CISA REVIEW The material provided in this slide show came directly from Certified Information Systems Auditor (CISA) Review Material 2010 by ISACA.


CISA REVIEW Chapter 6 – Business Continuity and Disaster Recovery

Learning Objectives

By the end of chapter 6, you should be able to:
- Evaluate the adequacy of backup and restore provisions to ensure the availability of information required to resume processing
- Evaluate the organization's disaster recovery plan to ensure that it enables the recovery of IT processing capabilities in the event of a disaster
- Evaluate the organization's business continuity plan to ensure the organization's ability to continue essential business operations during the period of an IT disruption

Backup Basics

If a disaster occurs, it is important that certain business activities, including IS operations, not be disrupted. To this end, information must be backed up to make sure data are not lost in an emergency situation. This duplication of data and documentation is critical for a business continuity plan (BCP).

Data Retention (i.e., What Needs to Be Backed Up?)

Both data and software files should be backed up on a periodic basis. Consider that to make the computers run correctly, you must back up and maintain in a current status all of your operating systems, programming languages, software, compilers, utilities and application programs. Even the paper documentation, such as operational guides, user manuals, the BCP, along with records and files are part of the raw materials and finished products necessary for the IS processing cycle.

Backup Basics: Frequency and Types of Backup

The frequency of file backup depends on the criticality of the application and data. Critical data should be backed up using the multiple-generation (i.e., "grandfather-father-son") method and rotated to an offsite location at least daily.

In the Grandfather-Father-Son method:
- Daily backups are made over the course of a week (son).
- The final backup taken during the week becomes the backup for that week (father).
- At the end of the month, the final weekly backups are retained as the backup for that month (grandfather).
- At the end of the year, the final monthly backup becomes the yearly backup.
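The rotation described above, as an added Python example that is not part of the CISA review material: it labels each backup date with its generation and lists which media must stay in storage. The ISO-week boundary, the rule that a backup is promoted only after its period has ended, and the per-tier retention counts are assumptions made for illustration.

```python
from datetime import date, timedelta
from itertools import groupby


def last_in_each(dates, key):
    """Latest date in each consecutive group of an already-sorted list."""
    return [max(group) for _, group in groupby(dates, key=key)]


def classify_gfs(backup_dates, as_of):
    """Label every backup date 'son', 'father', 'grandfather' or 'yearly'.

    Assumptions (not from the slides): a week is an ISO week (Mon-Sun), and a
    backup is promoted only once its week, month or year has ended relative
    to as_of, so the newest backup of an unfinished period stays a son.
    """
    dates = sorted(set(backup_dates))
    tiers = {d: "son" for d in dates}

    def week_closed(d):
        sunday = d + timedelta(days=6 - d.weekday())
        return sunday < as_of

    # Father: the final backup taken during each completed week.
    fathers = [d for d in last_in_each(dates, lambda d: tuple(d.isocalendar())[:2])
               if week_closed(d)]
    # Grandfather: the final weekly backup of each completed month.
    grandfathers = [d for d in last_in_each(fathers, lambda d: (d.year, d.month))
                    if (d.year, d.month) < (as_of.year, as_of.month)]
    # Yearly: the final monthly backup of each completed year.
    yearly = [d for d in last_in_each(grandfathers, lambda d: d.year)
              if d.year < as_of.year]

    for tier, members in (("father", fathers), ("grandfather", grandfathers),
                          ("yearly", yearly)):
        for d in members:
            tiers[d] = tier
    return tiers


def retained(backup_dates, as_of, keep=None):
    """Dates whose media must stay in storage; everything else may be reused."""
    # Assumed retention counts per tier; yearly backups are kept indefinitely.
    keep = keep or {"son": 7, "father": 5, "grandfather": 12}
    tiers = classify_gfs(backup_dates, as_of)
    kept = {d for d, t in tiers.items() if t == "yearly"}
    for tier, limit in keep.items():
        members = sorted(d for d, t in tiers.items() if t == tier)
        kept.update(members[max(0, len(members) - limit):])
    return kept


# Constructed sample: one backup per day, 2023-12-01 through 2024-02-14.
SAMPLE_DATES = [date(2023, 12, 1) + timedelta(days=i) for i in range(76)]
AS_OF = date(2024, 2, 15)

if __name__ == "__main__":
    tiers = classify_gfs(SAMPLE_DATES, AS_OF)
    for d in sorted(retained(SAMPLE_DATES, AS_OF)):
        print(d.isoformat(), d.strftime("%a"), tiers[d])
```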

Question: Consider the situation in which backups are performed every week and stored offsite. A monthly backup is also performed each month and stored offsite. When is it safe to return the Week 1 backup tape from the offsite storage location?
A. After 2 weeks, regardless of when other backups arrive
B. When the Week 2 backup arrives at the offsite location
C. When the Week 3 backup arrives at the offsite location
D. When the monthly backup arrives at the offsite location

A full backup is the starting point for all other backups, and contains all the data in the folders and files that are selected to be backed up. A full backup takes longer to accomplish and requires the most storage space on the backup media, but it also provides the quickest restore times. A full backup should be performed weekly or monthly on production systems, along with daily differential backups. A full backup should also be performed before any major planned changes to a system.

An incremental backup is a backup of every file on a system that has changed since the last backup. An incremental backup is the fastest backup and requires the least storage space on the backup media. However, incremental backups also require the longest time and the most tapes to restore.

A differential backup contains all files that have changed since the last full backup. The advantage of a differential backup is that it shortens restore time compared to a full backup or an incremental backup.
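An added Python example, not part of the CISA review material, that works out which backup sets a restore has to load under the full, incremental and differential definitions above, and how far the restore gets when one set turns out to be unreadable. The `Backup` record, the day-numbered timeline and the `week` sample generator are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Backup:
    day: int                # day number the backup was taken (constructed timeline)
    kind: str               # "full", "incremental" or "differential"
    readable: bool = True   # False models media that fails a restore test


def restore_chain(catalog, target_day):
    """Return (backup sets to load, oldest first; day actually recovered to).

    Uses the slide definitions: an incremental holds changes since the last
    backup of any kind, a differential holds changes since the last full.
    """
    chain = []       # sets that must be loaded, in order
    gap = True       # True while some changes are missing from the chain
    full_ok = False  # is the most recent full backup readable?
    for b in sorted(catalog, key=lambda b: b.day):
        if b.day > target_day:
            break
        if b.kind == "full":
            full_ok = b.readable
            if b.readable:
                chain, gap = [b], False
            else:
                gap = True
        elif b.kind == "differential":
            if b.readable and full_ok:
                # Supersedes every set taken since the full backup.
                chain, gap = [chain[0], b], False
            else:
                gap = True
        elif b.kind == "incremental":
            if b.readable and not gap:
                chain.append(b)
            else:
                # Every later incremental depends on this one.
                gap = True
        else:
            raise ValueError(f"unknown backup kind: {b.kind!r}")
    if not chain:
        raise ValueError("no readable full backup on or before the target day")
    return chain, chain[-1].day


def week(kind, bad_day=None):
    """Constructed sample: full backup on day 0, one `kind` backup on days 1-6."""
    return [Backup(0, "full")] + [
        Backup(d, kind, readable=(d != bad_day)) for d in range(1, 7)
    ]


if __name__ == "__main__":
    for label, catalog in [
        ("daily incremental", week("incremental")),
        ("daily differential", week("differential")),
        ("incremental, day 3 unreadable", week("incremental", bad_day=3)),
        ("differential, day 3 unreadable", week("differential", bad_day=3)),
    ]:
        chain, reached = restore_chain(catalog, target_day=6)
        print(f"{label}: load days {[b.day for b in chain]}, recovered to day {reached}")
```

With the constructed week, the incremental schedule needs all seven sets to reach day 6 and stops at day 2 if the day 3 set is unreadable, while the differential schedule needs two sets and still reaches day 6.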

Hot site

A fully operational offsite data processing facility equipped with both hardware and system software to be used in the event of a disaster.

Warm site

Warm sites do not involve a main computer, but are partially configured, usually with network connections and selected peripheral equipment (such as disk drives, tape drives and controllers). The backup equipment involved in warm site recovery must be turned on periodically to receive backups of data from production servers. Because the computer is the most expensive unit, warm sites are less expensive than hot sites. Additionally, warm sites often plan to have a less-powerful Central Processing Unit (CPU) than the one typically used for everyday business functions. After needed components are installed at the warm site, it can be ready for service within hours once the location and installation of the CPU and other missing units is complete.

Cold site

Cold sites contain the basic environment for business operations and are ready to receive equipment in an emergency situation. Because the location will have electrical wiring, air conditioning and flooring but not any equipment, cold sites are less expensive than hot and warm sites, and activation may take several weeks. In a cold site backup, if machines are involved, they may have software installed and configured but may not be up to date or recently turned on.

Duplicate site

Duplicate or redundant IPFs are dedicated, self-developed recovery sites used to back up critical applications. This recovery alternative is viable because there are two or more separate, active sites providing inherent backup to one another. Each site has the capacity to absorb some or all of the work of the other site for an extended period of time. By keeping a duplicate site, there may be fewer problems with coordination, compatibility and availability of information and systems in a disaster situation. Some organizations can run their own duplicate IPF, but others use a third-party vendor.

Instructions: Here are six alternative processing strategies and six descriptions. Match each term to its corresponding description.

Alternative Processing Strategies
- Hot site
- Warm site
- Cold site
- Duplicate IPF

Descriptions
- A dedicated, self-developed recovery site used to provide inherent backup for critical applications
- Back-up site that is partially configured but does not provide a main computer
- Provides the equipment and office facilities needed for the organization to continue its operations, and is fully configured and ready to operate within several hours
- Contains only the basic environment for business operations

All software and related documentation should have adequate offsite storage. Even when using a standard software package from a vendor, the software can vary from one location to another. Differences may include parameter settings and modifications, security profiles, reporting options, account information, or other options chosen by the organization during or subsequent to system implementation. Therefore, comprehensive backup of all critical software is essential.

Backup of operating system software, application programs and utility software must be performed whenever they are modified, updated or changed.

Remote journaling is a common process that records transaction logs or journals at a remote location. These logs and journals are used to recover transaction and database changes since the most recent backup.

Think About It

What types of information do you think should be backed up on a monthly basis? A weekly basis? A daily basis?

Storage and Retention

Backups need to be stored for safekeeping and be retrievable in the event of an emergency situation. One approach is to put the backups into an offsite library, although depending on the material, onsite or third-party storage may be a viable option.

An offsite library is a special type of manual library because it does not have technology allowing direct access to the primary processing unit. If media (a cartridge, file, tape, document, etc.) are needed from an offsite library, they must be manually located and transported to the processing facility. An offsite library could be considered as an organized collection of material that may not be necessary to the support or backup of current daily processing operations. This material is typically required to be archived for some extended period of time, due to legislation, client or business process reasons.

Offsite Storage Facility

An offsite facility has processing capabilities to store, archive and retrieve data required for backup purposes of the organization's current production environment. All information at an offsite library or storage facility should be monitored.

Controls over the offsite library and storage facilities should include ensuring that:
- The physical construction can withstand fire or heat according to industry standards
- Physical access to the media at the facility is secured (i.e., doors locked, no windows, human surveillance)
- The location of the facility is away from the data owner, preferably far enough away to avoid the risk of a disaster affecting both facilities
- Certain data are retained for specific periods of time due to state, federal, local, organization or client requirements
- A perpetual inventory of all storage media and files stored and moved in and out of the facility is maintained along with a record of information regarding the contents, versions and location of data files
- All media or materials being shipped back and forth from the facility are securely transported. For example, data in transit should be stored and sealed in a magnetic media container.

Restoration Processes and Practices

Backup systems are not fail-safe and are of no use unless the information on them can be recovered and restored when necessary. Accordingly, it is imperative that an organization periodically test its backup procedures and its access to the offsite data storage facility to see if it can access archived data and properly restore those data, documents or other necessary information. All restoration tests should be performed in a way and at a time that will not disrupt regular business operations and will truly mimic actual restoration procedures.

Instructions: Determine whether each statement in the left column is true or false, and then select the appropriate box on the right.

True / False
- Application software should be backed up in the same manner as operating system software.
- Restoration tests that disrupt regular business operations are an acceptable practice as long as the restoration truly mimics actual restoration procedures.
- Documentation must be backed up and stored along with software and data.
- An incremental backup is the fastest backup but requires the most storage space on the backup media.
- Data migration is a process that records transaction logs or journals at a remote location.

What Is the Risk?

Although it is impossible for an organization to avoid all risks associated with a disaster, a company can do its best by creating Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP) that minimize these risks. When these plans are put into place, the corporate focus will be on reestablishing business continuity and implementing disaster recovery. When these plans are needed, the last thing a company wants to worry about is forgotten, mistaken or misrepresented legalities in the BCP/DRP. Accordingly, all BCPs/DRPs must be evaluated to make sure that they address, and adhere to, any regulatory, legal, contractual and insurance issues.

Think About It

What questions would you ask to determine the future value of data and the organization's plans for its data insurance needs?

A critical step for an organization when developing a BCP is to perform a business impact analysis (BIA). As an IS auditor, you must be able to evaluate a BIA and understand the risks associated with an organization's critical components to effectively evaluate BCPs and DRPs. This section of the module defines the importance of a BIA, discusses how to calculate risk, and details how a BIA is used to develop an organization's business continuity plan.

Organizations create business continuity and disaster recovery plans as proactive measures. These plans reduce business risk by preparing the organization to provide critical services without interruption if a disaster, unexpected problem or other emergency situation should occur.

Examples of business risks include:
- Inability to maintain critical customer services
- Damage to market share, image, reputation or brand
- Failure to protect the company assets, including intellectual properties and personnel
- Business control failure
- Failure to meet legal or regulatory requirements

The BCP process includes several life cycle phases. Each of these phases must be implemented into the plan.
- Creation of a BCP and disaster recovery policy
- A BIA
- Classification of operations and criticality analysis
- Development of a BCP and disaster recovery procedures
- A training and awareness program
- Testing and implementation of the plan
- Monitoring the BCP process

The BCP must encompass all assets and functions that an organization needs to maintain viability.

Risk Analysis and Cost Benefits

Even with the most rigorous planning and commitment, it may be impossible for a business to avoid all forms of risk or potential damage. However, an organization can be prudent by attempting to identify and prepare for as many risks as possible. Accordingly, the first step in a BCP is to perform a risk analysis.

The risk analysis begins by identifying threat scenarios concerning the organization's assets. The risks assessed should be:
- Directly proportional to the value of each asset
- Coordinated with the probability of occurrence of a perceived threat to that asset

Risk Analysis and Cost Benefits

In the case of DRP, the assets are the components of the information system, such as application systems. Each organization's classification of these systems is determined by:
- Identifying the nature of the organization's actual business.
- Classifying what each application or system component does (how it adds or contributes value) to the organization. This value is directly proportional to the role of the application system in supporting the strategy of the organization.
- Matching elements of the information system to the various applications (e.g., the value of a computer or a network is determined by the importance of the application system that uses it).

Risk Analysis and Cost Benefits

After the risk assessment identifies the value of the IS components to the organization, a plan can be developed for establishing the criticality of systems and the most appropriate methods for their restoration.

A subcomponent of the BCP is the IT disaster recovery plan. This plan typically details the process that IT personnel will use to restore the computer systems. DRPs may be included in the BCP or as a separate document altogether, depending on the needs of the business.

A successful Business Impact Analysis involves obtaining a thorough understanding of the organization and the essential personnel, technologies, facilities, communications systems, vital records, data and IT resources necessary to support key business processes.

Creating a BIA involves breaking down the totality of operations into specific events, functions and incidents, then determining what could happen to each element that may impact operations; determining any additional resulting financial, human and reputation effects; and prioritizing those effects. The BIA also considers the impact of legal and regulatory requirements (such as the privacy and availability of customer data). Finally, a BIA includes an estimation of maximum allowable downtime and acceptable levels of data, operations and financial losses.

Three main questions that should be considered early in the BIA process include the following:
- What are the organization's various business processes?
- What are the critical information resources related to the organization's critical business processes?
- What is the critical recovery time period for information resources in which business processing must be resumed before significant or unacceptable losses are suffered?

The information acquisition phase should prioritize business processes based on their importance to the organization's achievement of strategic goals. However, this prioritization should be revisited after the business processes are modeled or analyzed against various threat scenarios so that a BCP can be developed.

A system's risk ranking involves determining the risk based upon the impact derived from the critical recovery time period and the likelihood that an adverse disruption will occur. Many organizations will use a risk-of-occurrence formula to determine what they deem a reasonable cost for being prepared. This risk-based analysis process helps prioritize critical systems and develop appropriately scaled recovery strategies. The risk-ranking procedure should be performed in coordination with IS processing and end-user personnel.

Two important parameters when establishing recovery strategies are recovery point objectives (RPOs) and recovery time objectives (RTOs).

The RPO is based on what an organization agrees is an acceptable or permissible amount of data loss during a disruption. RPO indicates the earliest point in time at which it is acceptable to recover the data.

The RTO is determined based on the acceptable downtime in case of a disruption of operations. It indicates the earliest point in time at which the business operations must resume after disaster.

A recovery strategy identifies the best way to recover a system in case of interruption, including disaster. When an organization determines which recovery strategies to act on and when, it must consider the totality of each preventive, detective and corrective measure.

Recommended actions would be to:
- Remove the threat altogether (if possible)
- Minimize the likelihood of occurrence of the threat
- Minimize the effect of occurrence of the threat

Removing the threat and minimizing the risk of occurrence can be addressed through the implementation of physical and environmental security. Minimizing the effect can be achieved by implementing built-in resilience through alternative routing and redundancy.

The purpose of testing is to identify the limitations of the BCP by determining how well the plan works and which portions of the plan need improvement.

Testing plans should have the following objectives:
- Evaluate the performance of the personnel involved in the exercise
- Evaluate the coordination among the BCP team and external vendors and suppliers
- Measure the ability and capacity of the backup site to perform prescribed processing
- Assess the vital records retrieval capability
- Measure the overall performance of operational and IS processing activities related to maintaining the business entity

Think About It

There can be many goals and objectives that management may want to achieve through the testing of the organization's BCPs and DRPs. What are some of the minimum objectives that management should strive to achieve through its testing process?

Testing methods vary and, although some require minimum preparation and use few resources, others can be very complex. Each has its own characteristics, objectives and benefits. The type of BCP testing used by an organization should be determined by, among other things, the organization's age and experience with BCP, as well as its size, its complexity and the nature of its business.

There are five main types of BCP tests:
- Checklist
- Structured walk-through
- Simulation
- Active simulation
- Full interruption

A structured walk-through test is typically the best method to use for initial BCP testing. A structured walk-through is usually performed in a conference room by people who are familiar with the plan but did not actually write the plan.

Written procedures for the structured walk-through test should include:
- Test Scenario
- Description of event
- Test assumptions
- Test constraints
- Time, day and month that the disaster was reported
- Method of discovery of the event
- Immediate damage assessment
- Specific forms and reports to be used from the plan
- Specific teams involved and other participants
- A moderator not directly participating in the test to log the event
- Documentation of the results and findings in the BCP

Test analysis should include:
- An assessment of whether the test objectives were completed
- An assessment of the validity of test data processed
- Corrective action plans to address problems encountered
- A description of any gaps between the BCP and actual test results
- Proposed modifications to the BCP
- Recommendations for future tests

Think About It

What basic criteria should an IS auditor use to validate the appropriateness of an organization's test plan?

All personnel involved with any element of BCP must be made aware of their roles and responsibilities and must have the necessary experience or be appropriately trained to fulfill their duties. The plan itself must also document each participant's specific responsibilities.

When reviewing a BCP for human resource management practices, as the IS auditor, you should ensure that:
- The plan identifies the teams with their assigned responsibilities in the event of an incident or disaster
- Key decision-making, IS and end-user personnel involved in implementing the BCP are identified
- The involvement of the individuals or teams depends on the level of the disruption of service and the types of assets lost or damaged

Think About It

During the examination of an organization's BCP, as the IS auditor, what are your responsibilities when interviewing key personnel?

Think About It

What is an example of a human element factor that can have a major impact on an organization's recovery in the event of a widespread disaster, such as a flood, tornado or hurricane?