Presentation is loading. Please wait.

Presentation is loading. Please wait.

Rich Archer Partner, Risk Advisory Services KPMG LLP Auditing Business Continuity Plans.

Published byCori Berry Modified over 8 years ago

Similar presentations

Presentation on theme: "Rich Archer Partner, Risk Advisory Services KPMG LLP Auditing Business Continuity Plans."— Presentation transcript:

1 Rich Archer Partner, Risk Advisory Services KPMG LLP Auditing Business Continuity Plans

2 Introduction Basis for auditing BCP (why should we care?) Objectives of a good plan Auditing BCP Key areas for consideration Where to start Audit steps What to look for Conclusion Agenda

3

4 The dependence of today’s enterprises on IT is significant. For an organization that uses IT extensively for its operations, not just recording of transactions, the non-availability of its information systems could mean the end of its existence. Introduction

5 The confidentiality, integrity and availability of information systems must be ensured to protect the business from the risks relating to information technology. An IT audit helps to identify areas where these are vulnerable or inadequately protected through systematic examination and evaluation. Introduction (cont…)

6 In addition, business function availability is one of the major criteria for IT audit. Availability is ensured through various means, technologies and processes—all broadly covered under the umbrella of business continuity and disaster recovery. Introduction (cont…)

7 HIPAA Security Standards: Physical Safeguards The Security Rule defines physical safeguards as: “ physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural “ physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” and environmental hazards, and unauthorized intrusion.”

8 Telecom TL9000 Section 7.1.C.3 "The organization shall establish and maintain methods for disaster recovery to ensure the organization's ability to recreate and service the product throughout its life cycle."

9 IRS Procedure 86-19 Requires off-site protection, as well as documentation of computer records maintaining tax information. These records must be available in the event that the primary facility is not. Requires off-site protection, as well as documentation of computer records maintaining tax information. These records must be available in the event that the primary facility is not.

10 Standards and Regulations ISO 9000 ISO 9000 FEMA Circular FPC 65 FEMA Circular FPC 65 Computer Security Act Computer Security Act Security Industry: ISO 17799 Security Industry: ISO 17799 NIST SP800-34 NIST SP800-34 Office of Management and Budget (OMB) Circular A-13 Office of Management and Budget (OMB) Circular A-13

11 What are the Objectives of a Good BCP Plan? Protect employees Protect employees Restore critical business processes or functions to minimize the financial impact of a disaster Restore critical business processes or functions to minimize the financial impact of a disaster Restore related infrastructure, operating systems and applications to support the critical functions Restore related infrastructure, operating systems and applications to support the critical functions

12 What are the Objectives of a Good BCP Plan (cont…) Prevent or mitigate the effects of a disaster from occurring wherever possible Prevent or mitigate the effects of a disaster from occurring wherever possible Protect corporate assets Protect corporate assets Minimize legal exposure Minimize legal exposure

13 An audit of business continuity is essentially an audit of this plan with reference to: The adequacy, completeness and appropriateness of the plan; Availability of the processes and people to implement the plan; What Is An Audit of Business Continuity?

14 Its testing; The verification of the various day-to-day functions that need to be performed to make the plan effective and ready at all times. What Is An Audit of Business Continuity? (cont…)

15 The audit of business continuity can be broken into three major components: 1.Validating the business continuity plan 2.Scrutinizing and verifying preventive and facilitating measures for ensuring continuity 3.Examining evidence about the performance of activities that can assure continuity and recovery Three Major Components

16 The IT auditor should be familiar with the business, the information systems in use and the extent of the business ’ dependence on IT. The auditor ’ s focus should be on validating the plan against this knowledge. Validating the Business Continuity Plan

17 The following points are written with this objective and are not meant to be a comprehensive description of everything that should be in the business continuity plan: Validating the Business Continuity Plan

18 Verifying Preventive Measures for Ensuring Continuity The verification of the physical facilities, equipment and environment that ensure availability and recovery after a disaster include the following:

19 Verifying Preventive Measures for Ensuring Continuity (cont..) The scrutiny of the disaster recovery site as to its location (i.e., distance from primary site, accessibility, vulnerability to similar threats) and the general controls and security relating to it should be an essential part of the audit.

