Paper-6 Chapter-6: BCP and DRP - ICAI Knowledge Gateway

Business Continuity Planning and Disaster Recovery Planning, Part-3
CA A.Rafeq, FCA

Uploaded by trannguyet, posted 13-Apr-2018 (38 pages)

Page 1

Paper-6 Chapter-6: BCP and DRP

BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY PLANNING

PART-3

CA A.RAFEQ, FCA

Page 2

Learning Objectives

• To know about ‘Business Continuity Plan’.
• To understand the various ‘phases’ of a Business Continuity Plan.
• To know about ‘back-up’ and ‘disaster recovery planning’.
• To have an idea of the ‘audit’ of these plans.

Page 3

Topics Covered

Part-1
6.0 Introduction
6.1 Business Continuity Planning
6.2 Developing a Business Continuity Plan
6.3 Types of Plans

Part-2
6.4 Test Plan
6.5 Threats and Risk Management
6.6 Software and Data Back-up Techniques
6.7 Alternate Processing Facility Arrangements
6.8 Back-up Redundancy

Part-3
6.9 Disaster Recovery Procedural Plan
6.10 Insurance
6.11 Testing Methodology and Checklist
6.12 Audit Tools and Techniques
6.13 Audit of the Disaster Recovery/Business Resumption Plan

Page 4

DRP Testing and Audit (Part-3)

6.9 Disaster Recovery Procedural Plan
6.10 Insurance
6.11 Testing Methodology and Checklist
6.12 Audit Tools and Techniques
6.13 Audit of the Disaster Recovery/Business Resumption Plan

Page 5

6.9 Disaster Recovery Procedural Plan

• Conditions for activating the plans
• Emergency procedures
• Fall-back procedures
• Resumption procedures
• Maintenance schedule
• Awareness and education activities
• Responsibilities of individuals

Page 6

6.9 Disaster Recovery Procedural Plan

• Checklist for inventory
• List of phone numbers of employees
• Emergency phone list
• Medical procedure
• Back-up location
• Insurance papers and claim forms
• Primary computer centre

Page 7

Questions

3. What do you understand by the term Disaster? What procedural plan do you suggest for disaster recovery? (10 Marks) (Nov 2008)

4. (A) Explain the various general components of a Disaster Recovery Plan. (8 Marks) (Nov. 2011)

Page 8

Answer

The term disaster can be defined as an incident which jeopardizes business operations and/or human life. It could be due to sabotage (human) or natural causes. The following is the procedural plan for disaster recovery.

Disaster Recovery Procedural Plan: Normally, the disaster recovery procedural plan is prepared while the system is working normally. After visualizing the disaster, the actions to be taken by different people in the organization are documented.

Page 9

Answer

This recovery and planning document may include the following areas:

i. The conditions for activating the plans, which describe the process to be followed before each plan is activated.

ii. Emergency procedures, which describe the actions to be taken following an incident which jeopardises business operations and/or human life. This should include arrangements for public relations management and for effective liaison with appropriate public authorities, e.g. police, fire services and local government.

Page 10

Answer

iii. Fall-back procedures, which describe the actions to be taken to move essential business activities or support services to alternate temporary locations, to bring business processes back into operation in the required time-scale.

iv. Resumption procedures, which describe the actions to be taken to return to normal business operations.

v. A maintenance schedule, which specifies how and when the plan will be tested, and the process for maintaining the plan.

Page 11

Answer

vi. Awareness and education activities, which are designed to create an understanding of the business continuity process and ensure that the business continues to be effective.

vii. The responsibilities of individuals, describing who is responsible for executing which component of the plan. Alternates should be nominated as required.

viii. Contingency plan document distribution list.

ix. Detailed description of the purpose and scope of the plan.

Page 12

Answer

x. Contingency plan testing and recovery procedure.

xi. List of vendors doing business with the organization, their contact numbers and addresses for emergency purposes.

xii. Checklist for inventory taking and updating the contingency plan on a regular basis.

xiii. List of phone numbers of employees in the event of an emergency.

