The Role of Internal Audit In Business Continuity Planning

Size: px
Start display at page:

Download "The Role of Internal Audit In Business Continuity Planning"

Transcription

1 The Role of Internal Audit In Business Continuity Planning Dan Bailey, MBCP Page 0

2 Introduction Dan Bailey, MBCP Senior Manager Protiviti Inc. Actively involved in the Information Technology industry since 1984 Actively involved in the Business Continuity industry since 1991 Received CBCP designation in 1999; MBCP designation in 2002 Co-Founder of the Arkansas chapter of the Association of Contingency Planners 2002 President of the North Texas chapter of the Association of Contingency Planners DRI International Certification Commissioner DRI International Vice-Chair of the newly established Education Commission Page 1

3 Agenda Establishing A Framework Internal Audit Adding Value to the BCP Process Information Available to the Internal Auditor Proven Approaches to Conducting a BCP Audit SOX Section 404? Wrap-up and Summary By 2008, we believe more than 50% of the G2000 will have robust and tested BC plans, with the remainder attempting to enhance their capabilities beyond rudimentary BC and disaster recovery through META Group (February 2003) Page 2

4 Section I Establishing A Framework Page 3

5 Business Continuity Management Defined the development of strategies, plans and actions which provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the enterprise. BCM = Crisis Management + Business Resumption Planning + IT Disaster Recovery Planning Page 4

6 Components of A Business Continuity Process Business Strategies & Policies Business & Risk Management Processes People & Organizational Structure Management Reports Methodologies Systems & Data Contract Terms and Conditions with Suppliers Customer Service Level Agreements Governance Documentation - Process Accountability - Recurring Activities - Documentation Standards - Strategy Testing - Training & Awareness - Plan Maintenance - Succession plans Emergency Response Crisis Mgmt Crisis Communications Business Resumption Planning IT DR Planning Business Impact Analysis Risk Assessment Business Continuity Strategy Testing Training & Awareness Supplier Risk Mgmt Audit Committee Oversight Executive Mgmt Sponsorship Business Continuity Coordinator Crisis Mgmt Team Business Recovery Coordinators IT DR Coordinators Recovery Teams Internal Audit Oversight Industry / Governmental Oversight Risk Assessment Conclusions (Likelihood and Vulnerability) Business Impact Analysis Conclusions (Recovery Objectives) Strategy Design Options Strategy Cost- Benefit Analysis Strategy Test Results Diagnostic and Benchmarking Conclusions Business Continuity Governance Design and Data Gathering Risk Assessment Business Impact Analysis Strategy Design Plan Documentation Plan Validation Knowledge Transfer / Implementation Documentation Repository Plan Documentation Software Risk Assessment Conclusions Business Impact Analysis Conclusions Backup / Replication Software (IT DR Only) IT Hardware Page 5

7 The Continuity Life Cycle Compliance Monitoring & Auditing Training & Awareness Programs Business Continuity Plan Testing Project Initiation And Management Continuity Life Cycle Solutions Deployment & Plan Documentation Risk Assessment Business Impact Analysis Business Continuity Strategy Design Typical Participants in the Planning Process: Executive Sponsor Steering Committee Business Continuity Coordinator Business Process Owners Information Technology Human Resources Facilities Security EHS Legal Corporate Communications Risk Management Internal Audit? Page 6

8 BCM Capability Maturity Continuum The BCP Maturity Continuum Optimizing Characteristics of Capability Business continuity management is a competitive advantage. Management advertises the existence of the business continuity process internally and externally with customers. Continuity-related service level agreements, associated with uptime, performance and continuity, are utilized to drive efficiencies internally and build strategic relationships with customers. Method of Achievement Comprehensive, organization-wide business continuity strategies are aligned with strategic objectives and customer expectations. BCM operates as a core business function, chartered with clear accountability and responsibility. Regular BCP testing and maintenance occurs. Personnel are well trained regarding their roles and responsibilities. Metrics are collected and managed to ensure continuity-related service level agreements are met. Process Maturity Managed Defined Repeatable In addition to a customer focus and the desire to minimize financial loss and reputation impairment, management addresses regulatory compliance through the design of solutions with characteristics mandated by industry and governmental organizations. Specific compliance categories include data protection, financial reporting process continuity, strategy testing and plan maintenance processes. Business functions and IT assets supporting the delivery of products and services, as well as customer service, are protected from long-term business interruptions. Customer expectations regarding product and service delivery have been taken into account. Testing and training limitations may result in isolated recovery issues, often taking the form of recovery capacity constraints and missed recovery objectives. Management relies on untested or under-tested continuity-related processes to manage the effects of business interruptions. IT asset recovery is often the most mature aspect of the continuity process, although some organizations emphasize either crisis management or business resumption planning. Employees have limited knowledge regarding their roles during recovery, potentially impacting the likelihood of a successful response effort. Business continuity strategies address core business functions, information technology assets and supply chain relationships. Management fully supports this effort. The organization s business continuity management process, to include crisis management, crisis communications, business resumption planning and IT disaster recovery planning, operates as a single function. The BCM process reflects the current business and technology environment. A formal business continuity strategy has been designed and deployed. A risk assessment has been performed to identify and assess continuity risks. A business impact analysis (BIA) has been performed, but there are no processes to keep it current. Testing is infrequent or fails to address all aspects of the continuity process. Plan maintenance activities have not occurred in over twelve months. Metrics for key BCP tasks require refinement. The organization s business continuity strategy addresses crisis management, business resumption or IT disaster recovery. Continuity processes are designed and developed separately and lack integration. A high-level risk assessment and/or business impact analysis has been performed. Although some continuityrelated processes exist, plan maintenance and testing procedures have not been implemented. Ad Hoc Significant risk of continuity-related impacts are present. Business interruptions, ranging from isolated infrastructure failures through regional events, have the potential to cause serious financial harm and/or reputational impairment. The organization relies on force majeure clauses to minimize contractual violations. BCP goals and expectations were derived without a risk assessment or business impact analysis. Business continuity strategies are characterized as ad hoc; a formal documented plan does not exist. Business continuity accountability and responsibility remain unassigned. Business continuity testing and training and awareness processes have not been designed. The organization lacks confidence in its ability to survive following a business interruption Protiviti Inc.

