ISACA - The recognized global leaders in IT governance, control, security and assurance
2009 CISA Review Course
Chapter 6: Business Continuity and Disaster Recovery

Course Agenda
- Learning objectives
- Discuss task and knowledge statements
- Discuss specific topics within the chapter
- Case study
- Sample questions

Exam Relevance
Ensure that the CISA candidate "Understands and can provide assurance that in the event of a disruption the business continuity and disaster recovery processes will ensure the timely resumption of IT services while minimizing the business impact."
The content area in this chapter will represent approximately 14% of the CISA examination (approximately 28 questions).

Chapter 6 Learning Objectives
- Evaluate the adequacy of backup and restore provisions to ensure the availability of information required to resume processing
- Evaluate the organization's disaster recovery plan to ensure that it enables the recovery of IT processing capabilities in the event of a disaster
- Evaluate the organization's business continuity plan to ensure the organization's ability to continue essential business operations during the period of an IT disruption

6.2 Business Continuity / Disaster Recovery Planning
- Business continuity planning (BCP) is a process designed to reduce the organization's business risk
- A BCP is much more than just a plan for the information systems

6.2 Business Continuity / Disaster Recovery Planning (continued)
Corporate risks could cause an organization to suffer:
- Inability to maintain critical customer services
- Damage to market share, reputation or brand
- Failure to protect the company assets, including intellectual properties and personnel
- Business control failure
- Failure to meet legal or regulatory requirements

Practice Question 6-1
During an audit of a large bank, the IS auditor observes that no formal risk assessment exercise has been carried out for the various business applications to arrive at their relative importance and recovery time requirements. The risk to which the bank is exposed is that the:
- business continuity plan may not have been calibrated to the relative risk that disruption of each application poses to the organization.
- business continuity plan may not include all relevant applications and, therefore, may lack completeness in terms of its coverage.
- business impact of a disaster may not have been accurately understood by the management.
- business continuity plan may lack an effective ownership by the business owners of such applications.

Practice Question 6-2
Which of the following is necessary to have FIRST in the development of a business continuity plan?
- Risk-based classification of systems
- Inventory of all assets
- Complete documentation of all disasters
- Availability of hardware and software

Practice Question 6-3
An IS auditor should be involved in:
- observing tests of the disaster recovery plan.
- developing the disaster recovery plan.
- maintaining the disaster recovery plan.
- reviewing the disaster recovery requirements of supplier contracts.

6.2.1 IS Business Continuity / Disaster Recovery Planning
- IS processing is of strategic importance
- Critical component of overall BCP
- Most key business processes depend on the availability of key systems and infrastructure components

6.2.2 Disasters and Other Disruptive Events
- Disasters are disruptions that cause critical information resources to be inoperative for a period of time
- Good BCP will take into account impacts on IS processing facilities

6.2.3 Business Continuity Planning Process
Phases of the business continuity planning process:
- Creation of a business continuity and disaster recovery policy
- Business impact analysis
- Classification of operations and criticality analysis
- Development of a business continuity plan and disaster recovery procedures
- Training and awareness program
- Testing and implementation of plan
- Monitoring

6.2.5 Business Continuity Planning Incident Management
All types of incidents should be categorized:
- Negligible
- Minor
- Major
- Crisis

6.2.6 Business Impact Analysis
- Critical step in developing the business continuity plan
- Three main questions to consider during the BIA phase:
  - What are the different business processes?
  - What are the critical information resources related to an organization's critical business processes?
  - What is the critical recovery time period for information resources in which business processing must be resumed before significant or unacceptable losses are suffered?

6.2.6 Business Impact Analysis (continued)
What is the system's risk ranking?
- Critical
- Vital
- Sensitive
- Non-sensitive

Practice Question 6-4
The window of time for recovery of information processing capabilities is based on the:
- criticality of the processes affected.
- quality of the data to be processed.
- nature of the disaster.
- applications that are mainframe-based.

6.2.7 Recovery Point Objective and Recovery Time Objective
- Recovery Point Objective (RPO)
  - Based on acceptable data loss
  - Indicates the earliest point in time in which it is acceptable to recover the data
- Recovery Time Objective (RTO)
  - Based on acceptable downtime
  - Indicates the earliest point in time at which the business operations must resume after a disaster

6.2.7 Recovery Point Objective and Recovery Time Objective (continued)
Additional parameters important in defining recovery strategies:
- Interruption window
- Service delivery objective (SDO)
- Maximum tolerable outages

Practice Question 6-5
Data mirroring should be implemented as a recovery strategy when:
- recovery point objective (RPO) is low.
- RPO is high.
- recovery time objective (RTO) is high.
- disaster tolerance is high.
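The RPO and RTO definitions above are easier to audit when they are turned into a measurement. The following is an added example (it is not part of the ISACA course material) that reads a constructed backup job log, computes the worst-case data loss exposure it actually provides, and compares it with an RPO; it then adds up the measured durations of a constructed recovery test and compares the total with an RTO. The log format, job names, timestamps, step durations and the 24-hour objectives are all assumptions made for the illustration. The point it shows that the slides do not: a failed backup run extends the data loss window back to the previous successful run, so the scheduled backup interval is not the RPO the organization really has.

```python
"""Check backup evidence against a Recovery Point Objective (RPO) and a
recovery test timeline against a Recovery Time Objective (RTO).

Added example, not part of the ISACA course material. The log format,
objectives and timestamps below are constructed for the illustration.
"""
from datetime import datetime, timedelta

# Constructed backup job log: one line per job, "<finished> <job> <status>".
# A FAILED job leaves no usable restore point, so the window of potential
# data loss stretches back to the previous SUCCESS.
BACKUP_LOG = """\
2024-03-01T02:00 nightly-db SUCCESS
2024-03-02T02:00 nightly-db SUCCESS
2024-03-03T02:00 nightly-db FAILED
2024-03-04T02:00 nightly-db SUCCESS
2024-03-05T02:00 nightly-db FAILED
2024-03-06T02:00 nightly-db FAILED
2024-03-07T02:00 nightly-db SUCCESS
"""


def parse_backup_log(text):
    """Return a list of (finished_at, job, status) tuples, oldest first."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, job, status = line.split()
        entries.append((datetime.fromisoformat(stamp), job, status))
    return sorted(entries)


def worst_case_data_loss(entries):
    """Largest gap between consecutive usable restore points.

    Only SUCCESS entries count; failed runs extend the gap. The result is
    the most data (as a time span) that would be lost if a disaster struck
    just before the next successful backup completed.
    """
    good = [t for t, _, s in entries if s == "SUCCESS"]
    gaps = [b - a for a, b in zip(good, good[1:])]
    return max(gaps) if gaps else None


def data_loss_at(entries, disaster_at):
    """Data lost for a disaster at disaster_at: time since the last SUCCESS before it."""
    good = [t for t, _, s in entries if s == "SUCCESS" and t <= disaster_at]
    return disaster_at - max(good) if good else None


def meets_rpo(entries, rpo):
    """True when the evidence shows worst-case loss within the RPO."""
    loss = worst_case_data_loss(entries)
    return loss is not None and loss <= rpo


# Constructed recovery test timeline: step name and measured duration.
RECOVERY_TEST = [
    ("declare disaster and notify recovery teams", timedelta(hours=1)),
    ("retrieve media from offsite storage", timedelta(hours=4)),
    ("install and test system software at hot site", timedelta(hours=6)),
    ("restore database and reroute network traffic", timedelta(hours=5)),
]


def measured_recovery_time(steps):
    """Total elapsed time of the recovery test, as a timedelta."""
    return sum((d for _, d in steps), timedelta())


def meets_rto(steps, rto):
    """True when the measured recovery time is within the RTO."""
    return measured_recovery_time(steps) <= rto


def assess(entries, steps, rpo, rto):
    """Summarise both objectives the way an auditor would record the finding."""
    loss = worst_case_data_loss(entries)
    return {
        "worst_case_data_loss_hours": None if loss is None else loss / timedelta(hours=1),
        "rpo_met": meets_rpo(entries, rpo),
        "recovery_time_hours": measured_recovery_time(steps) / timedelta(hours=1),
        "rto_met": meets_rto(steps, rto),
    }


if __name__ == "__main__":
    # Objectives constructed for the example: 24 h RPO and 24 h RTO.
    log = parse_backup_log(BACKUP_LOG)
    print(assess(log, RECOVERY_TEST, rpo=timedelta(hours=24), rto=timedelta(hours=24)))
```

With the constructed log, the nightly schedule suggests a 24-hour RPO, but the two consecutive failures leave a 72-hour gap between usable restore points, so the 24-hour RPO is not met while the 16-hour recovery test does meet the 24-hour RTO. That is exactly the gap between a documented objective and the evidence an auditor should look for under "testing of the backup data" in the plan-testing material.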
Practice Question 6-6
When preparing a business continuity plan, which of the following MUST be known to establish a recovery point objective (RPO)?
- The acceptable data loss in case of disruption of operations
- The acceptable downtime in case of disruption of operations
- Types of offsite backup facilities available
- Types of IT platforms supporting critical business functions

6.2.8 Recovery Strategies
- A recovery strategy is a combination of preventive, detective and corrective measures
- The selection of a recovery strategy would depend upon:
  - The criticality of the business process and the applications supporting the processes
  - Cost
  - Time required to recover
  - Security

6.2.8 Recovery Strategies (continued)
Recovery strategies based on the risk level identified for recovery would include developing:
- Hot sites
- Warm sites
- Cold sites
- Duplicate information processing facilities
- Mobile sites
- Reciprocal arrangements with other organizations

6.2.9 Recovery Alternatives
Types of offsite backup facilities:
- Hot sites - Fully equipped facility
- Warm sites - Partially equipped but lacking processing power
- Cold sites - Basic environment
- Duplicate (redundant) information processing facility
- Mobile sites
- Reciprocal agreement
- Contract with hot, warm or cold site
- Procuring alternative hardware facilities

6.2.9 Recovery Alternatives (continued)
Provisions for use of third-party sites should cover:
- Configurations
- Disaster
- Speed of availability
- Subscribers per site and area
- Preference
- Insurance
- Audit
- Reliability

6.2.9 Recovery Alternatives (continued)
Procuring alternative hardware facilities:
- Vendor or third party
- Off-the-shelf
- Credit agreement or emergency credit cards

Practice Question 6-7
An IS auditor discovers that an organization's business continuity plan provides for an alternate processing site that will accommodate 50 percent of the primary processing capability. Based on this, which of the following actions should the IS auditor take?
- Do nothing, because generally, less than 25 percent of all processing is critical to an organization's survival and the backup capacity, therefore, is adequate.
- Identify applications that could be processed at the alternate site and develop manual procedures to back up other processing.
- Ensure that critical applications have been identified and that the alternate site could process all such applications.
- Recommend that the information processing facility arrange for an alternate processing site with the capacity to handle at least 75 percent of normal processing.

6.2.10 Development of Business Continuity and Disaster Recovery Plans
Factors to consider when developing the plans:
- Pre-disaster readiness
- Evacuation procedures
- Circumstances under which a disaster should be declared
- Identification of plan responsibilities
- Identification of contract information
- Recovery option explanations
- Identification of resources for recovery and continued operation of the organization
- Application of the constitution phase

6.2.11 Organization and Assignment of Responsibilities
The emergency management team coordinates the activities of all other recovery teams. This team oversees:
- Retrieving critical and vital data from offsite storage
- Installing and testing systems software and applications at the system recovery site
- Identifying, purchasing and installing hardware at the system recovery site
- Operating from the system recovery site
- Rerouting network communications traffic

6.2.11 Organization and Assignment of Responsibilities (continued)
The emergency management team also oversees:
- Reestablishing the user/system network
- Transporting users to the recovery facility
- Reconstructing databases
- Supplying necessary office goods, i.e., special forms, check stock, paper
- Arranging and paying for employee relocation expenses at the recovery facility
- Coordinating systems use and employee work schedules

6.2.12 Other Issues in Plan Development
- Management and user involvement is vital to the success of BCP
- Essential to the identification of critical systems, recovery times and resources
- Involvement from support services, business operations and information processing support
- Entire organization needs to be considered for BCP

6.2.13 Components of a Business Continuity Plan
A business continuity plan may consist of more than one plan document:
- Continuity of operations plan (COOP)
- Disaster recovery plan (DRP)
- Business resumption plan
- Continuity of support plan / IT contingency plan
- Crisis communications plan
- Incident response plan
- Transportation plan
- Occupant emergency plan (OEP)

6.2.13 Components of a Business Continuity Plan (continued)
Components of the plan:
- Key decision-making personnel
- Backup of required supplies
- Telecommunication networks disaster recovery methods
- Redundant array of inexpensive disks (RAID)
- Insurance

Practice Question 6-8
In a business continuity plan, which of the following notification directories is the MOST important?
- Equipment and supply vendors
- Insurance company agents
- Contract personnel services
- A prioritized contact list

Practice Question 6-9
Which of the following components of a business continuity plan is PRIMARILY the responsibility of an organization's IS department?
- Developing the business continuity plan
- Selecting and approving the strategy for the business continuity plan
- Declaring a disaster
- Restoring the IS systems and data after a disaster

6.2.13 Components of a Business Continuity Plan (continued)
Telecommunication networks disaster recovery methods:
- Redundancy
- Alternative routing
- Diverse routing
- Long-haul network diversity
- Last-mile circuit protection
- Voice recovery

6.2.13 Components of a Business Continuity Plan (continued)
Redundant array of inexpensive disks (RAID):
- Provides performance improvements and fault-tolerant capabilities via hardware or software solutions
- Provides the potential for cost-effective mirroring offsite for data backup

6.2.13 Components of a Business Continuity Plan (continued)
Insurance:
- IS equipment and facilities
- Media (software) reconstruction
- Extra expense
- Business interruption
- Valuable papers and records
- Errors and omissions
- Fidelity coverage
- Media transportation

6.2.14 Plan Testing
- Schedule testing at a time that will minimize disruptions to normal operations
- Test must simulate actual processing conditions
- Test execution:
  - Documentation of results
  - Results analysis
  - Recovery / continuity plan maintenance

Practice Question 6-10
In an audit of a business continuity plan, which of the following findings is of MOST concern?
- There is no insurance for the addition of assets during the year.
- The business continuity plan manual is not updated on a regular basis.
- Testing of the backup data has not been done regularly.
- Records for maintenance of the access system have not been maintained.

6.2.15 Backup and Restoration
- Offsite library controls
- Security and control of offsite facilities
- Media and documentation backup
- Periodic backup procedures
- Frequency of rotation
- Types of media and documentation rotated
- Record keeping for offsite storage
- Business continuity management best practices

6.2.16 Summary of Business Continuity and Disaster Recovery
Business continuity plan must:
- Be based on the long-range IT plan
- Comply with the overall business continuity strategy

6.2.16 Summary of Business Continuity and Disaster Recovery (continued)
Process for developing and maintaining the BCP/DRP:
- Business impact analysis
- Identify and prioritize systems
- Choose appropriate strategies
- Develop the detailed plan for IS facilities
- Develop the detailed BCP
- Test the plans
- Maintain the plans

6.3 Auditing Business Continuity
- Understand and evaluate business continuity strategy
- Evaluate plans for accuracy and adequacy
- Verify plan effectiveness
- Evaluate offsite storage
- Evaluate ability of IS and user personnel to respond effectively
- Ensure plan maintenance is in place
- Evaluate readability of business continuity manuals and procedures

6.3.1 Reviewing the Business Continuity Plan
IS auditors should verify that basic elements of a well-developed plan are evident, including:
- Currency of documents
- Effectiveness of documents
- Interview personnel for appropriateness and completeness

6.3.2 Evaluation of Prior Test Results
IS auditors must review the test results to:
- Determine whether corrective actions are in the plan
- Evaluate thoroughness and accuracy
- Determine problem trends and resolution of problems

6.3.3 Evaluation of Offsite Storage
An IS auditor must:
- Evaluate presence, synchronization and currency of media and documentation
- Perform a detailed inventory review
- Review all documentation
- Evaluate availability of facility

6.3.4 Interviewing Key Personnel
- Key personnel must have an understanding of their responsibilities
- Current detailed documentation must be kept

6.3.5 Evaluation of Security at Offsite Facility
An IS auditor must:
- Evaluate the physical and environmental access controls
- Examine the equipment for current inspection and calibration tags

6.3.6 Reviewing Alternative Processing Contract
- An IS auditor should obtain a copy of the contract with the vendor
- The contract should be reviewed against a number of guidelines:
  - Contract is clear and understandable
  - Organization's agreement with the rules

6.3.7 Reviewing Insurance Coverage
- Insurance coverage must reflect actual cost of recovery
- Coverage of the following must be reviewed for adequacy:
  - Media damage
  - Business interruption
  - Equipment replacement
  - Business continuity processing

Case Study Scenario
- Organization revising BCP and DRP for headquarters (750 employees) and 16 branches (each with 20-35 employees and mail and file / print server)
- Current plans not updated in more than 8 years
- Organization has grown by 300%
- Staff connect via LAN to more than 60 applications, databases and print servers in the corporate data centre
- Staff connect via a frame relay network to the branches
- Traveling users connect over the Internet using VPN
- Critical applications have RTO of 35 days

Case Study Scenario (continued)
All users in the headquarters