PAPER-6 PART-5 OF 5 CA A.RAFEQ, FCA

Similar documents
PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

Business Continuity Planning and Disaster Recovery Planning

15 Organisation/ICT/02/01/15 Back- up

PART A: OVERVIEW INTRODUCTION APPLICABILITY OBJECTIVE...1 PART B: LEGAL PROVISIONS LEGAL PROVISIONS...

SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE ( ) ON THIRD PARTY RELATIONSHIPS

Institute for Business Continuity Training 1623 Military Road, # 377 Niagara Falls, NY

Team Financial Resources, Inc. Business Continuity Plan (BCP)

BUSINESS CONTINUITY MANAGEMENT GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS

Business Continuity Planning (800)

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

INTERNAL REGULATIONS OF THE AUDIT AND COMPLIANCE COMMITEE OF BBVA COLOMBIA

Workflow Administration of Windchill 10.2

PAPER-6 PART-3 OF 5 CA A.RAFEQ, FCA

Documentation. Disclaimer

Business Continuity Plan Template for Introducing Brokers. [Firm Name] Business Continuity Plan (BCP)

Overview of Business Continuity Planning Sally Meglathery Payoff

Coping with a major business disruption. Some practical advice

Business Continuity Plan Summary (Revised November 26, 2012)

Disaster Recovery and Business Continuity Plan

Business Continuity Plan

THE MANAGEMENT OF SICKNESS ABSENCE BY NHS TRUSTS IN WALES

TABLE OF CONTENTS CHAPTER TITLE PAGE

FINRMFS9 Facilitate Business Continuity Planning and disaster recovery for a financial services organisation

Domain 1 The Process of Auditing Information Systems

System Administration of Windchill 10.2

NEEDS BASED PLANNING FOR IT DISASTER RECOVERY

INTRODUCTION I. CONSTITUTION

Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD.

Principles for BCM requirements for the Dutch financial sector and its providers.

Effectiveness of BCM through Exercising

Business Continuity Plan For Stonefield Investment Advisory, Inc.

External Supplier Control Requirements

Unit Guide to Business Continuity/Resumption Planning

NACo RMA LLC and NACo RMA Disaster Recovery and Business Continuity Plan. January, Page 1

Walchandnagar Industries Limited. Policy on Preservation of the Document. (Effective from December 01, 2015)

BUSINESS CONTINUITY MANAGEMENT IN THE PUBLIC SECTOR A ROUGH GUIDE

Data Center Assistance Group, Inc. DCAG Contact: Tom Bronack Phone: (718) Fax: (718)

AUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT HUMAN RESOURCE AUDIT PROGRAM

Introduction to Windchill Projectlink 10.2

The Weill Cornell Medical College and Graduate School of Medical Sciences. Responsible Department: Information Technologies and Services (ITS)

FERRARI N.V. AUDIT COMMITTEE CHARTER (Effective as of January 3, 2016)

WALLA WALLA COUNTY Comprehensive Emergency Management Plan

APPLICABLE TO: All UTMB Health personnel, students, departments and properties

SECTION 15 INFORMATION TECHNOLOGY

Department of Information Technology Data Center Disaster Recovery Audit Report Final Report. September 2006

Business Continuity Planning for Risk Reduction

Virginia Commonwealth University School of Medicine Information Security Standard

CITY UNIVERSITY OF HONG KONG Business Continuity Management Standard

Business Continuity Plan (BCP)

AUDITING A BCP PLAN. Thomas Bronack Auditing a BCP Plan presentation Page: 1

Learn AX: A Beginner s Guide to Microsoft Dynamics AX. Managing Users and Role Based Security in Microsoft Dynamics AX Dynamics101 ACADEMY

Domain 3 Business Continuity and Disaster Recovery Planning

Federal Financial Institutions Examination Council FFIEC BCP. Business Continuity Planning MARCH 2003 IT EXAMINATION H ANDBOOK

Schneps, Leila; Colmez, Coralie. Math on Trial : How Numbers Get Used and Abused in the Courtroom. New York, NY, USA: Basic Books, p i.

Business Continuity and Disaster Recovery Policy

Privacy Statement Relating to the Collection, Use and Disclosure of Personal Data & Customer Information

Disaster Recovery Plan for Center Moriches School District Information Technology Operations

B U S I N E S S C O N T I N U I T Y P L A N

Electronic Payment Schemes Guidelines

Emergency Contact Person - Firm Policy And Operation

Federal Financial Institutions Examination Council FFIEC BCP. Business Continuity Planning FEBRUARY 2015 IT EXAMINATION H ANDBOOK

Mazzone & Associates, Inc.