9 Managing Business Continuity Effectiveness Finance Direct Report to CFO Risk Management / Loss Prevention Executive Council Legal Human Resources Corporate Communications Operations Direct Report to the COO EHS Security Information Technology Internal Audit Page 8

10 Section II Internal Audit Adding Value to the BCP Process Page 9

11 In the Past, The Internal Auditor Asked if a plan was in place Reviewed the (IT Disaster Recovery) plan for currency, if they were truly IT Auditors Asked if tests were performed; didn t review the results Occasionally owned the BCP process! Page 10

12 The Continuity Life Cycle - Revisited Compliance Monitoring & Auditing Training & Awareness Programs Business Continuity Plan Testing Project Initiation And Management Continuity Life Cycle Solutions Deployment & Plan Documentation Risk Assessment Business Impact Analysis Business Continuity Strategy Design Ways In Which the Internal Auditor Can Add Value to the BCP Process: Keeping Management Informed on Progress Toward BCM Development and Implementation The Internal Sales Person Making the Case for Business Continuity Participation in the Risk Assessment and Business Impact Analysis Defining Key Business Functions By Assisting with the BIA Defining Key Controls and Guide Toward a Process, not a Plan Project Management Standards Help Craft Maturity Levels and Definitions Audit the BCP Process Initially and in the Future Page 11

13 Section III Information Available to the Internal Auditor Page 12

14 Guidance from the IIA Practice Advisory : Internal Audit s Role in the Business Continuity Process Business Continuity Management Auditors should evaluate business continuity readiness Internal audit should assess the organization's business continuity process on a regular basis provide preparedness summary to senior management Internal auditors can play a role in the organization s planning, to include the risk assessment Internal audit activity can help with an assessment of an organization's internal and external environment Evaluate the BCP/DRP during formulation Internal auditors have a thorough understanding of the business, the individual functions and interdependent relationships Page 13

15 Guidance from the IIA (cont.) Practice Advisory : Internal Audit s Role in the Business Continuity Process Business Continuity Management Review the proposed business continuity and disaster recovery plans for design, completeness, and overall adequacy During that recovery period: Internal audit should monitor the effectiveness of the recovery and control of operations Recommend improvements to the BCP Internal audit can also provide support during the recovery activities internal auditors can assist in identifying the lessons learned from the disaster and the recovery operations Periodically audit the organization's BCPs/DRPs Adequacy to ensure the timely resumption of operations and processes after adverse circumstances Reflects the current business operating environment Page 14

16 Guidance from the IIA (cont.) Practice Advisory : Internal Audit s Role in the Business Continuity Process Business Continuity Management During the audit, Internal Audit should consider: Are all plans up to date? Are all critical business functions and systems covered? Are the plans based on the risks and potential consequences of business interruptions? Are the plans fully documented? Have functional responsibilities been assigned? Is the organization capable of and prepared to implement the plans? Are the plans tested and revised based on the results? Are the plans stored properly and safely? Is the storage location known? Are the locations of alternate facilities (backup sites) known to employees? Do the plans call for coordination with local emergency services? Page 15

17 Regulations and Standards Regulatory Requirements Sarbanes Oxley (Governance) FEMA FERC JCAHO HIPAA GLBA FFIEC (Updated) OSHA SEC NYSE / NASD State Insurance Departments USA PATRIOT Act IRS Australian/New Zealand Standard AS/NZS 4360:1999 California 1386 BASEL II Public Utility Commissions FCC Standards and Guidelines COBIT FFIEC NIST ISO 9000 & 14000, QS 9000 ISO NFPA 1600 DRI International BCI PAS 56 ITIL Homeland Security COSO Page 16

18 Section IV Proven Approaches to Conducting a BCP Audit Page 17

19 Why Conduct a BCP Audit? Business Continuity Management Provide Management Assurance Identify Control Gaps Regulatory Compliance Identify Actions to Enhance Maturity Ensure Business Process Owners are Accountable for Their Plans and Testing Page 18

20 A Proven Practice BCP Audit Approach Work in a Collaborative Manner (Advise/Teach) Understand the History of BCP, Management Objectives and the Level of Maturity Up Front Understand the Scope of Business Continuity Approach From a Process Perspective, as Opposed to a Documentation Review Look for and assess key success factors such as repeatability, extensibility and maintainability Focus on the Entire BCM Life-cycle, Ranging from Standards Assessments Through Plan Testing Brainstorm Ideas for Improvement Engage the Business Continuity Coordinator Page 19

21 Executing A Process Oriented BCP Audit A Comprehensive Business Continuity Management Process Includes: Crisis Management Crisis Communications Business Resumption Planning IT Disaster Recovery Planning Evaluate the Following: Standards, Policies and Procedures Relationships with External Agencies and Authorities Training and Awareness Materials Budgetary Documentation Documented plans Recovery Location / Hot-site Contracts Test Results Service Level Agreements Regulatory Requirements Supply Chain / Vendors Network Page 20

22 The Assessment Approach The Approach Confirm Assessment Expectations / Collect Business Requirements Evaluate the Business Continuity Process Process Management Risk Assessment and Business Impact Analysis Define Recovery Strategies and Business Continuity Procedures Training and Awareness, Plan Testing Process, Auditing and Plan Maintenance Collect Benchmarking Data to Reinforce Findings Validate, Present and Report Page 21

