
Business Continuity. Business continuity... “Drive thy business or it will drive thee.” —Benjamin Franklin (1706-1790), American entrepreneur, statesman,


1 Business Continuity

2 Business continuity... “Drive thy business or it will drive thee.” —Benjamin Franklin (1706-1790), American entrepreneur, statesman, scientist and philosopher “It is your business when the wall next door catches fire.” —Horatius (65-8 BC), Roman poet

3 What is a Disaster?
Any unplanned event that requires immediate redeployment of limited resources.

Sample Disasters
- Natural Forces: Fire; Environmental Hazards; Flood / Water Damage; Extreme Weather
- Technical Failure: Power Outage; Equipment Failure; Network Failure; Software Failure
- Human Interference: Criminal Act; Human Error; Loss of Users; Explosions

4 What is a Disaster Recovery Plan? A management document for how and when to utilize resources needed to maintain selected functions when disrupted by agreed upon incidents

5 Terms and definitions
- business continuity plan: documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption
- disaster recovery plan: clearly defined and documented plan which recovers ICT capabilities when a disruption occurs
- business impact analysis (BIA): process of analysing business functions and the effect that a business disruption might have upon them

6 The Auditor’s Role in Reviewing Business Continuity Planning, Ravi Muthukrishnan
- While a BCP refers to the activities required to keep the organisation running during a period of displacement or interruption of normal operation, a disaster recovery plan (DRP) is the process of rebuilding the operations or infrastructure after the disaster has passed.
- A DRP is a key component of a BCP, and refers to the technological aspect of a BCP—the advanced planning and preparations necessary to minimise loss and ensure continuity of critical business functions in the event of a disaster. A DRP comprises consistent actions to be undertaken prior to, during and subsequent to a disaster.

7 Terms and definitions
- maximum tolerable period of disruption (MTPD): duration after which an organization’s viability will be irrevocably threatened if product and service delivery cannot be resumed
- recovery time objective (RTO): period of time within which minimum levels of services and/or products and the supporting systems, applications, or functions must be recovered after a disruption has occurred
- recovery point objective (RPO): point in time to which data must be recovered after a disruption has occurred
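The three objectives on this slide are only useful if they are consistent with each other and with what the organization actually does. The following Python script is an added example, not part of the original presentation: it checks a constructed system inventory against the definitions above (RTO must not exceed MTPD, the last drill must have finished within the RTO, and the off-site backup interval must not be longer than the RPO) and orders systems for restoration by the shortest MTPD first, which is how the auditor's later question about restoration priorities would be answered. The dataclass fields, the finding codes and the sample inventory values are all assumptions made for the example.

```python
"""Consistency checks for MTPD / RTO / RPO in a BCP system inventory.

Added illustration; the inventory below is constructed sample data,
not taken from any real organization or from the presentation.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class SystemProfile:
    name: str
    mtpd: timedelta              # maximum tolerable period of disruption
    rto: timedelta               # recovery time objective
    rpo: timedelta               # recovery point objective
    backup_interval: timedelta   # how often data is actually copied off-site
    last_drill_recovery: timedelta  # restoration time measured in the last drill


def check_system(s: SystemProfile) -> list[tuple[str, str]]:
    """Return (code, explanation) findings for one system; empty list means consistent."""
    findings: list[tuple[str, str]] = []
    # An RTO longer than the MTPD means the plan's own target already threatens viability.
    if s.rto > s.mtpd:
        findings.append(("RTO_EXCEEDS_MTPD",
                         f"{s.name}: RTO {s.rto} is longer than MTPD {s.mtpd}"))
    # The RTO is a claim; the drill is the evidence. A slower drill means the RTO is unproven.
    if s.last_drill_recovery > s.rto:
        findings.append(("RTO_NOT_DEMONSTRATED",
                         f"{s.name}: last drill took {s.last_drill_recovery}, RTO is {s.rto}"))
    # Worst-case data loss equals the backup interval, so it must not exceed the RPO.
    if s.backup_interval > s.rpo:
        findings.append(("RPO_UNACHIEVABLE",
                         f"{s.name}: backups every {s.backup_interval} cannot meet RPO {s.rpo}"))
    return findings


def audit(systems: list[SystemProfile]) -> dict[str, list[str]]:
    """Map each system name to the list of finding codes raised against it."""
    return {s.name: [code for code, _ in check_system(s)] for s in systems}


def restoration_order(systems: list[SystemProfile]) -> list[str]:
    """Restore the systems the business can least afford to lose first (shortest MTPD, then RTO)."""
    return [s.name for s in sorted(systems, key=lambda s: (s.mtpd, s.rto))]


H, D = timedelta(hours=1), timedelta(days=1)

# Constructed sample inventory (hypothetical systems and values).
INVENTORY = [
    SystemProfile("order-entry", mtpd=4 * H, rto=2 * H, rpo=timedelta(minutes=15),
                  backup_interval=1 * H, last_drill_recovery=3 * H),
    SystemProfile("payroll", mtpd=5 * D, rto=1 * D, rpo=24 * H,
                  backup_interval=24 * H, last_drill_recovery=8 * H),
    SystemProfile("archive-search", mtpd=2 * D, rto=3 * D, rpo=1 * D,
                  backup_interval=1 * D, last_drill_recovery=1 * D),
]

if __name__ == "__main__":
    for system in INVENTORY:
        for _, explanation in check_system(system):
            print("FINDING:", explanation)
    print("restoration order:", restoration_order(INVENTORY))
```

In the sample data, "order-entry" fails on both the drill result and the backup cadence, "archive-search" has an RTO that is longer than the business can tolerate, and "payroll" passes. The same three checks, run over the real inventory an auditor obtains under the audit program later in this deck, turn the questionnaire's "does the plan allow for restoration within business-critical time frames?" into a reproducible test.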

8 Types of Strategies
- Avoidance Strategy: Redundant configuration to avoid incidents; Site harden facilities to resist incidents; Redundant utilities and hardware; Automated operation recovery plan
- Mitigation Strategy: Early warning detection; Contractual agreements with vendors; Mirrored data and documents; Detailed migration recovery plan
- Recovery Strategy: High level recovery plan; Off-site data storage; Very responsive vendor relationships; Very knowledgeable employees
- Types of Strategy Options: Hot site; Cold site; Self Backup; Service Bureau; Reciprocal Agreement

9 Criteria for a Critical Business Function
[Chart: Cost of Control vs. Impact; axes labelled “Cost of Impact ($)” and “Cost of Control ($)”, curves labelled “Impact Cost” and “Cost of Control”]
Timing Requirements: Minutes; Hours; Days; Weeks; Quarters; Special Situations

10 Replication Failover Site Migration Wide Area Clustering

11

12 Audit Program/ICQ: Get Preliminary Information
Procedure Step: Policies
Details/Test: Determine and obtain copies of all applicable policies for disaster recovery and business continuity, if any.
Procedure Step: Get Applicable Documentation
Details/Test: Obtain a copy of the organization's disaster recovery plan. Obtain a list of implementation team members. Obtain a current copy of the organization chart. Obtain a current inventory list. Obtain a copy of agreements relating to use of backup facilities.
Procedure Step: Control Questionnaire
Objective: To verify that the disaster recovery plan is adequate to ensure resumption of computer systems in a timely manner during adverse circumstances, is in line with the current business continuation plan, and reflects the current business operating environment.

13 Details/Test:
- Is there a disaster recovery plan?
- If a plan exists, when was it last updated?
- What are your procedures for updating the plan?
- Who is responsible for administration or coordination of the plan?
- Is the plan administrator/coordinator responsible for keeping the plan up-to-date?
- Is there a disaster recovery implementation team (i.e., the first response team members who will react to the emergency with immediate action steps)?
- Where is the disaster recovery plan stored? (Verify that key team members have copies of the plan at home as well as at the office.)
- Where is the implementation team contact list stored? (Suggest each key team member should have contact names and addresses of all other key team members on his person and at home, as well as in the office; contact numbers should include home and mobile as well as office numbers.)
- Where is the backup facility site? Are there alternate sites? (Be suspicious of loose arrangements with local businesses!)
- What is your schedule for testing and training on the plan?
- When was the last drill performed? (Consider the adequacy of the test; a “desk test” is unlikely to reveal many potential problems.)
- Did the drill include use of the backup facilities? If not, when were the backup facilities last used? If over 1 year, how has the organization determined that its programs can still run on the backup equipment?
- What was the outcome of the drill? How did it improve preparedness?
- What critical systems are covered by the plan?
- Does the plan clearly indicate priorities for system restoration, based in particular on risk to the business?
- Does the plan allow for restoration within pre-determined “business critical” time frames? (I.e., if certain systems are down for longer than a predetermined time, restoration after this time may be useless if the business has already gone under.)

14 Details/Test (continued):
- Does the plan indicate the operational requirements for each of the systems?
- What systems are not covered by the plan? Why not?
- What equipment is not covered by the plan? Why not?
- Does the plan operate under any assumptions? What are they?
- What are the procedures for activation of the plan?
- Are inventories as they relate to your critical systems kept (including LAN servers and communication devices)? (Critically, are the procedures and practices for keeping them up to date sufficient?)
- If inventories are kept, where are they stored?
- Are there formal procedures that specify backup procedures and responsibilities? What functions/systems/components are covered under such procedures?
- What training has been given to personnel in using backup equipment and established procedures?
- Where is the off-site storage site?
- Are the responsibilities for each team documented?
- Are the restoration procedures documented?
- Does the documentation for each system to be recovered indicate the process flow as well as the equipment that will be recovered? (I.e., for an application that makes use of desktop equipment for data entry and client-server equipment for storage, this should all be documented along with the software that will be required.)

