Understanding and Evaluating Business Continuity Planning, Documentation, Processes, and Maintenance


In reviewing the organization's business continuity planning process, the IS auditor should look for evidence of a structured process in developing the business continuity plan. The planning process should include identifying and prioritizing resources and systems that are required to maintain continuity of critical business processes and strategies for recovery. Senior management is responsible for ensuring that the plan reduces the organization's risk associated with an unexpected disruption of critical business functions. During the audit, you should review test plans as well as the results of previous tests to ensure the adequacy of the BCP. The BCP should define key personnel and their tasks. Key personnel should have a clear understanding of their tasks and should have detailed documentation on how to perform those tasks.

Evaluating the Organization's Capability to Ensure Business Continuity in the Event of a Business Disruption

As an IS auditor, you should review the BCP for adequacy and currency by reviewing the plans and possibly participating in plan testing or reviewing the results of previous tests. In addition, the IS auditor should review procedures associated with backups to ensure that systems required for critical business processes are included along with storage (onsite and off-site), rotation, and retention procedures. The IS auditor should also review individual team members to ensure that their skill sets are adequate to perform their duties as described in the plan. Team members should have training specific to these duties, and personnel within the organization should be trained on their roles and responsibilities in the event of a disaster.

Per ISACA, the audit procedures for BCP review include the following:

  • Obtaining a current copy of the business continuity plan or manual.

  • Sampling the distributed copies of the manual and verifying that they are current.

  • Evaluating the effectiveness of the documented procedures for the initiation of the BCP.

  • Reviewing the identification, priorities, and planned support of critical applications, including PC-based or end-user-developed systems.

  • Determining whether all applications have been reviewed for their level of tolerance in the event of a disaster.

  • Determining whether all critical applications (including PC applications) have been identified.

  • Determining whether the hot site (if required) has the correct versions of all system software. Also, verifying that all the software is compatible; otherwise, the system will not be capable of processing production data during the disaster recovery.

  • Reviewing the list of BCP personnel, emergency alternate site contacts, vendor contacts, and so on for appropriateness and completeness.

  • Calling a sample of the people indicated and verifying that their phone numbers and addresses are correct, as indicated, and that they possess a current copy of the BCP.

  • Interviewing them for an understanding of their assigned responsibilities in a disaster situation.

  • Evaluating the procedures for documenting tests.

  • Evaluating the procedure for updating the manual. Are updates applied and distributed in a timely manner? Are specific responsibilities for maintenance of the manual documented?

The currency and viability of the plan are important, and the IS auditor should ensure that the business continuity coordinator performs regular tests of the plan and updates the plan to mitigate weaknesses discovered during testing. In addition, you will need to ensure that the tests are thorough and performed often enough to incorporate changes in strategy and critical business functions. All contracts associated with the business continuity plan should be included in a regular review, to ensure that response times, capacity, and security procedures are in accordance with the business continuity plan. The purpose of business continuity planning and disaster-recovery planning is to mitigate, or reduce, the risk and impact of a business interruption or disaster.

Evaluating Backup and Recovery Provisions in the Event of a Short-Term Disruption

Business disruptions, as opposed to disasters, can be caused by a variety of internal and external factors, including these:

  • Equipment failure (processors, hard drives, memory, and so on)

  • Service failures (telecommunications outages, power outages, external application failure, and so on)

  • Application or data corruption

In addition to the disaster-recovery plan, the IT department should have policies and procedures for backup, storage of backup media (onsite and off-site), defined roles and responsibilities, and recovery. The IS auditor should review the following to ensure that the organization can recover data and applications in the event of a short-term disruption:

  • Backup procedures: The procedures identify the backup scheme and define responsibilities for implementing backups. The procedures should identify how often (weekly or daily) backups are performed, as well as the type of backup (full, differential, or incremental). In addition, the plan should include a retention and rotation schedule to ensure that critical data is in compliance with internal and external guidelines and that tapes are rotated to reduce the chance of error from overuse.

  • Onsite storage: All storage media should be stored in environmentally controlled facilities and should be secured in a fire-rated safe. Procedures should exist for the inventory of all onsite storage media as well as physical access controls and logging of media check-in and check-out. All storage media should have a record of information regarding the contents, version, and location of data.

  • Off-site storage: The off-site storage facility should have environmental and security controls that equal those of the onsite storage facility. The contract with the off-site facility should contain the points of contact within the organization that have the authority to check storage media in and out of the facility, as well as clearly defined response times for the delivery of storage media in the event of a disaster. An inventory of all storage media at the off-site facility should be maintained and should include the dataset name, the volume serial number, the date created, the accounting period, and the off-site storage bin number.
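An added example, not from the book, of the kind of reconciliation an auditor can run over an off-site media inventory against the backup scheme described above: which volumes a restore to a given date needs, which days of a daily scheme have no media, and which media have outlived their retention period. The inventory records, the PAYROLL dataset, and the function names (restore_chain, schedule_gaps, retention_exceptions) are constructed for this example.

```python
from datetime import date, timedelta

# Constructed sample off-site inventory (not from the book). Each record carries the
# fields the text says the inventory should hold, plus the backup type from the scheme
# (weekly full, daily incremental).
INVENTORY = [
    {"dataset": "PAYROLL", "volser": "V00090", "type": "full", "created": date(2024, 3, 3), "period": "2024-03", "bin": "B02"},
    {"dataset": "PAYROLL", "volser": "V00101", "type": "full", "created": date(2024, 6, 2), "period": "2024-06", "bin": "B17"},
    {"dataset": "PAYROLL", "volser": "V00102", "type": "incremental", "created": date(2024, 6, 3), "period": "2024-06", "bin": "B17"},
    {"dataset": "PAYROLL", "volser": "V00103", "type": "incremental", "created": date(2024, 6, 4), "period": "2024-06", "bin": "B17"},
    # 2024-06-05 is deliberately missing: a gap in the daily schedule the auditor should catch
    {"dataset": "PAYROLL", "volser": "V00105", "type": "incremental", "created": date(2024, 6, 6), "period": "2024-06", "bin": "B18"},
]

def restore_chain(inventory, dataset, target):
    """Volsers needed to restore `dataset` to `target`: the latest full on or before
    target, then every incremental after it (or only the latest differential).
    Returns [] when no full backup precedes the target, i.e. the data is unrecoverable."""
    chain = []
    for rec in sorted(inventory, key=lambda r: r["created"]):
        if rec["dataset"] != dataset or rec["created"] > target:
            continue
        if rec["type"] == "full":
            chain = [rec]                    # a full backup restarts the chain
        elif rec["type"] == "differential":
            chain = chain[:1] + [rec]        # a differential supersedes earlier ones
        elif rec["type"] == "incremental":
            chain.append(rec)                # every incremental since the full is needed
    if not chain or chain[0]["type"] != "full":
        return []
    return [r["volser"] for r in chain]

def schedule_gaps(inventory, dataset, start, end):
    """Days in [start, end] with no media for `dataset`, given a daily backup scheme."""
    have = {r["created"] for r in inventory if r["dataset"] == dataset}
    days = [start + timedelta(days=d) for d in range((end - start).days + 1)]
    return [d for d in days if d not in have]

def retention_exceptions(inventory, as_of, retention_days):
    """Volsers older than the retention period that should already have been rotated out."""
    cutoff = as_of - timedelta(days=retention_days)
    return [r["volser"] for r in inventory if r["created"] < cutoff]

if __name__ == "__main__":
    print(restore_chain(INVENTORY, "PAYROLL", date(2024, 6, 6)))
    print(schedule_gaps(INVENTORY, "PAYROLL", date(2024, 6, 2), date(2024, 6, 6)))
    print(retention_exceptions(INVENTORY, date(2024, 6, 7), 90))
```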


Off-site data storage should be kept synchronized when preparing for the recovery of time-sensitive data such as that resulting from transaction processing.


In addition, the plan should include procedures for the restoration of hardware, operating systems, applications, and data. The IS auditor should review all contracts associated with hardware, software, or services, to ensure that the service-level agreements are in accordance with recovery times and that specific points of contact for both the third party and the organization are accurate and up-to-date. All contracts associated with hardware replacement should identify response times to get replacement hardware onsite, support levels, and escalation procedures. The IS auditor should review previous tests to ensure that the restoration of applications and data meets the time requirements of the critical business functions. All documents associated with recovery or restoration should be stored off-site and kept up-to-date in the event of a facility failure.

Although some business continuity plans focus on the procedures regarding major disasters, the recovery of minor disruptions should not be overlooked during planning. The lack of proper backup and restoration procedures associated with a minor disruption can allow the disruption to escalate to a major disruption that may affect the organization's critical business processes.

Evaluating the Capability to Continue Information System Processing in the Event That the Primary Information-Processing Facilities Are Not Available

The off-site facility should have the same level of access control and security as the originating site. This should include physical access controls such as locked doors and human surveillance. The off-site facility should not be easily identified from the outside (with signs, for example) and should not be subject to the same natural disaster that could affect the originating site. The organization should have procedures associated with the notification and transportation of personnel and the procurement of the necessary hardware, software, and data. The off-site facility should have the same environmental monitoring and controls as the originating site. Per ISACA, the following questions can be considered in reviewing the off-site facility:

  • Does the plan adequately address the movement to the recovery site?

  • Does the plan include the items necessary for the reconstruction of the information-processing facility, such as blueprints, hardware inventory, and wiring diagrams?

  • Does the plan identify rendezvous points for the disaster-management committee or emergency-management team to meet and decide whether business continuity should be initiated?

  • Does the plan address relocation into a new information-processing facility in the event that the original center cannot be restored?

  • Is there adequate documentation to perform a recovery?

  • Does the alternative site contract meet the recovery needs of the organization?

  • Is the contract written and clearly understandable?

  • Does the organization's agreement clearly state the rules that apply to sites shared with other subscribers? The following rules apply to these sites:

    • Ensure that insurance coverage ties in with and covers all (or most) expenses of the disaster

    • Ensure that tests can be performed at the site at regular intervals

    • Review and evaluate communications requirements for the site

    • Ensure that enforceable source code escrow is reviewed by a lawyer specializing in such contracts

    • Determine the limitations on recourse that are tolerable in the event of a breached agreement

In addition to answering these questions, the IS auditor should review the plan to ensure that there are clear guidelines and responsibilities for the declaration of disaster, the movement to the off-site facility, and the restoration of normal business operations when the disaster is over. Both the facility and the contracts should be tested, reviewed, and updated to meet the needs of the organization. All personnel associated with the BCP, particularly the implementation of the disaster-recovery site, should be trained and should participate in regular testing in the off-site facility.



Source: CISA Exam Cram 2 (2005), 146 pages, ISBN: B001EEFNHG