23 Industry Benchmarking Data Nothing Reinforces a Recommendation Like Benchmarking Data Same Industry Same Size Company We maintain information in the following areas: BCM Process Description and Scope Who Owns the BCM Process Budgetary Data Number of Personnel Addressing Business Continuity Recovery Objectives (Business and IT) Benchmarking Data Is Available Through Third-party Specialists, Vendors and Informal Contacts (Like This Session) Page 22

24 Participants in the BCP Audit Business Continuity Management In addition to a review of documentation, we recommend discussions with Business Continuity Management owners, as well as the Business Process owners whom they support (In order to better understand their expectations) Page 23

25 Presenting the Findings Business Continuity Management Reinforce Scope and Focus Focus on Process Maturity Highlight Strengths and Weaknesses Tie Findings to Business Impact, to Include Regulatory Compliance Provide Action Items and Recommend Points of Contact for Each Offer to Track Completion of Each Finding / Action Item Next Steps What Will Next Year s Audit Focus On? Page 24

26 Section V Sarbanes Oxley? Page 25

27 Internal Audit and SOX Section 404? Furthermore, management s plans that could potentially affect financial reporting in future periods are not controls. For example, a company s business continuity or contingency planning has no effect on the company s current abilities to initiate, authorize, record, process, or report financial data. Therefore, a company s business continuity or contingency planning is not part of internal control over financial reporting. PCAOB Release No , March 9, 2004 Section 404 had become a driver for conducting some audits Standard may change audit priority Business continuity will remain a key business issue regardless of Section 404 scope Page 26

28 Section V Presentation Summary Page 27

29 Wrap-up and Summary Business Continuity Management Establishing A Framework What is Business Continuity? Components of a Business Continuity Process The Business Continuity Life Cycle The BCP Maturity Continuum Internal Audit Adding Value to the BCP Process In the Past Today: Revisiting the Continuity Life Cycle Information Available to the Internal Auditor Regulations and Standards Proven Approaches to Conducting a BCP Audit Why Conduct An Audit? Proven Practice Audit Approaches Executing A Process Oriented BCP Audit Participants in the BCP Audit Industry Benchmarking Presenting Findings Wrap-up and Summary Page 28

30 Questions & Answers Page 29

31 Contact Information Dan Bailey, MBCP Protiviti Inc. Senior Manager National Leadership Team - Business Continuity Management Services dan.bailey@protiviti.com (office) (mobile) Page 30

The Business Continuity Maturity Continuum

The Business Continuity Maturity Continuum The Business Continuity Maturity Continuum Nick Benvenuto & Brian Zawada Protiviti Inc. 2004 Protiviti Inc. EOE Agenda Terminology Risk Management Infrastructure Discussion A Proposed Continuity Maturity

More information

Business Continuity Management 101. Patrick Potter, CBCP MHA Consulting ISACA November 19, 2009

Business Continuity Management 101. Patrick Potter, CBCP MHA Consulting ISACA November 19, 2009 Business Continuity Management 101 Patrick Potter, CBCP MHA Consulting ISACA November 19, 2009 1 Who is MHA Consulting Who We Are What We Do Leading boutique consulting firm since 1998 Provider of consulting

More information

MHA Consulting. Business Continuity Management 101

MHA Consulting. Business Continuity Management 101 0 MHA Consulting Business Continuity Management 101 Presented by: Michael Herrera Brandon Magestro MHA Consulting Agenda MHA Consulting Introduction Business Continuity Management (BCM) Defined 2013 Trends

More information

Business Continuity Trends and Risk Considerations Financial Executives International Portland Chapter June 12 2013

Business Continuity Trends and Risk Considerations Financial Executives International Portland Chapter June 12 2013 Business Continuity Trends and Risk Considerations Financial Executives International Portland Chapter June 12 2013 Chitra Gopalakrishnan Director KPMG LLP Agenda Introduction Business Continuity / Disaster

More information

Regulatory Requirements for Disaster Recovery/Business Continuity Programs

Regulatory Requirements for Disaster Recovery/Business Continuity Programs Regulatory Requirements for Disaster Recovery/Business Continuity Programs Al Berman Business Continuity Planning Practice Post 9/11 Surge in Business Continuity Regulations and Standards Post 9-11 20

More information

Guide to Business Continuity Management

Guide to Business Continuity Management Guide to Business Continuity Management Frequently Asked Questions Third Edition Contents Introduction.... v Business Continuity Basics...1 1. What is business continuity management (BCM)?...1 2. BCM seems

More information

This article will provide background on the Sarbanes-Oxley Act of 2002, prior to discussing the implications for business continuity practitioners.

This article will provide background on the Sarbanes-Oxley Act of 2002, prior to discussing the implications for business continuity practitioners. Auditing the Business Continuity Process Dr. Eric Schmidt, Principal, Transitional Data Services, Inc. Business continuity audits are rapidly becoming one of the most urgent issues throughout the international

More information

The PNC Financial Services Group, Inc. Business Continuity Program

The PNC Financial Services Group, Inc. Business Continuity Program The PNC Financial Services Group, Inc. Business Continuity Program 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis (BIA) Page

More information

Is Business Continuity Certification Right for Your Organization?

