Western Intergovernmental Audit Forum



Similar documents
Business Continuity Plan

Why Should Companies Take a Closer Look at Business Continuity Planning?

With the large number of. How to Avoid Disaster: RIM s Crucial Role in Business Continuity Planning. Virginia A. Jones, CRM, FAI RIM FUNDAMENTALS

Business Unit CONTINGENCY PLAN

2014 NABRICO Conference

Beyond Disaster Recovery: Why Your Backup Plan Won t Work

Building and Maintaining a Business Continuity Program

How to Plan for Disaster Recovery and Business Continuity

Business Continuity Planning Preparing Your Organization

Business Continuity Planning. Donna Curran, Director Audit and Risk Management February, 2014

Business Continuity Planning for Risk Reduction

Version Copyright Janco Associates, Inc. - Page 1

How to Design and Implement a Successful Disaster Recovery Plan

Assessing Your Disaster. Andrews Hooper Pavlik PLC. Andrews Hooper Pavlik PLC

Business Continuity and Disaster Recovery Planning

University of Michigan Disaster Recovery / Business Continuity Administrative Information Systems 4/6/2004 1

DRAFT Disaster Recovery Policy Template

Table of Contents... 1

Disaster Recovery. Hendry Taylor Tayori Limited

Federal Financial Institutions Examination Council FFIEC BCP. Business Continuity Planning FEBRUARY 2015 IT EXAMINATION H ANDBOOK

Application / Hardware - Business Impact Analysis Template. MARC Configuration Requirements. Business Impact Analysis

Business Resiliency Business Continuity Management - January 14, 2014

Federal Financial Institutions Examination Council FFIEC. Business Continuity Planning BCP MARCH 2003 MARCH 2008 IT EXAMINATION

BUSINESS CONTINUITY PLAN OVERVIEW

State of South Carolina Policy Guidance and Training

Disaster Recovery Plan (DRP) / Business Continuity Plan (BCP)

Business Continuity Management

Temple university. Auditing a business continuity management BCM. November, 2015

NIST SP , Revision 1 Contingency Planning Guide for Federal Information Systems

D2-02_01 Disaster Recovery in the modern EPU

EMERGENCY PREPAREDNESS PLAN Business Continuity Plan

Ohio Conference for Payroll Professionals Disaster Recovery

Evaluating and Improving Your Business Continuity Plan

Business Continuity and the Cloud. Aaron Shaver US Signal, Solution Architect

Protecting your Enterprise

Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP).

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

Abhi Rathinavelu Foster School of Business

Post-Class Quiz: Business Continuity & Disaster Recovery Planning Domain

Continuity of Operations Planning. A step by step guide for business

Emergency Response and Business Continuity Management Policy

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

SCADA Business Continuity and Disaster Recovery. Presented By: William Biehl, P.E (mobile)

Disaster Recovery and Business Continuity What Every Executive Needs to Know

Module 7. Business Continuity Management

[Insert Company Logo]

Saving SharePoint. Presented By: Sean McDonough Product Manager, SharePoint Products Idera

Fundamentals of Business Continuity Planning Have a Plan!

Business Continuity and Disaster Recovery

Building a strong business continuity plan

Best Practices in Disaster Recovery Planning and Testing

Unit Guide to Business Continuity/Resumption Planning

a Disaster Recovery Plan

Disaster Recovery and Business Continuity Plan

Subject: Internal Audit of Information Technology Disaster Recovery Plan

NHS 24 - Business Continuity Strategy

Desktop Scenario Self Assessment Exercise Page 1

Disaster Recovery Plan (Business Continuity) Template

Business Continuity and Disaster Recovery

Planning for Disaster Disaster

The Role of Internal Audit In Business Continuity Planning

Best Practices in Developing an IT Disaster Recovery Plan. Vijaykumar Kulkarni AGM Product Management

Virginia Commonwealth University School of Medicine Information Security Standard

Shankar Gawade VP IT INFRASTRUCTURE ENAM SECURITIES PVT. LTD.

