Stepping Through the Business Continuity Plan Audit
1 Stepping Through the Business Continuity Plan Audit
Doug Menendez, Graybar Electric Company
Presentation to MidAmerica Contingency Planning Forum, February 16, 2012
2 Introduction Whether it is from internal auditors, external auditors or government regulators, sooner or later your contingency plan will come under the scrutiny of an audit. This presentation will assist contingency planning managers in gaining an understanding of the audit approach, how to prepare for an audit, and how to work with the auditors as a team. Emphasis will be placed on data center disaster recovery and which plan components are most likely to be examined by an auditor.
3 Biography Doug Menendez is the Audit Manager for Graybar Electric Company. He has over thirty years of financial, operational and IT auditing experience in a variety of industries. Doug is a Certified Information Systems Auditor (CISA) and a Certified Internal Auditor (CIA). He is also a past-president of the St. Louis Chapters of the Information Systems Audit and Control Association (ISACA) and the Institute of Internal Auditors (IIA). You can contact Doug at (314) , or at: douglas.menendez@graybar.com
4 The Company
Established: 1869
World Headquarters: St. Louis
Background: One of the largest employee-owned companies in North America since 1929. Leading distributor of high-quality electrical, communications and data networking products; specializes in related supply chain management and logistics services. Founded by inventor Elisha Gray and entrepreneur Enos Barton.
Operations: Through its distribution network of nearly 240 North American locations, Graybar stocks and sells hundreds of thousands of items from thousands of manufacturers.
Worldwide Revenue 2010: $4.6 billion
5 Agenda
Why Audit?
Guidelines for Auditors: IIA GTAG, ISACA COBIT
6 Different types of auditors: Internal, External, Regulatory
7 External Audit and SOX controls
General Controls:
Data Center Operations (backup and recovery)
System Software
Access Security
Application Development and Maintenance
8 Audience Survey: Who has NEVER been audited? Does your BCP group work closely with your internal auditors? What has your experience been? Positive or Negative?
9 Internal Audit Overview
10 Internal Audit Reporting Relationships
Board of Directors/Audit Committee
Chief Executive Officer (CEO) and Chairman
Chief Financial Officer (CFO)
Internal, not External
11 Why Audit?
Management tool
Provide INDEPENDENT assessments
Protect corporate assets
Improve internal controls
Help achieve organizational goals
12 Role of Internal Audit
Independence
Objectivity
Direct report to Senior Management
Control Consultants (improve internal controls)
Protect company assets
Confidentiality, Integrity, Availability of data
13 Why am I being audited? Internal I.T. Audit: Risk Assessment, Planning and Scheduling
14 I.T. Audit Risk Assessment
Identify the IT Audit Universe:
New System Development Reviews: Tier 1 list
Existing Application Reviews: currently in production
General Controls (Infrastructure) Reviews: everything else that supports the application, including operating systems, databases, network, and disaster recovery/business continuity planning
15 I.T. Audit Planning and Scheduling
Review Tier 1 plan
Utilize I.T. Audit Risk Assessment Model
Identify any infrastructure changes
Identify I.T. Audit resources available
Allocate resource estimation to each audit
Draft out schedule by quarter
Review with I.T. VPs and AVPs, CIO, CFO
Schedule is confidential
16 Objectives of the 3 Major I.T. Audit Areas
17 I.T. Audit Areas
New Systems Development Reviews: Tier 1 projects
Existing Application Reviews: currently in production
General Controls Reviews: Infrastructure, BCP, etc.
18 Stepping Through a Generic Audit Process
19 Stepping Through the Generic Audit: Planning, Fieldwork, Reporting
20 Audit Planning
Discovery Memo
Kick-off meeting
Preliminary planning process
Develop audit program
Planning Memo: Audit Scope, Objectives, Timelines
What you can do:
Ensure availability of resources
Provide requested documentation in a timely manner
Help identify risks and controls
21 Audit Fieldwork
Complete the audit program
Evaluation
Testing
Gather documentation/evidence
Identify possible recommendations
What you can do:
Ensure availability of resources
Discuss status with auditors
Help identify compensating controls
22 Audit Recommendations
Recommendation (condition/cause)
Business Impact (effect/criteria)
Management Action Plan
Implementation Date
What you can do:
Verify/validate recommendations
Remediate if appropriate
Begin to develop action plan
23 Audit Reporting
Closing Meeting
Draft report
Management responses/action plans/target dates requested in 10 business days
The Final Report: Executive Summary, Audit report, Audit recommendations, Management responses
24 Audit Follow-up
Remediation: Until the condition described in each audit recommendation has changed to reduce risk to an acceptable level, expect:
Periodic Inquiry
Formal Tracking
Management-level reporting
Follow-up Audit: generally done months later
25 Audit Survival Strategies
Accept the validity of the audit as a management tool.