Is Business Continuity Certification Right for Your Organization? 2008-2013 AVALUTION CONSULTING, LLC ALL RIGHTS RESERVED i This white paper analyzes the business case for pursuing organizational business continuity certification, including what it takes to complete

More information

www.pwc.com Business Resiliency Business Continuity Management - January 14, 2014

www.pwc.com Business Resiliency Business Continuity Management - January 14, 2014 www.pwc.com Business Resiliency Business Continuity Management - January 14, 2014 Agenda Key Definitions Risks Business Continuity Management Program BCM Capability Assessment Process BCM Value Proposition

More information

www.pwc.com Governance, Risk and Compliance Update & Hot Topics Pittsburgh Chapter IIA December 3, 2012

www.pwc.com Governance, Risk and Compliance Update & Hot Topics Pittsburgh Chapter IIA December 3, 2012 www.pwc.com Governance, Risk and Compliance Update & Hot Topics Pittsburgh Chapter IIA December 3, 2012 Agenda Introduction Mark Gibbons 12:00 12:05 Governance, Risk and Compliance Overview Mark Gibbons

More information

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA 1 Chapter-4: Business Continuity Planning and Disaster Recovery Planning PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA Learning Objectives 2 To understand the concept of Business Continuity Management To understand

More information

RSA ARCHER BUSINESS CONTINUITY MANAGEMENT AND OPERATIONS Solution Brief

RSA ARCHER BUSINESS CONTINUITY MANAGEMENT AND OPERATIONS Solution Brief RSA ARCHER BUSINESS CONTINUITY MANAGEMENT AND OPERATIONS Solution Brief INTRODUCTION Now more than ever, organizations depend on services, business processes and technologies to generate revenue and meet

More information

Business Continuity Trends, Requirements and Expectations in 2009. Brian Zawada (MBCP) Director of Consulting Services Avalution Consulting

Business Continuity Trends, Requirements and Expectations in 2009. Brian Zawada (MBCP) Director of Consulting Services Avalution Consulting Business Continuity Trends, Requirements and Expectations in 2009 Brian Zawada (MBCP) Director of Consulting Services Avalution Consulting Overview What Is Business Continuity? The Value Proposition What

More information

Business Continuity Planning. Description and Framework. White Paper. Preface. Contents

Business Continuity Planning. Description and Framework. White Paper. Preface. Contents Comprehensive Consulting Solutions, Inc. Business Savvy. IT Smart. Business Continuity Planning White Paper Published: April 2001 (with revisions) Business Continuity Planning Description and Framework

More information

DISASTER RECOVERY PLANNING FOR CITY COMPUTER FACILITIES

DISASTER RECOVERY PLANNING FOR CITY COMPUTER FACILITIES APPENDIX 1 DISASTER RECOVERY PLANNING FOR CITY COMPUTER FACILITIES March 2008 Auditor General s Office Jeffrey Griffiths, C.A., C.F.E. Auditor General City of Toronto TABLE OF CONTENTS EXECUTIVE SUMMARY...1

More information

Business Continuity Management Program Maturity Report - SAMPLE -

Business Continuity Management Program Maturity Report - SAMPLE - Business Continuity Management Program Maturity Report - SAMPLE - Prepared by BC Management, Inc. Benchmarking. Plan Ahead. Be Ahead. - Not Actual Data Table of Contents Introduction 4 Reporting History

More information

PAPER-6 PART-5 OF 5 CA A.RAFEQ, FCA

PAPER-6 PART-5 OF 5 CA A.RAFEQ, FCA Chapter-4: Business Continuity Planning and Disaster Recovery Planning PAPER-6 PART-5 OF 5 CA A.RAFEQ, FCA Learning Objectives 2 To understand the concept of Business Continuity Management To understand

More information

BCM and DRP - RFP Template

BCM and DRP - RFP Template BCM and DRP - The Supreme Council of Information & Communication Technology ictqatar PUBLICATION DATE Document Reference This document should be used as an example of the contents of an RFP for business

More information

Solihull Clinical Commissioning Group

Solihull Clinical Commissioning Group Solihull Clinical Commissioning Group Business Continuity Policy Version v1 Ratified by SMT Date ratified 24 February 2014 Name of originator / author CSU Corporate Services Review date Annual Target audience

More information

A Sarbanes-Oxley Roadmap to Business Continuity

A Sarbanes-Oxley Roadmap to Business Continuity A Sarbanes-Oxley Roadmap to Business Continuity NEDRIX Conference June 23, 2004 Dr. Eric Schmidt eschmidt@controlsolutions.com Control Solutions International TECHNOLOGY ADVISORY, ASSURANCE & RISK MANAGEMENT

More information

Institute for Business Continuity Training 1623 Military Road, # 377 Niagara Falls, NY 14304-1745

Institute for Business Continuity Training 1623 Military Road, # 377 Niagara Falls, NY 14304-1745 ECP - 601: Effective Business Continuity Management: ISO 22301 This 3-day course provides an intensive, hands-on workshop covering all major aspects for the design of an effective Business Continuity Plan

More information

Continuity of operations for critical infrastructure. Disclosure of critical information to the government.

Continuity of operations for critical infrastructure. Disclosure of critical information to the government. Regulatory compliance is a significant factor influencing the development of your business resilience strategy. Moreover, while Business Continuity or Disaster Recovery regulations may not apply in every

More information

Business Continuity Standards A Primer

Business Continuity Standards A Primer INTELLIGENT NOTIFICATION Alphabet Soup: Making Sense of BC/DR Standards Part 1: Business Continuity Standards A Primer Why all the attention now? One of the hottest topics in BC/DR these days is standards.

