PRESENTATION OF THE GUIDELINE
Peter Grasselli, CISA, CISSP
SLOVENSKI INŠTITUT ZA REVIZIJO (Slovenian Institute of Auditors), Ljubljana
G32 Business Continuity Plan (BCP) Review from IT Perspective
2
Contents of the guideline: 1. Background 2. Brief description of the BCP from the IT perspective 3. Independence 4. Competence 5. Planning 6. Performance of the business continuity management (BCM) review from the IT perspective 7. Reporting 8. Follow-up 9. Effective date
3
Guidelines provide guidance in applying IS auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure.
The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.
ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors. ISACA makes no claim that use of this product will assure a successful outcome.
NOTICE
4
1. Background
S6 Performance of audit work; DS4 Ensure continuous service
Purpose: a description of the usual procedure for reviewing the BCP from the IT standpoint: identification, documentation, verification and evaluation of the controls the organization has implemented in the area of the BCP process (from the IT perspective)
Terminology
5
1.6 Terminology
načrt neprekinjenega poslovanja (NNP) = Business continuity plan (BCP)
analiza poslovnih posledic (APP) = Business impact analysis (BIA)
okrevalni načrt (ON) = Disaster recovery plan (DRP)
Figure: BCM life cycle: BIA; risk assessment; BCM strategy; development and implementation of BCM plans; building a BCM culture; BCM maintenance and testing; BCM programme management
6
2. Brief description of the BCP from the IT perspective
Diagram labels: opaque (nepregleden); recurring (ponavljajoč)
2.1.2 BCP components include the following: Identification—Identify potential threats and risks of the business.
2.2.1 An essential element of BCP is risk assessment, which involves the task of identifying and analysing the potential vulnerabilities and threats, including the source.
7
Figure: BCM life cycle: BIA; risk assessment; BCM strategy; development and implementation of BCM plans; building a BCM culture; BCM maintenance and testing; BCM programme management; crisis management
Indicators of process importance:
• the process is important for people's life, health or safety
• the objective of the process is to meet legislative or statutory requirements
• an interruption of the process would mean a loss of revenue
• there could be a loss of the company's reputation or of customers
Description of business continuity management:
• Blanka Šauperl, Nataša Žabkar: Življenjski cikel upravljanja neprekinjenega poslovanja (The business continuity management life cycle), Proceedings of the 12th International Conference on IS Auditing and Control, 2004
• Renato Burazer, Pavle Golob: Načrt neprekinjenega poslovanja – tehnični vidik postavitve in preizkušanja (Business continuity plan: technical aspects of setup and testing), Proceedings of the 12th International Conference on …, 2004
• PAS 56: Guide to business continuity management
• ITIL: Service delivery, IT Service Continuity Management
8
3. Independence
4. Competence
Required knowledge and experience to review the BCP area, the individual BCP components and the business continuity management processes
Able to assess whether the BCP is aligned with the organization's needs
Understand the business environment, the organization's objectives, legal requirements, business objectives, business processes, the information needs of those processes, the strategic importance of IS and the degree of alignment of IS with the organization's strategy
9
5. Planning
Scope and objectives of the review
10
Information criteria: effectiveness, efficiency, availability, compliance, confidentiality, integrity, reliability
11
5. Planning
Scope and objectives of the review
Take into account the BCP's stage of development in the organization
12
Figure: BCM maturity levels: Initial; Repeatable (dependent on individuals); Defined (processes are formalized and approved); Managed (processes are measured quantitatively); Optimizing (continuous process improvement)
13
6. Performance of the BCM review from the IT perspective
6.1 Performance: document review
at least a basic assessment of risks in the IT area
Figure: BCM programme execution; BCM programme management; business continuity plans
14
6. Performance of the BCM review from the IT perspective
6.1 Performance: document review. CAUTION! BCP deficiencies and the changes made
• incident reports • test reports • review reports • interviews with employees and service technicians • inspection of equipment
15
6. Performance of the BCM review from the IT perspective
6.1 Performance: document review. CAUTION! BCP deficiencies and the changes made. Testing
• preparation for testing • testing • completion of testing • test report • as a rule, perform the test at the time of BCP testing
Review the test plan: • accuracy and completeness of the BCP • assess the work of the staff • training of the teams • coordination between teams • availability and capacity of the backup site • condition and quantity of the equipment moved to the backup site
16
6. Performance of the BCM review from the IT perspective
6.2 Review aspects: Why does it need to be done? How will we do it? Who will do it? Who will maintain it? What needs to be done? When must it be done? When is the disaster over? Which policies, rules and standards will we follow?