Understand the audit plan and the auditor's approach.
Coordinate your team's response to the audit process.
Use the reporting process to demonstrate your team's strengths.
26 Stepping Through a BCP Audit Process
27 BCP Pre-Audit Steps: Preliminary Survey, Questionnaires, Interviews, Scope Determination
28 BCP Audit Approach/Testing: Inspection/Review, Observation, Participation, Verification
29 Auditing BCP Components
Initiation and Administration
Emergency Preparedness
User Interim Procedures
Back-Up Process
Recovery Procedures
Documentation
Testing & Training
30 Auditing BCP Initiation and Administration
Senior Management Support
Organizational Responsibility and User Involvement
Key Strategies and Assumptions
31 Auditing BCP Emergency Preparedness
Declaration & Evacuation Procedures
Public Relations
Damage Containment, Clean-Up and Salvaging Program
32 Auditing BCP User Interim Procedures
Key Strategies and Assumptions
Security and Audit Trails
33 Auditing BCP Back-Up Process
Data Files
Application and System Software
Hardware and Support Facilities
Logistics Support and Personnel
34 Auditing BCP Recovery Procedures
Data Center Activation
File Recovery Procedures
Start-Up of Critical Systems
35 Auditing BCP Documentation
Distribution and Version Control
Currency
Form, Style and Clarity
Use of Automated Tools
36 Auditing BCP Testing & Training
Exercise Objectives
Roles and Responsibilities
Types of Testing
Plan Maintenance
37 Summary
Audit is a valuable resource; use it to your advantage!
Management Support
User Involvement
Documentation
Testing
38 Institute of Internal Auditors Global Technology Audit Guide (GTAG)
The IT controls guide provides:
Guidance on IT topics impacting the organization's control and audit practices.
Approaches to security, control, auditing, and assurance.
Guidance on compliance with relevant legislation and regulations.
Topical material for CAEs' discussions with executives and management.
Executive summaries addressing concerns of governance and chief-level executives.
Key elements for audit reviews, assessments, and assurance.
39 Institute of Internal Auditors
Website:
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association of more than 170,000 members. Throughout the world, The IIA is recognized as the internal audit profession's leader in certification, education, research, and technical guidance.
Certification: CIA = Certified Internal Auditor
40 Institute of Internal Auditors GTAG-10: Business Continuity Management
Guidance Provided to Internal Auditors
Please let me know if you see any opportunities to improve this GTAG.
41 Objectives
How can business continuity planning help minimize business disruptions?
The components of an effective business continuity plan.
How can a business impact analysis help identify which operations need to be recovered first following a business disruption?
Ways to maximize internal audit's value in business continuity management audit and governance.
42 BCM Basics
Management Support
Risk Assessment and Risk Mitigation
Business Impact Analysis (BIA)
Business Recovery and Continuity Strategy
Awareness and Training
Exercises
Maintenance
43 Crisis Management Planning
Inform the general public, employees, stakeholders, suppliers
Disaster Recovery of IT is a subset of BCM
44 What Key Ingredients are Necessary to Ensure I Have an Effective Plan?
1. Enterprise Priority
2. Support for the Cause
3. Someone to Drive
4. Materials, Labor, and a Blueprint
5. Certification
6. Maintenance
45 Key Challenges
Getting Executive and Stakeholder Support
Funding
Getting all stakeholders to agree on risks and impacts
Getting the business to participate and deliver on time
Performing sufficient testing
Keeping the plan maintained
46 Related Disciplines (all with different timelines): Emergency Response; Crisis Management and Communications; Resumption of Business Functions
47 BCM Lifecycle (diagram; labels recovered from the slide)
Project Initiation and Management
Governance
Compliance Monitoring & Auditing
Risk Assessment
Culture
Training & Awareness Programs
Business Impact Analysis
Business Continuity Strategy
Solutions Deployment and Enhancement
Business Continuity Plan Testing
Continuity Life Cycle phases: Analysis, Design, Execution
48 BIA Pre-requisite: Risk Assessment
Identify potential risks to business: disasters, major disruptions, etc.