More information

Appendix 2 - Leicester City Council s Business Continuity Management Policy Statement and Strategy 2015. Business Continuity Policy Statement 2015

Appendix 2 - Leicester City Council s Business Continuity Management Policy Statement and Strategy 2015. Business Continuity Policy Statement 2015 Appendix 2 - Leicester City Council s Business Continuity Management Policy Statement and Strategy 2015 Business Continuity Policy Statement 2015 This Policy sets the direction for Business Continuity

More information

CSC AND THE BUSINESS CONTINUITY MATURITY ASSESSMENT PROGRAM

CSC AND THE BUSINESS CONTINUITY MATURITY ASSESSMENT PROGRAM A WHITE PAPER CSC AND THE BUSINESS CONTINUITY MATURITY ASSESSMENT PROGRAM AUTHORS: Neil A. Smith, MBCP nsmith24@csc.com Sandra Riddell, MBCI sriddel4@csc.com CSC Papers 2013 ABSTRACT The auditors said

More information

The PNC Financial Services Group, Inc. Business Continuity Program

The PNC Financial Services Group, Inc. Business Continuity Program The PNC Financial Services Group, Inc. Business Continuity Program subsidiaries) 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis

More information

Why Should Companies Take a Closer Look at Business Continuity Planning?

Why Should Companies Take a Closer Look at Business Continuity Planning? whitepaper Why Should Companies Take a Closer Look at Business Continuity Planning? How Datalink s business continuity and disaster recovery solutions can help organizations lessen the impact of disasters

More information

Business Continuity Management Governance. Frank Higgins Abu Dhabi March 2015

Business Continuity Management Governance. Frank Higgins Abu Dhabi March 2015 Business Continuity Management Governance Frank Higgins Abu Dhabi March 2015 Different Names Same Concept BCM (Business Continuity Management) BSI 25999 IPOCM (Incident Preparedness & Operational Continuity

More information

Principles for BCM requirements for the Dutch financial sector and its providers.

Principles for BCM requirements for the Dutch financial sector and its providers. Principles for BCM requirements for the Dutch financial sector and its providers. Platform Business Continuity Vitale Infrastructuur Financiële sector (BC VIF) Werkgroep BCM requirements 21 September 2011

More information

Business Continuity for the New Professional. Britt Corra Enterprise BCM Erika Voss Senior BCM

Business Continuity for the New Professional. Britt Corra Enterprise BCM Erika Voss Senior BCM Business Continuity for the New Professional Britt Corra Enterprise BCM Erika Voss Senior BCM New to Business Continuity? Agenda & Experience 3-5 years experience? Seasoned veteran? What is BCM Tool Kit?

More information

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland Audit Report Effectiveness of IT Controls at the Global Fund Follow-up report GF-OIG-15-20b Geneva, Switzerland Table of Contents I. Background and scope... 3 II. Executive Summary... 4 III. Status of

More information

GAP Subject Area 2 Risk Evaluation and Control

GAP Subject Area 2 Risk Evaluation and Control BCI Professional Practice Narrative: Determine the events and external surroundings that can adversely affect the organization and its facilities with disruption as well as disaster, the damage such events

More information

Plan Development Getting from Principles to Paper

Plan Development Getting from Principles to Paper Plan Development Getting from Principles to Paper March 22, 2015 Table of Contents / Agenda Goals of the workshop Overview of relevant standards Industry standards Government regulations Company standards

More information

Business Continuity Planning and Disaster Recovery Planning

Business Continuity Planning and Disaster Recovery Planning 4 Business Continuity Planning and Disaster Recovery Planning Basic Concepts 1. Business Continuity Management: Business Continuity means maintaining the uninterrupted availability of all key business

More information

Building A Framework-based Compliance Program. Richard E. Mackey, Jr. Vice President, SystemExperts Corp. dick.mackey@systemexperts.

Building A Framework-based Compliance Program. Richard E. Mackey, Jr. Vice President, SystemExperts Corp. dick.mackey@systemexperts. Building A Framework-based Compliance Program Richard E. Mackey, Jr. Vice President, SystemExperts Corp. dick.mackey@systemexperts.com Agenda The compliance process Assembling requirements Useful frameworks

More information

Contingency Plan for HIPAA

Contingency Plan for HIPAA TEMPLATE SUITE FOR BUSINESS CONTINUITY PLAN FOR SMALL BUSINESS (LESS THAN 50 EMPLOYEES) INCLUDES Total Cost: $549 Business Impact Analysis Enterprise Business Impact Analysis Survey Short (15 pages) Example

More information

Business Continuity in Healthcare

Business Continuity in Healthcare Business Continuity in Healthcare Cynthia Simeone, CBCP, PMP Director Business Resilience Catholic Health Initiatives Scott Ream President Virtual Corporation 1 Session Speakers Cynthia Simeone, CBCP,

More information

Business Continuity and Disaster Recovery

Business Continuity and Disaster Recovery Business Continuity and Disaster Recovery Trends, Considerations, & Leading Practices November 13, 2014 Presented by: Jon Bronson Los Angeles Trey MacDonald Atlanta Today s Presenters Jon Bronson is a

More information

Disaster Recovery Journal Spring World 2014

Disaster Recovery Journal Spring World 2014 Disaster Recovery Journal Spring World 2014 What works: Services and service supply chain business continuity risk management Don Hall, CBCP, Cisco Services Business Continuity Analyst Cisco Systems, Inc.

