
(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

Redundant array of inexpensive disks (RAID)

• Provide performance improvements and fault tolerant capabilities via
  hardware or software solutions
• Provide the potential for cost-effective mirroring offsite for data back-up

infrastructure
(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

Q 6-7
An IS auditor discovers that an organization’s business continuity plan provides
for an alternate processing site that will accommodate 50 percent of the
primary processing capability. Based on this, which of the following actions
should the IS auditor take?
• A - Do nothing, because generally, less than 25 percent of all
  processing is critical to an organization’s survival and the backup
  capacity, therefore, is adequate.
• B - Identify applications that could be processed at the alternate site
  and develop manual procedures to back up other processing.
• C - Ensure that critical applications have been identified and that
  the alternate site could process all such applications.
• D - Recommend that the information processing facility arrange for
  an alternate processing site with the capacity to handle at least 75
  percent of normal processing.

Q 6-7
The correct answer is C

• A business continuity plan should provide for the recovery of critical
  systems, not necessarily all systems.
• Perhaps only 50 percent of the company’s systems are critical; therefore,
  careful assessment of critical systems and capacity requirements should be
  part of the IS auditor’s test of the plan.

BCP plan - testing considerations
(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

One of the purposes of the business continuity test is to determine how well the
plan works or which portions of the plan need improvement.
The test must simulate actual processing conditions.

• The test should be scheduled during a time that will minimize disruptions to
  normal operations. Weekends are generally a good time to conduct tests.
• It is important that the key recovery team members be involved in the test
  process and allotted the necessary time to put their full effort into it.
• The test should address all critical components and simulate actual
  primetime processing conditions, even if it is conducted in off hours.
• Test Execution – To perform testing, each of the following test phases
  should be completed: Pretest, Test, Post-Test.
• Documentation of Results – During every phase of the test, detailed
  documentation of observations, problems and resolutions should be
  maintained.
• Results Analysis – It is important to have ways to measure the success of
  the plan and test against the stated objectives. Therefore, results must be
  quantitatively gauged as opposed to an evaluation based only on
  observation.
• Recovery/Continuity plan maintenance – Plans and strategies for business
  continuity should be reviewed and updated on a scheduled basis to reflect
  continuing recognition of changing requirements.

On the Components of the Information Systems Business Continuity Plan
- considerations only!

Rulebook Contents - some of the important points

• Detailed Plan
• Organization and Assignment of Responsibilities
• Emergency Response Team
• Key Decision-making Personnel
• what will employees do?
  - CISA® Review Course transparencies were also used here
  - where will employees report to work,
  - how will orders be taken while the computer system is being restored,
  - who is responsible that
    which vendors should be called to provide needed supplies
• Insurance
• Recovery/Continuity Plan Testing:
  - Plan and Actual Tests
  - Documentation of the Test Results
  - Results Analysis
• Recovery/Continuity Plan Maintenance
• Periodic Backup Procedures
• Record Keeping for Offsite Storage

recovery aspects
(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

• Recovery Point Objective (RPO)
• Recovery Time Objective (RTO)
• Interruption window
• Service delivery objective - SDO
• Maximum tolerable outage
• Disaster [problem] tolerance

Recovery Point Objective (RPO)
  - Based on acceptable data loss
  - Indicates earliest point in time in which it is acceptable to recover the
    data

• acceptable data loss:
  For example, if the process can afford to lose the data up to four hours before
  disaster, then the latest backup available should be up to four hours before
  disaster or interruption and the transactions during RPO and interruption
  need to be entered after recovery (known as catch-up data).

recovery aspects
(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

Recovery Point Objective (RPO) - cont'd

• RPO effectively quantifies the permissible amount of data loss in case of
  interruption. It is almost impossible to recover the data completely. Even
  after entering catch-up data, some data are still lost and are referred to as
  orphan data.
• If RPO is very low, say in minutes, it means that the process cannot afford
  to lose the data in such a short time. In such cases, data mirroring should
  be used as a recovery strategy. If RPO is high, say in hours, then other
  backup procedures, such as reel backup, could be used.

disaster here: disaster caused by the interrupt

• Recovery Time Objective (RTO)
  - Based on acceptable downtime
  - Indicates earliest point in time at which the business operations must
    resume after a disaster

• The RTO is determined based on the acceptable downtime in case of a
  disruption of operations. It indicates the earliest point in time at which the
  business operations must resume after disaster.
• A high RTO will mean that so much additional time would be available for
  the recovery strategy.

recovery aspects
(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

relation between RPO / RTO - which recovery strategies would be best with
different RTO and RPO parameters?

• Interruption window – The time the organization can wait from the point of
  failure to the critical services/applications restoration. After this time, the
  progressive losses caused by the interruption are unaffordable.

• Service delivery objective (SDO) – Level of services to be reached during
  the alternate process mode until the normal situation is restored. This is
  directly related to the business needs.

• Maximum tolerable outages – Maximum time the organization can support
  processing in alternate mode. After this point, different problems may arise,
  especially if the alternate SDO is lower than the usual SDO, and the
  information pending to be updated can become unmanageable.

• Disaster [problem] tolerance is the time gap within which the business can
  accept non-availability of IT facilities. If this time gap is high, recovery
  strategies that take a longer time can be used.

recovery aspects
(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

Q 6-5

Data mirroring should be implemented as a recovery strategy when:

• A. recovery point objective (RPO) is low.
• B. RPO is high.
• C. recovery time objective (RTO) is high.
• D. disaster tolerance is high.

recovery aspects
(source: CISA® Review Course transparencies, ISACA
/ Business Continuity and Disaster Recovery)

Q 6-5

The correct Answer is A

• RPO is the earliest point in time to which it is acceptable to recover the
  data. If RPO is very low, say in minutes, it means that the process cannot
  afford to lose the data in such a short time. In such cases, data mirroring
  should be used as a recovery strategy.
• If RPO is high, say in hours, then other backup procedures, such as reel
  backup, could be used.
• A high RTO will mean that so much additional time would be available for
  the recovery strategy.
• Disaster tolerance is the time gap within which the business can accept
  non-availability of IT facilities. If this time gap is high, recovery strategies
  that take a longer time can be used.
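
The RPO/RTO reasoning of Q 6-5 and the capacity question of Q 6-7 can be turned into a repeatable audit check. The following is an added example, not part of the original slides: the class, function names and the sample inventory are constructed, and the site readiness hours are assumptions standing in for the slides' "several hours", "several days or weeks" and "several weeks".

```python
from dataclasses import dataclass
from datetime import datetime

# Hours until each site type can take over processing. The slides give only
# qualitative figures; the concrete numbers below are assumptions.
SITE_READY_HOURS = {"mirror": 0, "hot": 8, "warm": 7 * 24, "cold": 21 * 24}


@dataclass
class SystemPlan:
    name: str
    critical: bool
    rpo_hours: float              # acceptable data loss
    rto_hours: float              # acceptable downtime
    backup_interval_hours: float  # 0 = continuous data mirroring
    site: str                     # key of SITE_READY_HOURS
    load_percent: int             # share of primary processing capability


def check_system(plan):
    """Return findings where the chosen strategy cannot meet RPO or RTO."""
    findings = []
    # Worst case the interruption comes just before the next backup, so one
    # whole backup interval of data is lost.
    if plan.backup_interval_hours > plan.rpo_hours:
        findings.append("RPO")
    # The recovery site must be ready before the acceptable downtime ends.
    if SITE_READY_HOURS[plan.site] > plan.rto_hours:
        findings.append("RTO")
    return findings


def check_capacity(plans, alternate_capacity_percent):
    """Q 6-7: can the alternate site process all critical applications?"""
    needed = sum(p.load_percent for p in plans if p.critical)
    return needed <= alternate_capacity_percent, needed


def catch_up_hours(last_backup, interruption, resumed):
    """Return (data loss window, period needing catch-up data) in hours."""
    lost = (interruption - last_backup).total_seconds() / 3600
    catch_up = (resumed - last_backup).total_seconds() / 3600
    return lost, catch_up


# Constructed sample inventory (not from the slides).
PLANS = [
    SystemPlan("payments", True, 0.25, 4, 24, "warm", 30),
    SystemPlan("orders", True, 4, 24, 4, "hot", 30),
    SystemPlan("intranet", False, 24, 720, 24, "cold", 40),
]


def audit(plans, alternate_capacity_percent):
    """Run all checks; returns (findings per system, capacity ok, needed %)."""
    report = {p.name: check_system(p) for p in plans}
    fits, needed = check_capacity(plans, alternate_capacity_percent)
    return report, fits, needed


if __name__ == "__main__":
    report, fits, needed = audit(PLANS, 50)
    for name, findings in report.items():
        print(name, findings or "ok")
    print("critical load", needed, "% fits alternate site:", fits)
```

With the sample data, the payments system fails both checks because a daily backup and a warm site cannot serve an RPO of minutes and an RTO of hours, which is the case where the slides call for data mirroring.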


The IS BCP of the Individual Systems

The most important part of the business continuity plan consists of
those of the individual systems.

The table of contents of the systems business continuity plan
contains (at least):

• The description of the system
• The members of the emergency team (name, every par.)
• The key users (name, every par.)
• The places ! of the systems documentation (at least 2 media)
• The databases, their config., and their settings
• The archives
• The typical operations fallbacks
• Manual / alternative operations
• Software & hardware resource requirements
  - minimum, presently available, maximum
• Communications requirements
• Recovery to normal state

COBIT 3, 4 support of IS Audit and IT Security

  - 34 IS processes
  - 7 IS (evaluation) criteria
  - control objectives
  - control measures / procedures
  - Balanced Scorecard
  - Capability Maturity Model tailored to the 34 processes

the processes of delivery and support:

  - DS1 - Define and Manage Service Levels
  - DS2 - Manage Third-party Services
  - DS3 - Manage Performance and Capacity
  - DS4 - Ensure Continuous Service
  - DS5 - Ensure Systems Security
  - DS6 - Identify and Allocate Costs
  - DS7 - Educate and Train Users
  - DS8 - Manage Service Desk and Incidents
  - DS9 - Manage the Configuration
  - DS10 - Manage Problems
  - DS11 - Manage Data
  - DS12 - Manage the Physical Environment
  - DS13 - Manage Operations

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1

important: even if this is all about IT
- all business-critical human and infrastructural
  assets should be taken care of

DS4.1 IT Continuity Framework

• Develop a framework for IT continuity to support enterprisewide business
  continuity management using a consistent process.

The objective of the framework:

• to assist in determining the required resilience of the infrastructure and
• to drive the development of disaster recovery and IT contingency plans

The framework [and the plan] should address:

• the organisational structure for continuity management,
• on internal and external service providers
  - their management
  - and their customers
• these:
  - roles,
  - tasks and
  - responsibilities

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1

DS4.1 IT Continuity Framework

The framework [and the plan] should address: - cont'd

• the planning processes that create
  - the rules and
  - structures
• in order to
  - document,
  - test and
  - execute
  the disaster recovery and IT contingency plans
• [based on risk assessment]
  - the identification of critical resources,
  - noting key dependencies,
  - [personal responsibilities]
• the monitoring and
• reporting of the availability of
  - critical resources,
  - alternative processing,
• and [other] principles, [important info on] backup and recovery.

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1

DS4.2 IT Continuity Plans

• Develop IT continuity plans based on the framework and designed to
  reduce the impact of a major disruption on
  - key business functions
  - and processes.

• The plans should be based on risk understanding of potential business
  impacts
  -- see framework, DS 4.1,
  both IT BCP - BCP should be risk assessment-based

• The plan should address requirements for
  - resilience - flexibility!,
  - alternative processing and
  - recovery capability of all critical IT services.

• The plan should contain
  - usage guidelines,
  - roles and responsibilities,
  - procedures,
  - communication processes, and
  - the testing approach - test plan, + procedure!

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1

DS4.3 Critical IT Resources

• Focus attention on items specified as most critical in the IT continuity plan
  - to build in resilience and
  - establish priorities in recovery situations.
• Avoid the distraction of recovering less-critical items and
• ensure response and recovery in line with prioritised business needs,
• ensure that costs are kept at an acceptable level
• ensure compliance
  - with regulatory and
  - contractual requirements.
• Consider resilience, response and recovery requirements for different tiers,
  e.g., one to four hours, four to 24 hours, more than 24 hours and critical
  business operational periods.

DS4.4 Maintenance of the IT Continuity Plan

• Encourage IT management to define and execute
  - change control procedures to ensure that
  - the IT continuity plan is kept up to date
  - and continually reflects actual business requirements.
• Communicate changes in
  - procedures and
  - responsibilities
  clearly and in a timely manner.

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1

DS4.5 Testing of the IT Continuity Plan

• testing should be actually performed and documented,
  and evaluated together with the key business users & IT
• according to the results the plan should be updated
• either forewarn the employees, or not

• Test the IT continuity plan on a regular basis to ensure that
  - IT systems can be effectively recovered,
  - shortcomings are addressed
  - the plan remains relevant.

• A successful test requires
  - careful preparation,
  - documentation,
  - reporting of test results and,
    according to the results,
  - implementation of an action plan

• Consider the extent of testing:
  - recovery of single applications
  - integrated testing scenarios
  - end-to-end testing
  - integrated vendor testing.

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1

DS4.6 IT Continuity Plan Training

• Provide all concerned parties with regular training sessions regarding the
  - procedures and
  - their roles and
  - responsibilities
  in case of an incident or disaster.
• Verify and enhance training according to the results of the contingency
  tests.

DS4.7 Distribution of the IT Continuity Plan

• Determine that a defined and managed distribution strategy exists
  to ensure that plans are properly and securely distributed and
  available to appropriately authorised interested parties
  when and where needed.
• Attention should be paid to making the plans accessible
  under all disaster scenarios.

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1

DS4.8 IT Services Recovery and Resumption

• Plan the actions to be taken for the period when IT is recovering and
  resuming services. This may include
  - activation of backup sites,
  - initiation of alternative processing,
  - customer and stakeholder communication, and
  - resumption procedures.

• Ensure that the business understands
  - how to specify for IT the recovery times they require
  - that they have to help IT to buy the necessary technology investments to
    support business recovery and to provide for resumption needs.

(thorough rewriting)

DS4.9 Offsite Backup Storage

• Store offsite
  - all critical backup media,
  - documentation and
  - other IT resources
  necessary for IT recovery and business continuity plans.

! develop and document processes to use all of these

• business process owners and IT personnel should together determine
  - the content of backup storage
  - and its other parameters

DS4 - Ensure Continuous Service
Control Objectives - source, among others: COBIT 4.1

DS4.9 Offsite Backup Storage - cont'd

• Management of the offsite storage facility should comply with the
  - data classification policy and
  - the enterprise’s media storage practices.

• IT management should ensure that
  offsite arrangements are periodically assessed, at least annually, for
  - content,
  - environmental protection and
  - security.

• Ensure compatibility of hardware and software to restore archived data,
• periodically test and refresh archived data.

DS4.10 Post-resumption Review

• Determine whether IT management has established procedures for
  - assessing the adequacy of the plan in regard to
    the successful resumption of the IT function after a disaster, and
  - updating the plan accordingly.

BCP in COBIT 5

quotations from COBIT 5 Transforming Cybersecurity...

• "cybersecurity requires a strategic component that deals with the
  unexpected and unknown and contains elements of business continuity and
  IT service continuity"
• "the security strategies and management activities" [in the COBIT 5 books]
  "address unknown threats and incidents, making reference
  - to concepts of business continuity management (BCM)
  - IT service continuity management (ITSCM)"

BCP in COBIT 5
- the description of Manage Continuity in the Process Reference Guide

Area: Management, Domain: Deliver, Service and Support

DSS06: Manage Continuity

Establish and maintain a plan to enable the business and IT
to respond to incidents and disruptions in order to
  - continue operation of critical business processes and required IT
    services
  - maintain availability of information at a level acceptable to the
    enterprise.

Process Purpose Statement

The process purpose is to continue critical business operations and maintain
availability of information at a level acceptable to the enterprise.

BCP in COBIT 5
- the description of Manage Continuity in the Process Reference Guide

Process Goals and Metrics

1 Business critical information is available to the business in line with
  minimum required service levels.
  metrics:
  • percentage of systems meeting uptime requirements
  • percentage of successful restoration from backup or alternate media
    copies
  • percentage of backup media transferred securely and stored in secure
    location

2 Sufficient resilience is in place for critical services.
  metrics:
  • number of critical business systems not covered by the plan

3 Service continuity tests have verified the effectiveness of the plan.
  metrics:
  • number of exercises and tests that have achieved recovery objectives
  • frequency of tests

4 An up to date continuity plan reflects current business requirements.
  • percentage of agreed business changes that have been reflected in the plan
  • percentage of issues identified that have been subsequently
    addressed in the plan

BCP in COBIT 5
- the description of Manage Continuity in the Process Reference Guide

Process Goals and Metrics - cont'd

5 Internal and external parties have been trained on the Continuity Plans
  • percentage of internal and external stakeholders that have received
    training
  • percentage of issues identified that have been subsequently addressed in
    the training
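
Several of the DSS06 metrics listed under Process Goals and Metrics can be computed directly from recovery test records, which is also what the testing slides mean by gauging results quantitatively. The following is an added example, not taken from COBIT or the original slides: the inventory, the test log, the record layout and all names in the code are constructed for illustration.

```python
from collections import Counter

# Constructed inventory: recovery objectives in hours, as a continuity plan
# would state them, plus whether the plan covers the system at all.
INVENTORY = {
    "billing":   {"critical": True,  "in_plan": True,  "rto": 4,  "rpo": 1},
    "crm":       {"critical": True,  "in_plan": True,  "rto": 24, "rpo": 4},
    "warehouse": {"critical": True,  "in_plan": False, "rto": 24, "rpo": 4},
    "intranet":  {"critical": False, "in_plan": True,  "rto": 72, "rpo": 24},
}

# Constructed test log for one review period:
# (system, restore succeeded, measured recovery hours, measured data loss hours)
TEST_LOG = [
    ("billing", True, 3.5, 0.5),
    ("billing", True, 6.0, 0.5),    # restored, but slower than the RTO
    ("crm", False, None, None),     # restoration from backup media failed
    ("crm", True, 20.0, 3.0),
    ("intranet", True, 30.0, 12.0),
]


def achieved_objectives(inventory, record):
    """True if the test restored the system within both RTO and RPO."""
    system, restored, recovery_h, loss_h = record
    target = inventory[system]
    return bool(
        restored
        and recovery_h <= target["rto"]
        and loss_h <= target["rpo"]
    )


def continuity_metrics(inventory, log):
    """Compute goal 1-3 metrics from the inventory and the test log."""
    restored = sum(1 for rec in log if rec[1])
    return {
        # goal 1: percentage of successful restoration from backup
        "pct_successful_restoration": 100 * restored / len(log) if log else 0.0,
        # goal 2: critical business systems not covered by the plan
        "critical_not_in_plan": sorted(
            name for name, s in inventory.items()
            if s["critical"] and not s["in_plan"]
        ),
        # goal 3: tests that have achieved recovery objectives
        "tests_achieving_objectives": sum(
            achieved_objectives(inventory, rec) for rec in log
        ),
        # goal 3: frequency of tests, here as tests per system in the period
        "tests_per_system": dict(Counter(rec[0] for rec in log)),
        # systems whose tests need an action plan
        "failed_tests": [
            rec[0] for rec in log if not achieved_objectives(inventory, rec)
        ],
    }


if __name__ == "__main__":
    for key, value in continuity_metrics(INVENTORY, TEST_LOG).items():
        print(f"{key}: {value}")
```

A test that restores the data but exceeds the RTO counts as a successful restoration and still fails the recovery objectives, so the two metrics have to be reported separately.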


BCP in COBIT 5
- the description of Manage Continuity in the Process Reference Guide

DSS06 Management practices - "Ctrl. Obj.s" for process Manage Continuity


from: COBIT 5.0 Vol. IIa – Process Reference Guide, © 2011 ISACA
- working paper

DSS06.01
z Define Service Continuity policy and scope aligned [to] the enterprise
strategy objectives

DSS06.02
z Maintain a Continuity Strategy

DSS06.03
z Develop and Implement a Business Continuity Response


DSS06.04
• Exercise, test and review the Business Continuity Plan

DSS06.05
• Review, maintain and improve the Continuity Plan

DSS06.06
• Conduct Continuity Plan Training


DSS06.07
• Manage backup arrangements

DSS06.08
• Conduct Post-resumption Review

Then, in the manual, for every management practice:
explanations, input / output relations with other processes, activities


ISACA CRM Case Study


(source: CISA® Review Course transparents, ISACA
/ Business Continuity and Disaster Recovery)

Case Study Scenario

• Organization revising BCP and DRP for headquarters (750 employees) and 16 branches (each with 20–35 employees and mail and file / print server)
• Current plans not updated in more than 8 years
• Organization has grown by 300%
• Staff connect via LAN to more than 60 applications, databases and print servers in the corporate data centre
• Staff connect via a frame relay network to the branches
• Traveling users connect over the Internet using VPN
• Critical applications have RTO of 3–5 days

• All users in the headquarters and branches connect to the Internet through a firewall and proxy server located in the data center
• Branch offices are located between 30 and 50 miles from one another, with none closer to the headquarters' facility than 25 miles
• Backup media for the data center are stored at a third-party facility 35 miles away
• Backups for servers located at the branch offices are stored at nearby branch offices using reciprocal agreements between offices


Current contract with third party hot site:


• 3 year term, with equipment upgrades occurring at renewal time
• 25 servers
• Work area space with PCs for 100 employees
• Separate agreement to ship 2 servers and 10 PCs to any branch
declaring a disaster
• Hot site provider has multiple sites in case the primary site is in use by
another customer or rendered unavailable by the disaster


Q1 On the basis of the above information, which of the following should the
IS auditor recommend concerning the hot site?

• A. Desktops at the hot site should be increased to 750.
• B. An additional 35 servers should be added to the hot site contract.
• C. All backup media should be stored at the hot site to shorten the RTO.
• D. Desktop and server equipment requirements should be reviewed quarterly.


The correct answer to Q1 is D


• As equipment needs in a rapidly growing business are subject to frequent change, quarterly reviews are necessary to ensure that the recovery capability keeps pace with the organization.
• Since not all employee job functions are critical during a disaster, it is not necessary to contract for the same number of desktops at a recovery facility as the number of employees. Similarly, not every server is critical to the continued operation of the business.
• In both cases, only a subset will be required.
• Since there is no assurance that the hot site will not already be occupied, it would not be advisable to store backup media at the facility. These facilities are generally not designed to provide extensive media storage, and frequent testing by other customers could compromise the security of the media.


Q2 On the basis of the above information, which of the following should the
IS auditor recommend concerning branch office recovery?

• A. Add each of the branches to the existing hot site contract.
• B. Ensure branches have sufficient capacity to back each other up.
• C. Relocate all branch mail and file / print servers to the data center.
• D. Add additional capacity to the hot site contract equal to the largest branch.


The correct answer to Q2 is B


• The most cost-effective solution is to recommend that branches have sufficient capacity to accommodate critical personnel from another branch.
• Since critical job functions would represent only perhaps 20 percent of the staff from the affected branch, accommodations for only four to seven critical staff members would be needed.
• Adding each of the branches to the hot site contract would be far more expensive, while adding capacity to the hot site contract would not provide coverage as hot site contracts base their pricing on each location covered.
• Finally, relocating branch servers to the data center could result in performance issues, and would not address the question of where to locate displaced employees.


References

• CRM 20xx CISA Review Technical Information Manual
  editor: Information Systems Audit and Control Association
  Rolling Meadows, Illinois, USA, 20xx-1

• CISA® Review Course transparents

• COBIT® 4.0 Control Objectives, Management Guidelines, Maturity Models
  Copyright © IT Governance Institute®, 2005

• COBIT® 4.1 Framework, Management Guidelines, Maturity Models
  Copyright © IT Governance Institute®, 2007


• COBIT 5.0 Vol. I – The Framework
  SME Exposure Draft (Version V005), 28 March 2011
  COBIT 5 Development Team - working paper
  © ISACA

• COBIT 5.0 Vol. IIa – Process Reference Guide © 2011 ISACA
  - working paper
  (process descriptions: COBIT 5 Vol II Section 5 Draft)

• Enabling Processes - COBIT 5 An ISACA Framework - Copyright © 2012 ISACA

• Transforming Cybersecurity Using COBIT 5 - Copyright © 2013 ISACA


• Az Informatikai biztonság kézikönyve
  editor and reviewer: Szenes Katalin
  Verlag Dashöfer, Budapest

• K. Szenes: "IT GRC versus ? Enterprise GRC
  but: IT GRC is a Basis of Strategic Governance"
  EuroCACS - Conference on Computer Audit, Control and Security
  Copyright ISACA, Rolling Meadows, Illinois, USA
  23-25 March, Budapest, Hungary, Tutorial, Stream #1 IT Governance, #311

• CISA® Review Course transparents, ISACA
  / Business Continuity and Disaster Recovery

• CISA®: see ISACA.org


• the predecessors of ISO 27001, ISO 27002 are:
  CRAMM, ISO/IEC 17799

• ISO 27001 International Standard ISO/IEC 27001 First edition 2005-10-15
  Information technology - Security techniques - Information security management systems - Requirements
  Reference number: ISO/IEC 27001:2005 (E)
  Copyright © ISO/IEC 2005; new version: in 2013

• ISO 27002 International Standard ISO/IEC 27002 First edition 2005-06-15
  Information technology - Security techniques - Code of practice for information security management
  Reference number: ISO/IEC 27002:2005(E)
  Copyright © ISO/IEC 2005; new version: in 2013
