Temple university. Auditing a business continuity management BCM. November, 2015

Similar documents
Business Continuity Plan

Proposal for Business Continuity Plan and Management Review 6 August 2008

Business Continuity and Disaster Recovery Planning

Company Management System. Business Continuity in SIA

Principles for BCM requirements for the Dutch financial sector and its providers.

Post-Class Quiz: Business Continuity & Disaster Recovery Planning Domain

BUSINESS CONTINUITY PLAN

The PNC Financial Services Group, Inc. Business Continuity Program

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Four

Business Resiliency Business Continuity Management - January 14, 2014

Why Should Companies Take a Closer Look at Business Continuity Planning?

Prepared by Rod Davis, ABCP, MCSA November, 2011

Federal Financial Institutions Examination Council FFIEC BCP. Business Continuity Planning FEBRUARY 2015 IT EXAMINATION H ANDBOOK

Business Continuity Policy

Business Continuity Planning and Disaster Recovery Planning

Business Continuity - IT Disaster Recovery Discussion Paper - - Commercial in Confidence Version V2.0R Wednesday, 5 September 2012

How to write a DISASTER RECOVERY PLAN. To print to A4, print at 75%.

Business Continuity (Policy & Procedure)

2014 NABRICO Conference

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

With the large number of. How to Avoid Disaster: RIM s Crucial Role in Business Continuity Planning. Virginia A. Jones, CRM, FAI RIM FUNDAMENTALS

Business Continuity Planning and Disaster Recovery Planning. Ed Crowley IAM/IEM

Desktop Scenario Self Assessment Exercise Page 1

BCP and DR. P K Patel AGM, MoF

BUSINESS CONTINUITY POLICY

Protecting your Enterprise

The PNC Financial Services Group, Inc. Business Continuity Program

Federal Financial Institutions Examination Council FFIEC. Business Continuity Planning BCP MARCH 2003 MARCH 2008 IT EXAMINATION

MHA Consulting. Business Continuity Management 101

Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD.

Business Continuity Glossary

Best Practices in Disaster Recovery Planning and Testing

BUSINESS CONTINUITY PLANNING GUIDELINES

Business Continuity Management

Emergency Response and Business Continuity Management Policy

Institute for Business Continuity Training 1623 Military Road, # 377 Niagara Falls, NY

State of South Carolina Policy Guidance and Training

NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY

Table of Contents... 1

Information Services IT Security Policies B. Business continuity management and planning

Business Continuity Planning and Disaster Recovery Planning

NORTH HAMPSHIRE CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY MANAGEMENT POLICY AND PLAN (COR/017/V1.00)

Business Continuity Policy

Business Continuity Management Governance. Frank Higgins Abu Dhabi March 2015

Business Continuity Management Policy

Information Security Management: Business Continuity Planning. Presentation by Stanislav Nurilov March 9th, 2005 CS 996: Info. Sec. Mgmt.

KPMG Information Risk Management Business Continuity Management Peter McNally, KPMG Asia Pacific Leader for Business Continuity

The Weill Cornell Medical College and Graduate School of Medical Sciences. Responsible Department: Information Technologies and Services (ITS)

Business Continuity Planning (800)

Business Continuity and Risk Management. Ken Kaberia Principal BCM Officer, Enterprise Risk Safaricom Limited

Assessing Your Disaster. Andrews Hooper Pavlik PLC. Andrews Hooper Pavlik PLC

By. Mr. Chomnaphas Tangsook Business Director BSI Group ( Thailand) Co., Ltd

Business Continuity Management

Unit Guide to Business Continuity/Resumption Planning

Disaster Recovery Plan (DRP) / Business Continuity Plan (BCP)

Business Continuity Management

PAPER-6 PART-3 OF 5 CA A.RAFEQ, FCA

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

Business Continuity Management Planning Methodology

D2-02_01 Disaster Recovery in the modern EPU

CISM Certified Information Security Manager

Module 7. Business Continuity Management

AUDITING A BCP PLAN. Thomas Bronack Auditing a BCP Plan presentation Page: 1

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Three

Planning for Disaster Disaster

ESCB definitions of major business continuity terms in relation to payment and securities settlement systems 1

BUSINESS CONTINUITY PLAN OVERVIEW

Business Continuity Planning

PBSi Business Continuity Planning

NIST SP , Revision 1 Contingency Planning Guide for Federal Information Systems

BUSINESS CONTINUITY MANAGEMENT GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS

Building and Maintaining a Business Continuity Program

Business Continuity and Disaster Planning

Developing a Business Continuity Plan... More Than Disaster

BUSINESS CONTINUITY PLAN. Specific Issues for Public Health Emergencies. Guidelines for Air Carriers

DISASTER RECOVERY Steps You Need to Take (Before It s Too Late)

Continuity of Operations Planning. A step by step guide for business

Disaster Recovery Policy

eet Business continuity and disaster recovery Enhancing enterprise resiliency for the power and utilities industry Power and Utilities Fact Sheet

Ohio Conference for Payroll Professionals Disaster Recovery

Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP).