More information

Appendix 1 - Leicester City Council s Business Continuity Management Strategy and Policy Statement - 2016

Appendix 1 - Leicester City Council s Business Continuity Management Strategy and Policy Statement - 2016 Appendix 1 - Leicester City Council s Business Continuity Management Strategy and Policy Statement - 2016 Policy Statement - 2016 This Policy sets the direction for Business Continuity Management at Leicester

More information

Business Continuity Management Framework 2014 2017

Business Continuity Management Framework 2014 2017 Business Continuity Management Framework 2014 2017 Blackpool Council Business Continuity Framework V3.0 Page 1 of 13 CONTENTS 1.0 Forward 03 2.0 Administration 04 3.0 Policy 05 4.0 Business Continuity

More information

Subject Area 3 Business Impact Analysis

Subject Area 3 Business Impact Analysis DRJ Professional Practice Narrative: Identify the impacts resulting from the interruption of business processes/functions over time on normal operations and techniques that can be used to quantify and

More information

Vendor Risk Management Financial Organizations

Vendor Risk Management Financial Organizations Webinar Series Vendor Risk Management Financial Organizations Bob Justus Chief Security Officer Allgress Randy Potts Managing Consultant FishNet Security Bob Justus Chief Security Officer, Allgress Current

More information

Best in Class Business Continuity Program Benchmark Report

Best in Class Business Continuity Program Benchmark Report Best in Class Business Continuity Program Benchmark Benchmarking. Plan Ahead. Be Ahead. Customized & Prepared Exclusively for ABC Company February 22, 2010 Table of Contents Introduction ing History 4

More information

fs viewpoint www.pwc.com/fsi

fs viewpoint www.pwc.com/fsi fs viewpoint www.pwc.com/fsi June 2013 02 11 16 21 24 Point of view Competitive intelligence A framework for response How PwC can help Appendix It takes two to tango: Managing technology risk is now a

More information

Subject Area 1 Project Initiation and Management

Subject Area 1 Project Initiation and Management DRII/BCI Professional Practice Narrative: Establish the need for a Business Continuity Plan (BCP), including obtaining management support and organizing and managing the BCP project to completion. (This

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

RISK MANAGEMENT PROGRAM THAT WORKS FOUR KEYS TO CREATING A VENDOR. HEADQUARTERS 33 Bradford Street Concord, MA 01742 PHONE: 978-451-7655

RISK MANAGEMENT PROGRAM THAT WORKS FOUR KEYS TO CREATING A VENDOR. HEADQUARTERS 33 Bradford Street Concord, MA 01742 PHONE: 978-451-7655 FOUR KEYS TO CREATING A VENDOR RISK MANAGEMENT PROGRAM THAT WORKS HEADQUARTERS 33 Bradford Street Concord, MA 01742 PHONE: 978-451-7655 FOUR KEYS TO CREATING A VENDOR RISK MANAGEMENT PROGRAM THAT WORKS

More information

Western Intergovernmental Audit Forum

Western Intergovernmental Audit Forum Western Intergovernmental Audit Forum Business Continuity & Disaster Recovery Planning September 12, 2013 Presented by: City of Phoenix City Auditor Department Aaron Cook, Sr Internal Auditor IT Audit

More information

Auditing Enterprise Business Continuity Management (BCM) Jeffrey M. Dato, MBCP Senior Manager Risk Advisory Services KPMG, LLP

Auditing Enterprise Business Continuity Management (BCM) Jeffrey M. Dato, MBCP Senior Manager Risk Advisory Services KPMG, LLP Auditing Enterprise Business Continuity Management (BCM) Jeffrey M. Dato, MBCP Senior Manager Risk Advisory Services KPMG, LLP Agenda Rules of Engagement Definitions and Presentation Premises Business

More information

Proposal for Business Continuity Plan and Management Review 6 August 2008

Proposal for Business Continuity Plan and Management Review 6 August 2008 Proposal for Business Continuity Plan and Management Review 6 August 2008 2008/8/6 Contents About Newton IT / Quality of our services. BCM & BS25999 Overview 2. BCM Development in line with BS25999 3.

More information

By: Tracy Hall. Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level. June 9, 2015

By: Tracy Hall. Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level. June 9, 2015 Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level June 9, 2015 By: Tracy Hall MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company,

More information

Preparing for the Convergence of Risk Management & Business Continuity

Preparing for the Convergence of Risk Management & Business Continuity Preparing for the Convergence of Risk Management & Business Continuity Disaster Recovery Journal Webinar Series September 5, 2012 2012 Strategic BCP, Inc. All rights reserved. strategicbcp.com 1 Today

More information

Global Statement of Business Continuity

Global Statement of Business Continuity Business Continuity Management Version 1.0-2014 Date October 18, 2014 Status Author Business Continuity Management (BCM) Page 1 of 8 Table of Contents 1. Credit Suisse Business Continuity Statement 3 2.

More information

DESIGNING A BUSINESS CONTINUITY TRAINING PROGRAM TO MAXIMIZE VALUE & MINIMIZE COST

DESIGNING A BUSINESS CONTINUITY TRAINING PROGRAM TO MAXIMIZE VALUE & MINIMIZE COST CONTENTS A Brief Introduction... 3 Where is the Value?... 3 How Can We Control Costs?... 5 The Delivery Mechanism... 7 Strategies to Deliver Training and Awareness... 8 Proving Training/Awareness Program

More information

ISO 31000 and Risk Management

ISO 31000 and Risk Management ISO 31000 and Risk Management August 19, 2010 What is risk? All management is risk management! Risk Management Boot camp Threat + Vulnerability = Risk Risk Controls = Residual Risk Residual Risk Probability

More information

Certified Information Security Manager (CISM)

Certified Information Security Manager (CISM) Certified Information Security Manager (CISM) Course Introduction Course Introduction Domain 01 - Information Security Governance Lesson 1: Information Security Governance Overview Information Security

More information

Auditing the Unthinkable: Business Continuity and Disaster Recovery. Agenda

Auditing the Unthinkable: Business Continuity and Disaster Recovery. Agenda Auditing the Unthinkable: Business Continuity and Disaster Recovery The Institute of Internal Auditors Moderator: Paul J. Sobel, CIA, CPA Vice President, Internal Audit Mirant Corporation Agenda Introduction

More information

Course: Information Security Management in e-governance. Day 1. Session 3: Models and Frameworks for Information Security Management