20 Verify the contracts entered into by the SLAs and whether the periodic testing and drills are being performed as agreed. Verify that supporting equipment and supplies, such as fuel for the power generators, are maintained to enable usage of the redundant equipment when required. Verifying Preventive Measures for Ensuring Continuity (cont … )

21 Verify whether there are facilities for alternate routes to overcome network failures. Check the availability of the network at the DR site and the facilities for switchover from the primary site during recovery to enable all users to access the systems from the DR site. Verifying Preventive Measures for Ensuring Continuity (cont … )

22 Effective recovery is not completed by merely acting on the day of the disaster, but by sustained activities that are completed in due course with the objective of remaining in a state of preparedness for a disaster. Examining Evidence About Performance of Activities

23 Verification of maintenance and testing logs of all equipment, such as power generators, air conditioners, UPS systems and fire control equipment, can give the IT auditor clues as to the effectiveness of these controls. Examining Evidence About Performance of Activities

24 The IT auditor should not ignore the people part of the BCP. Training programs and awareness campaigns are essential, especially in large organizations, to ensure that the plans actually work on the day when disaster strikes. Examining Evidence About Performance of Activities

25 Where to Start Obtain the following documentation Organizational Charts and Business Process Analysis Organizational Charts and Business Process Analysis Overall Recovery Plan Structure Overall Recovery Plan Structure Plan Coordinator List Plan Coordinator List

26 Where to Start (cont…) Business Impact Analysis Business Impact Analysis Risk Assessment Risk Assessment Recovery Plan Documentation Recovery Plan Documentation Third Party Review (if available) Third Party Review (if available)

27 Business Process Analysis Was a high level business process analysis performed? Was a high level business process analysis performed? Has the Plan Unit organization structure been identified and documented? Has the Plan Unit organization structure been identified and documented? Is the organization and location structure current, change management? Is the organization and location structure current, change management? Have business impact criteria been defined? Have business impact criteria been defined?

28 Business Impact Analysis Was a BIA performed and documented in alignment with the criteria established? Was a BIA performed and documented in alignment with the criteria established? Was there an established methodology used to perform the BIA and document the results of the analysis? Was there an established methodology used to perform the BIA and document the results of the analysis? Is there adequate documentation for assumptions and impact scoring rationale? Is there adequate documentation for assumptions and impact scoring rationale?

29 Business Impact Analysis (cont…) Were the final BIA results approved by senior management? Were the final BIA results approved by senior management? Do recovery strategies align with the results of the BIA? Do recovery strategies align with the results of the BIA? Have Recovery Time Objectives and Recovery Point Objectives been identified? Have Recovery Time Objectives and Recovery Point Objectives been identified?

30 Risk Assessment and Mitigation Life Safety Has an emergency Coordinator been appointed? Has an emergency Coordinator been appointed? Has a review been conducted to determine potential risks of natural disasters and other building emergencies? Has a review been conducted to determine potential risks of natural disasters and other building emergencies? Have mitigation strategies been identified and implemented? Have mitigation strategies been identified and implemented?

31 Risk Assessment and Mitigation Facility/Technology/Business Operations Was a facility, Technology and Business Operations Risk Assessment conducted that: Was a facility, Technology and Business Operations Risk Assessment conducted that: Identifies control weaknesses and single points of failure Identifies control weaknesses and single points of failure Identifies one or more countermeasures Identifies one or more countermeasures Have mitigation strategies been selected and implemented? Have mitigation strategies been selected and implemented?

32 Risk Assessment and Mitigation Third Parties Have all critical third parties been identified and link to the business process and related infrastructure/technology identified in the BIA? Have all critical third parties been identified and link to the business process and related infrastructure/technology identified in the BIA? Have third party review criteria been established? Have third party review criteria been established? Was a third party risk assessment performed by vendor? Was a third party risk assessment performed by vendor?

33 Recovery Plans Are Recovery roles identified? Are Recovery roles identified? Has an individual and a backup been identified who can declare a disaster? Has an individual and a backup been identified who can declare a disaster? Is the plan documentation current and has it been distributed to all personnel? Is the plan documentation current and has it been distributed to all personnel?

34 Recovery Plans (cont…) Are Emergency Notification Procedures clear and accurate? Are Emergency Notification Procedures clear and accurate? Are Communication procedures in place and current (who talks to who)? Are Communication procedures in place and current (who talks to who)? Are recovery requirements and data current? Are recovery requirements and data current?

