
IFSA Presentation Identifying and Protecting Compliance Data via IT Security and BCP Page: 1

Release Date: March 21, 2012

Identifying and Protecting Compliance Information Through Current Business Continuation Practices

Produced by: Thomas Bronack
15180 20th Avenue, Whitestone, NY 11357
Phone: (718) 591-5553
Cell: (917) 673-6992
Email: [email protected]
File Name: IFSA presentation


Overview of Presentation – A Roadmap to Protection.

Safeguarding Financial and Compliance Information:

• Audit Applications to Identify Critical Information and any Gaps or Exceptions associated with the critical files.
• Utilize Technical Risk Management Services to correct Gaps and Exposures associated with protecting critical data:
    • IT Security (both Physical and Data);
    • Vital Records Management;
    • Version and Release Management;
    • Disaster Recovery and Business Continuity Planning; and
    • Process Improvements and Re-Engineering Work Flow.
• Integrate Safeguards within normal Work Flow & Operations.
• Update Standards and Procedures Manual for Work Flow.
• Provide Documentation and Training to Personnel.
• Prepare for the Future through Monitoring and Adjustment.


Auditing Accounting and Compliance Applications

[Diagram labels: Data; Programs; Accounting Applications; Compliance Applications; Compliance Reports; Internet; Compliance Data]

Accounting information is submitted from locations throughout the organization and processed by the Accounting Applications.

Output from Accounting Applications is used to generate Compliance Reports.

Compliance Data is CRITICAL and must be subjected to the scrutiny of IT Security, Vital Records Management, and Business Continuity Planning so that compliance information can be protected from destruction and traced to its source.

Diagram callouts:
• Critical Applications and Data that must be Protected and Included in BCP
• Critical Data and Applications for BCP
• Critical Compliance Controls needed to safeguard assets


Existing Laws and their Consequences

Gramm-Leach-Bliley Safeguard Rule
• Effective Date: May 23, 2002
• Compliance Deadline: May 23, 2003
• Covered Entities: Financial Institutions as defined in the Bank Holding Company Act that possess, process, or transmit private customer information.
• Purpose: Protect Customer Information from unauthorized disclosure or use.
• Operative Mechanisms: Information Security Program:
    • Responsible Employee Selection,
    • Risk Assessment,
    • Information Safeguards and Controls,
    • Oversight of “Service Providers”,
    • Testing and Monitoring.
• Criminal Consequences of Noncompliance: Fines and Imprisonment for up to 5 years.

HIPAA Security Rule
• Effective Date: April 21, 2003
• Compliance Deadline: April 21, 2005
• Covered Entities: Organizations that possess, transmit, or process electronic protected health information (EPHI).
• Purpose: Protect EPHI from unauthorized disclosure or use.
• Operative Mechanisms: Security Safeguards:
    • Risk Assessment,
    • Policies and Procedures to control access,
    • Physical Security Measures,
    • Contingency Plan,
    • Appointment of Security Officer,
    • Training and communication to increase awareness,
    • Audits and maintenance of Audit Trails,
    • Agreements with “business associates”,
    • Testing and Evaluation.
• Criminal Consequences of Noncompliance: Fines to $250,000 and imprisonment for up to 10 years.

Sarbanes-Oxley 404 Rules
• Effective Date: June 5, 2003
• Compliance Deadline: June 15, 2004 (for public companies with market cap. of $75 million or more); June 15, 2005 (for other SEC reporting companies)
• Covered Entities: Publicly owned companies that file periodic reports with the SEC.
• Purpose: Provide senior management assessment of effectiveness of company’s “internal controls for financial reporting” and attestation by independent auditors.
• Operative Mechanisms: Internal Control Framework:
    • (COSO Framework or Equivalent)
    • Control environments – Compliance and Ethics,
    • Risk Assessment and Analysis,
    • Control Activities – policies, procedures, controls,
    • Information and Communications,
    • Monitoring of operations and control activities to determine continuing effectiveness of internal controls.
• Criminal Consequences of Noncompliance: Fines up to $5 million and prison sentences for up to 20 years for deliberate violations.

California SB 1386
• Effective Date: July 1, 2003
• Covered Entities: Any public or private entity that has unencrypted electronic personal information of California residents.
• Purpose: Protect California residents from Identity Theft.
• Criminal Consequences of Noncompliance: Civil liability to any injured California resident.


Application and Program Profile

[Diagram labels: Application; JOB 1 ... JOB n; De-allocate; Allocate; Data I/O; Display; Backup; Archive; Report; Batch; On-Line; Data Base; Program Control Area; Data Areas; Local Vault; Remote Vault]

Applications de-allocate / allocate files for input / work / output operations. Then they process data for display and report generation. Finally backup and archive operations are performed to protect critical data and report on their status.

Critical data can be in Batch, On-Line, or Data Base Files.


Application Interconnections and Data Usage

The various methods for introducing data to an application, and maintaining it going forward, are shown below.

[Diagram labels: Application; Job 1 ... Job n (repeated for each application); Feed Files; Passed File; Wrap Around File; Old Master; Log File; New Master; Shadow File to Alternate Site]

Diagram callouts:
• Combines Old Master with Log File to create New Master
• Daily transactions to be merged with Master file(s)

“Prioritizing applications as to their criticality is based upon business needs and feed files used to initiate the application in question. Because of this, the synchronization of Back-up and Restoration must be planned and implemented to satisfy application needs in the order of their critical importance and processing sequence.”
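The ordering rule quoted on this slide, as an added example that is not part of the original presentation: applications are restored in processing sequence (feeders before the applications they feed), and among those ready to restore, the most critical goes first. Application names, criticality ranks and feed relationships are constructed; letting a feeder inherit the criticality of what it feeds, and modelling a wrap-around file as an application feeding itself, are assumptions.

```python
import heapq

# Constructed sample data (hypothetical applications). criticality 1 is the
# most critical; feeds_from lists the applications whose feed files start it.
APPS = {
    # "general-ledger" lists itself to model a wrap-around file (assumption:
    # output of one cycle is input to the next run of the same application).
    "general-ledger": {"criticality": 1,
                       "feeds_from": ["accounts-payable", "payroll", "general-ledger"]},
    "compliance-reporting": {"criticality": 1, "feeds_from": ["general-ledger"]},
    "accounts-payable": {"criticality": 2, "feeds_from": []},
    "payroll": {"criticality": 3, "feeds_from": []},
    "marketing-stats": {"criticality": 4, "feeds_from": []},
}


def effective_criticality(apps):
    """Assumed rule: a feeder is at least as critical as anything it feeds."""
    eff = {name: spec["criticality"] for name, spec in apps.items()}
    changed = True
    while changed:  # terminates: ranks only decrease and are bounded below
        changed = False
        for name, spec in apps.items():
            for feeder in spec["feeds_from"]:
                if eff[name] < eff[feeder]:
                    eff[feeder] = eff[name]
                    changed = True
    return eff


def restore_order(apps):
    """Return application names in the order their data should be restored."""
    for name, spec in apps.items():
        missing = [f for f in spec["feeds_from"] if f not in apps]
        if missing:
            raise ValueError(f"{name} is fed by unknown application(s): {missing}")

    eff = effective_criticality(apps)
    # Feeders still waiting to be restored; a self-feed (wrap-around file) is
    # restored together with the application, so it is not a blocker.
    pending = {n: {f for f in s["feeds_from"] if f != n} for n, s in apps.items()}
    consumers = {n: [] for n in apps}
    for name, feeders in pending.items():
        for feeder in feeders:
            consumers[feeder].append(name)

    # Priority queue of restorable applications, most critical first.
    ready = [(eff[n], n) for n, feeders in pending.items() if not feeders]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for consumer in consumers[name]:
            pending[consumer].discard(name)
            if not pending[consumer]:
                heapq.heappush(ready, (eff[consumer], consumer))

    if len(order) != len(apps):
        stuck = sorted(set(apps) - set(order))
        raise ValueError(f"circular feed-file dependency among: {stuck}")
    return order


if __name__ == "__main__":
    for position, name in enumerate(restore_order(APPS), start=1):
        print(position, name)
```

A circular feed between two different applications raises an error instead of producing an order, because neither can be restored first without a planned break point.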


Vital Records Management Techniques

[Diagram labels: Batch Job; On-Line Job; LOG; DASD; BACKUP; Tape; BKUP Tape; Local Vault; Remote Vault; Off-Site Vault; Local Back-Up; Local Recovery; Forward Recovery; Disaster Recovery; Disaster Recovery Facility; LOCAL RECOVERY; REMOTE RECOVERY; Real-Time Vaulting; Incremental Vaulting; A / B Log Files]

Updated DASD Control Systems duplicate tape backup / recovery with DASD devices in a Controlled NAS and SAN environment for more rapid response and better data Protection, but the concept remains the same.


Why you need a Recovery Plan

* Justifying the Need for a Recovery Plan.
    - Enterprise-Wide Commitment.
    - Disaster and Business Recovery Planning implementation.
    - Risk Management implementation.

* Laws and Regulators.
    - Comptroller of the Currency (OCC).
    - OCC-177 Contingency Recovery Plan.
    - OCC-187 Identifying Financial Records.
    - OCC-229 Access Controls.
    - OCC-226 End-User computing.
    - Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, The Patriot Act, EPA Superfund, etc.

* Penalties.
    - Three Times the Cost of the Outage, or more.
    - Jail Time is possible and becoming more probable.

* Insurance.
    - Business Interruption Insurance.
    - Directors and Managers Insurance.

“Define all Regulatory, Legal, Financial, and Industry rules and regulations that must be complied with, and assign the duty of ensuring that these exposures are not violated to the Risk Manager.”

“Have the Legal and Auditing Departments define the extent of Risk and Liabilities, in terms of potential and real Civil and Criminal damages that may be incurred.”

“Once you have defined your exposures, construct an insurance portfolio that protects the business from sudden damages that could result from a disaster event.”

“For Contingency Planning to be successful, a company-wide commitment, at all levels of personnel, must be established and funded. Its purpose is to protect the company, its business, its shareholders, and its employees.”

Rapid increase in Regulations after 9-11-01


Contingency Planning

Contingency Recovery Disciplines

[Diagram labels: Contingency Planning; Disaster Recovery; Business Recovery; Risk Management]

Charter:
1. Eliminate Business Interruptions.
2. Ensure Continuity of Business.
3. Minimize Financial Impact.
4. Adhere to Legal / Regulatory Requirements.

EDP Protection:
1. Critical Jobs.
2. Data Sensitivity and Access Controls.
3. Vital Records Management.
4. Mainframe / Mid-Range disaster recovery.

Corporate Asset Protection:
1. Inventory Control.
2. Asset Management.
3. Configuration Management.
4. Business Continuity.
5. Office Recovery.

Management Controls:
1. Exposures.
2. Insurance.
3. Legal / Regulatory Requirements.
4. Cost Justifications.
5. Vendor Agreements.

“These four Contingency Planning Disciplines allow for logical work separation and better controls.”

“Contingency Planning affects every part of the organization and is separated into logical work areas along lines of responsibility.”

Contingency Recovery Interfaces

[Diagram labels: Contingency Recovery Planning; Executive Management; Data Processing; Company Operations; Auditing; Public Relations; Facilities; Personnel; General Services; Finance]

“Establishing interfaces with key departments will allow for the inclusion of corporate-wide recovery procedures (Security, Salvage, and Restoration, etc.) in department specific Recovery Plans.”


COSO Risk Assessment

The Committee Of Sponsoring Organizations (COSO) was formed to develop Risk Management and Mitigation Guidelines throughout the industry.

Designed to protect Stakeholders from uncertainty and associated risk that could erode value.

A Risk Assessment in accordance with the COSO Enterprise Risk Management Framework consists of (see www.erm.coso.org for details):

• Internal Environment Review,
• Objective Setting (Recovery Point Objective, Recovery Time Objective),
• Event Identification (Range of Disaster Event types),
• Risk Assessment,
• Risk Response,
• Control Activities,
• Information and Communication,
• Monitoring and Reporting.

Creation of Organizational Structure, Personnel Job Descriptions and Functional Responsibilities, Workflows, Personnel Evaluation and Career Path Definition, Human Resource Management.

Implementation of Standards and Procedures guidelines associated with Risk Assessment to guarantee compliance with laws and regulations.

Employee awareness training, support, and maintenance going forward.


Information Technology Risk Assessment (ITRA) Final Report Layout and Baseline Controls Matrices

ITRA Deliverable Format:

Cover Page
Table of Contents
Executive Summary
Introduction
Background
Summary of Findings
Recommendations
Conclusions
Supporting Charts Appendix I
Overview Appendix II
IT Audit Schedule Appendix III
Definition of Risk Matrix Terms Appendix IV
Baseline Control Matrices Appendix V
Detailed Findings Appendix VI
Detailed Work Program Appendix VII
Technology Acronyms Appendix VIII

Areas Covered within IT Risk Assessment

(289 IT Risk Analysis Audit Controls are reviewed within the 13 areas listed below)

1. Organization and Management Policies.
2. Segregation of Duties.
3. Logical Access Controls.
4. Physical Access Controls.
5. Systems Development Life Cycle (SDLC) and Change Management Controls.
6. Incident Response (Problem Management, Help Desk, Problem Escalation, Crisis Management, etc.).
7. Business Continuity.
8. Data Center Computer Operations.
9. Network Communications.
10. Operating Systems Software.
11. Database Systems.
12. Application Systems.
13. End-User Computing.

13 Areas broken down into 8 Baseline Controls

Circled areas are condensed into one of the eight Baseline Control Matrices


Detailed Findings document

Finding: Critical Financial Files are not protected.
Implication: Security Flaw
Priority: High
Recommendation: Implement IT Security over files


Strategies for Eliminating Audit Exceptions ($$)

• Adhere to Compliance Requirements (Business and Industry) by implementing Business Continuity Planning disciplines;
• Implement Data Protection Techniques like Data Sensitivity, IT Security and Vital Records Management;
• Document SDLC, including: Development, Testing, Quality Assurance, Production Acceptance, Version Management, and Production Operations;
• Utilize Automated Tools;
• Eliminate “Single-Point-Of-Failure” concerns;
• Integrate Asset / Inventory / Configuration Management practices;
• Create Problem and Crisis Management practices and procedures;
• Optimize Work-Flow through Re-Engineering and Automation;
• Provide Documentation, Training, and Awareness programs.


The “Ten Step” Process Recommended by the Business Continuity Institute for BCP (see: www.thebci.org)

1. Project Initiation and Management.
2. Risk Evaluation and Control.
3. Business Impact Analysis (BIA).
4. Developing Business Continuity Strategies.
5. Emergency Response and Operations.
6. Designing and Implementing Business Continuity Plans.
7. Awareness and Training Programs.
8. Maintaining and Exercising Business Continuity Plans.
9. Public Relations and Crisis Communications.
10. Coordinating with Public Authorities.


Contingency Planning Strategy (FEMA)

EMERGENCY MANAGEMENT PREPAREDNESS – PROJECT PLAN

THE PLANNING PROCESS:
1. Establish a Planning Team.
2. Analyze Capabilities and Hazards.
3. Develop the Plan.
4. Implement the Plan.

EMERGENCY MANAGEMENT CONSIDERATIONS:
1. Direction and Control.
2. Communications.
3. Life Safety.
4. Property Protection.
5. Community Outreach.
6. Recovery and Restoration.
7. Administration and Logistics.

HAZARD SPECIFIC INFORMATION:
1. Fire.
2. Hazardous Materials Incidents.
3. Floods and Flash Floods.
4. Tornadoes.
5. Severe Winter Storms.
6. Earthquakes.
7. Technology Emergencies.

APPENDICES:
1. Vulnerability Analysis Chart.
2. Training Drills and Exercises Chart.
3. Information Sources (where to turn for additional information).


Overview of Business Continuity Planning and BIA’s

[Diagram labels: Business Impact Analysis (BIA); Business Site or Function; Recovery Plan (shown four times); Users; Help Desk; Network Control Center (NCC); Operations Control Center (OCC); Contingency Command Center (CCC); Library of Recovery Plans; Library of Problem Types; Many Sites And Functions; One Per Site or Function; Problems; Match Problem to Recovery]

Diagram callouts:
• Covering various Conditions and Scenarios related to range of problems.
• Conditions and problems are sensed and reported to Help Desk.
• Receives Problems and escalates as needed.
• Receives Critical Problems, Activates Plans, and Manages Recovery.

Recovery Plans direct personnel to restore business operations in response to encountered problems.

The Help Desk escalates critical problems, initiates recovery plans, and manages recovery activities.


Disaster Recovery Plan Data Sources and Output Generation

[Diagram labels: Disaster Recovery Database; Facilities; Forms; Software; Supplies; Personnel; Vital Records; Recovery Tasks; Equipment; Vendors; Disaster Recovery Templates; Data Source; Forms & Descriptions; Plan Preface; Methods & Phases; Project Checklist; Disaster Recovery Forms; Mail-Merge Product; Word Templates; Mail Merge; Form Screen and Merge Data; Extract, Merge, Tailor, and Report; Disaster Recovery Plans]


IT Security Management

1. IT Security Organizational Structure and assigned Personnel Positions.

2. IT Security Personnel and their Functional Responsibilities:

a. Data Owner definition.

b. Data Sensitivity.

c. Data Usage guidelines.

d. Data Access Controls.

e. Violation Capturing.

f. Violation Reporting.

g. Required Forms.

h. Procedures for completing forms.

i. Forms submission and processing.

3. Existing Documentation and Training.

4. Standards and Procedures manual sections.

<NOTE>: The IT Security Management discipline will be included as needed in the SMC processes documented within the S&P Manual.


Vital Records Management

1. Define Vital Records Management Organizational Structure.

2. Define Vital Records Management personnel and their functional responsibilities.

3. Vital Records Management Standards:
    a. Vital Records definition;
    b. Library Management and Naming Conventions for Vital Records;
    c. Backup requirements;
    d. Vaulting requirements; and,
    e. Recovery requirements.

4. Vital Records Management procedures:
    a. Identification;
    b. Classification;
    c. Back-up procedures;
    d. Local Vaulting;
    e. Remote Vaulting, Retention, and Archiving;
    f. Restoration, Re-Use, and/or Destruction procedures;
    g. Interface with Tape Management System; and
        - Vault Management,
        - Encryption.

5. Vital Records Management Standards and Procedures Manual sections, including process descriptions.


Vaulting Backup Tape Life Cycle

[Diagram with steps numbered 1 through 8. Labels: Customer Site; Critical File; Local, NAS, or SAN; Backup; Encryption?; Local Vault; Backup Tape Vaulting Cycle; Vital Records Transport; Transport To / From by Truck; Tapes Transported To/From Customer Site; Remote Vault; Remote Tape Vault; Backup Tape Return Cycle]


Systems Development Life Cycle, INITIATING a development request

[Diagram labels: End User Request for new program; Development; Testing; Unit & System Testing; Quality Assurance; Usage, Naming, Placement; Security, Vital Records, Back-Up, Recovery, Audit; Production Acceptance; Production; Change Management; Maintenance; Enhance and Repair; Version and Release Control; BKUP; On-Line data files; Off-Site Vault; Disaster Recovery Facility; Business Recovery Facility; Real-Time; Periodic; End-User Location; New; Recovery; Update; Vendor]

End User defines:
• Business Purpose,
• Business Data,
• Ownership,
• Sensitivity,
• Criticality,
• Usage,
• Restrictions,
• Back-Up,
• Restoration,
• Business Continuity,
• Disaster Recovery.


New Application Development Request Form Life Cycle

Date:

User Information ________

Business Justification ________

Technical Justification ________

Build or Buy? ________

Development (Build/Modify) ________

Test (Unit, System, Regression) ________

Quality Assurance ________

Production Acceptance ________

Production ________

Support (Problem / Change) ________

Maintenance (Fix, Enhance) ________

Documentation ________

Recovery ________

Dates are used to show application development status and as links to documentation

[Diagram labels: Development Request Form; Link to Documentation; Documentation; Recovery; Procedures]

Documentation boxes shown in the diagram:

• Application Overview
• Application Setup
• Input / Process / Output
• Messages and Codes

• Business Need
• Application Overview
• Audience
• Business / Technical Review
• Cost Justification
• Build or Buy decision
• Request Approval

• Sensitive Data
• IT Security
• Vital Records Management
• Tape Vaulting / Encryption
• Disaster Recovery
• Business Recovery

• Support Programmer
• End User Coordinator
• Vendor Contacts
• Recovery Supervisor


Quality Assurance and SDLC Checkpoints

Interfaces Between Applications, QA, and Production Groups.

[Flowchart labels: APPLICATIONS GROUP; QA GROUP; Schedule Request; Create Service Request; Perform Technical Assessment; Perform Business Assessment; Perform Requested Work; Application Group Testing; Successful (Yes / No); Return to Submitter; Create QA Turnover Package; QA Review Meeting; QA Review And Accept; Perform User Acceptance Testing; Create Production Acceptance Turnover Package; Submit to Production Acceptance; Perform Post-Mortem; Error Loop (shown twice); CP # 1; CP # 2; CP # 3]

TESTING and QA Turnover Package Components:
• Service Form and results from Assessments,
• Change & Release Notes,
• Application Group Testing Results,
• Test Scenarios & Scripts,
• Messages & Codes, and Recoveries,
• Data for Regression and Normal Testing,
• Documentation.

PRODUCTION Acceptance Turnover Package Components:
• Explanation and Narrative,
• Files to be released,
• Predecessor Scheduling,
• Special Instructions,
• Risk Analysis,
• Authorizations.


Utilizing Automated Tools

Whenever possible, automated tools should be utilized to:

• Gather inventory information;
• Gather Business Impact Analysis (BIA) information;
• Merge BIA information into Business Continuity Plans.
• Scan paper documents through Optical Character Recognition (OCR) readers.
• Utilize Job Scheduler Information on job sequence and resource requirements.
• Utilize Job Scanners to validate sequence and resources.
• Utilize automated job turnover products like Endevor and PVCS to enforce standards, naming conventions, and placement requirements.
• Utilize communications analyzers like Netview to capture problems, initiate recoveries and circumventions, and to report problems to the help desk.
• Utilize Problem Management Systems and integrate them within the Help Desk environment.
• Assist Application Development and Maintenance.
• Supplement Systems Management Disciplines (Problem, Change, Capacity, Performance, etc.)


Eliminating Single-Point-Of-Failure

[Diagram labels: Mainframe Computer; Memory; Central Processing Unit; Channel; Local Control Unit; Local Devices; Transmission Control Unit (shown twice); Communications Lines; Remote Devices (shown twice); Internet; Local Environment; Remote Environment; Primary Path; Secondary Path]

Locate any single-point-of-failure within the Information Technology environment and evaluate its impact should the component fail. If impact is High, then a secondary path or device should be added to the configuration and recovery procedures created (automated procedures if possible).

Single points of failure can also include Vendors, Inputs, and other physical and logical requirements needed to run the business.
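An added example (not part of the original presentation) of the check this slide describes: it removes each component in turn from a constructed topology and reports which device groups lose their path to the Central Processing Unit, before and after a secondary path is added. Component names follow the slide; the links between them, the secondary-path components and the High/Medium rating rule are assumptions.

```python
from collections import deque

# Constructed topology. Component names follow the slide; the links between
# them are assumed, because only the diagram labels survive on the page.
PRIMARY_LINKS = [
    ("Central Processing Unit", "Channel"),
    ("Channel", "Local Control Unit"),
    ("Local Control Unit", "Local Devices"),
    ("Channel", "Transmission Control Unit (local)"),
    ("Transmission Control Unit (local)", "Communications Line A"),
    ("Communications Line A", "Transmission Control Unit (remote)"),
    ("Transmission Control Unit (remote)", "Remote Devices"),
]

# Hypothetical secondary path to the remote environment.
SECONDARY_LINKS = [
    ("Channel", "Transmission Control Unit (local, alternate)"),
    ("Transmission Control Unit (local, alternate)", "Communications Line B"),
    ("Communications Line B", "Transmission Control Unit (remote, alternate)"),
    ("Transmission Control Unit (remote, alternate)", "Remote Devices"),
]

SOURCE = "Central Processing Unit"
ENDPOINTS = ("Local Devices", "Remote Devices")


def build_graph(links):
    """Return an undirected adjacency map from a list of (a, b) links."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def reachable(graph, start, failed):
    """Breadth-first search from start, treating `failed` as removed."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for neighbour in graph[node]:
            if neighbour != failed and neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen


def single_points_of_failure(links, source=SOURCE, endpoints=ENDPOINTS):
    """Map each component whose failure isolates an endpoint to those endpoints."""
    graph = build_graph(links)
    findings = {}
    for component in sorted(graph):
        if component == source or component in endpoints:
            continue  # the service itself and its consumers are not candidates
        alive = reachable(graph, source, failed=component)
        cut_off = [e for e in endpoints if e not in alive]
        if cut_off:
            findings[component] = cut_off
    return findings


def impact(cut_off, endpoints=ENDPOINTS):
    """Assumed rating rule: High when every endpoint group is cut off."""
    return "High" if len(cut_off) == len(endpoints) else "Medium"


if __name__ == "__main__":
    scenarios = (
        ("primary path only", PRIMARY_LINKS),
        ("with secondary path", PRIMARY_LINKS + SECONDARY_LINKS),
    )
    for label, links in scenarios:
        print(label)
        for component, cut_off in single_points_of_failure(links).items():
            print(f"  {component}: {impact(cut_off)} impact, isolates {cut_off}")
```

In this constructed topology the Channel remains a High-impact single point of failure after the remote path is duplicated, which is the kind of residual finding the evaluation step is meant to surface.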


Identifying and Controlling Assets and Equipment

Asset Management (Financial and Legal)

• Acquisition (Interface with Finance for costs and Legal for Vendor Agreement).

• Re-Deployment (Interface with Facilities Management for install and removal).

• Termination (Surplus Equipment Disposal).

• Financials (Total Cost of Ownership).

Inventory Management (Asset Location and Criticality)

• Resource Identification (Vendor Make and Model Information).

• Usage contract conditions.

• Location.

Configuration Management (System and User)

• Component and Release Management.

• Systems Generation.

• Deployment, Installation, and Removal.

• Support (Problem and Crisis Management).

• Maintenance (Change Management)


How disasters occur, and avoiding them....

Business Continuity Disaster Avoidance Disciplines

[Diagram labels: Environment; Disaster; Problem; Standards and Procedures; Equipment; Locations; Software; DATA; Single Point of Failure; System, Sub-System, Application, Utility; Vital Records Management; Vaulting, Recovery, Access Controls; Facilities Management, Business Recovery; Regulations and Legal Requirements]

• Auditor: Corporate, IT, and Independent
• People: Functions Performed, Job Descriptions, S & P Manual, Training.
• Vendors: Products & Services, Recovery Site, Off-Site Vault.

A disaster is defined as an unscheduled business interruption that impacts critical functions and / or services.

Problems are defined as deviations from standards, causing a missed business delivery. Problems cause disasters when they affect critical business services.

To safeguard against Disasters, make sure that Standards and Procedures include data entry and workflow validated for critical resources.

“Since disasters are no more than problems affecting critical components, it stands to reason that the elimination of standards violations will reduce problems and avoid the likelihood of disasters.” This is the reason why we believe you should Develop and Implement strict Standards and Procedures to guide personnel through their Job functions and assure compliance.

Support and Recovery Techniques

User Guides, S&P Manual, Inventory & Configuration

Problem Symptoms, Analyze, Circumvent, Document, Log Problem, Route / Escalate, Track, Resolve, Post Mortem, Upgrade

Supportive Documentation

1 System Software

2 Comm. Systems

3 Corp. Security

4 DB Systems

5 DASD

6 Cap. & Performance

7 Decision Support

8 Optical Storage

9 CICS

10 Systems Mgmnt. and Controls

Problem Resolvers

Problem Feed-Back, Rerouting and Escalation

Problem Bypass Procedures

Problem Indicators

Console Log, Unexpected Results, Completion Code, Messages and Codes

Job Runbook

Problem Descriptions, Meaning, Actions to be Taken, Possible Causes

Reference Materials

Restart Procedures, Recovery Procedures

Problem Record

Contacts, Escalation, Resolvers, Problem History

Review Problem Reporting and Resolution Procedures

Immediate Actions

Diagnostic Tools: Omegamon, Netview, AF / Operator, OPC / ESA

Follow-on Actions

Users, NCC, OCC, HD

Problem Repository

Job Runbooks

Recovery Techniques and Personnel Involvement

Network Control Center (NCC)

Production Support Staff

Applications Support Staff

Systems Support Staff

Help Desk Staff

Problem Symptoms; Analyze, Circumvent; Document, Report; Capture

Log, Route, Escalate, Track

Resolve

Comm. Support Staff

Tools: Omegamon, Netview.

Operations Control Center (OCC)

Tools: Omegamon, AF / Operator.

Command Center Interactions

Network Control Center (NCC)

Operations Control Center (OCC)

Command Center

SYS 1 - 972: LP1, LP2, LP3 (VM, CPUX, CPUH)

SYS 4 - 972: LP1, LP2, LP3 (CPUF, CPUZ, BKUP)

3745 TCU, 3745 TCU, 3745 TCU

LAN, LAN, LAN, LAN

Communications Environment

Applications Environment

“Providing a centralized control point for application and communications support, the Command Center can recognize problems and activate appropriate recovery teams in response to crisis situations.”

Contingency Recovery Coordinator

Situation Manager

Recovery Team, Recovery Team, Recovery Team

Problem to Recovery Matrix

Problem, Recovery, Activate, Problem Log, Compare, Problem, Help Desk, Status, Route

TCU - Transmission Control Unit

LAN - Local Area Network

LP - LPAR, or Logical Partition

Users

Contingency Recovery Coordinator

Responds to problems classified as “Potential Crisis Situations” by:

• Logging the problem within the Problem Log;

• Comparing the problem to the Recovery Matrix;

• Selecting the appropriate Recovery Plan;

• Activating the Recovery Team identified within the Recovery Plan; and,

• Monitoring recovery operations and reporting on their status to Management.

Situation Manager

Reporting to the Contingency Recovery Coordinator and responsible for monitoring Recovery Team operations and providing assistance through any mechanism at their disposal. When situations become overly complex and a potential crisis can occur, the Situation Manager will take appropriate escalation actions needed to concentrate more resources on the resolution of the problem.

Recovery Teams

Designed to pull expertise together so that specific talents can address problems that require recovery operations, before normal processing can be resumed. Each Recovery Team consists of a Team Manager and Team Members. The organization of a Recovery Team is supplied to the Situation Manager and Contingency Recovery Coordinator. This organizational description includes functional responsibilities and alternate personnel for each of the recovery positions. Recovery Teams may require recovery tools to be utilized as an aid in performing recovery operations.

Contingency Recovery Operations

Command Center

Contingency Recovery Coordinator

Situation Manager

Recovery Team, Recovery Team, Recovery Team

Problem to Recovery Matrix

Recovery, Activate, Problem Log, Compare, Help Desk, Status, Route

OCC, NCC

Systems Management Controls and Workflow

Development, Testing, Maintenance, Quality Assurance, Production Acceptance, Production

Disaster Recovery, Vital Records, Off-Site Vault

Disaster Recovery Facility

Mainframe and Office Recovery

Change Management

Service Level Management, Project Life Cycle, Walk Thru’s, Unit Testing, System Testing, Scenarios, Scripts, Recovery Tests, Regression, Benchmarks, Post Mortem.

Test Validation, Components, Naming, Placement, Functionality, Process.

Batch, On-Line, IT Security, Operations, Recovery, IT Audit.

Project Life Cycle, Component & Release Management, Standards & Procedures, User Guides & Vendor Manuals, Training (CBT & Classroom), etc...

Service Level Reporting, Capacity Management, Performance Management, Problem Management, Inventory Management, Configuration Management.

Service Level Management, Project Life Cycle, Batch and On-Line Management

A Forms Management & Control System, used to originate work requests and track work until completed, will facilitate optimum staff productivity and efficiency.

Standards and Procedures Manual - Structure

i. Table of Contents

ii. Benefits from S&P Manual.

iii. Company Overview.

iv. Division and Department Overview.

v. Compliance Requirements.

vi. Company Organization.

vii. Department Organization.

viii. Job Functions and Descriptions.

ix. Forms Library.

x. Workflow Analysis.

xi. Tools Analysis.

xii. Available Training.

1. Service Level Management

2. Inventory Management

3. Configuration Management

4. Capacity Management

5. Performance Management

6. Application Development

7. Application Maintenance.

8. Application Testing.

9. Quality Assurance.

10. Production Acceptance

11. Production Operations

12. Recovery Management

13. IT Security Management

14. Vital Records Management

15. Change Management

16. Problem Management:

a. Operations Control Center,

b. Network Control Center,

c. Help Desk,

d. Crisis Management,

e. Activating Contingencies,

f. Contingency Command Center.

17. Data Processing Environment.

• Risk Assessment to identify Continuity of Business (COB) exposures and gaps relating to newly adopted Business Recovery requirements.

• Business Impact Analysis requirements definition and risk analysis studies,

• Data Sensitivity studies and evaluations,

• IT Security (Physical and Data) studies and evaluations,

• Vital Records (Vaulting Services) and/or Library Management,

• Business Recovery Documentation evaluation and needs definition,

• Business Recovery Plan (Development, and/or Implementation),

• Disaster Recovery Vendor(s) (Evaluation through Selection),

• Business Recovery Training (Documentation, On-Line, and Class Room),

• Permanent Personnel Recruitment and Placement Services,

• Consulting, Outsourcing, and Temporary Personnel Services.

Business Recovery Services

Overall Project Phases (part 1 of 2)

Sarbanes Oxley IT Audit

Start

I, II, III, IV

Risk Assessment, IT Security, SDLC, Systems Management

CEO, CFO

Design Reports (Section 302)

Review and Approve Reports

Operational Risk Manager (ORM)

Technical Risk Manager (TRM)

Data Sensitivity Study

Access Controls (Userid / Pswd)

Version & Release Management

Backup & Recovery

Development And Maintenance

Testing and Quality Assurance

Production Acceptance

Production Operations

SLA / SLR

Asset Management

Configuration Management

Inventory Management

Vital Records Management

Change Management

Problem Management

Performance Management

Capacity Management

A

Overall Project Phases (part 2 of 2)

Sarbanes Oxley IT Audit

A

V, VI, VII

Recovery

Standards & Procedures

Business Continuity Management

Disaster Recovery Planning

Risk Management

Contingency Planning

Standards Definition

Procedures Creation

Documentation

Forms Management & Control

On-going Support

Training

Section 404 Compliance

Section 409 Compliance

End