White Paper: ISO Business Continuity Management An Overview. ISO Business Continuity Management An Overview

Business Continuity Planning for Risk Reduction

Disaster Recovery Planning

DISASTER RECOVERY PLANNING GUIDE

Beyond Disaster Recovery: Why Your Backup Plan Won t Work

Business Continuity Management AIRM Presentation

NHS 24 - Business Continuity Strategy

Business Continuity Management

DRAFT BUSINESS CONTINUITY MANAGEMENT POLICY

Evaluating and Improving Your Business Continuity Plan

South West Lincolnshire NHS Clinical Commissioning Group Business Continuity Policy

Planning for Disaster. Ramesh Ramani CISM CGEIT 02 June 2010

Business continuity management policy

NHS Hardwick Clinical Commissioning Group. Business Continuity Policy

NEEDS BASED PLANNING FOR IT DISASTER RECOVERY

Transcription:

Temple university Auditing a business continuity management BCM November, 2015

Auditing BCM Agenda 1. Introduction 2. Definitions 3. Standards 4. BCM key elements IT Governance class - IT audit program BCM Carlos Garcés Temple University 2

Is better to be prepared to a disaster that could never happened, instead, something wrong happens and we are not prepared for it IT Governance class - IT audit program BCM Carlos Garcés Temple University 3

Introduction IT Governance class - IT audit program BCM Carlos Garcés Temple University 4

The need for Continuity Planning Disasters can strike quickly and without warning, Floods, earthquakes, tornadoes, hurricanes, terrorist attacks, Business are vulnerable to the impact of not only major calamities but also minor business disruptions, Power outages IT system failures: v.g. malware or just hacking, Communication failures Manufacturing equipment failures Hazardous material contamination Robbery or other criminal activity IT Governance class - IT audit program BCM Carlos Garcés Temple University 5

Why are business continuity plans important? They provide an organized, coordinated and consolidated approach to managing response and recovery activities following any unplanned incident or business interruption, avoiding confusion and reducing exposure to error;; They provide prompt and appropriate response to unplanned incidents, thereby reducing the impacts resulting from short and long-term business interruptions;; They recover essential business operations in a timely manner, increasing the ability of the company to recover from an unplanned incident. IT Governance class - IT audit program BCM Carlos Garcés Temple University 6

Overall business continuity management Holistic Approach Emergency Response Plan Crisis Management Plan Pandemic Plan Business Continuity Plan Disaster Recovery Plan Focuses on immediate response and life and safety Focuses on strategies and coordination of response Focuses on response to outbreak of infectious disease Documents recovery procedures for critical business functions Documents procedures for recovery of IT IT Governance class - IT audit program BCM Carlos Garcés Temple University 7

Overall business continuity management The general recovery process is illustrated in the next recovery timeline: IT Governance class - IT audit program BCM Carlos Garcés Temple University 8

Overall business continuity phases IT Governance class - IT audit program BCM Carlos Garcés Temple University 9

Definitions IT Governance class - IT audit program BCM Carlos Garcés Temple University 10

Definitions Disaster Is an event, often unexpected, that seriously disrupts your usual operations or processes and can have long term impact on your normal way of life or that of your organization. He lost a laptop with the only copy of his thesis She lost her research and papers in the lab fire Payroll system failed the day before payday The death of a employee The recent tsunami An earthquake IT Governance class - IT audit program BCM Carlos Garcés Temple University 11

Definitions Resilience Is the ability and capacity to withstand and adapt to new risk environments. A resilient organizations effectively aligns is strategy, operations, business systems, governance structure, and decision-support capabilities so that it can uncover and adjust to continually changing risks, endure disruptions to its primary earning, drivers and create advantages over less adaptive competitors. Business resilience does not reduce the likelihood that an event will occur, but it does increase the likelihood that your company will withstand the event. IT Governance class - IT audit program BCM Carlos Garcés Temple University 12

