Tips and techniques a typical audit programme

Transcription

1 Auditing Business Continuity Planning Tips and techniques a typical audit programme Karen Wills, Senior Internal Auditor St James s Place Wealth Management February 2014

2 Contents Background Roles and Responsibilities Training and Awareness Scope and Strategy Risk Assessment Business Continuity Plans Testing and Exercising Outsourced Activities / External Suppliers ITDR Incidents Glossary of Terms

3 Roles and Responsibilities Accountable Executive / Sponsor Business Continuity Team BC Manager / Deputies Time in role Full time or other responsibilities Reporting lines Objectives of BC team Crisis Management Team (Gold - Strategic / Silver - Tactical Teams) Members of Crisis Management Team / Incident Response Team Description of roles Individual Business Unit or Departmental Teams (Bronze Operational Teams) BC Plan owners / deputies Time in role Specific BC objectives included in personal objectives BC Manager / Deputy job descriptions Organisation chart Annual objectives List of Crisis Management team members List of BC plan / process owners

4 Training and Awareness Level of general BC awareness within the organisation Training materials available for the BC teams (inc Central, Crisis Mgt and Individual Teams) Mandatory training on annual basis Professional membership / qualifications (BCI / IRM / CIIA) Communications to the business Training guides inc online resources DVDs Presentations / hand-outs from any awareness sessions Programme of training activity

5 Scope and Strategy Business units / buildings / departments in scope (inc any specifically out of scope and why) Activities in (and out of) scope Shared buildings Scenarios covered Relocation strategy BCP / DR strategy Recovery contracts Service agreements List of departments / critical activities Contracts with specialist BC/DR companies Budget / funding

6 Risk Assessment Risks Business Impact Assessments (BIA): Level of granularity Status of completion Frequency of review Sign off Content of BIAs List of activities, inc criticality List of IT systems used, inc criticality, RTO, RPO Critical times / peak volumes Interdependencies internal and external Critical suppliers Recovery requirements people, IT, hardware Vital records Documents to review Risk Assessment Sample of BIAs Review timetable

7 BC Plans Plan format Word/Excel/BC software Plan ownership Crisis Management Team Plan(s) Ownership and location of Master Status of completion Reasonableness of content Clearly defined tasks and responsibilities Frequency of review Sign off Departmental Plans: Typical content: Roles and responsibilities List of critical activities (should match to BIA) Separate sections for Loss of Building / Loss of IT / Loss of People scenarios Task lists in priority order at various timescales Details of manual workarounds Planning guide and template Crisis Management Team plan(s) Sample copies of critical departmental plans

8 Testing and Exercising Range of testing performed: Call cascades Desktop walkthroughs Scenario exercises Workarea recovery tests Building evacuations Status of testing Frequency Involvement in testing Test documentation Pre and Post-Test reports Test scripts Actions required Documents to review Annual Test Plan Example of Pre-test report Example of Post-test report Example of test scripts Issues and actions logs

9 Outsourced activities Outsourced activities: Identify critical outsourced activities Location shared buildings / external BIA and BC Plan Communication strategy Status of testing Joint testing Reporting Outsourcers BIA and BCP Test reports List of critical suppliers Critical Suppliers Identify critical suppliers Status of BC preparedness Link back to individual BC Plans

10 ITDR Strategy for system recovery Relationship between BC Manager and ITDR team Location of live systems Location of DR site Outsourced IT services Status of recoverability - xref to BIAs Out of date / unsupported hardware or software Status of DR testing Provision of specialist equipment (e.g. scanning, printing, mailing, call voice recording) Call centre recovery DR contracts List of critical systems RTO / RPO Example of service agreement DR Test Plans DR Test Reports

11 Incidents Past experience of incidents Command and control structure Escalation protocols Incident logs Incident Logs PIR Reports Actions logs Post-incident Reviews (PIRs) Report and actions logs Root cause analysis

12 Glossary of Terms Glossary of Terms BC Manager Crisis Management Team BC Process/Plan Owners Business Continuity Plan Crisis Management Plan Business Impact Assessment/Analysis (BIA) Recovery Time Objective (RTO) Recovery Point Objective (RPO) Workarea Recovery Site (workarea) Hot Site Warm Site Call Tree List Call Cascade Desktop Walkthrough Scenario Exercise Workarea recovery test ITDR (Information Technology Disaster Recovery) Business Continuity Manager typically responsible for implementing and supporting Business Continuity Planning at organisational level. A group of senior individuals responsible for developing and implementing a comprehensive plan for responding to a disruptive incident. The team consists of a core group of decision-makers trained in incident management and prepared to respond to any situation. Individual departmental managers having a business continuity plan for their specific activities. Plan for a given business area describing the detailed steps to return the business to normal. Flexible, but often based on specific scenarios and plans. Dependent upon the size or complexity of the operation these could be at business unit, building or individual department level. For small business units this could be combined with the crisis management plan. Plan to manage the incident at strategic level. Will include triggers for decisions to be made whether to invoke the full BC plans and management of communications within the Group. A process aimed at developing an understanding of the organisation so that the BCM program will properly support business requirements. Includes: Analysis of continuity risks Identification and prioritisation of critical business processes Tolerable downtimes and recovery timelines (RTO / RPO see below) Definition of resources required (minimum numbers of people, infrastructure, technology PCs, IT systems, telephony) An agreed timescale by when the process would be expected to be restarted, usually expressed in hours or days, and will be dependent upon the criticality of the process. The maximum amount of data that could be lost if an application has to be recovered, usually expressed in hours or days, and will be dependent upon the criticality of the process supported by the application. An alternative building (unoccupied) to which the impacted building staff would relocate to in the event their own building is unavailable. Sometimes also referred to as hot sites or warm sites. An alternative building (unoccupied) that is already equipped with desks, live PCs, phones, live applications that is ready to use immediately if a building is unavailable. Typically only used for very critical activities as it is very expensive. An alternative building (unoccupied) that has basic office provision. PCs, phones and applications would be set up at the time of incident, thus delaying recovery. A list of staff/contacts including their telephone number that can be used in an incident to contact everyone required A process whereby calls are placed to team members using the call tree to check the accuracy of the call tree. Usually done out of business hours. A review of a business continuity plan that consists of a read through of the plan, checking the logic of the steps recorded and the accuracy and completeness of supporting information. A more detailed review of the plan that involves responding to a set scenario of an incident, and could include role play to practice how the response is given. A test to physically relocate some staff from their normal location to the workarea to test whether the PCs, phones and applications work. It should include the processing of real work and taking of live calls (providing that would not disadvantage the customer). The process by which systems that fail are recovered at an alternative data processing centre. Also includes telephony recovery.

13 Any Questions?