
Upload: danish-iqbal

Post on 10-Apr-2015


DESCRIPTION

Useful summary of CISA for ICMAP Stage-6 students


Chapter 5: Business Continuity and Disaster Recovery Planning

Information Management and Auditing: BCP and DRP

Due to the complexity of modern business, risks are inevitable. Some of these risks are:
- Inability to maintain customer service.
- Damage to corporate image.
- Failure to protect the company's assets.
- Failure to meet legal requirements.

WHAT IS BCP?
Business Continuity Planning (BCP) is a process designed to reduce an organization's business risks arising from an unexpected disruption of its critical functions/operations.

WHY BCP?
The purpose of BCP is to enable the business to continue operating (at least its critical functions, possibly at a reduced level) in the event of a disruption.

WHO DOES BCP?
Senior management. It owns the plan: it sets the policy, funds the program and approves the plan, while business process owners and IS staff carry out the analysis, build the recovery procedures and take part in testing.

DISASTER/DISRUPTIVE EVENTS
Disasters are disruptions that cause critical information resources to be inoperative for a period of time long enough to adversely impact business operations. Recovery actions are then required, such as the use of an alternate processing facility. Examples of disasters of a catastrophic nature are:
- Earthquakes.
- Floods.
- Tornadoes.
- Severe thunderstorms.
- Fire, etc.
A good business continuity plan takes into account all types of events impacting both the critical IS processing facilities and the end users' normal business operations. Both short-term and long-term fallback strategies are required.

BCP PROCESS
The BCP process consists of the following life-cycle phases:
1) Business Impact Analysis (BIA).
2) Operations classification (criticality analysis).
3) Development of the BCP and DRP.
4) Training and awareness.
5) Testing and implementation.
6) Monitoring.

BUSINESS IMPACT ANALYSIS:It involves identifying various business events that could impact the continuity of operations and their impact (financial, human, operational etc) on the organization. In order to perform BIA, key business processes should be understood.

APPROACHES:
There are various approaches to gathering the BIA information:
- Questionnaire approach: developing and circulating questionnaires to key users, then analysing and reviewing the answers.
- Interviews: information gathered in interviews with key users is tabulated and analysed for the detailed BIA.
- Discussions: joint sessions between IT and the end users.

Prepared by: Muhammad Umar Munir

The business impact analysis considers the following questions:
- What are the different business processes, and what is their relative importance and criticality?
- What are the critical information resources related to the organization's critical business processes?
- What is the critical recovery time period for those information resources, i.e. the time within which business processing must be resumed before significant or unacceptable losses are suffered?

Critical processes: examples are receipts, production, payroll, advertising, and inbound and outbound logistics.

COST CONSIDERATIONS:
There are two potential costs to be considered:
1) Downtime costs: cost of idle resources, drop in sales, financial costs, delays, loss of goodwill and customer loyalty. These grow with the length of the outage.
2) Recovery costs: cost of preparing and testing the BCP, cost of backup premises, cost of insurance coverage. These grow with the speed of recovery demanded.
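As an added worked example (not part of the original summary), the following Python script makes the cost trade-off concrete: it computes downtime cost plus recovery cost for each recovery alternative and picks the cheapest one, optionally restricted to alternatives fast enough to meet a given RTO. All figures (annual costs, recovery hours, hourly loss, expected number of disasters per year) and the option names are constructed for illustration and are not from the page.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class RecoveryOption:
    """One recovery alternative and its two cost drivers."""
    name: str
    annual_cost: float     # recovery cost: preparing/testing the plan, backup premises, insurance
    recovery_hours: float  # hours from disruption until processing resumes with this option


# Constructed figures for illustration only (hypothetical, not from the page).
OPTIONS = (
    RecoveryOption("hot site", annual_cost=500_000, recovery_hours=4),
    RecoveryOption("warm site", annual_cost=200_000, recovery_hours=48),
    RecoveryOption("cold site", annual_cost=50_000, recovery_hours=336),
    RecoveryOption("no alternate site", annual_cost=0, recovery_hours=720),
)


def downtime_cost(option: RecoveryOption, hourly_loss: float, disasters_per_year: float) -> float:
    """Expected annual downtime cost: idle resources, lost sales and lost goodwill
    (expressed as a loss per hour) times the hours down per event times the
    expected number of disruptive events per year."""
    return hourly_loss * option.recovery_hours * disasters_per_year


def total_cost(option: RecoveryOption, hourly_loss: float, disasters_per_year: float) -> float:
    """The quantity the BCP should minimize: recovery cost + expected downtime cost."""
    return option.annual_cost + downtime_cost(option, hourly_loss, disasters_per_year)


def cost_table(options: Sequence[RecoveryOption], hourly_loss: float,
               disasters_per_year: float) -> dict:
    """Total expected annual cost of every option, keyed by name."""
    return {o.name: total_cost(o, hourly_loss, disasters_per_year) for o in options}


def choose_option(options: Sequence[RecoveryOption], hourly_loss: float,
                  disasters_per_year: float, rto_hours: Optional[float] = None
                  ) -> Optional[RecoveryOption]:
    """Cheapest option overall; if an RTO is given, only options that resume
    processing within it are eligible. Returns None when nothing meets the RTO,
    which is the signal that the RTO itself (or the option list) must change."""
    eligible = [o for o in options if rto_hours is None or o.recovery_hours <= rto_hours]
    if not eligible:
        return None
    return min(eligible, key=lambda o: total_cost(o, hourly_loss, disasters_per_year))


if __name__ == "__main__":
    # A process losing 10,000 per hour of outage, with one disaster expected per ten years.
    for name, cost in cost_table(OPTIONS, 10_000, 0.1).items():
        print(f"{name:18s} {cost:>12,.0f}")
    print("cheapest:", choose_option(OPTIONS, 10_000, 0.1).name)
    print("cheapest within a 24h RTO:", choose_option(OPTIONS, 10_000, 0.1, rto_hours=24).name)
```

With these figures the warm site is the overall minimum, the hot site is the minimum once a 24-hour RTO is imposed, and a one-hour RTO is met by nothing on the list, which tells the reviewer that the stated RTO is not achievable with the alternatives being considered. Lowering the hourly loss far enough makes "no alternate site" the cheapest choice, which is why the classification of a process as critical, vital, sensitive or non-sensitive has to feed the hourly-loss figure rather than be decided afterwards.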

The sum of these two costs should be minimized: spend on recovery up to the point where a further reduction in downtime cost no longer pays for itself.

OPERATIONS CLASSIFICATION:
Operations (business functions) can be classified as follows:
a) Critical: these functions cannot be performed unless they are replaced by identical or similar capabilities. The cost of disruption is very high and they cannot be performed manually.
b) Vital: these functions can be performed manually, but only for a brief time span; the cost of disruption is lower than for critical functions.
c) Sensitive: these functions can be performed manually at a tolerable cost for an extended period, but usually require additional resources (staff) to do so.
d) Non-sensitive: these functions can be interrupted for an extended period of time at little or no additional cost.


RPO - Recovery Point Objective
The RPO is the earliest point in time to which it is acceptable to recover the data. It effectively quantifies the permissible amount of data loss in case of a disruption and is determined from the acceptable data loss: the shorter the RPO, the more frequently data must be copied off the production system.

RTO - Recovery Time Objective
The RTO is the earliest point in time at which business operations must resume after a disaster. It is determined from the acceptable downtime. The lower the RTO, the lower the disaster tolerance, i.e. the time for which the business can accept the non-availability of its IT facilities, and the more expensive the recovery alternative needed to meet it.

To understand this, assume a simple case. A company takes a full backup weekly at the end of Friday/Saturday and suffers a disastrous incident at around midday on Wednesday, disrupting its normal operations. The last backup already contains all data and transactions entered up to Friday/Saturday; the transactions and data entered from the start of Monday until midday Wednesday exist only on the failed system.

The recovery point actually achieved is therefore the Friday/Saturday backup, and the Monday-to-Wednesday transactions are the data loss: they must be re-entered from source documents or written off before normal processing can restart. Whether that is acceptable is exactly what the RPO states. If the business has set an RPO of one week, the weekly backup meets it; if it can tolerate losing at most one day of transactions, weekly backups are inadequate and daily backups (or mirroring, which keeps the loss close to zero) are required.

The RTO is the longest disruption the business can accept, so a recovery method is adequate only if the data can be recovered and operations restarted within it. If recovery takes minutes or hours, the company resumes normal operations shortly afterwards. Using the illustrative figures of this example: mirroring, although relatively expensive, allows operations to be restored in about an hour, so it is preferable where immediate restoration is critical and imperative, say for a bank's ATM network or an airline's or railway's reservation system. If the company can afford a longer period of disruption, it can choose more cost-effective alternatives such as restoring from a normal disk backup (about two hours) or from tape reels, which can take as long as a day.
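The following Python script is an added example, not part of the original summary. It generalizes the Wednesday scenario above: for any backup schedule and incident time it computes the recovery point actually available, the resulting data-loss window, whether that window fits the RPO, and which recovery methods' restore times fit the RTO. The calendar dates, the Friday 18:00 backup time and the restore durations are constructed for illustration (the hour figures follow the page's example but are assumptions, not measurements).

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Sequence

# Constructed schedule: weekly full backups completed on Fridays at 18:00,
# and a disaster at midday on the following Wednesday (April 2015 calendar).
WEEKLY_BACKUPS = [datetime(2015, 3, 27, 18, 0), datetime(2015, 4, 3, 18, 0)]
INCIDENT = datetime(2015, 4, 8, 12, 0)

# Hypothetical restore times per recovery method, following the page's example figures.
RESTORE_TIME = {
    "mirroring": timedelta(hours=1),
    "disk backup": timedelta(hours=2),
    "tape reel": timedelta(hours=24),
}


def recovery_point(backups: Sequence[datetime], incident: datetime) -> Optional[datetime]:
    """Most recent backup completed before the incident; None if there is none.
    A backup still running when the disaster strikes is not usable."""
    usable = [b for b in backups if b <= incident]
    return max(usable) if usable else None


def data_loss_window(backups: Sequence[datetime], incident: datetime) -> timedelta:
    """Span of transactions that exist only on the failed system and must be
    re-entered from source documents or written off."""
    rp = recovery_point(backups, incident)
    if rp is None:
        raise ValueError("no usable backup predates the incident; everything is lost")
    return incident - rp


def meets_rpo(backups: Sequence[datetime], incident: datetime, rpo: timedelta) -> bool:
    """True when the data actually lost is within what the business said it could tolerate."""
    return data_loss_window(backups, incident) <= rpo


def methods_meeting_rto(restore_times: Dict[str, timedelta], rto: timedelta) -> List[str]:
    """Recovery methods that can have operations running again within the RTO."""
    return sorted(name for name, t in restore_times.items() if t <= rto)


def assess(backups: Sequence[datetime], incident: datetime, rpo: timedelta,
           rto: timedelta, restore_times: Dict[str, timedelta] = RESTORE_TIME) -> dict:
    """Summary a BCP reviewer wants: what is recoverable, what is lost, and whether
    the objectives the business has set are actually achievable with this schedule."""
    loss = data_loss_window(backups, incident)
    return {
        "recovery_point": recovery_point(backups, incident),
        "data_loss_hours": loss.total_seconds() / 3600,
        "rpo_met": loss <= rpo,
        "methods_within_rto": methods_meeting_rto(restore_times, rto),
    }


if __name__ == "__main__":
    # The business says: lose at most one day of data, be back within two hours.
    print(assess(WEEKLY_BACKUPS, INCIDENT, rpo=timedelta(days=1), rto=timedelta(hours=2)))
```

For the constructed schedule the loss window is 114 hours (Friday 18:00 to Wednesday 12:00), so a one-day RPO is not met while a one-week RPO is, and only mirroring and the disk-backup restore fit a two-hour RTO. The worst case for any periodic schedule is a disaster just before the next backup completes, so the backup interval itself is the figure to compare with the RPO when choosing backup frequency.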

RECOVERY STRATEGY:
A recovery strategy is a combination of preventive, detective and corrective measures. In decreasing order of effectiveness, the options are:
a) Remove the threat altogether.
b) Minimize the likelihood of occurrence.
c) Minimize the effect of occurrence.

"a" and "b" can be addressed through the implementation of physical and environmental security.

"c" is achieved by built-in resilience, such as alternative routing and redundancy, and by the recovery alternatives described below.

A recovery strategy identifies the best way to recover a system in case of interruption. The selection of a recovery strategy considers the following factors:
- Process criticality.
- Cost.
- Recovery time.
- Security.

RECOVERY ALTERNATIVES:
a) Hot sites:
These are sites that are fully configured and ready to operate within several hours. The equipment and systems software must be compatible with the primary installation being backed up. The hot site is intended for emergency operations over a limited time period and not for long-term extended use. High costs are associated with this arrangement, but they are often cost-justified for critical applications.

b) Warm sites:These are sites that are partially configured, usually with network connections and selected peripheral equipment, such as disk drives and tape drives and controllers, but without the main computer. The assumption behind the warm site concept is that the computer can usually be obtained quickly for emergency installation (provided it is a widely used model), and since the computer is the most expensive unit, such an arrangement is less costly than a hot site. A warm site is generally available at a medium cost, requires less time to become operational and is suitable for sensitive operations.


c) Cold sites:
These are sites that have only the basic environment (electrical wiring, air conditioning, flooring, etc.) needed to operate an information processing facility. The cold site is ready to receive equipment but does not hold any components in advance of the need. Activation of the site may take several weeks. Generally a cold site is contracted for a longer period at a lower cost. Since it requires more time to make a cold site operational, it is generally used for non-critical applications.

d) Mobile sites:
A mobile site is a vehicle fitted with all necessary computer equipment; it can be moved to any cold or warm site depending on the need. Whether a mobile site is needed depends on the scale of operations.

e) Duplicate Information Processing Facility:
These are dedicated, self-developed recovery sites that can back up critical applications. They can range in form from a standby hot site to a reciprocal agreement with another company's installation.

f) Reciprocal Agreement:
Reciprocal agreements are agreements between two or more organizations with similar equipment or applications. Under the typical agreement, participants promise to provide computer time to each other when an emergency arises. Such agreements are cheap, but they are difficult to enforce and depend on the partner having spare capacity, and being unaffected itself, at the time of the emergency.

CONTRACT WITH A HOT, WARM OR COLD SITE:
Contractual provisions for the use of third-party sites should cover:
- Configurations.
- Disaster definition (what event entitles the subscriber to invoke the site).
- Speed of availability.
- Subscribers per site and per area.
- Preference (priority among subscribers when several declare at once).
- Insurance.
- Usage period.
- Communications.
- Warranties.
- Audit.
- Testing and reliability.

PROCURING ALTERNATIVES:
Following are some alternatives for procuring replacement equipment:
- Vendor/third party: even though vendors require some time and are therefore not suitable for critical operations, they are usually the best replacement source.
- Off-the-shelf: such components are readily available from a supplier at short notice.
- Credit management or emergency credit card: a pre-arranged credit facility so that replacements can be bought immediately.

BCP AND DRP:
A detailed business continuity and disaster recovery plan should be developed. The following need to be included:
- Evacuation procedures.
- The procedure for declaring a disaster (who may declare one, and on what criteria).
- Clear identification of responsibilities and of the person responsible for each.
- A step-by-step explanation of the recovery option.

The plan should be documented and kept simple, so that it can be followed under stress by people other than its authors.

TEAMS:
The following teams are to be formed:
- Incident response team.
- Emergency action team.
- Damage assessment team.
- Emergency management team.
- Offsite storage team.
- Software team.
- Application team.
- Security team.
- Emergency operations team.
- Network recovery team.
- Communication team.
- Transportation team.
- User hardware team.
- Data preparation and records team.
- Administrative support team.
- Supplies team.
- Salvage team.
- Relocation team.
- Coordination team.
- Legal affairs team.
- Recovery test team.
- Training team.

TESTING AND IMPLEMENTATION:
Most business continuity tests fall somewhat short of a full-scale test of all operational portions of the corporation. This should not preclude performing full or partial tests, as one of the purposes of a business continuity test is to determine how well the plan works and which portions of it need improvement. The test should be scheduled at a time that minimizes disruption to normal operations.

SPECIFICATIONS:
The test should accomplish the following tasks:
- Verify the completeness and precision of the BCP.
- Evaluate the performance of the personnel involved.
- Evaluate training and awareness.
- Measure the ability of the backup site to perform the prescribed processing.
- Evaluate the state and quantity of equipment and supplies moved to the recovery site.
- Measure overall performance.

EXECUTION PHASES:
1) Pre-test: the set of actions that sets the stage for the actual test, such as preparing the recovery area and installing backup equipment.
2) Test: the actual test is performed.
3) Post-test: clean-up of the group's activities, such as returning resources to their proper place, disconnecting equipment and deleting company data from third-party systems.

DOCUMENTATION:
During every phase of the test, detailed documentation of observations, problems and resolutions should be maintained. This documentation serves as important historical information that can facilitate actual recovery during a real disaster.

RESULTS ANALYSIS:
It is important to have ways to measure the success of the plan and of the test against the stated objectives. Results must therefore be quantitatively gauged, as opposed to an evaluation based only on observation. Specific measurements vary depending on the test and the organization; however, these general measurements usually apply:
- Time: time elapsed in performing the tasks.
- Amount: amount of work performed.
- Count: number of vital records successfully carried to the backup site versus the number required.
- Accuracy: precision of the work done.


OFFSITE LIBRARIES:
Because it is desirable to ensure that the profit-seeking activities of a business are not interrupted in the event of a disaster, secondary storage media (usually tape reels, tape cartridges, removable hard disks or cassettes) are used to store programs and associated data for backup purposes. These media are stored in physical facilities called offsite libraries. The offsite librarian maintains a PERPETUAL inventory of all library contents to support the availability of the data.

OFFSITE LIBRARY CONTROLS:
They are important to ensure the uninterrupted operation of the business in the event of a disaster and to optimize IS resource utilization. Unauthorized access to this information could result in lost data, unauthorized changes to data, and damage to IS's ability to provide continuous computing services. The controls are:
- Physically securing the library contents.
- Locating the library away from the computer room (far enough that one event cannot destroy both).
- Ensuring that only authorized persons can access it.
- Maintaining a perpetual inventory.
- Recording all relevant information (dataset, volume, date created, location).

SECURITY AND CONTROL OF OFFSITE FACILITIES:
The offsite information processing facility needs to be as securely protected and controlled as the originating site. This includes adequate physical access controls such as locked doors, no windows, human supervision, etc. The offsite facility should not be easily identifiable from the outside; signs identifying the vendor/company and the contents of the facility should not be present, to prevent deliberate damage to the offsite facility.

MEDIA AND DOCUMENTATION BACKUP:
A crucial element of a business continuity plan, for onsite or offsite recovery, is the availability of adequate data. Duplication of important data and documentation is a prerequisite for any type of recovery, including off-site storage of such backup data and documentation.

PERIODIC BACKUP PROCEDURES:
Both data and software files should be backed up on a periodic basis. The period on which to schedule the backup may differ per application program or software system.

Rotation frequency: backups of data and software must allow for the continuing occurrence of change, i.e. the rotation cycle must be short enough that the off-site copy is never older than the RPO allows.

TYPES OF MEDIA AND DOCUMENTATION ROTATED:
Without software the computer hardware is of little value. Therefore software in the form of operating systems, programming languages, compilers, utilities and application programs must be maintained off-site in a current status. Information such as operational guides, user manuals, records, data files, databases and input/output documents provides the raw materials and the finished products of the information systems processing cycle. Sensitive data are to be stored in a fireproof media container.

NATURE OF DOCUMENTATION:
- Operating procedures.
- System and program documentation.
- Special procedures.
- Input (source) and output documents.
- The BCP itself.

ROTATION METHOD (Grandfather-Father-Son method):
- Daily backups are made over the course of the week: SON.
- The final backup taken during the week becomes the backup for that week: FATHER.
- At the end of the month, the final weekly backup is retained as the backup for that month: GRANDFATHER.
Each generation is retained for longer than the one below it, so a corrupted or missed daily backup can be made good from the weekly copy, and a bad weekly copy from the monthly one.

RECORD-KEEPING:
An inventory of the contents of the off-site storage location should be maintained. This inventory should contain information such as:
- The dataset name, volume serial number, date created, accounting period and off-site storage bin number for all backup tapes.
- The document name, location, pertinent system and date of last update for all critical documentation.
Automated tape management systems usually have options that help in recording and maintaining this information.
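The following Python script is an added example that serves both the rotation method and the record-keeping sections above; it is not part of the original summary. It simulates Grandfather-Father-Son rotation over a calendar period, showing which tapes are still held in each generation when a tier's oldest tape is reused, and then produces the perpetual off-site inventory (dataset name, volume serial, date created, accounting period, bin number) for the tapes that should be in the library. The choice of Friday as the week's final backup, the retention counts, the dataset name and the volume-serial and bin-numbering scheme are all assumptions for illustration.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumptions (not stated on the page): the week's final backup is the Friday one,
# and a Friday backup is promoted to grandfather when it is the last Friday of the month.
WEEK_END_WEEKDAY = 4  # Monday = 0 ... Friday = 4

# Constructed sample period: 1 January to 8 April 2015.
SAMPLE_START = date(2015, 1, 1)
SAMPLE_END = date(2015, 4, 8)


def classify_backup(day: date) -> str:
    """Generation a backup taken on `day` belongs to under Grandfather-Father-Son."""
    if day.weekday() != WEEK_END_WEEKDAY:
        return "son"
    # the last week-end backup of the month becomes the monthly (grandfather) copy
    if (day + timedelta(days=7)).month != day.month:
        return "grandfather"
    return "father"


def rotate(start: date, end: date, keep: Optional[Dict[str, int]] = None) -> Dict[str, List[date]]:
    """Simulate daily backups from `start` to `end` inclusive and return, per generation,
    the dates of the tapes still held. When a generation is full its oldest tape is
    reused: sons live about a week, fathers about a month, grandfathers about a year."""
    keep = keep or {"son": 6, "father": 4, "grandfather": 12}
    held: Dict[str, List[date]] = {"son": [], "father": [], "grandfather": []}
    day = start
    while day <= end:
        tier = classify_backup(day)
        held[tier].append(day)
        if len(held[tier]) > keep[tier]:
            held[tier].pop(0)  # oldest tape in this generation is overwritten
        day += timedelta(days=1)
    return held


def inventory_record(day: date, tier: str, bin_number: int,
                     dataset: str = "PAYROLL.MASTER") -> dict:
    """Off-site library entry with the fields the record-keeping section lists.
    The dataset name, the volume-serial format and the bin numbering are hypothetical."""
    return {
        "dataset_name": dataset,
        "volume_serial": f"{tier[0].upper()}{day:%y%m%d}",
        "date_created": day.isoformat(),
        "accounting_period": f"{day:%Y-%m}",
        "offsite_bin": bin_number,
        "tier": tier,
    }


def offsite_inventory(held: Dict[str, List[date]]) -> List[dict]:
    """Perpetual inventory of what should be in the off-site library right now:
    one record per retained tape, bins numbered sequentially, oldest grandfather first.
    Comparing this list with a physical count is the auditor's inventory check."""
    records = []
    bin_number = 1
    for tier in ("grandfather", "father", "son"):
        for day in held[tier]:
            records.append(inventory_record(day, tier, bin_number))
            bin_number += 1
    return records


if __name__ == "__main__":
    for rec in offsite_inventory(rotate(SAMPLE_START, SAMPLE_END)):
        print(rec["offsite_bin"], rec["volume_serial"], rec["tier"], rec["date_created"])
```

Run over the sample period, the library should hold three grandfathers (the last Fridays of January, February and March), the four most recent fathers and the six most recent daily sons; anything else found on the shelf, or anything on this list that is missing, is a discrepancy the perpetual inventory exists to reveal.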

AUDITING RECOVERY/CONTINUITY PLANS
AUDITOR TASKS:
- Understand and evaluate the BCP in connection with corporate objectives.
- Evaluate the BCP for adequacy and currency by comparing it with relevant standards.
- Verify the effectiveness of the BCP.
- Evaluate offsite storage by inspecting the facility and reviewing its contents.
- Evaluate the ability of IS personnel to respond to emergency situations.
- Review the process by which the plan was made.

BCP REVIEW:
- Obtain a current copy of the BCP manual.
- Verify the currency of the BCP.
- Evaluate the effectiveness of the documented procedures.
- Determine the level of disaster tolerance assumed.
- Obtain the list of business continuity personnel.
- Call a sample of the listed people to confirm that the contact details are valid.
- Interview people to ensure they understand their roles.
- Evaluate the process for updating the BCP.

EVALUATING PRIOR TEST RESULTS:
The business continuity plan coordinator should maintain historical documentation of the results of prior business continuity tests. The IS auditor should review these results and determine that the actions requiring correction have been incorporated into the plan.

EVALUATING OFFSITE STORAGE:
The offsite storage facility should be evaluated to ensure the presence, synchronization and currency of critical media and documentation. This includes data files, application software and documentation, systems software, systems and operations documentation, necessary supplies, special forms and a copy of the business continuity plan. The IS auditor should obtain the documentation and compare it for currency with the production documentation, evaluate its adequacy, and ensure that it conforms with managerial requirements.

INTERVIEWING KEY PERSONNEL:The IS auditor should interview key personnel required for the successful recovery of business operations. All key personnel should have an understanding of their assigned responsibilities, as well as up-to-date detailed documentation describing their tasks.

EVALUATING SECURITY AT OFFSITE FACILITY:The security of the offsite facility should be evaluated to ensure that it has the proper physical and environmental access controls. These controls include the ability to limit access to only authorized users of the facility, raised flooring, humidity controls, temperature controls, specialized circuitry, uninterruptible power supply, water detection devices, smoke detectors and an appropriate fire extinguishing system.

REVIEWING THE ALTERNATIVE PROCESSING CONTRACT:
The IS auditor should obtain a copy of the contract with the vendor of the alternative processing facility. The organization should deal with a reliable vendor and check the vendor's references carefully. Following are the guidelines:

REVIEWING INSURANCE COVERAGE:It is essential that insurance coverage reflect the actual cost of recovery. Therefore, the insurance coverage for media damage, business interruption, equipment replacement and business continuity processing should be reviewed for adequacy.