Definitions Business Continuity Management - BCM The goal of BCM is to provide the organization with the ability to effectively respond to threats such as natural disasters or data breaches and protect the business interests of the organization. BCM includes disaster recovery, business recovery, crisis management, incident management, emergency management and contingency planning. According to ISO 22301, a business continuity management system emphasizes the importance of: Understanding continuity and preparedness needs, as well as the necessity for establishing business continuity management policy and objectives. Implementing and operating controls and measures for managing an organization s overall continuity risks. Monitoring and reviewing the performance and effectiveness of the business continuity management system. Continual improvement based on objective measurements. IT Governance class - IT audit program BCM Carlos Garcés Temple University 13

Definitions Business continuity Planning Is a discipline that prepares an organization to maintain continuity of business during a disaster through an implementation of a business continuity plan. A business continuity plan is a live document that contains procedures and guidelines to help recover and restore disrupted processes and resources to normal operation status within an acceptable time frame. It is: a process to minimize the impact of a major disruption to normal operations a process to enable restoration of critical assets a process to restore normalcy to MIT as soon as possible after a crisis. It is not just: recovery of information technology resources It is the phase of crisis management that follows the immediate actions taken to protect life and property and contain the event. It begins when the situation has been stabilized. IT Governance class - IT audit program BCM Carlos Garcés Temple University 14

Definitions According with ISO 22301:2012 BCM: Holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realize, might cause, and which provides a framework for building organizational resilience with capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. BCP: documented procedures that guides organizations to respond, recover, resume and restore to a pre-defined level of operation following disruption. BIA: process of analyzing activities and the effect that a business disruption might have upon them. IT Governance class - IT audit program BCM Carlos Garcés Temple University 15

Standards IT Governance class - IT audit program BCM Carlos Garcés Temple University 16

BCP standards BS25999 British Standard NFPA1600: (National Fire Protection Association):Development, implementation, assessment, and maintenance of programs for prevention, mitigation, preparedness, response, continuity, and recovery. ASIS2009: Organizational resilience: security, preparedness, and continuity management systems requirements with guidance for use FSA (Financial Services Authority) Business continuity management practice guide. FFIEC (Federal Financial Institutions Examination Council) business continuity planning process. IT Governance class - IT audit program BCM Carlos Garcés Temple University 17

BCP standards ISO 24762 (5.11, 5.12, 7.1): provides guidelines on the provision of information and communications technology disaster recovery (ICT DR) services as part of business continuity management. ITIL Service continuity management. ISO 22301: specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise. ISO 27001:2013 (A14): Information security management. IT Governance class - IT audit program BCM Carlos Garcés Temple University 18

Key elements IT Governance class - IT audit program BCM Carlos Garcés Temple University 19

BCP Process Stage 5: BC Plan Testing Validated Business Continuity Plan Stage 1: Risk Management Documented Business Continuity Plan Stage 4: BC Plan Development Update plan Continuity Strategy Alternative Critical Resources and Services, and Recovery Methods Evaluate Test Results Stage 6: BC Plan Maintenance Stage 3: Strategy Development Monitor changes and reassesses risks Monitor changes and reassesses strategy Monitor changes and reassesses impacts Business Impacts Critical Processes, Operational & Financial Impacts and Recovery Requirements Risk & Controls Threats, exposures, risk levels, risk controls Stage 2: Business Impact Analysis IT Governance class - IT audit program BCM Carlos Garcés Temple University 20

BCP Process Stage 1: Risk Management Assesses the threats of disaster, existing vulnerabilities, potential disaster impacts and identifies and implements controls needed to prevent or reduce the risk of disaster Stage 2: Business Impact Analysis (BIA) Identifies mission-critical processes and analyzes impacts to business if these processes are interrupted as a result of a disaster Stage 3: Business Continuity Strategy Development Assesses the requirements and identifies the options for recovery of critical processes and resources in the event they are disrupted by a disaster IT Governance class - IT audit program BCM Carlos Garcés Temple University 21

BCP Process Stage 4: Business Continuity Plan Development Develops a plan for maintaining business continuity based on the results of previous stages (stages 1 to 3) Stage 5: Business Continuity Plan Testing Tests the BCP document to ensure its currency, viability and completeness Stage 6: Business Continuity Plan Maintenance Maintains the BCP in a constant ready-state for execution IT Governance class - IT audit program BCM Carlos Garcés Temple University 22