Business Continuity. Is your Business Prepared for the worse? What is Business Continuity? Why use a Business Continuity Plan?

The PNC Financial Services Group, Inc. Business Continuity Program

Business Continuity Plan (BCP)

BERNARD HEROLD & CO., INC. BUSINESS CONTINUITY PLAN

Federal Financial Institutions Examination Council FFIEC. Business Continuity Planning BCP MARCH 2003 MARCH 2008 IT EXAMINATION

Business Continuity Plan Template for Small Introducing Firms. [Firm Name] Business Continuity Plan (BCP)

The Business Continuity Maturity Continuum

Success or Failure? Your Keys to Business Continuity Planning. An Ingenuity Whitepaper

Why Should Companies Take a Closer Look at Business Continuity Planning?

EMERGENCY PREPAREDNESS PLAN Business Continuity Plan

Business Continuity / Disaster Recovery Context

SCOPE; ENFORCEMENT; AUTHORITY; EXCEPTIONS

No. 29 February 12, The President

Proposal for Business Continuity Plan and Management Review 6 August 2008

SECOND EDITION THE SECURITY RISK ASSESSMENT HANDBOOK. A Complete Guide for Performing Security Risk Assessments DOUGLAS J. LANDOLL

BCP and DR. P K Patel AGM, MoF

BUSINESS CONTINUITY PLAN

STEP-BY-STEP BUSINESS CONTINUITY AND EMERGENCY PLANNING MAY

The Role of Internal Audit In Business Continuity Planning

Project Management Guidelines

McNally Financial Services Corporation Business Continuity Plan (BCP)

AGENCY MANAGEMENT FRAMEWORK FOR INSURANCE AGENT

SecureVest Financial Group, Inc. Argentis Advisors Business Continuity Plan (BCP)

Automation in Banking, Volume

FIELDSTONE 120 West 45th Street, Suite 1400, New York, NY TEL: (212) FAX: (212)

State of South Carolina Policy Guidance and Training

SUPERVISORY AND REGULATORY GUIDELINES: PU BUSINESS CONTINUITY GUIDELINES

Evaluation of the Railroad Retirement Board s Disaster Recovery Plan Report No , August 14, 2006 INTRODUCTION

GWM GROUP INC Business Continuity Plan (BCP)

Global Statement of Business Continuity

GFSU Certified Cyber Crime Investigator GFSU-CCCI. Training Partner. Important dates for all batches

NexTrend Securities, Inc. Business Continuity Plan (BCP)

Risk Management Policy

The PNC Financial Services Group, Inc. Business Continuity Program

Business Administration of Windchill PDMLink 10.0

Business Continuity Planning Preparing Your Organization

Audit Committee Charter

PPSADOPTED: OCT BACKGROUND POLICY STATEMENT PHYSICAL FACILITIES. PROFESSIONAL PRACTICE STATEMENT Developing a Business Continuity Plan

Transcription:

Chapter-4: Business Continuity Planning and Disaster Recovery Planning PAPER-6 PART-5 OF 5 CA A.RAFEQ, FCA

Learning Objectives 2 To understand the concept of Business Continuity Management To understand the key phases and components of a Business Continuity Plan To understand the key aspects of Business Continuity Plan implementation To learn about Back-up and Disaster Recovery Planning To learn how to audit a Business Continuity Plan

Topics Covered 3 PART-5 4.17 Audit of the Disaster Recovery/Business Resumption Plan 4.18 Summary

4 4.17 Audit of the Disaster Recovery/Business Resumption Plan Objective of BCP audit BCP Auditor is expected to identify residual risks IS processing BCP audit

Availability 5 The probability that a system is operational at any time or, in other words, the percentage of up-time

BCP Overview 6 Planning process BCP Plan in process Identify disasters Recovery strategies Impact analysis

Auditable 7 Whether the BCP can be measured against an established criteria or benchmark

Assess Threat Analysis (aka Risk Analysis) 8 A process where all possible threats to a system are identified. A list containing these threats and the severity of each threat is created. A list containing relevant controls which are available to mitigate these threats is prepared. This list is then used as a basis for defining the residual risk and prepare back up plans.