Page 13

Answer

xiv. Emergency phone list for fire, police, hardware, software, suppliers, customers, back-up location, etc.

xv. Medical procedure to be followed in case of injury.

xvi. Back-up location contractual agreement and correspondence.

xvii. Insurance papers and claim forms.

xviii. Primary computer centre hardware, software, peripheral equipment and software configuration.

Page 14

Answer

xix. Location of data and program files, data dictionary, documentation manuals, source and object codes and back-up media.

xx. Alternate manual procedures to be followed, such as preparation of invoices.

xxi. Names of employees trained for emergency situations, first aid and life-saving techniques.

xxii. Details of airlines, hotels and transport arrangements.

Page 15

6.10 Insurance

Purpose
• To spread the economic cost and the risk of loss from an individual or business to a large number of people.

Policies
• Contracts that obligate the insurer to indemnify the policyholder or some third party from specific risks in return for the payment of a premium.

Resources
• Equipment, facilities, storage media, business interruption, extra expenses, valuable documents, accounts receivable, media transportation, malpractice errors.

Page 16

6.10.1 Kinds of Insurance

First-party Insurance
• Covers claims by the policyholder against their own insurance
• Examples - property damage, business interruption, etc.

Third-party Insurance
• Covers claims made by others against the policyholder and his insurer
• Examples - general liability, errors and omissions, etc.

Page 17

Insurance Policy Coverage

• Equipment
• Facilities
• Storage media
• Business interruption
• Extra expenses
• Valuable papers
• Accounts receivable
• Media transportation
• Malpractice
• Errors

Page 18

6.11 Testing Methodology and Checklist

4 test types:
• Hypothetical - theoretical check
• Component - detailed check
• Module - multiple components check
• Full - interdependency check

Page 19

Testing Process

• Setting objectives
• Defining the boundaries: scenario, test criteria, assumptions, test prerequisites
• Briefing session
• Checklists
• Analysing the test
• Debriefing session

Page 20

Briefing Session Agenda

• Team objectives
• Scenario of disaster
• Time of the test
• Location of each team
• Restrictions on specific teams
• Assumptions of the test
• Prerequisites for each team

Page 21

6.12 Audit Tools and Techniques

• Simulation
• Observations
• Interviews
• Checklists
• Inquiries
• Meetings
• Questionnaires
• Documentation reviews

Page 22

Categories: Audit Tools and Techniques

4 categories:
• Automated Tools
• Internal Control Auditing
• Disaster and Security Checklists
• Penetration Testing

Page 23

Question

What are the audit tools and techniques used by a system auditor to ensure that the disaster recovery plan is in order? Briefly explain them. (5 Marks) (Jun 2009)

Page 24

Answer

The audit tools and techniques used by a system auditor to ensure that the disaster recovery plan is in order are as follows. The best audit tool and technique is a periodic simulation of a disaster. Other audit techniques include observations, interviews, checklists, inquiries, meetings, questionnaires and documentation reviews. These are categorized as follows:

i. Automated tools
ii. Internal Control auditing
iii. Disaster and Security Checklists
iv. Penetration Testing

Page 25

Answer

i. Automated tools: They make it possible to review large computer systems for a variety of flaws in a short time period. They can be used to find threats and vulnerabilities such as weak access controls, weak passwords, and lack of integrity of the system software.

ii. Internal Control auditing: This includes inquiry, observation and testing. The process can detect illegal acts, errors, irregularities or lack of compliance with laws and regulations.

Page 26

Answer

iii. Disaster and Security Checklists: These checklists are used to audit the system. The checklists should be based upon disaster recovery policies and practices, which form the baseline. Checklists can also be used to verify changes to the system from a contingency point of view.

iv. Penetration Testing: It is used to locate vulnerabilities in the system.