Stage 1: Risk Management Graphical representation of a risk Risk Threat Consequences AND Possibility of a car accident caused by a drunk driver Expected damage to the car, loss of life, or bodily injury caused by the car accident IT Governance class - IT audit program BCM Carlos Garcés Temple University 23

Stage 1: Risk Management Decomposition of the threat components Risk Threat Consequences AND Threat Source AND Threat Event Expected damage to the car, loss of life, or bodily injury caused by the car accident Drunk driver Car accident IT Governance class - IT audit program BCM Carlos Garcés Temple University 24

Stage 1: Risk Management Representation of an example business risk Risk Threat Consequences AND Threat Source AND Threat Event Expected loss of revenue as a result of the computer center and office facility shut-down: $2 5 Ice storm Power outage IT Governance class - IT audit program BCM Carlos Garcés Temple University 25

Stage 1: Risk Management Risk determination Quantitative Metrics Derived algorithmically using probability Considerable time and effort are required to gather and analyze data and to explain the results Usually you will need historical information Qualitative Metrics Simpler computations (high, medium, low) Require less time But risk values are subjective and non-repeatable (they are based on judgments) IT Governance class - IT audit program BCM Carlos Garcés Temple University 26

Stage 1: Risk Management A risk with quantitative metrics 25% probability that a power outage will occur as a result of an ice storm Risk Risk value: $625,000= Threat Consequences likelihood AND Threat Source AND Threat Event Expected loss of revenue as a result of the computer center and office facility shut-down: $2 5 Ice storm Power outage IT Governance class - IT audit program BCM Carlos Garcés Temple University 27

Stage 1: Risk Management A risk with qualitative metrics 25% probability that a power outage will occur as a result of an ice storm Risk Risk value: Low Threat Consequences likelihood AND Threat Source AND Threat Event Expected business impact: High Ice storm Power outage IT Governance class - IT audit program BCM Carlos Garcés Temple University 28

Stage 1: Risk Management Matrix LOW PROBABILITY HIGH LOW IMPACT HIGH IGNORE PLAN NORMAL PROCEDURES CHANGE SOMETHING IT Governance class - IT audit program BCM Carlos Garcés Temple University 29

Stage 1: Risk Management Audit issues Scope (processes, facilities, buildings, equipment, technology, human resources, third parties) Risk universe used Qualification scales (quantitative -- qualitative) People interviewed (validation) Proper identification and test of controls (D&O design & implementation, OE operational efficiency) Proper documentation IT Governance class - IT audit program BCM Carlos Garcés Temple University 30

Stage 2: Business Impact Analysis Goals It analyzes the financial and operational impact of disruptive events, Financial impact: monetary losses as lost sales, lost funding and contractual penalties Operational impact: non-monetary losses as loss of competitive edge, damage to investor confidence, poor customer service, low staff morale, and damage to business reputation The BIA identifies the following information Mission-critical areas of the business and their processes Extent of potential operational and financial impact to the organization Requirements for recovering disrupted critical business processes The BIA is a crucial link between the risk management stage and the business continuity plan stage: It identifies mission-critical areas and its continuity requirements IT Governance class - IT audit program BCM Carlos Garcés Temple University 31

Stage 2: Business Impact Analysis BIA approach The BIA approach consisted of the four steps outlined below: Identify Business Functions Collect and Validate Data Analyze Data Develop BIA Report Ø Defined Client function targeted in scope of BIA Ø Obtained existing documentation including previously established BCPs, BIAs, process flow diagrams. Ø Conducted BIA kickoff, BIA sessions and, Follow Ups Ø Collected BIA data for scope business processes Ø Requested & received validation/approval of all data captured Ø Analyzed business process MTPD s Ø Analyzed & aggregated quantitative and qualitative impacts Ø Analyzed internal and external (Third dependencies) Ø Identified minimum RTOs and RPOs for business applications Ø Developed a formal BIA report Ø Summarized the BIA data Ø Consolidated raw BIA data tables Ø Identified personnel, equipment/supplies requirements IT Governance class - IT audit program BCM Carlos Garcés Temple University 32

