JOELLE QUIAPO FOLA OYEDIRAN GREG SWENSON SUKHI BEDI CHENYU GONG Disaster Recovery & Business Continuity Planning 19 NOVEMBER 2013 Disaster Recovery and Business Continuity Planning: Testing an Organization’s Plans What Every IT Auditor Should Know About Backup and Recovery Auditing Business Continuity

Page 1

JOELLE QUIAPO

FOLA OYEDIRAN

GREG SWENSON

SUKHI BEDI

CHENYU GONG

Disaster Recovery & Business Continuity Planning

19 NOVEMBER 2013

Disaster Recovery and Business Continuity Planning: Testing an Organization’s Plans

What Every IT Auditor Should Know About Backup and Recovery

Auditing Business Continuity

Page 2

“More difficult to calculate are the intangible damages a company can suffer.”

“Disaster recovery efforts of the past were designed to provide backup options for centralized data centers. Disaster recovery efforts of the present multivendor, multiplatform environment require a plan designed for integrated business continuity.”

Disaster Recovery


Page 3

What are the two main reasons why organizations do not test their disaster recovery plans regularly?

Question…

Answer…

- Complacency
- Costly

Page 4

“Serious business interruptions are now measured in minutes rather than hours. Because electronic transactions and communications take place so quickly, the amount of work and business lost in an hour far exceeds the toll of previous decades.”

“A minor problem—a faulty hard drive or a software glitch—can cause the same level of loss as a power outage or a flooded data center if a critical business process is affected.”

“The key to business continuity lies in understanding one’s business and determining which processes are critical to staying in that business and identifying all the elements crucial to those processes.”

- Specialized skills and knowledge
- Physical facilities
- Training and employee satisfaction
- Information Technology

Business Continuity Planning


Page 5

http://www.novamind.com/blog/2011/articles/business-continuity/

Page 6

What is the goal for companies with NO business tolerance for downtime?

Question…

Answer… Achieve a state of business continuity where critical systems and networks are available no matter what happens. Think proactively:

- Engineering availability, security and reliability into business processes from the onset
- Not retrofitting a disaster recovery plan to accommodate ongoing business requirements

Page 7

“Organizations must make an executive commitment to regularly test, validate and refresh their business continuity and disaster recovery programs to protect the organization against perhaps the greatest risk of all– complacency.”

Importance of Testing

http://www.bcm-institute.org/bcmi10/en/pr-library-2010-press-release/2011-press-release/696-mall-blast-incident-bcp-case-study

Page 8

Risks

- Complacency or unskilled personnel
- Power Failure
- IT System Crashes / Incompatible New Equipment
- No redundancy

Page 9

Risks Continued…

EXAMPLES / IMPACT

Companies in New Orleans (Hurricane Katrina 2005)

- Inability to retrieve off-site data and relocate to secondary site due to disaster impacts to both sites
- Loss of data, equipment & money

Cocoa Bakery: Jersey City, NJ (Hurricane Sandy 2012)

- Has not reopened since
- Loss of investment & equipment worth $250,000 (6 feet of water seeped in; destroyed everything)

Active Sprinkler: Brooklyn, NY (Hurricane Sandy 2012)

- Inoperable sprinklers
- Loss of credibility
- No business, but Union workers still received wages ($200,000 per week)

Interiors by Joann: Ocean City, NJ (Hurricane Sandy 2012)

- 5,000 square foot showroom flooded
- $150,000 worth destroyed (includes files and design books)
- $61,000 flood insurance (insufficient to cover damages)

Source: Emily Maltby, The Wall Street Journal, Nov 7, 2012.

Page 10

Question… Which of the following would be of MOST concern to an IS Auditor performing an audit of a disaster recovery plan (DRP)?

A. The DRP has not been tested
B. New team members have not read the DRP
C. The manager responsible for the DRP recently resigned
D. The DRP manual is not updated regularly

Answer… A. The DRP has not been tested

Page 11

Controls

CONTROL | PRIORITY | DISASTER RECOVERY | BUSINESS CONT. PLANNING
Location of critical documents | High | ✖ | ✔
Data Backups (Frequency of backup / Storage of backup media / Testing of backups) | High | ✔ | ✔
Hot / Cold site testing and readiness | High | ✔ | ✔

Page 12

As an Auditor…

DISASTER RECOVERY

- Do you have a disaster recovery plan?
- When was the DR plan last tested?
- Are employees aware of the DR plan; do they know their individual roles?
- Has an emergency coordinator been appointed?
- Has a review been conducted to determine potential risks of natural disaster and other building emergencies?

BUSINESS CONTINUITY PLANNING

- Does the business have a plan to continue operations in the event of an emergency? Does this include all business units, not just IT?
- Where is the BCP stored?
- Does the BCP document identify the minimum equipment, resources, and service required, along with the timescales within which they must be available?
- When the BCP is revised, are old copies destroyed?
- How far away is the off-site location?

Page 13

Questions