GENERALLY ACCESSIBLE

Business Continuity Management
Field Report from an Audit Point of View

ISACA Swiss Chapter - After Hour Seminar, 28 August 2006
Urs Voigt - Group Internal Audit

Disasters happen anywhere and anytime!
Table of Contents

SECTION 1 Introduction
SECTION 2 Approach
SECTION 3 Framework
SECTION 4 Report and Follow-Up
SECTION 5 Summary
SECTION 6 Supplementary Information

SECTION 1 Introduction
UBS

- Global group: 50 countries, ~70,000 employees, distributed IT infrastructure
- Three Business Groups plus the Corporate Center
- Business Continuity Management in every Business Group
- Group Internal Audit organisation with ~300 employees

Interfaces of Group Internal Audit

- External Audit
- Regulators (EBK, FED, FSA, ...)
- Board of Directors: Chairman's Office / Audit Committee
- Auditees: Group Executive Board, Corporate Center / Business Groups, staff members

Goals for the Presentation

Audit scope
- UBS Global WM&BB, Switzerland
- Important business areas and processes
- Top business applications and IT infrastructure services

Presentation objectives
- Field report on the BCM framework from an audit perspective
- Status of Business Continuity Management
- Point to critical areas for BCM

Possible definition of BCM: "Business Continuity Management is a holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities."
SECTION 2 Approach

The "Chinese Disaster Prediction" Approach

- Not risk based
- Does not focus on core business processes
- Impact not always quantified
- Disaster scenarios not defined in detail
UBS Approach

Address important external requirements such as:
- Regulators (e.g. EBK, FED (1))
- Financial service providers (e.g. SNB)
- Clients

Address important internal requirements such as:
- Group Risk Policy
- BCM strategy
  o Identify critical business processes (applications)
  o Governance and reporting model
  o Macro risk assessment
- Standards and guidelines (e.g. COBIT, ISO 17799, ISF, COSO)
- Sponsor (e.g. the business)

(1) Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, April 2003

Threats

- Changes to systems and processes
- Disruption of services or facilities
- Misuse of infrastructure
- Loss of facilities (e.g. earthquake)
- Loss of staff (e.g. fire, pandemic)
- Human error
- Third-party failure
- External attacks on infrastructure
BCM Workflow Process

Strategic
1. Commitment from sponsors (senior management)
2. Risk policy
3. Strategy

Tactical and operational
4. Implementation plan
5. Test concept
6. Measurement and review

SECTION 3 Framework
Framework

Elements of the BCM framework:
- Regulatory Requirements, BCM Group Risk Policy, Standards & Guidelines
- BCM Strategy, Governance Model, SLA
- First Cut Risk Analysis, Business Impact Analysis, Terms of Reference
- BCM Concept, Document Management, Test Strategy
- IT Infrastructure Services, Business Applications, Backup & Recovery, Test Plan, Crisis Management
- Awareness Initiative, Risk Register, Training Program, Working Group

The Basis

Regulatory Requirements
- The basis for the industry-specific requirements in each country (e.g. FED (US), FSA (UK), MAS (Singapore))

BCM Group Risk Policy
- Provides guidance on certain aspects of sound BCM that must be applied

BCM Strategy
- Aims to ensure full compliance with the regulatory requirements and the group operational risk policy

Terms of Reference
- The ToR specify the time scale, data loss and functional requirements for appropriate disaster mitigation
The Basis (cont.)

First Cut Risk Analysis
- The FCRA investigates the impact (risk) on the business process of the unavailability of key staff and critical IT applications (e.g. financial losses, reputation risk).

Business Impact Analysis
- The BIA analyses the critical business processes and their continuity requirements (e.g. identification of key personnel and their recovery location).

Governance Model
- Establish Departmental Recovery Plans defining the recovery strategy, staff recovery, recovery location information and dependencies. Summary contact information and an activity checklist complement the DRP.

Standards & Guidelines
- Define the requirements and provide guidance (e.g. test standards, risk policy).

Example 1: Terms of Reference

Risk ranking (example)

Criticality       | Business target for business process resumption | Critical business processes (examples)
Systemic          | Transparent                                      | Payments & Cash, Securities
Mission Critical  | Within 3 hours / within 24 hours                 | Credit Monitoring, Account Opening
Subsidiary        | Within 72 hours                                  | HR, Logistics
Example 1 (cont.): Terms of Reference

Assessment of the disaster tolerance of business applications along three dimensions:
- Redundancy
- Separation
- Capacity

Example 2: Business Impact Analysis

- Critical business applications
- Key people and the 3 / 24 / 72 hour team
- Backup IT environment at the alternate site
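The Terms of Reference and the BIA only pay off when they are checked against each other: every application and infrastructure service that a critical process depends on must itself be recoverable within that process's resumption target, and a dependency that has never been through a failover test makes the process's real recovery time unknown. The Python script below is an added example, not material from the presentation or from UBS, that performs this check on a constructed BIA inventory. The process names and criticality tiers are taken from the risk-ranking example above; the application and infrastructure names, the tested recovery times and the dependency links are hypothetical, and mapping the "Transparent" target to 0 hours is an assumption of the example.

```python
from typing import Dict, List, Optional, Set, Tuple

# Resumption targets from the Terms of Reference example, in hours.
# "Transparent" (no visible interruption) is modelled as 0 hours; that
# mapping is an assumption of this example, not a figure from the slides.
TOR_TARGET_HOURS: Dict[str, int] = {
    "Systemic": 0,
    "Mission Critical (3h)": 3,
    "Mission Critical (24h)": 24,
    "Subsidiary": 72,
}

# Constructed BIA inventory. Process names and tiers follow the slide; the
# dependency links are hypothetical.
PROCESSES: Dict[str, dict] = {
    "Payments & Cash":   {"tier": "Systemic",               "deps": ["app-payments"]},
    "Credit Monitoring": {"tier": "Mission Critical (3h)",  "deps": ["app-credit"]},
    "Account Opening":   {"tier": "Mission Critical (24h)", "deps": ["app-onboarding", "app-credit"]},
    "HR":                {"tier": "Subsidiary",             "deps": ["app-hr"]},
}

# Applications and infrastructure services (hypothetical names).
# "tested_rto_h" is the recovery time demonstrated in the last failover
# test in hours; None means the component has never been tested.
COMPONENTS: Dict[str, dict] = {
    "app-payments":   {"tested_rto_h": 0,    "deps": ["db-cluster", "network-core"]},
    "app-credit":     {"tested_rto_h": 5,    "deps": ["db-cluster", "network-core"]},
    "app-onboarding": {"tested_rto_h": 20,   "deps": ["db-cluster", "doc-mgmt"]},
    "app-hr":         {"tested_rto_h": 48,   "deps": ["db-cluster"]},
    "db-cluster":     {"tested_rto_h": 0,    "deps": []},
    "network-core":   {"tested_rto_h": 0,    "deps": []},
    "doc-mgmt":       {"tested_rto_h": None, "deps": []},   # never exercised in a test
}


def dependency_closure(name: str, components: Dict[str, dict],
                       path: Optional[List[str]] = None) -> Set[str]:
    """All components that `name` transitively depends on, including itself.

    Raises ValueError on a circular dependency (a BIA must never contain one)
    and KeyError when a dependency is missing from the inventory.
    """
    path = path or []
    if name in path:
        raise ValueError("circular dependency: " + " -> ".join(path + [name]))
    if name not in components:
        raise KeyError(f"{name} is referenced but not in the BIA inventory")
    closure = {name}
    for dep in components[name]["deps"]:
        closure |= dependency_closure(dep, components, path + [name])
    return closure


def achievable_rto(process: dict, components: Dict[str, dict]) -> Optional[int]:
    """Worst demonstrated recovery time across everything the process needs.

    Assumes components are recovered in parallel, so the slowest one
    dominates; with a sequential recovery chain the times would add up.
    Returns None if any component in the closure has never been tested.
    """
    needed: Set[str] = set()
    for dep in process["deps"]:
        needed |= dependency_closure(dep, components)
    times = [components[c]["tested_rto_h"] for c in needed]
    if any(t is None for t in times):
        return None
    return max(times)


def assess(processes: Dict[str, dict], components: Dict[str, dict],
           targets: Dict[str, int]) -> Dict[str, Tuple[str, int, Optional[int]]]:
    """Compare each process against its ToR target.

    Returns {process: (status, target_h, achievable_h)} where status is
    OK, GAP (slowest dependency misses the target) or UNTESTED.
    """
    findings: Dict[str, Tuple[str, int, Optional[int]]] = {}
    for name, proc in processes.items():
        target = targets[proc["tier"]]
        achieved = achievable_rto(proc, components)
        if achieved is None:
            status = "UNTESTED"
        elif achieved > target:
            status = "GAP"
        else:
            status = "OK"
        findings[name] = (status, target, achieved)
    return findings


if __name__ == "__main__":
    for proc, (status, target, achieved) in assess(PROCESSES, COMPONENTS, TOR_TARGET_HOURS).items():
        print(f"{status:8} {proc:18} target {target:>2}h, achievable {achieved}h")
```

Run directly, the script prints one line per process. A process is reported as GAP when the slowest component in its dependency closure recovered more slowly than the ToR allows (here Credit Monitoring, because app-credit needed 5 hours against a 3 hour target), and as UNTESTED when any component in the closure has never been through a failover test (Account Opening, because of doc-mgmt); reporting the unknown as a finding rather than as an optimistic figure is what an auditor would expect to see. The script models parallel recovery; for a sequential recovery chain replace max with sum.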
Example 3: Governance Model

- Group Steering Committee
- Business Group: BG Risk Control Committee, BCM Steering Committee
- IT Operations, BCM Working Group, Risk Control, Business Areas, Risk Management

Testing in Production

Test plan / test framework
- Dimensions: time, place, frequency, budget
- Elements: test types, objectives, business units
- Relationships: test organisation, tasks, documentation, actions

Example test type: Front to Back (F2B)
- Definition: end-to-end process test with all units involved in the test procedure
- Use: in IT failover exercises, F2B tests have to be negotiated; for highly critical processes / infrastructure; after big moves or reorganisations
- Frequency: annually for very critical processes, otherwise at 2-3 year intervals
- Responsibility: business or IT
- Parties involved: business units, security, risk management, IT
Testing (cont.)

Test Case 1 (infrastructure test): diagram showing the business location, primary site, alternate site, data center and applications
Test Case 2 (business test): diagram showing the business location, primary site, alternate site, data center and applications
SECTION 4 Reporting and Follow-up

Process
- Planning: risk identification, assessment
- Fieldwork: control measures, test programme
- Reporting: findings, report
- Follow-up: monitor actions, evidence

Report
- Executive summary
- Issue description and risk
- Audit recommendation
- Management comment (action, responsibility, deadline)

Addressees: Chairman's Office, Group Executive Board, line / functional management
SECTION 5 Summary, Q & A

Summary
- Governance: management commitment
- Strategy: high complexity due to the dependencies between business processes, business organisation, culture and IT
- Risk management: high expectations from the regulators, the industry and the clients
- Testing: maintenance and test arrangements
- Business requirements: understand the core business requirements
SECTION 6 Supplementary Information

Useful links
- EBK: http://www.ebk.admin.ch/d/
- BSI: http://www.bsi.de
- ISF: http://www.securityforum.org/html/frameset.htm
- SNB: http://www.snb.ch/d/index3.html
- R/D: http://recovery-disaster.info/
- MI5: http://www.mi5.gov.uk/output/page267.html
- Business Continuity World: http://www.business-continuity-world.com/
- ISO 17799: http://www.17799central.com/
- Infosyssec: http://www.infosyssec.net/infosyssec/security/buscon1.htm
- ISACA: http://www.isaca.org/template.cfm?section=home
- COSO: http://www.coso.org/
- ITIL: http://www.itil.org/
- BCF: http://www.continuitysoftware.com/thebcforum/
- NIST: http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/chapter11.html#84
- BCI (The Business Continuity Institute): http://www.thebci.org/
- Disaster Recovery Institute: http://drii.org
Standards
- PAS 56 (2003), Publicly Available Specification, guide to business continuity management, www.bsi-global.com (to be replaced by BS 25999)
- ISO/IEC 20000, specification for IT service management, www.iso.org
- ISO/IEC 27001, requirements for an information security management system
- ISO/IEC TR 18044, technical report on information security incident management
- NIST SP 800-34, Contingency Planning Guide, National Institute of Standards and Technology, csrc.nist.gov
- ISF Standard of Good Practice, www.securityforum.org

Contact
Urs Voigt
UBS AG, Group Internal Audit - IT
Flueelastrasse 32, 8098 Zürich
urs.voigt@ubs.com

UBS Facts and Figures