chap6 2007 cisa review course

Page 1: Chap6 2007 Cisa Review Course

2007 CISA© Review Course © 2006 ISACA All rights reserved www.isaca.org Chap 6 - Pag - 1

2007 CISA Review Course

Business Continuity and Disaster Recovery

Chapter 6

Page 2:

Process Area Overview: Business Continuity/Disaster Recovery Planning

• IS Business Continuity/Disaster Recovery Planning
• Disasters and Other Disruptive Events
• BCP Process
• Business Continuity and Disaster Recovery Policy
• BCP Incident Management
• Business Impact Analysis
• Recovery Point Objective and Recovery Time Objective
• Recovery Strategies
• Recovery Alternatives

Page 3:

Process Area Overview: Business Continuity/Disaster Recovery Planning (cont.)

• Development of Business Continuity and Disaster Recovery Plans
• Organization and Assignment of Responsibilities
• Other Issues in Plan Development
• Components of a BCP
• Plan Testing
• Backup and Restoration

Page 4:

Process Area Overview: Auditing Disaster Recovery and Business Continuity

• Reviewing the BCP
• Evaluation of Prior Test Results
• Evaluation of Offsite Storage
• Interviewing Key Personnel
• Evaluation of Security at Offsite Facility
• Reviewing Alternative Processing Contract
• Reviewing Insurance Coverage

Page 5:

Chapter Objective

Ensure that the IS Auditor "understands and can provide assurance that in the event of a disruption the business continuity and disaster recovery processes will ensure the timely resumption of IT services while minimizing the business impact".

Page 6:

Chapter Objective

There are three (3) tasks within this content area:

1. Evaluate the adequacy of backup and restore provisions to ensure the availability of information required to resume processing.

2. Evaluate the organization’s disaster recovery plan to ensure that it enables the recovery of IT processing capabilities in the event of a disaster.

3. Evaluate the organization’s business continuity plan to ensure its ability to continue essential business operations during the period of an IT disruption.

Page 7:

Chapter Summary

According to the CISA Certification Board, this Content Area will represent approximately 14% of the CISA examination (approximately 28 questions).

Page 8:

6.1 Business Continuity / Disaster Recovery Planning

• Corporate risks could cause an organization to suffer:
  • Inability to maintain critical customer services
  • Damage to market share, reputation or brand
  • Failure to protect the company assets including intellectual properties and personnel
  • Business control failure
  • Failure to meet legal or regulatory requirements
• Business continuity planning (BCP) is a process designed to reduce the organization’s business risk
• A BCP is much more than just a plan for the information systems

Page 9:

6.1 Business Continuity / Disaster Recovery Planning

• Business’ ability to continue operations requires:
  • Rigorous planning & commitment of resources
  • Risk assessment to identify critical business processes
  • Reduction of risk for unexpected disruption to critical functions
  • Assure continuity of minimum level of service for critical operations
  • Responsibility of senior management
  • Address all functions & assets to continue as viable organization

Page 10:

6.1.1 IS Business Continuity / Disaster Recovery Planning

• IS BCP/DRP is a component of the overall Business Continuity and Disaster Recovery strategy
• Imperative to have a ready-to-start reserved facility
• IS plan must support the corporate BCP

Page 11:

6.1.2 Disasters and other Disruptive Events

• Disasters
  • Disrupt the operation of critical information processing
  • Adversely impact business operations
• Not all disruptions are disasters
• Causes of service disruption
  • Natural
  • Expected services no longer supplied
• BCP must take into account all types of events impacting IS processing facilities and end users functionality

Page 12:

6.1.3 BCP Process

• Phases of the Business Continuity Planning Process
  • Creation of a business continuity and disaster recovery policy
  • Business impact analysis
  • Classification of operations and criticality analysis
  • Development of a business continuity plan and disaster recovery procedures
  • Training and awareness program
  • Testing and implementation of plan
  • Monitoring

Page 13:

6.1.4 Business Continuity and Disaster Recovery Policy

• Policies need to be proactive and encompass preventive, detective and corrective controls
• BCP is the most critical corrective control
• BCP needs to be well designed, documented, drill tested, funded and audited
• Incident management group needs to be adequately staffed, supported and trained

Page 14:

6.1.5 BCP Incident Management

• The management of incidents needs to be dynamic, proactive and documented
• All types of incidents need to be categorized
  – negligible: causing no significant damage
  – minor: produce no negative material or financial impact
  – major: cause negative material impact on business processes
  – crisis: serious material impact on the functioning of the business

Page 15:

6.1.5 BCP Incident Management

• Minor, major and crisis incidents must be documented, classified and revisited until corrected or resolved
• The SO should be notified of all incidents as soon as the trigger occurs. This will allow for a pre-established protocol to be followed.
• Service downtime determines the incident severity
• The severity should be reevaluated regularly

Page 16:

6.1.6 Business Impact Analysis (BIA)

• Identifying the various events that could impact the continuity of operations and their impact on the organization
• Issues to consider for BIA
  • Different business processes
  • Critical information resources related to critical business processes
  • Critical recovery time period before significant losses are incurred
  • Systems risk ranking

Page 17:

6.1.7 Recovery Point Objective and Recovery Time Objective

• Recovery Point Objective (RPO)
  – based on acceptable data loss
  – indicates earliest point in time in which it is acceptable to recover the data
• Recovery Time Objective (RTO)
  – based on acceptable downtime
  – indicates earliest point in time at which the business operations must resume after a disaster

Page 18:

6.1.7 Recovery Point Objective and Recovery Time Objective

• RPO and RTO are based on time parameters
• The lower the time requirements, the higher the cost of recovery strategies
• Parameters to consider when defining recovery strategies:
  – Interruption window
  – Service delivery objective (SDO)
  – Maximum tolerable outages
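The two objectives become concrete only when an actual disruption is measured against them and the alternatives that could meet them are costed. The following Python is an added example, not from the ISACA course: it computes data loss and downtime for a constructed outage, checks them against an RPO and an RTO, and picks the cheapest recovery alternative whose achievable figures fall within the objectives. The backup timestamps, the outage, and the list of cold, warm, hot and duplicate facilities with their assumed RPO/RTO capability and cost ranks are all hypothetical; real values come from the BIA and the alternate-site contract. The same logic shows why a low RPO pushes toward mirroring, which is the point of the data-mirroring question on Page 40.

```python
"""Checking a real disruption against RPO/RTO and choosing the cheapest
recovery alternative that meets them. Added example; timestamps and the
per-alternative figures are constructed, not ISACA's."""
from datetime import datetime, timedelta

# Hypothetical alternatives: the best RPO and RTO each can deliver, and a
# relative cost rank (1 = cheapest). Real numbers come from the BIA and the
# alternate-site contract, not from this table.
ALTERNATIVES = [
    ("cold site, daily offsite tapes", timedelta(hours=24), timedelta(days=7), 1),
    ("warm site, daily offsite tapes", timedelta(hours=24), timedelta(days=2), 2),
    ("hot site, hourly log shipping", timedelta(hours=1), timedelta(hours=4), 3),
    ("duplicate facility, synchronous mirroring", timedelta(0), timedelta(minutes=30), 4),
]

# Constructed incident: four six-hourly backups completed, then an outage.
BACKUPS_COMPLETED = [datetime(2024, 5, 6, h) for h in (0, 6, 12, 18)]
OUTAGE_START = datetime(2024, 5, 6, 21, 30)
SERVICE_RESTORED = datetime(2024, 5, 7, 3, 0)


def data_loss(backups, outage_start):
    """Data lost = time between the last backup completed before the outage
    and the outage itself; this is the quantity the RPO bounds."""
    usable = [b for b in backups if b <= outage_start]
    if not usable:
        raise ValueError("no backup completed before the outage")
    return outage_start - max(usable)


def downtime(outage_start, restored):
    """Elapsed outage; this is the quantity the RTO bounds."""
    return restored - outage_start


def objectives_met(backups, outage_start, restored, rpo, rto):
    """(rpo_met, rto_met) for one disruption."""
    return (data_loss(backups, outage_start) <= rpo,
            downtime(outage_start, restored) <= rto)


def worst_case_loss(backup_interval, backup_duration=timedelta(0)):
    """With periodic backups the worst case is an outage just before the next
    backup completes: a full interval plus the time the running backup needed.
    The interval must therefore be chosen so this stays within the RPO."""
    return backup_interval + backup_duration


def cheapest_alternative(rpo, rto, alternatives=ALTERNATIVES):
    """Lowest-cost alternative whose achievable RPO and RTO are within the
    objectives, or None when nothing in the list is good enough. Tighter
    objectives push the choice up the cost ranking, as the slide says."""
    fit = [a for a in alternatives if a[1] <= rpo and a[2] <= rto]
    return min(fit, key=lambda a: a[3])[0] if fit else None


if __name__ == "__main__":
    loss = data_loss(BACKUPS_COMPLETED, OUTAGE_START)
    down = downtime(OUTAGE_START, SERVICE_RESTORED)
    print("data loss:", loss, " downtime:", down)
    print(objectives_met(BACKUPS_COMPLETED, OUTAGE_START, SERVICE_RESTORED,
                         rpo=timedelta(hours=4), rto=timedelta(hours=8)))
    print(cheapest_alternative(timedelta(hours=4), timedelta(hours=8)))
```

With six-hourly backups the constructed outage loses 3.5 hours of data and lasts 5.5 hours, so an RPO of 4 hours and an RTO of 8 hours are met, and the hot site is the cheapest alternative that would keep meeting them; an RPO of zero is only satisfiable by the mirrored duplicate facility.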

Page 19:

Chapter 6: Question

The window of time for recovery of information processing capabilities is based on the:

A. criticality of the processes affected.
B. quality of the data to be processed.
C. nature of the disaster.
D. applications that are mainframe-based.

Page 20:

Chapter 6 Question 9

When preparing a business continuity plan, which of the following must be known to establish a recovery point objective (RPO)?

A. The acceptable data loss in case of disruption of operations
B. The acceptable downtime in case of disruption of operations
C. Types of offsite backup facilities available
D. Types of IT platforms supporting critical business functions

Page 21:

6.1.8 Recovery Strategies

• Like all threats, the most effective action would be:
  • To remove the threat altogether
  • To minimize the likelihood and effect of occurrence
• A recovery strategy is a combination of preventive, detective and corrective measures.
• The selection of a recovery strategy would depend upon:
  • The criticality of the business process and the applications supporting the processes
  • Cost
  • Time required to recover
  • Security

Page 22:

6.1.8 Recovery Strategies

• Recovery strategies based on the risk level identified for recovery would include developing:
  • Hot sites
  • Warm sites
  • Cold sites
  • Duplicate information processing facilities
  • Mobile sites
  • Reciprocal arrangements with other organizations

Page 23:

6.1.9 Recovery Alternatives

• Types of Off-site Backup Facilities
  • Hot sites - Fully equipped facility
  • Warm sites - Partially equipped but lacking processing power
  • Cold sites - Basic environment
  • Duplicate information processing facility
  • Mobile sites
  • Reciprocal agreement
• Contract with hot, warm or cold site
• Procuring alternative hardware facilities

Page 24:

6.1.9 Recovery Alternatives

• Procuring alternative hardware facilities
  • Vendor or third-party
  • Off-the-shelf
  • Credit agreement or emergency credit cards

Page 25:

Chapter 6 Question 2

An IS auditor discovers that an organization’s business continuity plan provides for an alternate processing site that will accommodate 50 percent of the primary processing capability. Based on this, which of the following actions should the IS auditor take?

A. Do nothing, because generally, less than 25 percent of all processing is critical to an organization’s survival and the backup capacity, therefore, is adequate.
B. Identify applications that could be processed at the alternate site, and develop manual procedures to back up other processing.
C. Ensure that critical applications have been identified and that the alternate site could process all such applications.
D. Recommend that the information processing facility arrange for an alternate processing site with the capacity to handle at least 75 percent of normal processing.

Page 26:

6.1.10 Development of Business Continuity and Disaster Recovery Plan

A detailed Business Continuity and Disaster Recovery Plan:

• Is developed based on
  • Inputs received from Business Impact Analysis
  • Criticality Analysis
  • Recovery Strategy selected by management
• Must address all issues involved in interruption to business processes, including recovering from a disaster
• Should consider various factors while developing the plan

Page 27:

Chapter 6 Question 4

During an IT audit of a large bank, the IS auditor observes that no formal risk assessment exercise has been carried out for the various business applications to arrive at their relative importance and recovery time requirements. The risk that the bank is exposed to is that the:

A. business continuity plan may not have been calibrated to the relative risk that disruption of each application poses to the organization.

B. business continuity plan may not include all relevant applications and, therefore, may lack completeness in terms of its coverage.

C. business impact of a disaster may not have been accurately understood by the management.

D. business continuity plan may lack an effective ownership by the business owners of such applications.

Page 28:

6.1.11 Organization and Assignment of Responsibilities

• Incident Response Team
• Emergency Action Team
• Damage Assessment Team
• Emergency Management Team
• Off-site Storage Team
• Software Team
• Applications Team
• Security Team
• Emergency Operations Team
• Network Recovery Team
• Communications Team

Page 29:

6.1.11 Organization and Assignment of Responsibilities

• Transportation Team
• User Hardware Team
• Data Preparation and Records Team
• Administration Support Team
• Supplies Team
• Salvage Team
• Relocation Team
• Coordination Team
• Legal Affairs Team
• Recovery Test Team
• Training Team

Page 30:

6.1.12 Other Issues in Plan Development

• Management and user involvement is vital to the success of BCP
  – essential to the identification of critical systems, recovery times and resources
  – involvement from support services, business operations and information processing support
• Entire organization needs to be considered for BCP

Page 31:

6.1.12 Other Issues in Plan Development

• IS processing plan can be extended where a BCP does not exist for the entire organization
• Include the following in the plan:
  – A list of detailed staff information
  – The configuration of the building

Page 32:

6.1.13 Components of a BCP

A BCP may consist of more than one plan document:
• Business continuity plan (BCP)
• Business recovery (or resumption) plan (BRP)
• Continuity of operations plan (COOP)
• Continuity of support plan/IT contingency plan
• Crisis communications plan
• Incident response plan
• Disaster recovery plan (DRP)
• Occupant emergency plan (OEP)

Page 33:

6.1.13 Components of a BCP

• Components of this Plan
  • Key decision-making personnel
  • Backup of required supplies
  • Telecommunication networks disaster recovery methods
  • Redundant array of inexpensive disks (RAID)
  • Insurance

Page 34:

6.1.13 Components of a BCP

• Telecommunication networks disaster recovery methods
  • Redundancy
  • Alternative routing
  • Diverse routing
  • Long haul network diversity
  • Last mile circuit protection
  • Voice recovery

Page 35:

6.1.13 Components of a BCP

• Redundant array of inexpensive disks (RAID)
  • Level 0, striped disk array without fault tolerance
  • Level 1, mirroring
  • Level 2, Hamming code ECC
  • Level 3, parallel transfer with parity
  • Level 4, independent data disks with shared parity disk
  • Level 5, independent data disks with distributed parity blocks
  • Level 6, independent data disks with two independent distributed parity schemes

Page 36:

6.1.13 Components of a BCP

• Redundant array of inexpensive disks (RAID) (cont.)
  • Level 7, optimized asynchrony for high I/O rates as well as high data transfer rates
  • Level 10, very high reliability combined with high performance
  • Level 53, high I/O rates and data transfer performance
  • Level 0+1, high data transfer performance
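Of the levels listed, level 5 (independent data disks with distributed parity) is the one an auditor meets most often, and its protection has a hard limit worth seeing in code. The following Python is an added example, not from the ISACA course: it writes data across a small simulated array with rotating XOR parity, rebuilds blocks from a single failed disk on read, and refuses to read after a second failure, which is where level 5 stops protecting data and either level 6 or a restore from backup is required. The disk count, block size and sample data are constructed for the illustration.

```python
"""RAID 5 style striping with rotating XOR parity, as an added illustration.
Disk count, block size and sample data are constructed for the demo."""

BLOCK = 4  # bytes per block; tiny so a stripe is easy to inspect


def xor_blocks(blocks):
    """XOR equal-length blocks byte by byte; this is the RAID 5 parity."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


class Raid5:
    """N disks; each stripe holds N-1 data blocks plus one parity block."""

    def __init__(self, n_disks):
        if n_disks < 3:
            raise ValueError("RAID 5 needs at least three disks")
        self.n = n_disks
        self.disks = [[] for _ in range(n_disks)]  # disk -> list of blocks
        self.failed = set()

    def parity_disk(self, stripe_no):
        # Distributed parity: the parity block rotates across disks so no
        # single disk becomes the write bottleneck (the difference from level 4).
        return (self.n - 1 - stripe_no) % self.n

    def write(self, data):
        """Append data as whole stripes; returns the number of stripes written."""
        per_stripe = (self.n - 1) * BLOCK
        data += b"\0" * (-len(data) % per_stripe)  # pad the last stripe
        first = len(self.disks[0])
        for off in range(0, len(data), per_stripe):
            stripe_no = len(self.disks[0])
            chunks = [data[off + i * BLOCK: off + (i + 1) * BLOCK]
                      for i in range(self.n - 1)]
            parity = xor_blocks(chunks)
            pd = self.parity_disk(stripe_no)
            chunk_iter = iter(chunks)
            for d in range(self.n):
                self.disks[d].append(parity if d == pd else next(chunk_iter))
        return len(self.disks[0]) - first

    def fail(self, disk):
        self.failed.add(disk)

    def readable(self):
        """Level 5 survives exactly one failed disk."""
        return len(self.failed) <= 1

    def _block(self, disk, stripe_no):
        if disk not in self.failed:
            return self.disks[disk][stripe_no]
        # Rebuild: XOR of every surviving block in the stripe (data and parity)
        # gives back the missing one, because XOR of all blocks is zero.
        survivors = [self.disks[d][stripe_no] for d in range(self.n) if d != disk]
        return xor_blocks(survivors)

    def read(self, length):
        """Read back the first `length` bytes, rebuilding a failed disk on the fly."""
        if not self.readable():
            raise RuntimeError("two disks failed: data lost, restore from backup")
        out = bytearray()
        for s in range(len(self.disks[0])):
            pd = self.parity_disk(s)
            for d in range(self.n):
                if d != pd:
                    out += self._block(d, s)
        return bytes(out[:length])


if __name__ == "__main__":
    array = Raid5(4)
    msg = b"RAID level 5: one disk may fail"
    array.write(msg)
    array.fail(2)
    print(array.read(len(msg)))  # still intact after one failure
```

A rebuild reads every surviving disk for every stripe, so a large array runs degraded for hours while exposed to a second failure; that window, not the parity arithmetic, is why RAID is listed here as one BCP component and not as a substitute for offsite backups.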

Page 37: Chap6 2007 Cisa Review Course

2007 CISA© Review Course © 2006 ISACA All rights reserved www.isaca.org Chap 6 - Pag - 37

• InsuranceInsurance• IS equipment and facilitiesIS equipment and facilities

• Media (software) reconstructionMedia (software) reconstruction

• Extra expenseExtra expense

• Business interruptionBusiness interruption

• Valuable papers and recordsValuable papers and records

• Errors and omissionsErrors and omissions

• Fidelity coverageFidelity coverage

• Media transportationMedia transportation

6.1.13 Components6.1.13 Components of a BCPof a BCP

Page 38:

Chapter 6: Question 5

Which of the following is necessary to have FIRST in the development of a business continuity plan?

A. Risk-based classification of systems
B. Inventory of all assets
C. Complete documentation of all disasters
D. Availability of hardware and software

Page 39:

Chapter 6 Question 7

In a business continuity plan (BCP), which of the following notification directories is the MOST important?

A. Equipment and supply vendors
B. Insurance company agents
C. Contract personnel services
D. A prioritized contact list

Page 40:

Chapter 6 Question 1

Data mirroring should be implemented as a recovery strategy when:

A. recovery point objective (RPO) is low.
B. recovery point objective (RPO) is high.
C. recovery time objective (RTO) is high.
D. disaster tolerance is high.

Page 41:

Chapter 6 Question 8

Which of the following components of a business continuity plan is PRIMARILY the responsibility of an organization’s IS department?

A. Developing the business continuity plan
B. Selecting and approving the strategy for the business continuity plan
C. Declaring a disaster
D. Restoring the IS systems and data after a disaster

Page 42:

6.1.14 Plan Testing

• Schedule testing at a time that will minimize disruptions to normal operations
• Test must simulate actual processing conditions
• Test Execution
• Documentation of Results
• Results Analysis
• Recovery/Continuity Plan Maintenance

Page 43:

6.1.15 Backup and Restoration

• Secondary storage media are used to allow for the uninterrupted profit-seeking activities of a business
• These media are stored in one or more physical facilities (referred to as offsite libraries)
• It is the offsite librarian’s responsibility to maintain the inventory of, and access to, the libraries
• A current copy of the business continuity plan needs to be maintained at the facility as well


6.1.15 Backup and Restoration

• Off-site Library Controls

• Security and Control of Off-site Facilities

• Media and Documentation Back-up

• Periodic Back-up Procedures

• Frequency of Rotation

• Types of Media and Documentation Rotated

• Methods of Rotation

• Record Keeping for Off-site Storage

• Business Continuity Management (BCM) Best Practices


6.1.16 Summary of Business Continuity and Disaster Recovery

• Business Continuity Plan must

– be based on the long-range IT plan

– comply with the overall business continuity strategy

• Process for developing and maintaining the BCP/DRP:

– Business Impact Analysis

– Identify and prioritize systems

– Choose appropriate strategies

– Develop the detailed plan for IS facilities

– Develop the detailed BCP

– Test the plans

– Maintain the plans


6.2 Auditing Recovery / Continuity Plans

• Review Business Continuity Plan

• Evaluate Prior Test Results

• Evaluate Off-site Storage

• Interview Key Personnel

• Evaluate Security at Off-site Facility

• Review Alternative Processing Contract

• Review Insurance Coverage


6.2.1 Review Business Continuity Plan

• When reviewing the developed plan, IS auditors should verify that basic elements of a well-developed plan are evident.

• Basic elements include:

– currency of documents

– effectiveness of documents

– interview personnel for appropriateness and completeness

– etc


6.2.2 Evaluate Prior Test Results

• Historical documentation of prior tests must be kept

• IS Auditor must review the test results to:

– determine whether corrective actions are in the plan

– evaluate thoroughness and accuracy

– determine problem trends and resolution of problems


6.2.3 Evaluate Off-site Storage

• The IS Auditor must

– evaluate presence, synchronization and currency of media and documentation

– perform a detailed inventory review

– review all documentation

– evaluate availability of facility
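The offsite-library record keeping of 6.1.15 and the presence, synchronization and currency checks of 6.2.3 can be applied to the librarian’s inventory mechanically; the script below is an added example, not material from the ISACA course, and all system names, media ids, dates and the policy table are constructed for illustration.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample data (not from the course). POLICY says, per system, how old
# the newest offsite copy may be and which members must share one backup cycle
# so that a restore is consistent (e.g. a database and its transaction logs).
POLICY: Dict[str, dict] = {
    "payroll-db": {"max_age": timedelta(days=1), "set": ["data", "logs"]},
    "mail":       {"max_age": timedelta(days=7), "set": ["data"]},
    "file-print": {"max_age": timedelta(days=7), "set": ["data"]},
}
# Offsite librarian's inventory rows: (system, member, media id, backup cycle time)
INVENTORY: List[Tuple[str, str, str, datetime]] = [
    ("payroll-db", "data", "T1041", datetime(2007, 2, 28, 22, 0)),
    ("payroll-db", "logs", "T1038", datetime(2007, 2, 27, 22, 0)),  # older cycle
    ("mail",       "data", "T0990", datetime(2007, 2, 10, 22, 0)),  # stale copy
    # no row for "file-print": nothing is offsite for it
]
BCP_LAST_REVISED = datetime(2007, 2, 15)   # date of the current plan version
OFFSITE_BCP_COPY = datetime(2007, 1, 20)   # version of the plan held at the library
NOW = datetime(2007, 3, 1, 9, 0)           # date of the audit inventory review

def audit_offsite_library(inventory, policy, offsite_bcp, bcp_revised, now) -> List[str]:
    """Return one finding per control failure: presence, currency and
    synchronization of media, and currency of the BCP copy held offsite."""
    newest: Dict[Tuple[str, str], datetime] = {}
    for system, member, _media, taken in inventory:
        key = (system, member)
        if key not in newest or taken > newest[key]:
            newest[key] = taken
    findings = []
    for system, rule in policy.items():
        cycles = {m: newest.get((system, m)) for m in rule["set"]}
        missing = [m for m, t in cycles.items() if t is None]
        if missing:  # presence: a required member has no offsite copy at all
            findings.append(f"{system}: no offsite media for {missing}")
            continue
        latest = max(cycles.values())
        if now - latest > rule["max_age"]:  # currency: newest copy too old
            findings.append(f"{system}: newest offsite copy is {(now - latest).days} days old")
        if len(set(cycles.values())) > 1:  # synchronization: mixed cycles
            findings.append(f"{system}: members {rule['set']} come from different cycles")
    if offsite_bcp < bcp_revised:  # documentation currency
        findings.append("offsite BCP copy predates the current plan revision")
    return findings

if __name__ == "__main__":
    for line in audit_offsite_library(INVENTORY, POLICY, OFFSITE_BCP_COPY, BCP_LAST_REVISED, NOW):
        print("FINDING:", line)
```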


6.2.4 Interview Key Personnel

• Key personnel must have an understanding of their responsibilities

• Current detailed documentation must be kept


6.2.5 Evaluate Security at Off-site Storage

• The IS Auditor must

– evaluate the physical and environmental access controls

– examine the equipment for current inspection and calibration tags


6.2.6 Review Alternative Processing Contract

• The references listed in the contract with the vendor of the alternative processing facility must be checked, and the vendor’s promises verified in writing

• The contract should be reviewed against a number of guidelines

– contract is clear and understandable

– organization’s agreement with the rules

– etc


6.2.7 Review Insurance Coverage

• Insurance coverage must reflect actual cost of recovery

• Coverage of the following must be reviewed for adequacy

– media damage

– business interruption

– equipment replacement

– business continuity processing


An IS auditor should be involved in:

A. observing tests of the disaster recovery plan.

B. developing the disaster recovery plan.

C. maintaining the disaster recovery plan.

D. reviewing the disaster recovery requirements of supplier contracts.

Chapter 6 Question 6


In an audit of a business continuity plan, which of the following findings is of MOST concern?

A. There is no insurance for the addition of assets during the year.

B. The BCP manual is not updated on a regular basis.

C. Testing of the backup of data has not been done regularly.

D. Records for maintenance of the access system have not been maintained.

Chapter 6 Question 10


Chapter 6: Case Study

• Organisation revising BCP and DRP for headquarters (750 employees) and 16 branches (each with 20 – 35 employees and mail and file/print server)

• Current plans not updated in more than 8 years

• Organisation has grown by 300%

• Staff connect via LAN to more than 60 applications, databases and print servers in the corporate data centre

• Staff connect via a frame relay network to the branches

• Travelling users connect over the Internet using VPN


Chapter 6: Case Study

• All users in the headquarters and branches connect to the Internet through a firewall and proxy server located in the data centre

• Critical applications have RTO of 3 – 5 days

• Branch offices are located between 30 and 50 miles from one another, with none closer to the headquarters' facility than 25 miles

• Backup media for the data center are stored at a third-party facility 35 miles away

• Backups for servers located at the branch offices are stored at nearby branch offices using reciprocal agreements between offices


Chapter 6: Case Study

• Current contract with third party hot-site

– 3 year term, with equipment upgrades occurring at renewal time

– 25 servers

– work area space with PCs for 100 employees

– separate agreement to ship 2 servers and 10 PCs to any branch declaring a disaster

– hot site provider has multiple sites in case the primary site is in use by another customer or rendered unavailable by the disaster


Chapter 6: Case Study Question 1

1. On the basis of the above information, which of the following should the IS auditor recommend concerning the hot site?

A. Desktops at the hot site should be increased to 750.

B. An additional 35 servers should be added to the hot site contract.

C. All backup media should be stored at the hot site to shorten the RTO.

D. Desktop and server equipment requirements should be reviewed quarterly.


Chapter 6: Case Study Question 2

2. On the basis of the above information, which of the following should the IS auditor recommend concerning branch office recovery?

A. Add each of the branches to the existing hot site contract.

B. Ensure branches have sufficient capacity to back each other up.

C. Relocate all branch mail and file/print servers to the Data Center.

D. Add additional capacity to the hot site contract equal to the largest branch.