In reviewing the organization's business continuity planning process, the IS auditor should look for evidence of a structured process in developing the business continuity plan. The planning process should include identifying and prioritizing resources and systems that are required to maintain continuity of critical business processes and strategies for recovery. Senior management is responsible for ensuring that the plan reduces the organization's risk associated with an unexpected disruption of critical business functions. During the audit, you should review test plans as well as the results of previous tests to ensure the adequacy of the BCP. The BCP should define key personnel and their tasks. Key personnel should have a clear understanding of their tasks and should have detailed documentation on how to perform those tasks.
Evaluating the Organization's Capability to Ensure Business Continuity in the Event of a Business Disruption
As an IS auditor, you should review the BCP for adequacy and currency by reviewing the plans and possibly participating in plan testing or reviewing the results of previous tests. In addition, the IS auditor should review procedures associated with backups to ensure that systems required for critical business processes are included along with storage (onsite and off-site), rotation, and retention procedures. The IS auditor should also review individual team members to ensure that their skill sets are adequate to perform their duties as described in the plan. Team members should have training specific to these duties, and personnel within the organization should be trained on their roles and responsibilities in the event of a disaster. Per ISACA, the audit procedures for BCP review include the following:
The currency and viability of the plan are important, and the IS auditor should ensure that the business continuity coordinator performs regular tests of the plan and updates the plan to mitigate weaknesses discovered during testing. In addition, you will need to ensure that the tests are thorough and performed often enough to incorporate changes in strategy and critical business functions. All contracts associated with the business continuity plan should be included in a regular review, to ensure that response times, capacity, and security procedures are in accordance with the business continuity plan. The purpose of business continuity planning and disaster-recovery planning is to mitigate, or reduce, the risk and impact of a business interruption or disaster.
Evaluating Backup and Recovery Provisions in the Event of a Short-Term Disruption
Business disruptions, as opposed to disasters, can be caused by a variety of internal and external factors, including these:
In addition to the disaster-recovery plan, the IT department should have policies and procedures for backup, storage of backup media (onsite and off-site), defined roles and responsibilities, and recovery. The IS auditor should review the following to ensure that the organization can recover data and applications in the event of a short-term disruption:
Off-site data storage should be kept synchronized when preparing for the recovery of time-sensitive data such as that resulting from transaction processing. In addition, the plan should include procedures for the restoration of hardware, operating systems, applications, and data. The IS auditor should review all contracts associated with hardware, software, or services, to ensure that the service-level agreements are in accordance with recovery times and that specific points of contact for both the third party and the organization are accurate and up-to-date. All contracts associated with hardware replacement should identify response times to get replacement hardware onsite, support levels, and escalation procedures. The IS auditor should review previous tests to ensure that the restoration of applications and data meets the time requirements of the critical business functions. All documents associated with recovery or restoration should be stored off-site and kept up-to-date in the event of a facility failure. Although some business continuity plans focus on the procedures regarding major disasters, the recovery of minor disruptions should not be overlooked during planning. The lack of proper backup and restoration procedures associated with a minor disruption can allow the disruption to escalate to a major disruption that may affect the organization's critical business processes.
Evaluating the Capability to Continue Information System Processing in the Event That the Primary Information-Processing Facilities Are Not Available
The off-site facility should have the same level of access control and security as the originating site. This should include physical access controls such as locked doors and human surveillance. The off-site facility should not be easily identified from the outside (with signs, for example) and should not be subject to the same natural disaster that could affect the originating site.
The organization should have procedures associated with the notification and transportation of personnel and the procurement of the necessary hardware, software, and data. The off-site facility should have the same environmental monitoring and controls of the originating site. Per ISACA, the following questions can be considered in reviewing the off-site facility:
In addition to answering these questions, the IS auditor should review the plan to ensure that there are clear guidelines and responsibilities for the declaration of disaster, the movement to the off-site facility, and the restoration of normal business operations when the disaster is over. Both the facility and the contracts should be tested, reviewed, and updated to meet the needs of the organization. All personnel associated with the BCP, particularly the implementation of the disaster-recovery site, should be trained and should participate in regular testing in the off-site facility.