Understand likely business impacts: loss of people, operations, facilities, IT; regional impact to suppliers, infrastructure
Ensure Risk Mitigation is deployed
Prevention: safety, maintenance, redundancies
Preparation: response, organizational capabilities, standard processes
49 BIA Overview
Identifying business processes
Determining RTO and RPO based on business impact
Identifying the other parties and physical resources
Obtaining Sponsor and Manager approval of BIA
50 BIA #1: Identifying business processes
Subject Matter Experts participate
Identify major work processes
Combine work processes when they share the same staff, resources, suppliers
Separate work processes when they have different priorities
51 BIA #2: Determining RTO and RPO
Understand type of impact: health/safety, environmental, customer, financial, regulatory/legal, reputational
Identify likely consequences of different recovery times (RTO)
Understand consequences of data loss (RPO)
Discuss likely costs of each RTO and RPO
Select RTO and RPO based on business impact and costs
52 BIA #3: Identifying other parties and resources
Identify resources required to perform process: resources that must be obtained to resume process
Identify other parties required to perform process: other people who must be available to provide input and/or perform work
53 BIA #4: Obtaining Sponsor and Manager approval
Review BIA results with leadership to verify:
All processes were identified
RTO and RPO are appropriate
Critical resources were identified
Next steps and strategies for creating recovery solutions
54 BIA: Business Recovery and Continuity Strategy
Identify recovery alternatives:
Manual work processes
Alternative/out-sourcing
Disaster Recovery for IT
Alternative staffing
Alternative facilities
55 BIA Output is the BCP
Create BCP at individual team level that maintains ownership
Document recovery strategies, BCP solutions, recovery steps
Maintain a log of BCP changes
Link BCP to overall command structure & Crisis Management
56 Disaster Recovery of IT: Data Center, Applications and data, Servers, Networks, Infrastructure
57 Recovery Solutions/Sites: Hot recovery, Warm recovery, Cold recovery, No recovery plan
58 Awareness and Training: Sponsors, Managers, Coordinators, Consultants, Staff
59 Maintenance. Changes in: Business priorities, People, Processes, Technology
60 Exercise (not a test): Frequency; Various threat scenarios; Track issues and correct
61 Crisis Management: Crisis communications; Coordination with External Agencies; Emergency response
62 The role of Internal Audit Does Sr. Management understand the current business continuity risk level? Can the organization prove the business continuity risks are mitigated to an acceptable level? If an unacceptable business continuity risk exists, but Sr. Management has decided to assume the risk, is the Board and other key partners aware? Has the decision to accept the risk been properly documented?
63 Maximize IA value in BCP process
Work in a collaborative manner with the client
Understand BCP and Management Objectives
Understand the scope of Business Continuity
Approach from a process perspective, as opposed to a documentation review
Focus on the entire BCM life-cycle, ranging from standards assessments through plan testing
Brainstorm ideas for improvement
Engage the Business Continuity Coordinator
64 Information Systems Audit and Control Association (ISACA) A nonprofit, independent membership association, ISACA is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance, control and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969 as the EDP Auditors Association, ISACA helps its members and their employers ensure trust in, and value from, information systems. ISACA has more than 95,000 constituents in more than 160 countries in Asia, Latin America, Europe, Africa, North America and Oceania. Its members include internal and external auditors, CEOs, CFOs, CIOs, educators, information security and control professionals, business managers, students, and IT consultants. Certification: CISA Certified Information Systems Auditor
65 COBIT COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.
66 COBIT DS4 Ensure Continuous Service
Guidance provided to IT Auditors
Please let me know if you see any opportunities to improve this COBIT section.
67 DS4 Control Objectives
4.1 IT Continuity Framework
4.2 IT Continuity Plans
4.3 Critical IT Resources
4.4 Maintenance of the IT Continuity Plan
4.5 Testing
4.6 Training
4.7 Distribution
4.8 IT Services Recovery and Resumption
4.9 Offsite Backup Storage
4.10 Post-resumption Review
68 DS 4.1 IT Continuity Framework Control Objective: Develop a framework for IT continuity to support enterprise-wide business continuity management using a consistent process.
