ch6-2009_cisa (1).pptx
TRANSCRIPT

8/19/2019 Ch6-2009_CISA (1).pptx
1/60

ISACA ®
The recognized global leaders in IT governance, control, security and assurance

Chapter 6
Business Continuity and Disaster Recovery
2009 CISA Review Course

Course Agenda
• Learning Objectives
• Discuss Task and Knowledge Statements
• Discuss specific topics within the chapter
• Case study
• Sample questions

Exam Relevance
Ensure that the CISA candidate:
"Understands and can provide assurance that in the event of a disruption the business continuity and disaster recovery processes will ensure the timely resumption of IT services while minimizing the business impact."
The content area in this chapter will represent approximately 14% of the CISA examination (approximately 28 questions).

Chapter 6 Learning Objectives
• Evaluate the adequacy of backup and restore provisions to ensure the availability of information required to resume processing
• Evaluate the organization's disaster recovery plan to ensure that it enables the recovery of IT processing capabilities in the event of a disaster
• Evaluate the organization's business continuity plan to ensure the organization's ability to continue essential business operations during the period of an IT disruption

6.2 Business Continuity & Disaster Recovery Planning
• Business continuity planning (BCP) is a process designed to reduce the organization's business risk
• A BCP is much more than just a plan for the information systems

6.2 Business Continuity & Disaster Recovery Planning (continued)
Corporate risks could cause an organization to suffer:
• Inability to maintain critical customer services
• Damage to market share, reputation or brand
• Failure to protect the company assets, including intellectual properties and personnel
• Business control failure
• Failure to meet legal or regulatory requirements

Practice Question
6-1 During an audit of a large bank, the IS auditor observes that no formal risk assessment exercise has been carried out for the various business applications to arrive at their relative importance and recovery time requirements. The risk to which the bank is exposed is that the:
A. business continuity plan may not have been calibrated to the relative risk that disruption of each application poses to the organization.
B. business continuity plan may not include all relevant applications and, therefore, may lack completeness in terms of its coverage.
C. business impact of a disaster may not have been accurately understood by the management.
D. business continuity plan may lack an effective ownership by the business owners of such applications.

Practice Question
6-2 Which of the following is necessary to have FIRST in the development of a business continuity plan?
A. Risk-based classification of systems
B. Inventory of all assets
C. Complete documentation of all disasters
D. Availability of hardware and software

Practice Question
6-3 An IS auditor should be involved in:
A. observing tests of the disaster recovery plan.
B. developing the disaster recovery plan.
C. maintaining the disaster recovery plan.
D. reviewing the disaster recovery requirements of supplier contracts.

6.2.1 IS Business Continuity & Disaster Recovery Planning
IS processing is of strategic importance:
• Critical component of overall BCP
• Most key business processes depend on the availability of key systems and infrastructure components

6.2.2 Disasters and Other Disruptive Events
• Disasters are disruptions that cause critical information resources to be inoperative for a period of time
• Good BCP will take into account impacts on IS processing facilities

6.2.3 Business Continuity Planning Process
Phases of the business continuity planning process:
• Creation of a business continuity and disaster recovery policy
• Business impact analysis
• Classification of operations and criticality analysis
• Development of a business continuity plan and disaster recovery procedures
• Training and awareness program
• Testing and implementation of plan
• Monitoring

6.2.5 Business Continuity Planning Incident Management
All types of incidents should be categorized:
• Negligible
• Minor
• Major
• Crisis

6.2.6 Business Impact Analysis
• Critical step in developing the business continuity plan
• Three main questions to consider during the BIA phase:
1. What are the different business processes?
2. What are the critical information resources related to an organization's critical business processes?
3. What is the critical recovery time period for information resources in which business processing must be resumed before significant or unacceptable losses are suffered?

6.2.6 Business Impact Analysis (continued)

6.2.6 Business Impact Analysis (continued)
What is the system's risk ranking?
• Critical
• Vital
• Sensitive
• Non-sensitive

Practice Question
6-4 The window of time for recovery of information processing capabilities is based on the:
A. criticality of the processes affected.
B. quality of the data to be processed.
C. nature of the disaster.
D. applications that are mainframe-based.

6.2.7 Recovery Point Objective and Recovery Time Objective
• Recovery Point Objective (RPO)
– Based on acceptable data loss
– Indicates earliest point in time in which it is acceptable to recover the data
• Recovery Time Objective (RTO)
– Based on acceptable downtime
– Indicates earliest point in time at which the business operations must resume after a disaster

6.2.7 Recovery Point Objective and Recovery Time Objective (continued)

6.2.7 Recovery Point Objective and Recovery Time Objective (continued)
Additional parameters important in defining recovery strategies:
• Interruption window
• Service delivery objective (SDO)
• Maximum tolerable outages

Practice Question
6-5 Data mirroring should be implemented as a recovery strategy when:
A. recovery point objective (RPO) is low.
B. RPO is high.
C. recovery time objective (RTO) is high.
D. disaster tolerance is high.

Practice Question
6-6 When preparing a business continuity plan, which of the following MUST be known to establish a recovery point objective (RPO)?
A. The acceptable data loss in case of disruption of operations
B. The acceptable downtime in case of disruption of operations
C. Types of offsite backup facilities available
D. Types of IT platforms supporting critical business functions

6.2.8 Recovery Strategies
• A recovery strategy is a combination of preventive, detective and corrective measures
• The selection of a recovery strategy would depend upon:
– The criticality of the business process and the applications supporting the processes
– Cost
– Time required to recover
– Security

6.2.8 Recovery Strategies (continued)
Recovery strategies based on the risk level identified for recovery would include developing:
• Hot sites
• Warm sites
• Cold sites
• Duplicate information processing facilities
• Mobile sites
• Reciprocal arrangements with other organizations
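The BIA risk ranking, the RPO/RTO slides and the recovery strategy slides above describe how criticality, acceptable data loss, acceptable downtime and cost together decide between mirroring to a hot site, replication to a warm site and tape recovery at a cold site (practice question 6-5 makes the same point about mirroring and a low RPO). The Python below is an added worked example, not ISACA course material: the systems, strategy menu, replication lags, recovery times and costs are all constructed, and the selection rule (cheapest alternative whose worst-case data loss fits the RPO and whose recovery time fits the RTO, itself capped by the maximum tolerable outage) is an assumption of the example rather than a rule the slides state.

```python
"""Selecting a recovery strategy against RPO, RTO and maximum tolerable outage.

Added worked example; not ISACA course material. Every system, strategy,
replication lag, recovery time and cost figure below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# BIA risk ranking (critical, vital, sensitive, non-sensitive) decides
# recovery priority: lower number recovers first.
RANK_ORDER = {"critical": 0, "vital": 1, "sensitive": 2, "non-sensitive": 3}


@dataclass(frozen=True)
class System:
    name: str
    ranking: str        # one of the keys of RANK_ORDER
    rpo_hours: float    # acceptable data loss, as the age of the last usable copy
    rto_hours: float    # acceptable downtime before the business must be operating again
    mto_hours: float    # maximum tolerable outage: hard ceiling that the RTO must not exceed


@dataclass(frozen=True)
class Strategy:
    name: str
    data_lag_hours: float    # worst-case age of the data available at the alternate site
    recovery_hours: float    # time to resume processing at the alternate site
    annual_cost: float       # constructed figure used by the cheapest-acceptable rule


# Constructed menu of alternatives, from a fully equipped hot site down to cold-site tapes.
STRATEGIES = [
    Strategy("synchronous mirroring to hot site", 0.0, 2.0, 500_000),
    Strategy("nightly replication to warm site", 24.0, 24.0, 120_000),
    Strategy("weekly offsite tapes to cold site", 168.0, 120.0, 20_000),
]


def meets_objectives(system: System, strategy: Strategy) -> bool:
    """Data loss must stay within the RPO and recovery within the RTO (capped by the MTO)."""
    deadline = min(system.rto_hours, system.mto_hours)
    return strategy.data_lag_hours <= system.rpo_hours and strategy.recovery_hours <= deadline


def select_strategy(system: System, strategies: List[Strategy] = STRATEGIES) -> Optional[Strategy]:
    """Cheapest strategy that meets the objectives. None means nothing on the menu
    satisfies the BIA, which is itself an audit finding: the objectives cannot be met."""
    acceptable = [s for s in strategies if meets_objectives(system, s)]
    return min(acceptable, key=lambda s: s.annual_cost) if acceptable else None


def recovery_plan(systems: List[System]) -> List[Tuple[str, Optional[str]]]:
    """Recovery order (by ranking, then tighter RTO first) with the chosen strategy name."""
    ordered = sorted(systems, key=lambda s: (RANK_ORDER[s.ranking], s.rto_hours))
    plan = []
    for system in ordered:
        chosen = select_strategy(system)
        plan.append((system.name, chosen.name if chosen else None))
    return plan


if __name__ == "__main__":
    sample = [  # constructed inventory with BIA results
        System("archive", "non-sensitive", 168, 240, 336),
        System("payroll", "vital", 24, 48, 72),
        System("payments", "critical", 0, 4, 8),
        System("intranet", "sensitive", 4, 8, 12),
    ]
    for name, strategy in recovery_plan(sample):
        print(f"{name}: {strategy or 'no acceptable strategy on the menu; escalate'}")
```

A system whose RTO is shorter than the fastest recovery time on the menu comes back as None; in an audit that gap is the finding to raise, rather than silently assigning the nearest strategy.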
6.2.9 Recovery Alternatives
Types of offsite backup facilities:
• Hot sites – Fully equipped facility
• Warm sites – Partially equipped but lacking processing power
• Cold sites – Basic environment
• Duplicate (redundant) information processing facility
• Mobile sites
• Reciprocal agreement
• Contract with hot, warm or cold site
• Procuring alternative hardware facilities

6.2.9 Recovery Alternatives (continued)
Provisions for use of third-party sites should cover:
• Configurations
• Disaster
• Speed of availability
• Subscribers per site and area
• Preference
• Insurance
• Audit
• Reliability

6.2.9 Recovery Alternatives (continued)
Procuring alternative hardware facilities:
• Vendor or third-party
• Off-the-shelf
• Credit agreement or emergency credit cards

Practice Question
6-7 An IS auditor discovers that an organization's business continuity plan provides for an alternate processing site that will accommodate 50 percent of the primary processing capability. Based on this, which of the following actions should the IS auditor take?
A. Do nothing, because generally, less than 25 percent of all processing is critical to an organization's survival and the backup capacity, therefore, is adequate.
B. Identify applications that could be processed at the alternate site and develop manual procedures to back up other processing.
C. Ensure that critical applications have been identified and that the alternate site could process all such applications.
D. Recommend that the information processing facility arrange for an alternate processing site with the capacity to handle at least 75 percent of normal processing.

6.2.10 Development of Business Continuity and Disaster Recovery Plans
Factors to consider when developing the plans:
• Pre-disaster readiness
• Evacuation procedures
• Circumstances under which a disaster should be declared
• Identification of plan responsibilities
• Identification of contract information
• Recovery option explanations
• Identification of resources for recovery and continued operation of the organization
• Application of the constitution phase

6.2.11 Organization and Assignment of Responsibilities
The emergency management team coordinates the activities of all other recovery teams. This team oversees:
• Retrieving critical and vital data from offsite storage
• Installing and testing systems software and applications at the systems recovery
• Identifying, purchasing, and installing hardware at the system recovery site
• Operating from the system recovery site
• Rerouting network communications traffic

6.2.11 Organization and Assignment of Responsibilities (continued)
The emergency management team coordinates the activities of all other recovery teams. This team oversees:
• Reestablishing the user/system network
• Transporting users to the recovery facility
• Reconstructing databases
• Supplying necessary office goods, i.e., special forms, check stock, paper
• Arranging and paying for employee relocation expenses at the recovery facility
• Coordinating systems use and employee work schedules

6.2.12 Other Issues in Plan Development
• Management and user involvement is vital to the success of BCP
– Essential to the identification of critical systems, recovery times and resources
– Involvement from support services, business operations and information processing support
• Entire organization needs to be considered for BCP

6.2.13 Components of a Business Continuity Plan
A business continuity plan may consist of more than one plan document:
• Continuity of operations plan (COOP)
• Disaster recovery plan (DRP)
• Business resumption plan
• Continuity of support plan / IT contingency plan
• Crisis communications plan
• Incident response plan
• Transportation plan
• Occupant emergency plan (OEP)

6.2.13 Components of a Business Continuity Plan (continued)
Components of the plan:
• Key decision-making personnel
• Backup of required supplies
• Telecommunication networks disaster recovery methods
• Redundant array of inexpensive disks (RAID)
• Insurance

Practice Question
6-8 In a business continuity plan, which of the following notification directories is the MOST important?
A. Equipment and supply vendors
B. Insurance company agents
C. Contract personnel services
D. A prioritized contact list

Practice Question
6-9 Which of the following components of a business continuity plan is PRIMARILY

6.2.13 Components of a Business Continuity Plan (continued)
Telecommunication networks disaster recovery methods:
• Redundancy
• Alternative routing
• Diverse routing
• Long haul network diversity
• Last mile circuit protection
• Voice recovery

6.2.13 Components of a Business Continuity Plan (continued)
Redundant array of inexpensive disks (RAID):
• Provide performance improvements and fault tolerant capabilities via hardware or software solutions
• Provide the potential for cost-effective mirroring offsite for data back-up

6.2.13 Components of a Business Continuity Plan (continued)
Insurance:
• IS equipment and facilities
• Media (software) reconstruction
• Extra expense
• Business interruption
• Valuable papers and records
• Errors and omissions
• Fidelity coverage
• Media transportation

6.2.14 Plan Testing
• Schedule testing at a time that will minimize disruptions to normal operations
• Test must simulate actual processing conditions
• Test execution:
– Documentation of results
– Results analysis
– Recovery / continuity plan maintenance

Practice Question
6-10 In an audit of a business continuity plan, which of the following findings is of MOST concern?
A. There is no insurance for the addition of assets during the year.
B. The business continuity plan manual is not updated on a regular basis.
C. Testing of the backup data has not been done regularly.
D. Records for maintenance of the access system have not been maintained.

6.2.15 Backup and Restoration
• Offsite library controls
• Security and control of offsite facilities
• Media and documentation backup
• Periodic backup procedures
• Frequency of rotation
• Types of media and documentation rotated
• Record keeping for offsite storage
• Business continuity management best practices
6.2.16 Summary of Business Continuity and Disaster Recovery
• Business continuity plan must:
– Be based on the long-range IT plan
– Comply with the overall business continuity strategy

6.2.16 Summary of Business Continuity and Disaster Recovery (continued)
• Process for developing and maintaining the BCP/DRP:
– Business impact analysis
– Identify and prioritize systems
– Choose appropriate strategies
– Develop the detailed plan for IS facilities
– Develop the detailed BCP
– Test the plans
– Maintain the plans

6.3 Auditing Business Continuity
• Understand and evaluate business continuity strategy
• Evaluate plans for accuracy and adequacy
• Verify plan effectiveness
• Evaluate offsite storage
• Evaluate ability of IS and user personnel to respond effectively
• Ensure plan maintenance is in place
• Evaluate readability of business continuity manuals and procedures

6.3.1 Reviewing the Business Continuity Plan
IS auditors should verify that basic elements of a well-developed plan are evident, including:
• Currency of documents
• Effectiveness of documents
• Interview personnel for appropriateness and completeness

6.3.2 Evaluation of Prior Test Results
IS auditors must review the test results to:
• Determine whether corrective actions are in the plan
• Evaluate thoroughness and accuracy
• Determine problem trends and resolution of problems

6.3.4 Interviewing Key Personnel
• Key personnel must have an understanding of their responsibilities
• Current detailed documentation must be kept

6.3.5 Evaluation of Security at Offsite Facility
An IS auditor must:
• Evaluate the physical and environmental access controls
• Examine the equipment for current inspection and calibration tags

6.3.6 Reviewing Alternative Processing Contract
• An IS auditor should obtain a copy of the contract with the vendor
• The contract should be reviewed against a number of guidelines:
– Contract is clear and understandable
– Organization's agreement with the rules

6.3.7 Reviewing Insurance Coverage
• Insurance coverage must reflect actual cost of recovery
• Coverage of the following must be reviewed for adequacy:
– Media damage
– Business interruption
– Equipment replacement
– Business continuity processing

Case Study Scenario
• Organization revising BCP and DRP for headquarters (750 employees) and 16 branches (each with 20–35 employees and mail and file / print server)
• Current plans not updated in more than 8 years
• Organization has grown by 300%
• Staff connect via LAN to more than 60 applications, databases and print servers in the corporate data centre
• Staff connect via a frame relay network to the branches
• Traveling users connect over the Internet using VPN
• Critical applications have RTO of 3–5 days

Case Study Scenario (continued)
• All users in the headquarters and branches connect to the Internet through a firewall and proxy server located in the data center
• Branch offices are located between 30 and 50 miles from one another, with none closer to the headquarters' facility than 25 miles
• Backup media for the data center are stored at a third-party facility 35 miles away
• Backups for servers located at the branch offices are stored at nearby branch offices using reciprocal agreements between offices

Case Study Scenario (continued)
Current contract with third party hot site:
• 3 year term, with equipment upgrades occurring at renewal time
• 25 servers
• Work area space with PCs for 100 employees
• Separate agreement to ship 2 servers and 10 PCs to any branch declaring a disaster
• Hot site provider has multiple sites in case the primary site is in use by another customer or rendered unavailable by the disaster

Case Study Question
1. On the basis of the above information, which of the following should the IS auditor recommend concerning the hot site?
A. Desktops at the hot site should be increased to 750.
B. An additional 35 servers should be added to the hot site contract.
C. All backup media should be stored at the hot site to shorten the RTO.
D. Desktop and server equipment requirements should be reviewed quarterly.

Case Study Question
2. On the basis of the above information, which of the following should the IS auditor recommend concerning branch office recovery?
A. Add each of the branches to the existing hot site contract.
B. Ensure branches have sufficient capacity to back each other up.
C. Relocate all branch mail and file / print servers to the data center.
D. Add additional capacity to the hot site contract equal to the largest branch.

Conclusion
• Quick Reference Review – Page 12 of the CISA Review Manual 2009