9 Review Risk Assessment Model

Objectives of BCP Audit 10 Evaluate processes of developing and maintaining documented, communicated, and tested plans for continuity of business operations and IS processing in event of a disruption Assess ability of enterprise to continue all critical operations during a contingency and recover from a disaster within the defined critical recover time period Identify residual risks, which are not identified and provide recommendations to mitigate them Assess plan of action for each type of expected contingency and its adequacy in meeting contingency requirements

Auditing BCP Understand and evaluate business continuity strategy Evaluate plans for accuracy and adequacy Ensure plan maintenance is in place Evaluate ability of IS and user personnel to respond effectively Evaluate readability of business continuity manuals and procedures Verify plan effectiveness Evaluate offsite storage

Reviewing BCP Verify that basic elements of a well-developed plan are evident and review: Currency of documents Effectiveness of documents Interview personnel for appropriateness and completeness

Review BCP test results Determine whether corrective actions are in the plan Evaluate thoroughness and accuracy Determine problem trends and resolution of problems

Evaluate Offsite Storage Evaluate presence, synchronization and currency of media and documentation Perform a detailed inventory review Review all documentation Evaluate availability of facility

Interview Key Personnel Key personnel must have an understanding of their responsibilities Current detailed documentation must be kept

Evaluate Security at Offsite Facility Evaluate the physical and environmental access controls Examine the equipment for current inspection and calibration tags

Review Alternative Processing Contract Review contract with the vendor against specific requirements and guidelines Contract is clear and understandable Enterprise compliance with contractual and regulatory requirements.

Review Insurance Cover Insurance to cover actual cost of recovery. Review the adequacy of: Media damage Business interruption Equipment replacement Business continuity processing

Sample list of BCP Audit steps 19 (i) Determine if a disaster recovery/business resumption plan exists and was developed using a sound methodology that includes the following elements Identification and prioritization of the activities, which are essential to continue functioning. The plan is based upon a business impact analysis that considers the impact of the loss of essential functions. Operations managers and key employees participated in the development of the plan. The plan identifies the resources that will likely be needed for recovery and the location of their availability. The plan is simple and easily understood so that it will be effective when it needed The plan is realistic in its assumptions.

Sample list of BCP Audit steps 20 (ii) Determine if information backup procedures are sufficient to allow for recovery of critical data (iii) Determine if a test plan exists and to what extent the disaster recovery/business resumption plan has been tested (iv) Determine if resources have been made available to maintain the disaster recovery/ business resumption plan and keep it current (v) Obtain and review the existing disaster recovery/ business resumption plan

Sample list of BCP Audit steps 21 (vi) Obtain and review plans for disaster recovery/ business resumption testing and/or documentation of actual tests (vii) Obtain and review the existing business impact analysis. viii) Gather background information to provide criteria and guidance in the preparation and evaluation of disaster recovery/ business resumption plans. (ix) Determine if copies of the plan are safeguarded by off-site storage. (x) Gain an understanding of the methodology used to develop the existing disaster recovery/ business resumption plan. Who participated in the development effort?

Sample list of BCP Audit steps 22 (xi) Gain an understanding of the methodology used to develop the existing business impact analysis (xii) Determine if recommendations made by the external firm who produced the business impact analysis have been implemented or otherwise addressed (xiii) Have resources been allocated to prevent the disaster recovery/ business resumption plan from becoming outdated and ineffective (xiv) Determine if the plan is dated each time that it is revised so that the most current version will be used if needed. (xv) Determine if the plan has been updated within past 12 months.

Sample list of BCP Audit steps 23 (xvi) Determine all the locations where the disaster recovery/ business resumption plan is stored. Are there a variety of locations to ensure that the plan will survive disasters and will be available to those that need them? (xvii) Review information backup procedures in general. The availability of backup data could be critical in minimizing the time needed for recovery.

Sample list of BCP Audit steps 24 (xviii) Interview functional area managers or key employees to determine their understanding of the disaster recovery/ business resumption plan. Do they have a clear understanding of their role in working towards the resumption of normal operations? Does the disaster recovery/ business resumption plan include provisions for Personnel Have key employees seen the plan and are all employees aware that there is such a plan? ii) Have employees been told their specific roles and responsibilities if the disaster recovery/ business resumption plan is put into effect? Does the disaster recovery/ business resumption plan include contact information of key employees, especially after working hours?