BCP and DR. P K Patel AGM, MoF

How to write a DISASTER RECOVERY PLAN. To print to A4, print at 75%.

Business Continuity Management

Disaster Recovery Business Continuity Premium Edition

A BCP Tale: From Theory to Practice

NCUA LETTER TO CREDIT UNIONS

Business Continuity Trends and Risk Considerations Financial Executives International Portland Chapter June

DISASTER RECOVERY AND CONTINGENCY PLANNING CHECKLIST FOR ICT SYSTEMS

Business Continuity Planning Principles and Best Practices Tom Hinkel and Zach Duke

Proposal for Business Continuity Plan and Management Review 6 August 2008

Business Impact Analysis (BIA) and Risk Mitigation

Data Center Assistance Group, Inc. DCAG Contact: Tom Bronack Phone: (718) Fax: (718)

Standard Operating Procedure Contingency Planning Guidance

Business Continuity & Disaster Recovery

Business Continuity Planning and Disaster Recovery Planning. Ed Crowley IAM/IEM

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

Building a Disaster Recovery Program By: Stieven Weidner, Senior Manager

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Four

Identify and Protect Your Vital Records

Federal Financial Institutions Examination Council FFIEC BCP. Business Continuity Planning MARCH 2003 IT EXAMINATION H ANDBOOK

Disaster Recovery Planning Procedures and Guidelines

Audit of IMS Disaster Recovery Plan

Operational Continuity

Business Continuity Management Emerging Trends

BUSINESS CONTINUITY PLANNING GUIDELINES

Transcription:

Western Intergovernmental Audit Forum Business Continuity & Disaster Recovery Planning September 12, 2013 Presented by: City of Phoenix City Auditor Department Aaron Cook, Sr Internal Auditor IT Audit Heather Kneale, Internal Auditor Stacey Linch, Internal Auditor

How Prepared Are You?

Objectives Defining Business Continuity Defining Disaster Recovery Importance of BCP & DRP Developing a BCP and DRP Auditing a BCP and DRP Audit Resources

Key Concepts Emergency/Incident Plans Plans developed by first responders and public safety to address disasters Business Continuity Plan (BCP) Process to ensure business risks are identified, mitigated, and planned for so that operations can recover in response to a disruption Analysis -> Strategy Design -> Implementation (Training) -> Testing -> Maintenance Continuity of Operations Plan (COOP) Documented plan, usually using the FEMA COOP framework and templates Ensures continuous availability so operations can continue Ensures continuation of leadership by establishing an order of succession of key personnel Specifies plans for delegation of agency authority and devolution Disaster Recovery Plan (DRP) Plans specific to IT systems

Standards Disaster Recovery Institute International DRII Professional Practices Framework International Organization for Standardization ISO22301:2012 Business Continuity Institute Good Practices Guidelines

Business Continuity Plan You need a plan before it s needed

Business Continuity Plan Goals Protect Human Life Protect Vital Assets Property Data Resume business operations at alternate site (if primary site inoperable) Restore business operations to primary site

Elements of a BCP BCP Committee (executive support) Policies and Procedures (roles and responsibilities) Identify Essential Functions/Services Risk Assessment Business Impact Analysis Prioritization Identify Interdependencies Internal/external Determine Succession/Delegation of Authority

Elements of a BCP cont d Locate Alternate Facilities & Resources Determine Vital Records Build the Emergency Response Team (ERT) Conduct Staff Training Regular Testing, Maintenance, & Auditing Tabletop Exercises, call trees, partial drills, full drills Communications Plan

Business Continuity Plan Importance Pandemic Power outage Fire Flood (pipes, monsoon) Natural gas leak Chemical spill (railroad, highway, chemical plant) Natural disaster (haboob, earthquake, tornado, hurricane) Nuclear explosion (power plant Japan) Terrorist attack (Boston marathon) Wildfires/Loss of staff Plane crash

