Auditing Business Continuity Planning: tips and techniques for a typical audit programme



Karen Wills, Senior Internal Auditor, St James's Place Wealth Management, February 2014

Contents

- Background
- Roles and Responsibilities
- Training and Awareness
- Scope and Strategy
- Risk Assessment
- Business Continuity Plans
- Testing and Exercising
- Outsourced Activities / External Suppliers
- ITDR
- Incidents
- Glossary of Terms

Roles and Responsibilities

- Accountable Executive / Sponsor
- Business Continuity Team:
  - BC Manager / Deputies
  - Time in role
  - Full time or other responsibilities
  - Reporting lines
  - Objectives of BC team
- Crisis Management Team (Gold - Strategic / Silver - Tactical Teams):
  - Members of Crisis Management Team / Incident Response Team
  - Description of roles
- Individual Business Unit or Departmental Teams (Bronze - Operational Teams):
  - BC Plan owners / deputies
  - Time in role
  - Specific BC objectives included in personal objectives

Documents to review:
- BC Manager / Deputy job descriptions
- Organisation chart
- Annual objectives
- List of Crisis Management Team members
- List of BC plan / process owners

Training and Awareness

- Level of general BC awareness within the organisation
- Training materials available for the BC teams (inc Central, Crisis Mgt and Individual Teams)
- Mandatory training on an annual basis
- Professional membership / qualifications (BCI / IRM / CIIA)
- Communications to the business

Documents to review:
- Training guides, inc online resources
- DVDs
- Presentations / hand-outs from any awareness sessions
- Programme of training activity

Scope and Strategy

- Business units / buildings / departments in scope (inc any specifically out of scope and why)
- Activities in (and out of) scope
- Shared buildings
- Scenarios covered
- Relocation strategy
- BCP / DR strategy
- Recovery contracts
- Service agreements

Documents to review:
- List of departments / critical activities
- Contracts with specialist BC/DR companies
- Budget / funding

Risk Assessment

- Risks
- Business Impact Assessments (BIA):
  - Level of granularity
  - Status of completion
  - Frequency of review
  - Sign off
- Content of BIAs:
  - List of activities, inc criticality
  - List of IT systems used, inc criticality, RTO, RPO
  - Critical times / peak volumes
  - Interdependencies - internal and external
  - Critical suppliers
  - Recovery requirements - people, IT, hardware
  - Vital records

Documents to review:
- Risk Assessment
- Sample of BIAs
- Review timetable

BC Plans

- Plan format - Word / Excel / BC software
- Plan ownership
- Crisis Management Team Plan(s):
  - Ownership and location of Master
  - Status of completion
  - Reasonableness of content
  - Clearly defined tasks and responsibilities
  - Frequency of review
  - Sign off
- Departmental Plans - typical content:
  - Roles and responsibilities
  - List of critical activities (should match to BIA)
  - Separate sections for Loss of Building / Loss of IT / Loss of People scenarios
  - Task lists in priority order at various timescales
  - Details of manual workarounds

Documents to review:
- Planning guide and template
- Crisis Management Team plan(s)
- Sample copies of critical departmental plans

Testing and Exercising

- Range of testing performed:
  - Call cascades
  - Desktop walkthroughs
  - Scenario exercises
  - Workarea recovery tests
  - Building evacuations
- Status of testing
- Frequency
- Involvement in testing
- Test documentation:
  - Pre- and post-test reports
  - Test scripts
  - Actions required

Documents to review:
- Annual Test Plan
- Example of pre-test report
- Example of post-test report
- Example of test scripts
- Issues and actions logs

Outsourced Activities / External Suppliers

Outsourced activities:
- Identify critical outsourced activities
- Location - shared buildings / external
- BIA and BC Plan
- Communication strategy
- Status of testing - joint testing
- Reporting

Documents to review:
- Outsourcers' BIA and BCP
- Test reports
- List of critical suppliers

Critical suppliers:
- Identify critical suppliers
- Status of BC preparedness
- Link back to individual BC Plans

ITDR

- Strategy for system recovery
- Relationship between BC Manager and ITDR team
- Location of live systems
- Location of DR site
- Outsourced IT services
- Status of recoverability - cross-reference to BIAs
- Out of date / unsupported hardware or software
- Status of DR testing
- Provision of specialist equipment (e.g. scanning, printing, mailing, call voice recording)
- Call centre recovery

Documents to review:
- DR contracts
- List of critical systems - RTO / RPO
- Example of service agreement
- DR Test Plans
- DR Test Reports
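The ITDR step "status of recoverability - cross-reference to BIAs" (and the Risk Assessment item "list of IT systems used, inc criticality, RTO, RPO") is in practice a reconciliation: the BIA states the agreed RTO and RPO per system, and the DR test reports state what was actually achieved and when. The script below is an added example, not part of the presentation, that performs that reconciliation and produces audit findings: critical systems with no DR test on file, tests older than the review period, tests that missed the RTO or RPO, and tested systems the BIA does not mention. The system names, recovery figures and dates are constructed sample data; the one-year maximum test age and the 1 February 2014 audit date are assumptions chosen for the example.

```python
"""Reconcile BIA recovery objectives (RTO/RPO) against DR test evidence.

Added example for the audit step "status of recoverability - cross-reference
to BIAs". All system names, hours and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class BiaSystem:
    name: str
    criticality: str      # e.g. "critical", "high", "medium"
    rto_hours: float      # agreed time by which the system must be restarted
    rpo_hours: float      # maximum tolerable data loss


@dataclass(frozen=True)
class DrTest:
    system: str
    test_date: date
    achieved_recovery_hours: float   # invocation to service restored
    data_loss_hours: float           # age of restored data relative to the incident point


def reconcile(bia, tests, audit_date, max_test_age_days=365):
    """Return audit findings as sorted (system, finding) tuples.

    Only the most recent test per system is compared against the BIA, so an
    earlier pass never excuses a later failure.
    """
    latest = {}
    for t in tests:
        if t.system not in latest or t.test_date > latest[t.system].test_date:
            latest[t.system] = t

    findings = []
    for s in bia:
        t = latest.get(s.name)
        if t is None:
            findings.append((s.name, "no DR test on file"))
            continue
        age = (audit_date - t.test_date).days
        if age > max_test_age_days:
            findings.append((s.name, f"last DR test is {age} days old (limit {max_test_age_days})"))
        if t.achieved_recovery_hours > s.rto_hours:
            findings.append((s.name, f"RTO breach: recovered in {t.achieved_recovery_hours}h against RTO {s.rto_hours}h"))
        if t.data_loss_hours > s.rpo_hours:
            findings.append((s.name, f"RPO breach: {t.data_loss_hours}h data loss against RPO {s.rpo_hours}h"))

    # A test for a system absent from the BIA points at an incomplete BIA, not a passing control.
    for name in sorted(set(latest) - {s.name for s in bia}):
        findings.append((name, "DR test exists but system is missing from the BIA"))
    return sorted(findings)


# Constructed sample BIA extract (assumed values, not a real organisation's data).
SAMPLE_BIA = [
    BiaSystem("client-portal", "critical", rto_hours=4, rpo_hours=1),
    BiaSystem("payments-gateway", "critical", rto_hours=2, rpo_hours=0.25),
    BiaSystem("hr-system", "medium", rto_hours=72, rpo_hours=24),
    BiaSystem("document-archive", "high", rto_hours=24, rpo_hours=4),
]

# Constructed sample DR test reports.
SAMPLE_TESTS = [
    DrTest("client-portal", date(2013, 11, 12), achieved_recovery_hours=3.5, data_loss_hours=0.5),
    DrTest("client-portal", date(2012, 6, 1), achieved_recovery_hours=6.0, data_loss_hours=2.0),   # superseded
    DrTest("payments-gateway", date(2013, 9, 3), achieved_recovery_hours=5.0, data_loss_hours=0.1),  # misses RTO
    DrTest("hr-system", date(2012, 1, 20), achieved_recovery_hours=10.0, data_loss_hours=20.0),     # stale test
    DrTest("legacy-ledger", date(2013, 10, 1), achieved_recovery_hours=8.0, data_loss_hours=1.0),   # not in BIA
]

AUDIT_DATE = date(2014, 2, 1)   # assumed audit date for the example


def sample_findings():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(SAMPLE_BIA, SAMPLE_TESTS, AUDIT_DATE)


if __name__ == "__main__":
    for system, finding in sample_findings():
        print(f"{system}: {finding}")
```

On the sample data the script reports four findings: document-archive has no test, the hr-system test is 743 days old, payments-gateway recovered in 5 hours against a 2 hour RTO, and legacy-ledger is tested but absent from the BIA; client-portal passes because only its latest test is assessed. Real input would be read from the BIA spreadsheet and the DR test reports listed under "documents to review"; the point of the check is that an up-to-date DR test report is not evidence of recoverability unless its achieved figures sit within the objectives the business agreed in the BIA.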

Incidents

- Past experience of incidents
- Command and control structure
- Escalation protocols
- Incident logs
- Post-incident Reviews (PIRs) - report and actions logs
- Root cause analysis

Documents to review:
- Incident logs
- PIR reports
- Actions logs

Glossary of Terms

BC Manager: Business Continuity Manager, typically responsible for implementing and supporting Business Continuity Planning at organisational level.

Crisis Management Team: A group of senior individuals responsible for developing and implementing a comprehensive plan for responding to a disruptive incident. The team consists of a core group of decision-makers trained in incident management and prepared to respond to any situation.

BC Process/Plan Owners: Individual departmental managers having a business continuity plan for their specific activities.

Business Continuity Plan: Plan for a given business area describing the detailed steps to return the business to normal. Flexible, but often based on specific scenarios and plans. Depending on the size or complexity of the operation these could be at business unit, building or individual department level. For small business units this could be combined with the crisis management plan.

Crisis Management Plan: Plan to manage the incident at strategic level. Will include triggers for decisions to be made on whether to invoke the full BC plans, and management of communications within the Group.

Business Impact Assessment/Analysis (BIA): A process aimed at developing an understanding of the organisation so that the BCM programme will properly support business requirements. Includes:
- Analysis of continuity risks
- Identification and prioritisation of critical business processes
- Tolerable downtimes and recovery timelines (RTO / RPO, see below)
- Definition of resources required (minimum numbers of people, infrastructure, technology - PCs, IT systems, telephony)

Recovery Time Objective (RTO): An agreed timescale by which the process would be expected to be restarted, usually expressed in hours or days, and dependent upon the criticality of the process.

Recovery Point Objective (RPO): The maximum amount of data that could be lost if an application has to be recovered, usually expressed in hours or days, and dependent upon the criticality of the process supported by the application.

Workarea Recovery Site (workarea): An alternative building (unoccupied) to which the impacted building's staff would relocate in the event their own building is unavailable. Sometimes also referred to as a hot site or warm site.

Hot Site: An alternative building (unoccupied) that is already equipped with desks, live PCs, phones and live applications, and is ready to use immediately if a building is unavailable. Typically only used for very critical activities as it is very expensive.

Warm Site: An alternative building (unoccupied) that has basic office provision. PCs, phones and applications would be set up at the time of the incident, thus delaying recovery.

Call Tree List: A list of staff/contacts, including their telephone numbers, that can be used in an incident to contact everyone required.

Call Cascade: A process whereby calls are placed to team members using the call tree to check the accuracy of the call tree. Usually done out of business hours.

Desktop Walkthrough: A review of a business continuity plan that consists of a read-through of the plan, checking the logic of the steps recorded and the accuracy and completeness of supporting information.

Scenario Exercise: A more detailed review of the plan that involves responding to a set scenario of an incident, and could include role play to practise how the response is given.

Workarea recovery test: A test to physically relocate some staff from their normal location to the workarea to test whether the PCs, phones and applications work. It should include the processing of real work and the taking of live calls (provided that would not disadvantage the customer).

ITDR (Information Technology Disaster Recovery): The process by which systems that fail are recovered at an alternative data processing centre. Also includes telephony recovery.

Any Questions? karen.wills@sjp.co.uk