Stage 2: Business Impact Analysis Recovery Time Requirements MTD (Maximum Tolerable Period of Disruption) Maximum downtime the organization can tolerate for a business process RTO (Recovery Time Objective) Indicates the time available to recover disrupted systems/resources RPO (Recovery Point Objective) It refers to the extent of data loss measured in terms of a time period that can be tolerated by a business process WRT (Work Recovery Time) it s the time available to recover the lost data, work backlog and manually captured data once the system / resources are recovered or repaired IT Governance class - IT audit program BCM Carlos Garcés Temple University 33

Stage 2: Business Impact Analysis Business Terms versus IT Terms Terms that start with M represent business facing timing parameters Terms that start with R represent IT facing timing parameters Key terms for any organization Maximum Tolerable Period of Disruption (MTPD) Recovery Time Objective (RTO) Recovery Point Objective (RPO) IT Governance class - IT audit program BCM Carlos Garcés Temple University 34

Stage 2: Business Impact Analysis Disaster-recovery time frame MTPD RPO RTO WRT Lost Data Work Backlog Recover Work Backlog Collect Data Manually Recover Lost Data Recover Manually Collected Data Systems and Resources Unavailable Normal Procedures Emergency Manual (Work-around) Procedures Manual and Normal Procedures Normal Procedures Last Backup Disruptive Event System / Resources Recovered Start of Normal Processing IT Governance class - IT audit program BCM Carlos Garcés Temple University 35

Stage 2: Business Impact Analysis BIA input and output information BIA Input BIA Output Business Functions & Processes IT and non-it Resources Work-around Procedures Business Impact Analysis Mission-critical Business Processes Financial and Operational Impact Levels Recovery Time Requirements Recovery Priorities Internal and external Dependencies Resource Dependencies Critical Process Work-around Procedures Summarized Findings IT Governance class - IT audit program BCM Carlos Garcés Temple University 36

Stage 2: Business Impact Analysis Audit issues Scope (processes, facilities, buildings, equipment, technology, human resources, third parties) Qualification scales (quantitative -- qualitative) People interviewed (validation) Identification of key processes / requirements Are the mission-critical business processes according with the business needs / requirements? What is the rationale of it? The process followed to obtain it, is well done? Are the RTO, RPO and MTPD right according with the business needs / requirements? The process followed to obtain it, is well done? Are logical the estimation of the financial and operational impact levels? Are these estimates according with the business needs / requirements? The process followed to obtain it, is well done? IT Governance class - IT audit program BCM Carlos Garcés Temple University 37

Stage 2: Business Impact Analysis Audit issues The recovery priorities are based on the needs and requirements of the enterprise? Has been identified the main resources for each critical processes? Has been identified all the main internal and external dependencies? Has been identified and documented all the critical process work-around procedures? Proper documentation IT Governance class - IT audit program BCM Carlos Garcés Temple University 38

Stage 3: strategy development Begin BC Strategy Development Phases BIA Step 1: Identify Recovery Requirements Phase A Recovery Requirements Identification Phase B Recovery Options Identification Phase C Available Time Assessment Step 2: Identify Work Area Recovery Requirements Office Work Area Crisis Management Center Step 1: Identify Work Area Recovery Options Work Area Recovery Options Step 3: Identify IT Systems & Infrastructure Recovery Requirements Alternate IT Recovery Facilities Step 2: Identify IT Systems & Infrastructure Recovery Options IT Systems & Infrastructure Options Alternate Manufacturing & Production Facilities Critical IT Systems & Infrastructure Step 4: Identify Manufacturing & Production Recovery Requirements Step 3: Identify Manufacturing & Production Recovery Options Manufacturing & Production Options Critical Equipment & Resources Critical Products Assess Available Time of Options against Recovery Time Requirements Step 5: Identify Data & Critical/Vital Records Recovery Requirements Off-site Storage Facilities Critical Data Critical Vital Records Step 4: Identify Data & Critical/Vital Records Recovery Options Data & Critical/Vital Records Recovery Options Phase D Cost- Capability Assessment Step 1: Select Capability Requirements Step 2: Evaluate Recovery Options Feasible Recovery Options Step 3: Select Viable Recovery Options Business Continuity Strategy IT Governance class - IT audit program BCM Carlos Garcés Temple University 39

Stage 3: strategy development Match the tools to the business needs Wks Days Hrs Mins Secs Secs Mins Hrs Days Wks Recovery Point Recovery Time Tape or Disk Backup Async. Replication Sync. Replication Clustering Remote Replication Online Restore Tape Restore IT Governance class - IT audit program BCM Carlos Garcés Temple University 40