69 DS 4.2 Continuity Plans Control Objective: Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes.
70 DS 4.3 Critical IT Resources Control Objective: Focus attention on items specified as most critical in the IT continuity plan to build in resilience and establish priorities in recovery situations.
71 DS 4.4 Maintenance of the IT Continuity Plan Control Objective: Encourage IT Management to define and execute change control procedures to ensure that the IT continuity plan is kept up to date and continually reflects actual business requirements.
72 DS 4.5 Testing of the IT Continuity Plan Control Objective: Test the IT continuity plan on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant.
73 DS 4.6 IT Continuity Plan Training Control Objective: Provide all concerned parties with regular training sessions regarding the procedures and their roles and responsibilities in case of an incident or disaster.
74 DS 4.7 Distribution of the IT Continuity Plan Control Objective: Determine that a defined and managed distribution strategy exists to ensure that plans are properly and securely distributed and available to appropriately authorized interested parties when and where needed.
75 DS 4.8 IT Services Recovery and Resumption Control Objective: Plan the actions to be taken for the period when IT is recovering and resuming services.
76 DS 4.9 Offsite Backup Storage Control Objective: Store offsite all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity plans.
77 DS 4.10 Post-resumption Review Control Objective: Determine whether IT management has established procedures for assessing the adequacy of the plan in regard to the successful resumption of the IT function after a disaster, and update the plan accordingly.
78 Conclusion
Make auditors part of the team
Communicate
Seek the auditor's help
Let the auditors in
Make the auditing process part of the BCP routine
79 QUESTIONS?
More informationBest Practices in Developing an IT Disaster Recovery Plan. Vijaykumar Kulkarni AGM Product Management
Best Practices in Developing an IT Disaster Recovery Plan Vijaykumar Kulkarni AGM Product Management PRESENTER PROFILE Vijaykumar Kulkarni Assistant General Manager - Product Management in Netmagic Solutions,
More informationDISASTER RECOVERY/ BUSINESS CONTINUITY AUDITING: A CASE STUDY
1 DISASTER RECOVERY/ BUSINESS CONTINUITY AUDITING: A CASE STUDY WAYNE PURVES DIRECTOR CHRISTA VOIE IT AUDITOR MULTICARE HEALTH SYSTEM TACOMA, WA AHIA 32 nd Annual Conference August 25-28, 2013 Chicago,
More informationPlease feel free to call on our organizations if we can be of assistance in any way on further deliberations, task forces or committees.
17 May 2012 International Internal Audit Standards Board Via e-mail: Lily.Bi@theiia.org Re: Definition of Internal Auditing Ms. Lily Bi, CIA, CISA, CGEIT Director, Standards and Guidance The Institute
More informationBy: Tracy Hall. Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level. June 9, 2015
Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level June 9, 2015 By: Tracy Hall MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company,
More informationBusiness Continuity in Healthcare
Business Continuity in Healthcare Cynthia Simeone, CBCP, PMP Director Business Resilience Catholic Health Initiatives Scott Ream President Virtual Corporation 1 Session Speakers Cynthia Simeone, CBCP,
More informationHow To Prepare For A Disaster
Building an effective Tabletop Exercise Presented by: Ken M. Shaurette, CISSP, CISA, CISM, CRISC FIPCO Director IT Services 3/26/2013 #1 Continuity Plan Testing Flowchart 3/26/2013 #2 1 Ongoing Multi-Year
More informationChapter 3: Audit of business Continuity plan... 3 Learning Objectives... 3 3.1 Introduction... 3 3.2 Steps of BCP Process... 3 3.2.