Auditing the BCP Audit Objectives: Determine if the plan is effective and aligns to business objectives Ensure the plan is consistent with accepted practices and controls Ensure the plan is documented, readily available, understood by staff, and actionable Validate the adequacy, completeness, and appropriateness

BCP Audit Validation Designated committee/emergency response team Policies, mission statement, recovery expectations (do business and IT align) Risk assessment/business impact analysis Documented plan with continual updating Hardware and software inventory Designated alternate work site(s) Emergency procedures Communication plan Emergency phone numbers Service level agreements with external agencies Training, tests and drills

Disaster Recovery Planning Prevention is better than a cure

Definition and Why Disaster Recovery Plan Definition: Disaster recovery is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster. Why? Maintain data confidentiality, integrity, and availability Continue providing services Protect reputation and public confidence PCI compliance and financial reporting Protect physical assets

Key Terms Recovery Time Objective (RTO) The time that it takes for a system to be completely up and running in the event of a disaster. The maximum time the business can afford to be without a system. Recovery Point Objective (RPO) The ability to recover files by specifying a point in time to restore the backup copies. Describes what data (i.e., age) that will be restored in the event of a disaster. The RTO and RPO should align with the requirements of the business.

Standards Specific to IT ITIL Information Technology Infrastructure Library v3 Service Design COBIT 5 DSS04 Manage Continuity NIST SP800-34 Rev. 1 Contingency Planning Guide for Federal Information Systems ISO 27002:2005 Business Continuity Management

Disaster Recovery Plan Importance

Disaster Recovery Plans Importance Technology failure natural disaster, human error, virus November 19, 2012 Hurricane Sandy leaves wounded servers in its wake (Computerworld.com) August 26, 2013 China s Internet hit by biggest cyberattack in its history (CNNMoney) August 26, 2013 Server Crash Spurs Three- Hour Nasdaq Halt as Data Link Lost (BloombergBusineessweek)

Framework Everyone looks to the IT department Framework needed Framework should include all elements to resume business process Accountability, communication, escalation, recovery strategies, service levels, emergency procedures

Disaster Recovery Plan Elements Disaster Recovery Team Staff training Backup Data Risk Analysis/Business Impact Analysis (BIA) Application Criticality Service Level Agreements Required hardware and software Third party contracts

Disaster Recovery Plan Elements Response/Recovery teams roles and responsibilities Restoration plans Communication plan Alternate site(s) Plan maintenance Plan testing

Disaster Recovery Plan ----what should it look like?

Disaster Recovery Plan Audit Validation Roles and responsibilities Teams Incident Response, Emergency Response, Recovery, Communications, Supplies, Salvage Do staff know what their roles are? Is Training provided?

Disaster Recovery Plan Audit Validation

Disaster Recovery Plan Audit Validation System Recovery Service level agreements RTO/RPO System requirements Restoration plans Regulatory requirements Back up data

Disaster Recovery Plan Audit Validation Data Backup Availability of data Offsite data Security Quality of data Plan Documentation and Accessibility Online Hardcopy Offsite

Disaster Recovery Plan Audit Validation Plan Maintenance Updates/Upgrades New Staff Change Management Frequency

Disaster Recovery Plan Audit Validation Plan Testing Types of testing Frequency of testing Documentation of testing

Lessons Learned Groups want to do the right thing time, resource, and tool constraints Aligning business needs/expectations with IT is key An untested plan = No plan Plan maintenance an unmaintained plan is a paper weight Disasters do happen

Audit Resources IIA s GTAG 10 Business Continuity Management ISACA s Business Continuity Management Audit/Assurance Program FFEIC (Federal Financial Institutions Examination Council) IT Examination Handbook Business Continuity Planning NIST SP800-53 Contingency Planning Policy & Procedures

Questions? Aaron Cook aaron.cook@phoenix.gov Heather Kneale heather.kneale@phoenix.gov Stacey Linch stacey.linch@phoenix.gov

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information