ch6-2009_cisa (1).pptx

Upload: joefsabater

Post on 07-Jul-2018


TRANSCRIPT

  • 8/19/2019 Ch6-2009_CISA (1).pptx

    1/60

    ISACA®
    The recognized global leaders in IT governance, control, security and assurance


    2/60

    Chapter 6
    Business Continuity And Disaster Recovery
    2009 CISA Review Course


    3/60

    Course Agenda
    • Learning Objectives
    • Discuss Task and Knowledge Statements
    • Discuss specific topics within the chapter
    • Case study
    • Sample Questions


    4/60

    Exam Relevance
    Ensure that the CISA candidate:
    "Understands and can provide assurance that in the event of a disruption the business continuity and disaster recovery processes will ensure the timely resumption of IT services while minimizing the business impact."
    The content area in this chapter will represent approximately 14% of the CISA examination (approximately 28 questions).


    5/60

    Chapter 6 Learning Objectives
    • Evaluate the adequacy of backup and restore provisions to ensure the availability of information required to resume processing
    • Evaluate the organization's disaster recovery plan to ensure that it enables the recovery of IT processing capabilities in the event of a disaster
    • Evaluate the organization's business continuity plan to ensure the organization's ability to continue essential business operations during the period of an IT disruption


    6/60

    6.2 Business Continuity & Disaster Recovery Planning
    • Business continuity planning (BCP) is a process designed to reduce the organization's business risk
    • A BCP is much more than just a plan for the information systems


    7/60

    6.2 Business Continuity & Disaster Recovery Planning (continued)
    Corporate risks could cause an organization to suffer:
    • Inability to maintain critical customer services
    • Damage to market share, reputation or brand
    • Failure to protect the company assets including intellectual properties and personnel
    • Business control failure
    • Failure to meet legal or regulatory requirements


    8/60

    Practice Question
    6-1 During an audit of a large bank, the IS auditor observes that no formal risk assessment exercise has been carried out for the various business applications to arrive at their relative importance and recovery time requirements. The risk to which the bank is exposed is that the:
    A. business continuity plan may not have been calibrated to the relative risk that disruption of each application poses to the organization.
    B. business continuity plan may not include all relevant applications and, therefore, may lack completeness in terms of its coverage.
    C. business impact of a disaster may not have been accurately understood by the management.
    D. business continuity plan may lack an effective ownership by the business owners of such applications.


    9/60

    Practice Question
    6-2 Which of the following is necessary to have FIRST in the development of a business continuity plan?
    A. Risk-based classification of systems
    B. Inventory of all assets
    C. Complete documentation of all disasters
    D. Availability of hardware and software


    10/60

    Practice Question
    6-3 An IS auditor should be involved in:
    A. observing tests of the disaster recovery plan.
    B. developing the disaster recovery plan.
    C. maintaining the disaster recovery plan.
    D. reviewing the disaster recovery requirements of supplier contracts.


    11/60

    6.2.1 IS Business Continuity & Disaster Recovery Planning
    IS processing is of strategic importance
    • Critical component of overall BCP
    • Most key business processes depend on the availability of key systems and infrastructure components


    12/60

    6.2.2 Disasters and Other Disruptive Events
    • Disasters are disruptions that cause critical information resources to be inoperative for a period of time
    • Good BCP will take into account impacts on IS processing facilities


    13/60

    6.2.3 Business Continuity Planning Process
    Phases of the business continuity planning process
    • Creation of a business continuity and disaster recovery policy
    • Business impact analysis
    • Classification of operations and criticality analysis
    • Development of a business continuity plan and disaster recovery procedures
    • Training and awareness program
    • Testing and implementation of plan
    • Monitoring


    14/60

    6.2.5 Business Continuity Planning Incident Management
    All types of incidents should be categorized
    • Negligible
    • Minor
    • Major
    • Crisis


    15/60

    6.2.6 Business Impact Analysis
    • Critical step in developing the business continuity plan
    • Three main questions to consider during BIA phase:
    1. What are the different business processes?
    2. What are the critical information resources related to an organization's critical business processes?
    3. What is the critical recovery time period for information resources in which business processing must be resumed before significant or unacceptable losses are suffered?


    16/60

    6.2.6 Business Impact Analysis (continued)


    17/60

    6.2.6 Business Impact Analysis (continued)
    What is the system's risk ranking?
    • Critical
    • Vital
    • Sensitive
    • Non-sensitive


    18/60

    Practice Question
    6-4 The window of time for recovery of information processing capabilities is based on the:
    A. criticality of the processes affected.
    B. quality of the data to be processed.
    C. nature of the disaster.
    D. applications that are mainframe-based.


    19/60

    6.2.7 Recovery Point Objective and Recovery Time Objective
    • Recovery Point Objective (RPO)
    – Based on acceptable data loss
    – Indicates earliest point in time in which it is acceptable to recover the data
    • Recovery Time Objective (RTO)
    – Based on acceptable downtime
    – Indicates earliest point in time at which the business operations must resume after a disaster


    20/60

    6.2.7 Recovery Point Objective and Recovery Time Objective (continued)


    21/60

    6.2.7 Recovery Point Objective and Recovery Time Objective (continued)
    Additional parameters important in defining recovery strategies
    • Interruption window
    • Service delivery objective (SDO)
    • Maximum tolerable outages
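The RPO, RTO and interruption-window parameters above are what an auditor checks a backup and recovery design against. The script below is an added illustration, not part of the ISACA deck: it runs that check over a small constructed application portfolio, using assumed site activation times and restore throughput, and picks the cheapest alternative site that still fits the RTO.

```python
"""Check a backup/recovery design against RPO and RTO targets.
Added example, not from the ISACA course: the applications, backup intervals,
site activation times and restore throughput are constructed sample values.
"""
from dataclasses import dataclass

# Assumed hours to bring each alternative to a usable state (constructed figures;
# a real assessment takes them from the site contract and test results).
SITE_ACTIVATION_HOURS = {"mirror": 0.5, "hot": 4.0, "warm": 24.0, "cold": 72.0}
RESTORE_GB_PER_HOUR = 200.0                                # assumed restore throughput
STRATEGY_COST_ORDER = ["cold", "warm", "hot", "mirror"]   # cheapest first


@dataclass
class App:
    name: str
    rpo_hours: float              # acceptable data loss
    rto_hours: float              # acceptable downtime (the interruption window)
    backup_interval_hours: float  # 0 means synchronous data mirroring
    offsite_lag_hours: float      # delay until a completed backup is offsite
    data_gb: float
    strategy: str                 # "mirror", "hot", "warm" or "cold"


def worst_case_data_loss(app: App) -> float:
    """Loss if the disaster strikes just before the next backup completes and
    the last completed backup has not yet reached offsite storage."""
    return app.backup_interval_hours + app.offsite_lag_hours


def restore_hours(strategy: str, data_gb: float) -> float:
    """A mirrored site already holds the data; anything else must be restored."""
    return 0.0 if strategy == "mirror" else data_gb / RESTORE_GB_PER_HOUR


def estimated_recovery_time(app: App) -> float:
    """Hours until operations can resume: activate the site, then restore."""
    return SITE_ACTIVATION_HOURS[app.strategy] + restore_hours(app.strategy, app.data_gb)


def cheapest_strategy_for_rto(rto_hours: float, data_gb: float) -> str:
    """Least expensive alternative whose activation plus restore fits the RTO."""
    for strategy in STRATEGY_COST_ORDER:
        if SITE_ACTIVATION_HOURS[strategy] + restore_hours(strategy, data_gb) <= rto_hours:
            return strategy
    return "none"  # even mirroring misses the RTO: the target itself needs review


def evaluate(app: App) -> list:
    """Audit findings for one application; an empty list means both targets are met."""
    findings = []
    loss = worst_case_data_loss(app)
    if loss > app.rpo_hours:
        findings.append(f"{app.name}: worst-case data loss {loss:.1f} h exceeds RPO {app.rpo_hours} h")
    recovery = estimated_recovery_time(app)
    if recovery > app.rto_hours:
        fit = cheapest_strategy_for_rto(app.rto_hours, app.data_gb)
        findings.append(f"{app.name}: estimated recovery {recovery:.1f} h exceeds RTO "
                        f"{app.rto_hours} h (cheapest fitting strategy: {fit})")
    return findings


# Constructed portfolio: payments protected only by nightly backups rotated offsite,
# the same system mirrored to the hot site, and payroll on a warm site.
PAYMENTS_NIGHTLY = App("payments", 0.25, 2, backup_interval_hours=24,
                       offsite_lag_hours=12, data_gb=500, strategy="hot")
PAYMENTS_MIRRORED = App("payments", 0.25, 2, backup_interval_hours=0,
                        offsite_lag_hours=0, data_gb=500, strategy="mirror")
PAYROLL = App("payroll", 24, 72, backup_interval_hours=12,
              offsite_lag_hours=12, data_gb=100, strategy="warm")

if __name__ == "__main__":
    for app in (PAYMENTS_NIGHTLY, PAYMENTS_MIRRORED, PAYROLL):
        print(app.name, app.strategy, evaluate(app) or ["meets RPO and RTO"])
```

The nightly-backup case shows why practice question 6-5 answers that data mirroring belongs with a low RPO: no backup interval short of continuous replication fits a 15-minute RPO.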


    22/60

    Practice Question
    6-5 Data mirroring should be implemented as a recovery strategy when:
    A. recovery point objective (RPO) is low.
    B. RPO is high.
    C. recovery time objective (RTO) is high.
    D. disaster tolerance is high.


    23/60

    Practice Question
    6-6 When preparing a business continuity plan, which of the following MUST be known to establish a recovery point objective (RPO)?
    A. The acceptable data loss in case of disruption of operations
    B. The acceptable downtime in case of disruption of operations
    C. Types of offsite backup facilities available
    D. Types of IT platforms supporting critical business functions


    24/60

    6.2.8 Recovery Strategies
    • A recovery strategy is a combination of preventive, detective and corrective measures
    • The selection of a recovery strategy would depend upon:
    – The criticality of the business process and the applications supporting the processes
    – Cost
    – Time required to recover
    – Security


    25/60

    6.2.8 Recovery Strategies (continued)
    Recovery strategies based on the risk level identified for recovery would include developing:
    • Hot sites
    • Warm sites
    • Cold sites
    • Duplicate information processing facilities
    • Mobile sites
    • Reciprocal arrangements with other organizations


    26/60

    6.2.9 Recovery Alternatives
    Types of offsite backup facilities
    • Hot sites – Fully equipped facility
    • Warm sites – Partially equipped but lacking processing power
    • Cold sites – Basic environment
    • Duplicate (redundant) information processing facility
    • Mobile sites
    • Reciprocal agreement
    • Contract with hot, warm or cold site
    • Procuring alternative hardware facilities


    27/60

    6.2.9 Recovery Alternatives (continued)



    28/60

    6.2.9 Recovery Alternatives (continued)
    Provisions for use of third-party sites should cover:
    • Configurations
    • Disaster
    • Speed of availability
    • Subscribers per site and area
    • Preference
    • Insurance
    • Audit
    • Reliability


    29/60

    6.2.9 Recovery Alternatives (continued)
    Procuring alternative hardware facilities
    • Vendor or third-party
    • Off-the-shelf
    • Credit agreement or emergency credit cards


    30/60

    Practice Question
    6-7 An IS auditor discovers that an organization's business continuity plan provides for an alternate processing site that will accommodate 50 percent of the primary processing capability. Based on this, which of the following actions should the IS auditor take?
    A. Do nothing, because generally, less than 25 percent of all processing is critical to an organization's survival and the backup capacity, therefore, is adequate.
    B. Identify applications that could be processed at the alternate site and develop manual procedures to back up other processing.
    C. Ensure that critical applications have been identified and that the alternate site could process all such applications.
    D. Recommend that the information processing facility arrange for an alternate processing site with the capacity to handle at least 75 percent of normal processing.


    31/60

    6.2.10 Development of Business Continuity and Disaster Recovery Plans
    Factors to consider when developing the plans
    • Pre-disaster readiness
    • Evacuation procedures
    • Circumstances under which a disaster should be declared
    • Identification of plan responsibilities
    • Identification of contract information
    • Recovery option explanations
    • Identification of resources for recovery and continued operation of the organization
    • Application of the constitution phase


    32/60

    6.2.11 Organization and Assignment of Responsibilities
    The emergency management team coordinates the activities of all other recovery teams. This team oversees:
    • Retrieving critical and vital data from offsite storage
    • Installing and testing systems software and applications at the systems recovery site
    • Identifying, purchasing, and installing hardware at the system recovery site
    • Operating from the system recovery site
    • Rerouting network communications traffic



    33/60

    6.2.11 Organization and Assignment of Responsibilities (continued)
    The emergency management team coordinates the activities of all other recovery teams. This team oversees:
    • Reestablishing the user/system network
    • Transporting users to the recovery facility
    • Reconstructing databases
    • Supplying necessary office goods, i.e., special forms, check stock, paper
    • Arranging and paying for employee relocation expenses at the recovery facility
    • Coordinating systems use and employee work schedules


    34/60

    6.2.12 Other Issues in Plan Development
    • Management and user involvement is vital to the success of BCP
    – Essential to the identification of critical systems, recovery times and resources
    – Involvement from support services, business operations and information processing support
    • Entire organization needs to be considered for BCP


    35/60

    6.2.13 Components of a Business Continuity Plan
    A business continuity plan may consist of more than one plan document
    • Continuity of operations plan (COOP)
    • Disaster recovery plan (DRP)
    • Business resumption plan
    • Continuity of support plan / IT contingency plan
    • Crisis communications plan
    • Incident response plan
    • Transportation plan
    • Occupant emergency plan (OEP)



    36/60

    6.2.13 Components of a Business Continuity Plan (continued)
    Components of the plan
    • Key decision-making personnel
    • Backup of required supplies
    • Telecommunication networks disaster recovery methods
    • Redundant array of inexpensive disks (RAID)
    • Insurance


    37/60

    Practice Question
    6-8 In a business continuity plan, which of the following notification directories is the MOST important?
    A. Equipment and supply vendors
    B. Insurance company agents
    C. Contract personnel services
    D. A prioritized contact list


    38/60

    Practice Question
    6-9 Which of the following components of a business continuity plan is PRIMARILY


    39/60

    6.2.13 Components of a Business Continuity Plan (continued)
    Telecommunication networks disaster recovery methods
    • Redundancy
    • Alternative routing
    • Diverse routing
    • Long haul network diversity
    • Last mile circuit protection
    • Voice recovery



    40/60

    6.2.13 Components of a Business Continuity Plan (continued)
    Redundant array of inexpensive disks (RAID)
    • Provide performance improvements and fault tolerant capabilities via hardware or software solutions
    • Provide the potential for cost-effective mirroring offsite for data back-up



    41/60

    6.2.13 Components of a Business Continuity Plan (continued)
    Insurance
    • IS equipment and facilities
    • Media (software) reconstruction
    • Extra expense
    • Business interruption
    • Valuable papers and records
    • Errors and omissions
    • Fidelity coverage
    • Media transportation


    42/60

    6.2.14 Plan Testing
    • Schedule testing at a time that will minimize disruptions to normal operations
    • Test must simulate actual processing conditions
    • Test execution:
    – Documentation of results
    – Results analysis
    – Recovery / continuity plan maintenance


    43/60

    Practice Question
    6-10 In an audit of a business continuity plan, which of the following findings is of MOST concern?
    A. There is no insurance for the addition of assets during the year.
    B. The business continuity plan manual is not updated on a regular basis.
    C. Testing of the backup data has not been done regularly.
    D. Records for maintenance of the access system have not been maintained.



    44/60

    6.2.15 Backup and Restoration
    • Offsite library controls
    • Security and control of offsite facilities
    • Media and documentation backup
    • Periodic backup procedures
    • Frequency of rotation
    • Types of media and documentation rotated
    • Record keeping for offsite storage
    • Business continuity management best practices



    45/60

    6.2.16 Summary of Business Continuity and Disaster Recovery
    • Business continuity plan must:
    – Be based on the long-range IT plan
    – Comply with the overall business continuity strategy



    46/60

    6.2.16 Summary of Business Continuity and Disaster Recovery (continued)
    • Process for developing and maintaining the BCP/DRP
    – Business impact analysis
    – Identify and prioritize systems
    – Choose appropriate strategies
    – Develop the detailed plan for IS facilities
    – Develop the detailed BCP
    – Test the plans
    – Maintain the plans


    47/60

    6.3 Auditing Business Continuity
    • Understand and evaluate business continuity strategy
    • Evaluate plans for accuracy and adequacy
    • Verify plan effectiveness
    • Evaluate offsite storage
    • Evaluate ability of IS and user personnel to respond effectively
    • Ensure plan maintenance is in place
    • Evaluate readability of business continuity manuals and procedures


    48/60

    6.3.1 Reviewing the Business Continuity Plan
    IS auditors should verify that basic elements of a well-developed plan are evident including:
    • Currency of documents
    • Effectiveness of documents
    • Interview personnel for appropriateness and completeness



    49/60

    6.3.2 Evaluation of Prior Test Results
    IS auditors must review the test results to:
    • Determine whether corrective actions are in the plan
    • Evaluate thoroughness and accuracy
    • Determine problem trends and resolution of problems


    50/60



    51/60

    6.3.4 Interviewing Key Personnel
    • Key personnel must have an understanding of their responsibilities
    • Current detailed documentation must be kept



    52/60

    6.3.5 Evaluation of Security at Offsite Facility
    An IS auditor must:
    • Evaluate the physical and environmental access controls
    • Examine the equipment for current inspection and calibration tags



    53/60

    6.3.6 Reviewing Alternative Processing Contract
    • An IS auditor should obtain a copy of the contract with the vendor
    • The contract should be reviewed against a number of guidelines
    – Contract is clear and understandable
    – Organization's agreement with the rules



    54/60

    6.3.7 Reviewing Insurance Coverage
    • Insurance coverage must reflect actual cost of recovery
    • Coverage of the following must be reviewed for adequacy
    – Media damage
    – Business interruption
    – Equipment replacement
    – Business continuity processing


    55/60

    Case Study Scenario
    Organization revising BCP and DRP for headquarters (750 employees) and 16 branches (each with 20–35 employees and mail and file / print server)
    • Current plans not updated in more than 8 years
    • Organization has grown by 300%
    • Staff connect via LAN to more than 60 applications, databases and print servers in the corporate data centre
    • Staff connect via a frame relay network to the branches
    • Traveling users connect over the Internet using VPN
    • Critical applications have RTO of 3–5 days



    56/60

    Case Study Scenario (continued)
    • All users in the headquarters and branches connect to the Internet through a firewall and proxy server located in the data center
    • Branch offices are located between 30 and 50 miles from one another, with none closer to the headquarters' facility than 25 miles
    • Backup media for the data center are stored at a third-party facility 35 miles away
    • Backups for servers located at the branch offices are stored at nearby branch offices using reciprocal agreements between offices



    57/60

    Case Study Scenario (continued)
    Current contract with third party hot site
    • 3 year term, with equipment upgrades occurring at renewal time
    • 25 servers
    • Work area space with PCs for 100 employees
    • Separate agreement to ship 2 servers and 10 PCs to any branch declaring a disaster
    • Hot site provider has multiple sites in case the primary site is in use by another customer or rendered unavailable by the disaster


    58/60

    Case Study Question
    1. On the basis of the above information, which of the following should the IS auditor recommend concerning the hot site?
    A. Desktops at the hot site should be increased to 750.
    B. An additional 35 servers should be added to the hot site contract.
    C. All backup media should be stored at the hot site to shorten the RTO.
    D. Desktop and server equipment requirements should be reviewed quarterly.


    59/60

    Case Study Question
    2. On the basis of the above information, which of the following should the IS auditor recommend concerning branch office recovery?
    A. Add each of the branches to the existing hot site contract.
    B. Ensure branches have sufficient capacity to back each other up.
    C. Relocate all branch mail and file / print servers to the data center.
    D. Add additional capacity to the hot site contract equal to the largest branch.


    60/60

    Conclusion
    • Quick Reference Review – Page 12 of the CISA Review Manual 2009