Course: Information Security Management in e-governance. Day 1. Session 3: Models and Frameworks for Information Security Management Course: Information Security Management in e-governance Day 1 Session 3: Models and Frameworks for Information Security Management Agenda Introduction to Enterprise Security framework Overview of security

More information

Roles within ITIL V3. Contents

Roles within ITIL V3. Contents Roles within ITIL V3 Roles are employed in order to define responsibilities. In particular, they are used to assign Process Owners to the various ITIL V3 processes, and to illustrate responsibilities for

More information

Evaluating and Improving Your Business Continuity Plan

Evaluating and Improving Your Business Continuity Plan Evaluating and Improving Your Business Continuity Plan As presented to the Northeast Florida IIA Chapter January 23, 2015 Contact Information Karen Weir, MAC, CISA, CBCP Manager kweir@accretivesolutions.com

More information

Measuring Continuity Planning Program. Performance

Measuring Continuity Planning Program. Performance Measuring Continuity Planning Program Performance Carl B Jackson Director Crisis Management & Continuity Planning Resource Center (CMCPRC) Measuring Continuity Planning Program Performance Session Agenda

More information

PRIORITIZING CYBERSECURITY

PRIORITIZING CYBERSECURITY April 2016 PRIORITIZING CYBERSECURITY Five Investor Questions for Portfolio Company Boards Foreword As the frequency and severity of cyber attacks against global businesses continue to escalate, both companies

More information

How to measure your business resiliency

How to measure your business resiliency How to measure your business resiliency Define the KPI s/kri s and scorecards to control your security and business continuity capabilities Krzysztof Pulkiewicz BCMLogic krzysztof.pulkiewicz@bcmlogic.com

More information

Maintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com

Maintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Maintaining PCI-DSS compliance Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance

More information

Information Technology Auditing for Non-IT Specialist

Information Technology Auditing for Non-IT Specialist Information Technology Auditing for Non-IT Specialist IIA Pittsburgh Chapter October 4, 2010 Agenda Introductions What are General Computer Controls? Auditing IT processes controls Understanding and evaluating

More information

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT JANUARY 2008 GUIDELINE ON BUSINESS CONTINUITY GUIDELINE CBK/PG/14

More information

The Role of Internal Audit in Risk Governance

The Role of Internal Audit in Risk Governance The Role of Internal Audit in Risk Governance How Organizations Are Positioning the Internal Audit Function to Support Their Approach to Risk Management Executive summary Risk is inherent in running any

More information

State of South Carolina Policy Guidance and Training

State of South Carolina Policy Guidance and Training State of South Carolina Policy Guidance and Training Policy Workshop All Agencies Business Continuity Management Policy June 2014 Agenda Questions & Follow-Up Policy Workshop Overview & Timeline Policy

More information

2014 NABRICO Conference

2014 NABRICO Conference Business Continuity Planning 2014 NABRICO Conference September 19, 2014 6 CityPlace Drive, Suite 900 St. Louis, Missouri 63141 314.983.1200 1520 S. Fifth Street, Suite 309 St. Charles, Missouri 63303 636.255.3000

More information

Birmingham CrossCity Clinical Commissioning Group. Business Continuity Management Policy

Birmingham CrossCity Clinical Commissioning Group. Business Continuity Management Policy Birmingham CrossCity Clinical Commissioning Group Business Continuity Management Policy Version V1.0 Ratified by Operational Development Group Date ratified 6 th November 2014 Name of originator / author

More information

BCP and DR. P K Patel AGM, MoF

BCP and DR. P K Patel AGM, MoF BCP and DR P K Patel AGM, MoF Key difference between BS 25999 and ISO 22301 ISO 22301 puts a much greater emphasis on setting the objectives, monitoring performance and metrics aligning BC to top management

More information

COSO 2013 Internal Control Framework

COSO 2013 Internal Control Framework COSO 2013 Internal Control A Guide to Implementation July 24, 2014 Justin Adamson Agenda COSO Background Changes to the Roadmap to Implementation Implementation Considerations & Lessons Learned 2 1 Who/What

More information

Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD.

Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD. Business Continuity Management & Disaster Recovery Planning Presented by: Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD. 1 What is Business Continuity Management? Is a holistic management

More information

Rethinking contingency planning for an integrated world

Rethinking contingency planning for an integrated world Business Continuity* January 2010 Rethinking contingency planning for an integrated world Highlights: Increased supply chain complexities require broadened scope of contingency planning. Increasing outsourcing

More information

PBSi Business Continuity Planning

PBSi Business Continuity Planning Business Continuity Planning Definition Business Continuity planning is a planning process designed to reduce the risk that disruptive failures or events could seriously harm your business. It is designed

More information

BUSINESS CONTINUITY: BEST PRACTICE, 2ND EDITION

BUSINESS CONTINUITY: BEST PRACTICE, 2ND EDITION BUSINESS CONTINUITY: BEST PRACTICE, 2ND EDITION EXCERPT FROM THE FOREWORD TO THE 2ND EDITION The events of 9/11 have cast a long shadow over the world and led to a vital reappraisal of Enterprise Risk

More information

Subject Area 9 Public Relations and Crisis Coordination

Subject Area 9 Public Relations and Crisis Coordination DRII/BCI Professional Practice Narrative: Develop, coordinate, evaluate, and exercise plans to communicate with internal stakeholders (employees, corporate management, etc.) external stakeholders (customers,

More information

Click to edit Master title style

Click to edit Master title style EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity

More information

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology

More information

IT Compliance 24.09.2007. After Hours Seminar September 2007 Zurich. Improving IT Risk & Compliance Management (RCM)

IT Compliance 24.09.2007. After Hours Seminar September 2007 Zurich. Improving IT Risk & Compliance Management (RCM) IT Compliance 24.09. AHS After Hours Seminar Zurich Improving IT Risk & Compliance Management (RCM) Bruno J. Wiederkehr Member of the Board ISACA Switzerland Chapter Agenda 1. Understanding the RCM Requirements

More information

2015 CEO & Board University Taking Your Business Continuity Plan To The Next Level. Tracy L. Hall, MBCP

2015 CEO & Board University Taking Your Business Continuity Plan To The Next Level. Tracy L. Hall, MBCP 2015 CEO & Board University Taking Your Business Continuity Plan To The Next Level Tracy L. Hall, MBCP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C.