17
6.2.2 Organisational aspects should be reviewed to consider that:
The BCP is consistent with the organisational overall mission, strategic goals and operating plans
The BCP is routinely updated and considered current
The BCP is periodically tested, reviewed and verified for continuing suitability
Budget allocation is available for the BCP testing, implementation and maintenance
Risk analyses are performed routinely
A formal procedure is in place to regularly update the IT and telecom inventory
Management and personnel of the organisation have the required skills to apply the BCP and an appropriate training programme is in place
Measures to maintain an appropriate control environment (such as segregation of duties and control access to data and media) are in place in case of a contingency
Enablers are identified and the individuals' roles and responsibilities are adequately defined, published and communicated. Core teams such as: the emergency action team, damage assessment team, emergency management team, …
Communication channels are fully documented and publicised within the organisation
The interface and its impact between departments/divisions within the organisation is understood
Roles and responsibilities of external service providers are identified, documented and communicated
Coordination procedures with external service providers and customers are documented and communicated.
BCP teams have been identified for various BCP tasks, clearly establishing roles and responsibilities and management reporting that defines accountability
Compliance with statutory and regulatory requirements is maintained
6.2.3 Planning aspects should be reviewed to consider that:
A methodology to determine activities that constitute each process is in place as part of a key business process analysis
The planned IS technology architecture for the BCP is feasible and will result in safe and sound operations if a business interruption impacts key IT processes
A risk assessment and BIA were performed before the BCP implementation
BIA includes changes in the risks and corresponding effect on the BCP
The BIA identifies the key recovery time frames of the critical business processes
There is a periodic review of risks
There are appropriate incident response plans in place to manage, contain and minimise problems arising from unexpected events, including internal or external events
An appropriate schedule is in place for BCP testing and maintenance
An onsite test, simulation, triggering of events and their potential impacts should be performed
A BCP life cycle exists and is followed during development, maintenance and upgrade
The BCP is reviewed at periodic intervals to confirm its continuing suitability to the organisation
6.2.4 Procedural aspects should be reviewed to consider that:
Top management is a serious driving force in implementation of the BCP
Top priority is provided for safety of employees, personnel and critical resources
Resources and their recovery have been prioritised and communicated to the recovery teams
Awareness is created across the entire organisation on the effect to the business in the event of a disaster
Adequate emergency response procedures are in place and tested
The people involved in the disaster assessment/recovery process are clearly identified and roles and responsibilities are delineated throughout the organisation
Appropriate levels of training are conducted including mock test drills
Evacuation plans are in place and are periodically tested
Backup human resources are identified and available
Cell, telephone or other such communication call trees are reviewed, tested and routinely updated
Alternative communications strategies are identified
Backup and recovery procedures are part of the BCP
Backups are retrievable
An appropriate backup rotation practice is in place
Offsite locations (hot, warm or cold sites) are tested for availability and reliability
Appropriate offsite records are maintained
Confidentiality and integrity of data and information are maintained
Media liaison strategies are in place, where appropriate
The BCP is periodically tested and test results documented
Corrective actions are initiated based upon test results
There is adequate insurance protection
19
6. Performance of the BCM review from the IT perspective
6.3 Outsourcing of services
• alignment of the user's and the supplier's BCPs • how the service user has ensured that the service will comply with its BCP
• whether the contract provides for an audit review by the user • whether the user is adequately protected in the event of an interruption of the provider's business • whether the contract provides for delivery of the service in the event of a disaster • assurance of the integrity, confidentiality and availability of data at the provider • access controls and security management at the provider • the provider reports incidents and the measures taken in response • oversight of the network, change management and testing
20
7. Reporting
Report to: the audit committee; management
BCP weaknesses: to the business process owner; to the person responsible for the BCP in IS; significant weaknesses: to management
21
8. Follow-up
The consequences of weaknesses in the BCP usually cover a broad area and represent a high risk.
The IS auditor should, where appropriate, monitor promptly and to a sufficient degree whether management has acted immediately.
To provide reasonable assurance of the effectiveness of the review, the IS auditor should perform a follow-up review and verify whether the recommendations have been implemented and whether the corrective measures put in place are effective.
22
9. The guideline is to be applied from 1 September 2005
QUESTIONS