Sample list of BCP Audit steps 25 Does the disaster recovery/ business resumption plan include provisions for people with special needs? Does the disaster recovery/ business resumption plan have a provision for replacement staff when necessary?

Sample list of BCP Audit steps 26 Building, Utilities and Transportation Does the disaster recovery/ business resumption plan have a provision for having a building engineer inspect the building and facilities soon after a disaster so that damage can be identified and repaired to make the premises safe for the return of employees as soon as possible? Does the disaster recovery/business resumption plan consider the need for alternative shelter, if needed? Alternatives in the immediate area may be affected by the same disaster. Review any agreements for use of backup facilities.

Sample list of BCP Audit steps 27 Verify that the backup facilities are adequate based on projected needs (telecommunications, utilities, etc.). Will the site be secure? Does the disaster recovery/ business resumption plan consider the failure of electrical power, natural gas, toxic chemical containers, and pipes? Are building safety features regularly inspected and tested? Does the plan consider the disruption of transportation systems? This could affect the ability of employees to report to work or return home. It could also affect the ability of vendors to provide the goods needed in the recovery effort.

Sample list of BCP Audit steps 28 Information Technology Determine if the plan reflects the current IT environment. Determine if the plan includes prioritization of critical applications and systems. Determine if the plan includes time requirements for recovery/availability of each critical system, and that they are reasonable. Does the disaster recovery/ business resumption plan include arrangements for emergency telecommunications? Is there a plan for alternate means of data transmission if the computer network is interrupted? Has the security of alternate methods been considered? Determine if a testing schedule exists and is adequate (at least annually). Verify the date of the last test. Determine if weaknesses identified in the last tests were corrected.

Sample list of BCP Audit steps 29 (xxi) Administrative Procedures Does the disaster recovery/ business resumption plan cover administrative and management aspects in addition to operations? Is there a management plan to maintain operations if the building is severely damaged or if access to the building is denied or limited for an extended period of time? Is there a designated emergency operations center where incident management teams can coordinate response and recovery? Determine if the disaster recovery/ business resumption plan covers procedures for disaster declaration, general shutdown and migration of operations to the backup facility. Have essential records been identified? Do we have a duplicate set of essential records stored in a secure location? To facilitate retrieval, are essential records separated from those that will not be needed immediately?

Sample list of BCP Audit steps 30 (xxii) Does the disaster recovery/ business resumption plan include the names and numbers of suppliers of essential equipment and other material? (xxiii) Does the disaster recovery/ business resumption plan include provisions for the approval to expend funds that were not budgeted for the period? Recovery may be costly. (xxiv) Has executive management assigned the necessary resources for plan development, concurred with the selection of essential activities and priority for recovery, agreed to back-up arrangements and the costs involved, and are prepared to authorize activation of the plan should the need arise.

4.18 Summary 31 BCP has to address Business requirements Advantages of having an effective business continuity process Adequate resources are provisioned Management to be actively involved Enables availability 24 x 7 pro-actively

Learning Objectives 32 To understand the concept of Business Continuity Management To understand the key phases and components of a Business Continuity Plan To understand the key aspects of Business Continuity Plan implementation To learn about Back-up and Disaster Recovery Planning To learn how to audit a Business Continuity Plan

Task Statements 33 To design, develop, implement, test, maintain and audit all key phases and components of a Business Continuity Plan in an enterprise To conduct Risk assessment and Business Impact Assessment

Knowledge Statements 34 To understand the concepts and components of Business Continuity Management To know the development of Business Continuity Plans, Disaster Recovery Plans; Emergency Plans etc To know the different phases and components of Business Continuity Plan

Topics Covered Part-1 Part-2 4.1 Introduction 4.2 Need for BC Management 4.3 BCM Policy 4.4 Business Continuity Planning 4.6 Components of BCM Process 4.7 BCM Management Process 4.8 BCM Information Collection Process (BCP) 4.5 Developing a BCP 35

Topics Covered Part-3 4.9 BCM - Strategy Process 4.10 BCM Development and Implementation Process 4.11 BCM Testing and Maintenance Process 4.12 BCM - Training Process Part-4 4.13 Types of Plans 4.14 Types of Back-ups 4.15 Alternate Processing 4.16 DR Procedural Plan Part-5 4.17 Audit of the DR/BR Plan 4.18 Summary 36

Chapter Summary 37 Business Continuity Management Business Continuity Planning BCP Implementation Back up and DR Auditing BCP

38 Thank you!

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information