35 Exercise, Maintenance and Training Has a program been developed, implemented and communicated that includes? Key elements to be maintained Key elements to be maintained Key elements to be exercised Key elements to be exercised An exercise and maintenance calendar An exercise and maintenance calendar Specific exercises conducted Specific exercises conducted Recommendations and follow-up for improvement Recommendations and follow-up for improvement

36 Change Control Are there change control procedures? Are there change control procedures? Are changes formally approved before implementation? Are changes formally approved before implementation? Is there document version control procedures established? Is there document version control procedures established? Are there procedures for incorporating changes and notification? Are there procedures for incorporating changes and notification?

37 Check whether the plan covers all mission- critical systems or is only for other, selected systems. Ascertain whether the plan is based on a systematic business impact analysis that clearly understands the impact of non- availability of the systems on the business The IT Auditor Should…

38 Examine the plan to determine whether the plan has a good combination of preventive controls and recovery controls. Verify whether the BCP is updated periodically and reflects the current business and IT environment accurately. The IT Auditor Should…

39 Evaluate the requirement of testing the plans or disaster recovery drills. Verify whether the plan addresses not just recovery after a disaster but also restoration back to the primary site when normalcy returns. The IT Auditor Should…

40 Evaluate other elements, like notifications, call trees, the response teams, updating the contact information, and the step-by-step procedures for recovery and for appropriateness. The IT Auditor Should…

41 The nature, complexity and cost of the business continuity program are related to the nature of the business’ dependence on information technology. Conclusion

42 While the testing of business continuity plans with various testing techniques and drills is the best possible way to ensure that the plans and the expensive systems deployed really work on the day of disaster, such tests have some limitations as they often need to be planned in advance. Conclusion (cont…)

43 An effective audit review by the IT auditor can help uncover many deficiencies and operational lapses that may not come up in testing and points that have been overlooked in the design of the plan. Conclusion (cont…)

44 “Well, thank God we all made it out in time … ‘Course, now we’re equally out of luck.”

45 Rich Archer KPMG LLP 412-232-1590 rearcher@kpmg.com Final Word

Download ppt "Rich Archer Partner, Risk Advisory Services KPMG LLP Auditing Business Continuity Plans."

Similar presentations

Museum Presentation Intermuseum Conservation Association.

Museum Presentation Intermuseum Conservation Association.
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
Business Continuity Training & Awareness by Sulia Toutai (ANZ)

Business Continuity Training & Awareness by Sulia Toutai (ANZ)
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Environmental Management System (EMS)

Environmental Management System (EMS)
1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.

1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.
IAEA International Atomic Energy Agency. IAEA Outline Learning objectives Introduction Functions of Regulatory Body (RB) on EPR Appraisal guidance: Part.

IAEA International Atomic Energy Agency. IAEA Outline Learning objectives Introduction Functions of Regulatory Body (RB) on EPR Appraisal guidance: Part.
Auditing Computer Systems

Auditing Computer Systems
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Copyright 2004 Turning Point Solutions Establishing Lines Of Communication Before a Crisis.

Copyright 2004 Turning Point Solutions Establishing Lines Of Communication Before a Crisis.
OMB Circular A-123 – Management’s Responsibility for Internal Control Policy Applicability Sources of Information Assessment, Documentation and Reporting.

OMB Circular A-123 – Management’s Responsibility for Internal Control Policy Applicability Sources of Information Assessment, Documentation and Reporting.
Security Controls – What Works

Security Controls – What Works
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
TEL382 Greene Chapter 11. 10/27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.

TEL382 Greene Chapter /27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Computer Security: Principles and Practice

Computer Security: Principles and Practice
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
TRAINING AND DRILLS. Training and Drills Ensure A comprehensive, coordinated, and documented program as an integral part of the emergency management program.

TRAINING AND DRILLS. Training and Drills Ensure A comprehensive, coordinated, and documented program as an integral part of the emergency management program.
Crisis Management Planning Employee Health Safety and Security Expertise Panel · Presenter Name · 2008.

Crisis Management Planning Employee Health Safety and Security Expertise Panel · Presenter Name · 2008.

Similar presentations

Ads by Google