More information

Business Continuity Plan

Business Continuity Plan Business Continuity Plan October 2007 Agenda Business continuity plan definition Evolution of the business continuity plan Business continuity plan life cycle FFIEC & Business continuity plan Questions

More information

Disaster Recovery/Business Continuity

Disaster Recovery/Business Continuity CITY AUDITOR'S OFFICE Disaster Recovery/Business Continuity March 6, 2015 AUDIT REPORT NO. 1511 CITY COUNCIL Mayor W.J. Jim Lane Suzanne Klapp Virginia Korte Kathy Littlefield Vice Mayor Linda Milhaven

More information

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant THE MARKET LEADER IN IT, SECURITY AND COMPLIANCE SERVICES FOR COMMUNITY FINANCIAL INSTITUTIONS The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant Agenda

More information

Business Continuity Management Systems. Protecting for tomorrow by building resilience today

Business Continuity Management Systems. Protecting for tomorrow by building resilience today Business Continuity Management Systems Protecting for tomorrow by building resilience today Vital statistics 31% 40% of UK businesses have been affected by bad weather related transport problems, power

More information

The Disaster Recovery Maturity Framework

The Disaster Recovery Maturity Framework The Disaster Recovery Maturity Framework A guide for understanding and improving your company s resiliency www.axcient.com Climbing The Recovery Maturity Curve Businesses are critically reliant upon IT

More information

Credit Union Liability with Third-Party Processors

Credit Union Liability with Third-Party Processors World Council of Credit Unions Annual Conference Credit Union Liability with Third-Party Processors Andrew (Andy) Poprawa CEO, Deposit Insurance Corporation of Ontario Canada 1 Credit Union Liability with

More information

With the large number of. How to Avoid Disaster: RIM s Crucial Role in Business Continuity Planning. Virginia A. Jones, CRM, FAI RIM FUNDAMENTALS

With the large number of. How to Avoid Disaster: RIM s Crucial Role in Business Continuity Planning. Virginia A. Jones, CRM, FAI RIM FUNDAMENTALS How to Avoid Disaster: RIM s Crucial Role in Business Continuity Planning The world has experienced a great deal of natural and man-made upheaval and destruction in the past few years, including tornadoes,

More information

How To Improve Your Business

How To Improve Your Business IT Risk Management Life Cycle and enabling it with GRC Technology 21 March 2013 Overview IT Risk management lifecycle What does technology enablement mean? Industry perspective Business drivers Trends

More information

Driving Operational Risk Management Into the Customer/Product Value Chain

Driving Operational Risk Management Into the Customer/Product Value Chain Driving Operational Risk Management Into the Customer/Product Value Chain Eric Staffin, MBCI, CISSP Vice President, Global Head of Product & Infrastructure Risk Management Thomson Reuters, Investment &

More information

Governance, Risk, and Compliance (GRC) White Paper

Governance, Risk, and Compliance (GRC) White Paper Governance, Risk, and Compliance (GRC) White Paper Table of Contents: Purpose page 2 Introduction _ page 3 What is GRC _ page 3 GRC Concepts _ page 4 Integrated Approach and Methodology page 4 Diagram:

More information

OC Chapter. Vendor Risk Management. Cover the basics of a good VRM program, standards, frameworks, pitfall and best outcomes.

OC Chapter. Vendor Risk Management. Cover the basics of a good VRM program, standards, frameworks, pitfall and best outcomes. OC Chapter Vendor Risk Management. Cover the basics of a good VRM program, standards, frameworks, pitfall and best outcomes. 2 Why Assess a Vendor? You don t want to be a Target for hackers via your vendors

More information

Prosci change management webinar

Prosci change management webinar Prosci change management webinar Increasing change management maturity and : Prosci and EY 1 Americas 55,800+ people EMEIA 96,700+ people Asia-Pacific 31,700+ people Japan 7,200+ people 150 countries 1,000+

More information

Business Continuity Management Policy

Business Continuity Management Policy Business Continuity Management Policy Business Continuity Policy Version 1.0 1 Version control Version Date Changes Author 0.1 April 13 1 st draft PH 0.2 June 13 Amendments in line with guidance PH 0.3

More information

14 October 2015 ISACA Curaçao Conference By: Paul Helmich

14 October 2015 ISACA Curaçao Conference By: Paul Helmich Governance, Risk & Compliance A practical approach 14 October 2015 ISACA Curaçao Conference By: Paul Helmich Topics today What is GRC? How much of all the GRC literature, tools, etc. do I need to study

More information

Introduction to Business Continuity Planning

Introduction to Business Continuity Planning Introduction to Business Continuity Planning Business Continuity and Disaster Resilience Forum May 10, 2012 Rizal Ballroom A, Makati Shangri-la Manila, Philippines Dr Goh Moh Heng President BCM Institute

More information

What Should IS Majors Know About Regulatory Compliance?

What Should IS Majors Know About Regulatory Compliance? What Should IS Majors Know About Regulatory Compliance? Working Paper Series 08-12 August 2008 Craig A. VanLengen Professor of Computer Information Systems/Accounting Northern Arizona University The W.

More information