Stage 3: strategy development Process / functions strategies IT Governance class - IT audit program BCM Carlos Garcés Temple University 41

Stage 3: strategy development Application availability strategies IT Governance class - IT audit program BCM Carlos Garcés Temple University 42

Stage 3: strategy development Application data recovery strategies selection criteria IT Governance class - IT audit program BCM Carlos Garcés Temple University 43

Stage 3: strategy development Vital record recovery strategies selection criteria IT Governance class - IT audit program BCM Carlos Garcés Temple University 44

Stage 3: strategy development Audit issues Are the strategies aligned with the RTO / RPO? How was the strategy s costs estimated? Are the strategies aligned with the management goals? Are the strategy s costs well balanced with the amount of the loss? Are the strategies easy to maintain, easy to test, easy develop, let to operate for a long time? Are the strategy selection made by the management? Proper documentation IT Governance class - IT audit program BCM Carlos Garcés Temple University 45

Stage 4: Plan development Phases Disaster / Disruptive Event Phase 1 Initial Response & Notification Results in a Preliminary Problem Report Phase 2 Problem Assessment & Escalation Results in a Detailed Problem Report Phase 3 Disaster Declaration Results in a Disaster Declaration Statement Phase 4 Plan Implementation Logistics Results in Mobilization of Teams, Backup Media and Critical Resources and Equipment Phase 5 Recovery and Resumption Results in Recovery of Critical IT and Non-IT Resources and Processes Phase 6 Normalization Results in Pre-disaster Operational Status IT Governance class - IT audit program BCM Carlos Garcés Temple University 46

Stage 4: Plan development Incident escalation Incident Incident Management Team and CMT informed Assess severity and respond as appropriate Major severity Minor severity (Crisis) Manage incident at op. level CMT informed and activated Incident resolved Yes Incident closed CMT meet and agree actions Crisis resolved Invoke and activate the BCPs IT Governance class - IT audit program BCM Carlos Garcés Temple University 47 Yes Incident closed No Post crisis report produced

Stage 4: Plan development Components BCM Policies Recovery teams (crisis management team, incident management team, crisis communication team, DRP management team, BCP s teams) Governance (BCP leader, DRP Leader) Roles and responsibilities (normal and disaster time) Key performance indicators (defined and measurement) BCP directory (address, cell phone, phone) internal and external Call tree IT Governance class - IT audit program BCM Carlos Garcés Temple University 48

Stage 4: Plan development Audit issues Are the BCM policies approved by the management? Are the incident escalation according with the company s needs and requirements? Is properly defined the procedure to share the information of the call tree and directory? Are the BCM s, BCP s and DRP's leaders properly defined according with the skills and knowledge of the people selected? Are the teams well structured? Are properly defined the spokesmen? Proper documentation IT Governance class - IT audit program BCM Carlos Garcés Temple University 49

Stage 5: Testing Testing scheme Test Complexity High Full-interruption Simulation Unannounced Medium Walkthrough Walkthrough Low Checklist Checklist Monthly Quarterly Semiannually Annually Test Schedule IT Governance class - IT audit program BCM Carlos Garcés Temple University 50

Stage 5: Testing Audit issues Are the BCM s components properly tested? Is the BCM s test process properly defined and approved? Is the test frequency properly defined? Each test has its own data set and time and results expected? After each test, the results are analyzed and a work plan is defined to solve the problems presented? Is there a follow up to the implementation of the work plan? Who is the responsible? Are the strategies aligned with the RTO / RPO? Is the test program cumulative? Proper documentation IT Governance class - IT audit program BCM Carlos Garcés Temple University 51

Stage 6: Plan maintenance Audit issues Step 1 Monitor Internal & External Changes Periodic BC Plan Testing Compiled Changes Periodic BC Plan Audit Test Results Step 2 Review Compiled Changes & Results of Plan Test & Audits BC Plan Change Request Audit Results Step 3 Process BC Plan Change Request Revised Bc Plan Document IT Governance class - IT audit program BCM Carlos Garcés Temple University 52

Stage 6: Plan maintenance Audit issues Is the BCM s plan maintenance properly defined and approved? Are identified the activities that causes bcp changes / modifications? Is defined the internal and external BCP audit program? Is clear who is the responsible(s) to update the BCP? Proper documentation IT Governance class - IT audit program BCM Carlos Garcés Temple University 53

Thank you IT Governance class - IT audit program BCM Carlos Garcés Temple University 54

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information