Page 27

6.13 Audit of Disaster Recovery/Business Resumption Plan

Check if
• A disaster recovery/business resumption plan exists
• Information backup procedures are sufficient
• A test plan exists
• Resources have been made available to maintain the plans

Obtain & review
• The disaster recovery/business resumption plan
• The test plan
• The existing business impact analysis

Page 28

6.13 Audit of Disaster Recovery/Business Resumption Plan

Understand
• Criteria and guidance in the preparation and evaluation of plans
• Methodology used to develop the existing plans
• Methodology used to develop the existing business impact analysis

Determine if
• Recommendations on business impact analysis have been implemented
• Resources have been allocated to prevent the plans from becoming outdated and ineffective
• Plan is dated each time that it is revised
• Plan has been updated within the past 12 months

Page 29

6.13 Audit of Disaster Recovery/Business Resumption Plan

Review
• Location where the disaster recovery/business resumption plan is stored
• Information backup procedures

Personnel
• Determine their understanding of the plans
• Contact information of key employees
• Provisions for people with special needs
• Provision for replacement staff

Page 30

6.13 Audit of Disaster Recovery/Business Resumption Plan

Building, Utilities and Transportation
• Provision for a building engineer to inspect the building and facilities
• Consider need for alternative shelter
• Review agreements for use of backup facilities
• Adequacy of backup facilities based on projected needs
• Consider the failure of electrical power, natural gas, toxic chemical containers, and pipes
• Building safety features regularly inspected and tested
• Consider the disruption of transportation systems

Page 31

6.13 Audit of Disaster Recovery/Business Resumption Plan

Information Technology
• If the plan reflects the current IT environment
• If the plan includes prioritisation of critical applications and systems
• If the plan includes time requirements for recovery/availability of each critical system
• If the plan includes arrangements for emergency telecommunications
• Plan for alternate means of data transmission if the computer network is interrupted
• If a testing schedule exists and is adequate

Page 32

6.13 Audit of Disaster Recovery/Business Resumption Plan

Administrative Procedures
• Does the plan cover administrative and management aspects in addition to operations
• Is there a designated emergency operations centre
• If the disaster recovery/business resumption plan covers procedures for disaster declaration, general shutdown and migration of operations
• Have essential records been identified
• Are essential records separated from those that will not be needed immediately

Page 33

6.13 Audit of Disaster Recovery/Business Resumption Plan

Other Essentials
• Names and numbers of suppliers of essential equipment and other material
• Provisions for the approval to expend funds that were not budgeted for the period

Executive Management
• Have they assigned the necessary resources for plan development
• Have they concurred with the selection of essential activities and priority for recovery
• Have they agreed to back-up arrangements and the costs involved
• Are they prepared to authorise activation of the plan should the need arise

Page 34

Case Study Question

Question 1 (May 2012)

1. ABC is a leading company in the manufacturing of food items. The company is in the process of automating its various business processes. During this phase, the technical consultant of the company has highlighted the importance of information security and has suggested introducing it right from the beginning.

He has also suggested performing a risk assessment activity and, accordingly, mitigating the assessed risks. For carrying out all these suggestions, various best practices have been followed by the company. In addition, after each activity, compliance with the appropriate standards has been tested to check the quality of each process. Various policies related to business continuity planning and disaster recovery planning have been implemented to ensure three major expectations from the software, namely, resist, tolerate and recover.

Page 35

Case Study Question

Read the above carefully and answer the following:

a) What are the major suggestions given by the technical consultant? How is the company implementing these suggestions? (5 Marks)

b) Discuss risk assessment with the help of the risk analysis framework in brief. (5 Marks)

c) Out of the various types of plans used in business continuity planning, discuss the recovery plan in brief. (5 Marks)

Page 36

Summary

6.9 Disaster Recovery Procedural Plan
6.10 Insurance
6.11 Testing Methodology and Checklist
6.12 Audit Tools and Techniques
6.13 Audit of the Disaster Recovery/Business Resumption Plan

Page 37

Topics Covered

Part-1
6.0 Introduction
6.1 Business Continuity Planning
6.2 Developing a Business Continuity Plan
6.3 Types of Plans

Part-2
6.4 Test Plan
6.5 Threats and Risk Management
6.6 Software and Data Back-up Techniques
6.7 Alternate Processing Facility Arrangements
6.8 Back-up Redundancy

Part-3
6.9 Disaster Recovery Procedural Plan
6.10 Insurance
6.11 Testing Methodology and Checklist
6.12 Audit Tools and Techniques
6.13 Audit of the Disaster Recovery/Business Resumption Plan

Page 38

Thank you!