AUDITING BUSINESS CONTINUITY PROGRAMS AND PLANS What to Look For Presented by: Tommye White, CBCP, DRP Chuck Walts, CBCP, CRP.


1 AUDITING BUSINESS CONTINUITY PROGRAMS AND PLANS: What to Look For
Presented by: Tommye White, CBCP, DRP; Chuck Walts, CBCP, CRP

2 Auditing BC and DR Programs (March 2012)
• Generally dictated by legal mandates and good business practices.
  o What are the mandates? Federal? State? Corporate?
  o Is there Executive Management sponsorship for the Program?
  o Has a corporate policy been developed?
  o Who manages the program? Risk Manager? IT? Other?
  o Who audits the program? Internal Auditors? External Auditors? Insurance Company? Local Authorities?

3 Auditing BC and DR Programs
• Have internal audit criteria been developed?
  o Criteria:
    - When was the last BIA conducted?
    - Is an employee awareness program in place?
    - Has the linkage between IT DR and Business Continuity been established?
    - Have corporate strategies, priorities, and RTOs been identified?
    - Has a change management program been established?
    - Has technology mapping been accomplished?
    - Is there a budget for all DR and BC activities?
      • Vendors?
      • Training?
      • Plan Exercises?
      • Plan Maintenance / update?
    - Have audit grading scales and checklists been established?
    - Are all audit findings and recommendations reported?
    - Does management act on audit findings and recommendations?

4 Auditing BC and DR Plans
• Have BC and DR Plans been developed?
• Do all plans generally follow a common format (same look and feel)?
• Are the plans well documented and sufficiently comprehensive?
• Have vital records been identified?
• Do all plans contain the following:
  o Name of the organization (Department, Business Unit, IT)
  o What business processes / functions are being recovered?
  o Plan scope, objectives, and general assumptions
  o Recovery Organization Structure
  o Recovery Organization Mission
  o Recovery Team(s) composition
  o Team roles and responsibilities
  o Team member roles and responsibilities
  o Service organization support
  o Recovery Strategy and Solution(s)

5 Auditing BC and DR Plans
  o Plan Activity Sets (recovery tasks)
    - Pending crisis activities
    - Incident detection activities
    - Emergency response activities
    - Incident reporting activities
    - Incident notification activities (teams, customers, vendors)
    - Situation assessment activities
    - Damage assessment activities
    - Salvage activities
    - Site clean-up and restoration activities
    - Emergency Operations Center activities
    - Team assembly and organization activities
    - Incident Action Plan development activities
    - Plan invocation activities
    - Team deployment activities
    - Alternate facility activities

6 Auditing BC and DR Plans
  o Plan Activity Sets (continued)
    - Establishing work area activities
    - Recovery operations initiation activities
    - Functional restoration activities
    - Return home planning and coordination activities
    - Relocation activities
    - Post-incident review activities

7 Auditing BC and DR Plans
• Plan Attachments - General (Examples)
  o Team Notification Guidelines
  o Personal Contact Record Form
  o Emergency Operations Center (Command Center) information
  o Critical File and Work in Process Assessment Form
  o Disaster Declaration Criteria
  o Incident Action Plan and Forms
  o Personnel Location Control Form
  o Recovery Status Report Form
  o Incident Official Public Statement
• IT Specific (Examples)
  o Offsite Storage and Retrieval Procedures
  o Critical Server and Applications Inventory
  o Critical Applications Matrix
  o Data Communications Connectivity (Diagram)

8 Auditing BC and DR Plans
  o Recovery scripts
  o Detailed restoration procedures
  o Damage Assessment Forms
  o Site Restoration Checklist
  o Maps
  o Directions
  o Etc.

9 Any Questions?