Chapter 3: Audit of business Continuity plan... 3 Learning Objectives... 3 3.1 Introduction... 3 3.2 Steps of BCP Process... 3 3.2.1 Step 1: Identifying the mission or business-critical functions... 4
More informationThe Commonwealth of Massachusetts
A. JOSEPH DeNUCCI AUDITOR The Commonwealth of Massachusetts AUDITOR OF THE COMMONWEALTH ONE ASHBURTON PLACE, ROOM 1819 BOSTON, MASSACHUSETTS 02108 TEL. (617) 727-6200 No. 2008-1308-4T OFFICE OF THE STATE
More informationBusiness Continuity Management
Business Continuity Management Standard Operating Procedure Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not
More informationStepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM
Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and
More informationSupporting information technology risk management
IBM Global Technology Services Thought Leadership White Paper October 2011 Supporting information technology risk management It takes an entire organization 2 Supporting information technology risk management
More informationHOW CAN YOU ENSURE BUSINESS CONTINUITY? ISO 22301 AUDITS, CERTIFICATION AND TRAINING
HOW CAN YOU ENSURE BUSINESS CONTINUITY? ISO 22301 AUDITS, CERTIFICATION AND TRAINING ISO 22301 BUSINESS CONTINUITY MANAGEMENT SYSTEMS Most organisations will, at some point, be faced with having to respond
More informationAligning Disaster Recovery and Business Continuity to Business Objectives. Session E7 John Jackson Fusion Risk Management, Inc.
Aligning Disaster Recovery and Business Continuity to Business Objectives Session E7 John Jackson Fusion Risk Management, Inc. Topics Business Drivers Resilience Defined Your RPO is zero (or close to it!)
More informationOFFICE OF AUDITS & ADVISORY SERVICES IT DISASTER RECOVERY AUDIT FINAL REPORT
County of San Diego Auditor and Controller OFFICE OF AUDITS & ADVISORY SERVICES IT DISASTER RECOVERY AUDIT FINAL REPORT Chief of Audits: Juan R. Perez Audit Manager: Lynne Prizzia, CISA, CRISC Senior Auditor:
More informationBusiness Continuity Standards A Primer
INTELLIGENT NOTIFICATION Alphabet Soup: Making Sense of BC/DR Standards Part 1: Business Continuity Standards A Primer Why all the attention now? One of the hottest topics in BC/DR these days is standards.
More informationFINAL AUDIT REPORT WITH RECOMENDATIONS Information Technology No. 11-001
FINAL AUDIT REPORT WITH RECOMENDATIONS Information Technology No. 11-001 SUBJECT: Review of Emergency Plans DATE: September 24, 2010 for Critical Information Technology Operations and Financial Systems
More informationTemple university. Auditing a business continuity management BCM. November, 2015
Temple university Auditing a business continuity management BCM November, 2015 Auditing BCM Agenda 1. Introduction 2. Definitions 3. Standards 4. BCM key elements IT Governance class - IT audit program
More informationDeveloping National Frameworks & Engaging the Private Sector
www.pwc.com Developing National Frameworks & Engaging the Private Sector Focus on Information/Cyber Security Risk Management American Red Cross Disaster Preparedness Summit Chicago, IL September 19, 2012
More informationAudit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland
Audit Report Effectiveness of IT Controls at the Global Fund Follow-up report GF-OIG-15-20b Geneva, Switzerland Table of Contents I. Background and scope... 3 II. Executive Summary... 4 III. Status of
More informationPPSADOPTED: OCT. 2012 BACKGROUND POLICY STATEMENT PHYSICAL FACILITIES. PROFESSIONAL PRACTICE STATEMENT Developing a Business Continuity Plan
PROFESSIONAL PRACTICE STATEMENT Developing a Business Continuity Plan OCT. 2012 PPSADOPTED: What is a professional practice statement? Professional Practice developed by the Association Forum of Chicagoland
More informationVirginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Business Continuity Management Standard for IT Systems This standard is applicable to all VCU School of Medicine
More informationGovernance and Management of Information Security
Governance and Management of Information Security Øivind Høiem, CISA CRISC Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector secretary for information
More informationBusiness continuity management policy
Business continuity management policy health.wa.gov.au Effective: XXX Title: Business continuity management policy 1. Purpose All public sector bodies are required to establish, maintain and review business
More informationBUSINESS CONTINUITY MANAGEMENT POLICY
This document is uncontrolled once printed. Please check on the CCG s Intranet site for the most up to date version BUSINESS CONTINUITY MANAGEMENT POLICY DOCUMENT CONTROL Type of Document Document Title
More informationAssessing & Managing IT Risks: Using ISACA's CobiT & Risk IT Frameworks
Assessing & Managing IT Risks: Using ISACA's CobiT & Risk IT Frameworks 2ο InfoCom Security Conference Anestis Demopoulos, Vice President ISACA Athens Chapter, & Senior Manager, Advisory Services, Ernst
More informationwww.td.com.au Business Continuity - IT Disaster Recovery Discussion Paper - - Commercial in Confidence Version V2.0R Wednesday, 5 September 2012
Business Continuity - IT Disaster Recovery Discussion Paper - - Version V2.0R Wednesday, 5 September 2012 Commercial in Confidence Melbourne Sydney 79-81 Coppin St Level 2 Richmond VIC 3121 414 Kent St
More informationBUSINESS CONTINUITY MANAGEMENT GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS
BUSINESS CONTINUITY MANAGEMENT GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS DIRECTORATE OF BANKING SUPERVISION AUGUST 2009 TABLE OF CONTENTS PAGE 1.0 INTRODUCTION..3 1.1 Background...3 1.2 Citation...3
More information9/3/2009. Information Systems Disaster Recovery. Learning Objectives. Why have a plan? unexpected? APPA-Institute for Facilities Management
Information Systems Disaster Recovery APPA-Institute for Facilities Management J. Craig Klimczak, D.V.M., M.S. Vice-Chancellor for Technology St. Louis Community College 300 South Broadway St. Louis, MO
More informationAssessing Your Disaster. Andrews Hooper Pavlik PLC. Andrews Hooper Pavlik PLC
Assessing Your Disaster Recovery Plans Gregory H. Soule, CPA, CISA, CISSP, CFE Andrews Hooper Pavlik PLC Andrews Hooper Pavlik PLC Agenda Business Continuity Concepts Impact Analysis Risk Assessment Risk
More informationBusiness Continuity Planning
Business Continuity Planning We believe all organisations recognise the importance of having a Business Continuity Plan, however we understand that it can be difficult to know where to start. That s why
More informationNIST SP 800-34, Revision 1 Contingency Planning Guide for Federal Information Systems
NIST SP 800-34, Revision 1 Contingency Planning Guide for Federal Information Systems Marianne Swanson NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Table Of Contents Introduction to NIST SP 800-34
More informationBusiness Continuity Management Governance. Frank Higgins Abu Dhabi March 2015
Business Continuity Management Governance Frank Higgins Abu Dhabi March 2015 Different Names Same Concept BCM (Business Continuity Management) BSI 25999 IPOCM (Incident Preparedness & Operational Continuity
More information3/17/2015. Healthcare Technology Audit Basics. Session Objectives. Jennifer McGill, CIA, CISA, CGEIT April 20, 2015
Healthcare Technology Audit Basics Jennifer McGill, CIA, CISA, CGEIT April 20, 2015 Session Objectives Review information technology basic concepts. Use real world examples to identify and understand healthcare
More informationHealthcare Technology Audit Basics. Session Objectives
Healthcare Technology Audit Basics Jennifer McGill, CIA, CISA, CGEIT April 20, 2015 Session Objectives Review information technology basic concepts. Use real world examples to identify and understand healthcare
More informationAudit of Physical Security Management
Audit of Physical Security Management Natural Sciences and Engineering Research Council of Canada Social Sciences and Humanities Research Council Approved by the President on March 18, 2015 1 Her Majesty
More informationNEEDS BASED PLANNING FOR IT DISASTER RECOVERY
The Define/Align/Approve Reference Series NEEDS BASED PLANNING FOR IT DISASTER RECOVERY Disaster recovery planning is essential it s also expensive. That s why every step taken and dollar spent must be
More informationDisaster Recovery. Hendry Taylor Tayori Limited
Disaster Recovery Hendry Taylor Tayori Limited Agenda What is Business Continuity planning (BCP) What is Disaster Recovery (DR) and Disaster Recovery Planning (DRP) Overview Lifecycle Analysis Plan design
More informationInternal Audit Quality Assessment. Presented To: World Intellectual Property Organization
Internal Audit Quality Assessment Presented To: World Intellectual Property Organization April 2014 Table of Contents List of Acronyms 3 Page Executive Summary Opinion as to Conformance to the Standards,
More informationBusiness Continuity Policy and Business Continuity Management System
Business Continuity Policy and Business Continuity Management System Summary: This policy sets out the structure for ensuring that the PCT has effective Business Continuity Plans in place in order to maintain
More information