Module VII - BCP | PDF | Disaster Recovery | Backup

Module VII - BCP

The document discusses business continuity management and planning. It defines key terms like crisis, incident, disaster, risk, vulnerability and outlines objectives of BCM like identifying critical services and activities, developing continuity plans, and testing and updating plans. It also describes business impact analysis and defining recovery time and point objectives.

Uploaded by JYOTSNA

Business Continuity Management
MODULE – VII – 7%

Failure of IT
• Server or network failure
• Disk system failure
• Hacker break-in
• Denial of Service attack
• Extended power failure
• Snow storm, earthquake, tornado or fire
• Spyware, malevolent virus or worm
Definitions …1
Crisis:
An abnormal situation which threatens the operations, staff, customers
or reputation of the enterprise.
Incident:
An event that has the capacity to lead to loss of or a disruption to an
organization’s operations, services, or functions – which, if not
managed, can escalate into an emergency, crisis or disaster.

Definitions …2
Disaster:
An unplanned interruption of normal business process.
Risk:
Combination of the probability of an event and its consequence.
Vulnerability:
The degree to which a person, asset, process, information,
infrastructure or other resources are exposed to the actions or effects
of a risk, event or other occurrence.

Definitions …3
Incident Management Plan:
A clearly defined and documented plan of action for use at the time of
an incident, typically covering the key personnel, resources, services
and actions needed to implement the incident management process.
Disaster Recovery Planning:
A disaster recovery plan (DRP) is a documented process or set of
procedures to recover and protect a business IT infrastructure in the
event of a disaster.
Definitions …4
Business Continuity Planning:
Business continuity planning is the process of developing prior
arrangements and procedures that enable an organization to respond to
an event in such a manner that critical business functions can continue
within a planned level of disruption.
Business Continuity Management:
A holistic management process that identifies potential threats to an
organization and the impacts to business operations that those threats
– if realized – might cause, and which provides a framework for building
organizational resilience with the capability for an effective response
that safeguards the interests of its key stakeholders, reputation, brand,
and value-creating activities.
Related Terms
• Asset - Something of value to the organisation
• Vulnerability - Weakness in system safeguards
• Threat - Potential to harm the system
• Exposure - Extent of loss when risk materializes
• Likelihood - Probability that a threat will succeed
• Attack - Set of actions designed to compromise CIA
• Risk - Potential harm if a threat exploits a vulnerability
• Countermeasure - Measure that reduces the vulnerability of a system
• Residual Risk - Risk still remaining after the countermeasures
Other Terms
• Emergency Management Team - a team comprising executives at all levels, including IT, that is vested with the responsibility of commanding the resources to recover
• Incident - An event that has the capacity to lead to loss of or a disruption to an organisation’s operations, services, or functions – which, if not managed, can escalate into an emergency, crisis or disaster
• Minimum Business Continuity Objective (MBCO) - the minimum level of services and/or products that is acceptable to the organization to achieve its business objectives during a disruption
• Maximum Acceptable Outage (MAO) - the maximum period of time that an organization can tolerate the disruption of a critical business function. Also referred to as maximum tolerable outage (MTO), maximum downtime (MD) or Maximum Tolerable Period of Downtime (MTPD)
Recovery Time Objective – RTO &
Recovery Point Objective - RPO
RTO is determined based on the acceptable data loss in case of
disruption of operations. It indicates the earliest point in time in which
it is acceptable to recover the data.
For example, if the process can afford to lose the data up to four hours
before disaster, then the latest backup available should be up to four
hours before disaster or interruption.

RPO effectively quantifies the permissible amount of data loss in case of
interruption.

2/18/2018 COMMITTEE ON INFORMATION TECHNOLOGY, ICAI

RPO & RTO (diagram)
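The four-hour example above can be checked mechanically. The Python below is an added illustration and is not material from the ICAI module: it treats the RPO as the permissible data-loss window and the RTO as the time by which operations must resume (the definitions the module gives under "Objectives of Risk Assessment"), and checks both against a constructed list of backup completion times, an assumed incident time and an assumed restoration time. It also computes the worst-case loss a backup schedule can guarantee, which is what an RPO really constrains: the largest gap between consecutive backups, not the average.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the module): completion times of backups for one
# business process, plus an assumed incident and an assumed time at which service resumed.
BACKUPS = [
    datetime(2018, 2, 18, 2, 0),
    datetime(2018, 2, 18, 6, 0),
    datetime(2018, 2, 18, 10, 0),
]
INCIDENT_TIME = datetime(2018, 2, 18, 13, 30)   # assumed moment of interruption
RESTORED_TIME = datetime(2018, 2, 18, 21, 0)    # assumed moment operations resumed
RPO_HOURS = 4   # acceptable data loss, the slide's "four hours" example
RTO_HOURS = 8   # assumed time within which operations must resume


def latest_usable_backup(backups, incident_time):
    """Most recent backup completed at or before the incident, or None if there is none."""
    usable = [b for b in backups if b <= incident_time]
    return max(usable) if usable else None


def data_loss_hours(backups, incident_time):
    """Hours of transactions lost when restoring the latest usable backup (None: nothing to restore)."""
    b = latest_usable_backup(backups, incident_time)
    if b is None:
        return None
    return (incident_time - b).total_seconds() / 3600


def rpo_met(backups, incident_time, rpo_hours):
    """RPO is met when the restore point is no older than rpo_hours before the incident."""
    loss = data_loss_hours(backups, incident_time)
    return loss is not None and loss <= rpo_hours


def rto_met(incident_time, restored_time, rto_hours):
    """RTO is met when operations resume within rto_hours of the interruption."""
    return restored_time - incident_time <= timedelta(hours=rto_hours)


def worst_case_loss_hours(backups):
    """Largest gap between consecutive backups: the loss if the incident strikes just before a backup completes."""
    ordered = sorted(backups)
    gaps = [(b - a).total_seconds() / 3600 for a, b in zip(ordered, ordered[1:])]
    return max(gaps) if gaps else None


def schedule_satisfies_rpo(backups, rpo_hours):
    """A backup schedule can only honour the RPO if its largest gap fits within rpo_hours."""
    worst = worst_case_loss_hours(backups)
    return worst is not None and worst <= rpo_hours


if __name__ == "__main__":
    print("data lost (h):", data_loss_hours(BACKUPS, INCIDENT_TIME))
    print("RPO met:", rpo_met(BACKUPS, INCIDENT_TIME, RPO_HOURS))
    print("RTO met:", rto_met(INCIDENT_TIME, RESTORED_TIME, RTO_HOURS))
    print("schedule worst case (h):", worst_case_loss_hours(BACKUPS))
```

With the constructed data the incident falls 3.5 hours after the 10:00 backup, so a four-hour RPO holds, while the schedule's four-hour gaps mean the same RPO would be missed if the incident struck a few minutes before a backup completed; tightening the RPO to two hours fails both checks.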


Risks of inadequate BCP

Inadequate BCP could result in risks
• Inability to maintain critical customer services
• Damage to market share, reputation or brand
• Failure to protect Assets including IP and personnel
• Business control failure
• Failure to meet contractual or regulatory requirements
BCP Manual
Documented description of actions to be taken, resources to be used and procedures to be followed before, during and after a disruptive event.

The BCP Manual specifies the responsibilities of the BCM team, which serves as the liaison team between the functional area(s) affected and other departments providing support services in the event of an incident or disaster.
BCP Manual
BCM is a framework that
• Proactively improves an enterprise’s resilience against the disruption of its ability to achieve its key objectives.
• Provides a rehearsed method of restoring an enterprise’s ability to supply its key products and services to an agreed level within an agreed time after a disruption.
• Delivers a proven capability to manage a business disruption and protect the enterprise’s reputation and brand.
BCM Policy

A high level document
• To make a systematic approach for disaster recovery
• To bring about awareness among the persons in scope about the business continuity aspects and its importance
• To test and review the business continuity planning for the enterprise in scope.
BCM Policy
Objective of this policy is to provide a structure through which
• Critical services and activities will be identified.
• Plans will be developed to ensure continuity of key service delivery following a business disruption.
• Invocation of incident management and business continuity plans can be managed.
• Incident management and business continuity plans are subject to ongoing testing, revision and updating.
• Planning and management responsibility are assigned to a member of the relevant senior management team.
Objectives and Goals of BCP

Primary Objectives of BCP
• To minimize loss by minimizing the cost associated with disruptions
• To enable an organisation to survive a disaster
• To re-establish normal business operations
Objectives and Goals of BCP
Key Objectives of Contingency Plan
• Provide for the safety and well-being of people on the premises at the time of disaster
• Continue critical business operations
• Minimise the duration of a serious disruption to operations and resources
• Minimise immediate damage and losses
Objectives and Goals of BCP

Key Objectives of Contingency Plan

• Establish management succession and emergency powers

• Facilitate effective co-ordination of recovery tasks

• Reduce the complexity of the recovery effort

• Identify critical lines of business and supporting functions

Objectives and Goals of BCP

Goals of Business Continuity Plan
• Identify weaknesses and implement a disaster prevention program
• Minimise the duration of a serious disruption to business operations
• Facilitate effective co-ordination of recovery tasks
• Reduce the complexity of the recovery effort
Business Impact Analysis (BIA)
• Assess the impacts that would occur if the activity was disrupted over a period of time
• Identify the maximum time period after a disruption within which the activity needs to be resumed
• Identify critical business processes
Objectives of Business Continuity Planning…1
• Manage the risk which could lead to disastrous events
• Reduce the time taken to recover from an incident
• Minimize the risks in recovery process
• Reduce costs involved in revival of business
Objectives of Business Continuity Planning…2
• Reduce the likelihood of a disruption occurring that affects the business through a risk management process
• Protect staff and their welfare – ensure staff know their roles and responsibilities
• Prevent or reduce damage to the organization’s reputation and image
• Preserve and maintain relationships with customers
• Safeguard organization’s market share and/or competitive advantage
Business Continuity Planning

“Business Continuity Planning (BCP) is the creation and validation of a practical logistical plan for how an organization will recover and restore partially or completely interrupted critical (urgent) functions within a predetermined time after a disaster or extended disruption.”
Business Continuity Areas
• Business resumption planning - The operational piece of business continuity planning
• Disaster recovery planning - The technological aspect of business continuity planning
• Crisis management - The overall co-ordination of an organization's response to a crisis in an effective, timely manner
DR and BC
Disaster Recovery
• Disaster recovery focuses on the IT or technology systems that support business functions.
• It is a subset of business continuity.
(Diagram: Disaster Recovery sits within Business Continuity, which sits within BCM)
Elements of Business Continuity
• Disaster Recovery - Recover mission-critical technology and applications at an alternate site.
• Business Recovery - Recover the business process at an alternate site. Workspace recovery.
• Contingency Planning - To manage an external event that has far-reaching impact on the business.
Business Continuity Planning

The Risk Matrix (impact against probability):
• Low impact, low probability: IGNORE
• Low impact, high probability: NORMAL PROCEDURES
• High impact, low probability: PLAN SOMETHING
• High impact, high probability: CHANGE

April 19, 2005 © GERALD ISAACSON 2005
Business Continuity Life Cycle
The cycle has four stages:
• Risk Assessment
• Recovery Alternatives
• Recovery Plan implementation
• Recovery Plan validation
What comprises a Business Continuity Management?

Business Continuity Management comprises:
• Incident Response Plan
• Disaster Recovery Plan
• Business Continuity Plan
Types of Disasters
Natural Disaster
E.g. fire, earthquake, tsunami, typhoon, floods, tornado, lightning, blizzards, freezing temperatures, heavy snowfall, pandemic, severe hailstorms, volcano.

Artificial/Man-Made Disaster
E.g. Terrorist Attack, Bomb Threat, Chemical Spills, Civil Disturbance, Electrical Failure, Fire, HVAC Failure, Water Leaks, Water Stoppage, Strikes, Hacker Attacks, Viruses, Human Error, Loss Of Telecommunications, Data Center Outage, Lost Data, Corrupted Data, Loss Of Network Services, Power Failure etc.
Phases of Disaster
• CRISIS
• EMERGENCY RESPONSE
• RECOVERY
• RESTORATION
Phases of Disaster - example
Examples of Disaster Impact on Phases
• Serious fire during working hours: All phases in full
• Serious fire outside working hours: All the phases, however, no staff and public evacuation
• Very minor fire during working hours: Crisis Phase only, staff and public evacuation but perhaps no removal of valuable objects, Fire Service summoned to deal with the fire
• Gas main leak outside working hours, repaired after some hours: Only the emergency response phase is appropriate
Impact of Disaster
• Loss of Revenue
• Loss of Human Life
• Loss of Market Share & Goodwill
• Loss of Productivity
• Litigation
Questions
1. An organization's disaster recovery plan should address early recovery of:

A. All information systems processes.
B. All financial processing applications.
C. Only those applications designated by the IS Manager.
D. Processing in priority order, as defined by business management.

Answer: D
Business management should know what systems are critical and when they need to process well in advance of a disaster. It is their responsibility to develop and maintain the plan. Adequate time will not be available for this determination once the disaster occurs. IS and the information processing facility are service organizations that exist for the purpose of assisting the general user management in successfully performing their jobs.
2. Which of the following is MOST important to have in a disaster recovery plan?

A. Backup of compiled object programs
B. Reciprocal processing agreement
C. Phone contact list
D. Supply of special forms

Answer: A
Of the choices, a backup of compiled object programs is the most important in a successful recovery. A reciprocal processing agreement is not as important, because alternative equipment can be found after a disaster occurs. A phone contact list may aid in the immediate aftermath, as would an accessible supply of special forms, but neither is as important as having access to required programs.
4. The MOST significant level of business continuity planning program development effort is generally required during the:

A. Early stages of planning.
B. Evaluation stage.
C. Maintenance stage.
D. Testing Stage.

Answer: A
A company in the early stages of business continuity planning (BCP) will incur the most significant level of program development effort, which will level out as the BCP program moves into maintenance, testing and evaluation stages. It is during the planning stage that an IS Auditor will play an important role in obtaining senior management's commitment to resources and assignment of BCP responsibilities.
5. Disaster recovery planning for a company's computer system usually focuses on

A. Operations turnover procedures.
B. Strategic long-range planning.
C. The probability that a disaster will occur.
D. Alternative procedures to process transactions.

Answer: D
It is important that disaster recovery identify alternative processes that can be put in place while the system is not available.
6. An unplanned interruption of normal business process is?

A. Risk
B. Vulnerability
C. Disaster
D. Resilience

Answer: C
A disaster is an event which interrupts business processes sufficiently to threaten the viability of the organization. Risk is a combination of the probability of an event and its consequence. Vulnerability is the degree to which a person, asset, process, information, infrastructure or other resources are exposed to the actions or effects of a risk, event or other occurrence. Resilience is the ability of an organization to resist being affected by the incident.
7. Which of the following strategies is not encompassed by a disaster recovery plan?

A. Preventive
B. Detective
C. Corrective
D. Administrative

Answer: D
There are three basic strategies that encompass a disaster recovery plan: preventive measures, detective measures, and corrective measures. Preventive measures will try to prevent a disaster from occurring. These measures seek to identify and reduce risks. Detective measures are taken to discover the presence of any unwanted events within the IT infrastructure. Their aim is to uncover new potential threats. Corrective measures are aimed at restoring a system after a disaster or otherwise unwanted event takes place.
8. Which of the following is not a fundamental of BCP?

A. Manage the risks which could lead to disastrous events.
B. Minimize the risks involved in the recovery process.
C. Reduce the costs involved in reviving the business from the incident
D. Mitigate negative publicity

Answer: D
Mitigating negative publicity is an objective of business continuity management; the rest are fundamental aims of BCP.
9. Which phase starts with a damage assessment?

A. Crisis Phase
B. Emergency Response Phase
C. Recovery Phase
D. Restoration Phase

Answer: D
The Restoration Phase starts with a damage assessment, usually within a day or so of the disaster; when the cause for evacuation or stopping of operations has ended, normal working will be restarted. During the Restoration Phase, any damage to the premises and facilities will be repaired.
10. Which of the following is of utmost importance during the impact of a disaster?

A. Loss of Productivity
B. Loss of Revenue
C. Loss of Human Life
D. Loss of Goodwill & Market Share

Answer: C
Protection of human life is of utmost importance and the overriding principle behind continuity plans. The rest are to be considered later.
Developing a BCP
Phases in Development of a BCP
• Phase 1 – Business Impact Analysis
• Phase 2 – Risk Assessment
• Phase 3 – Development of a BCP
• Phase 4 – Testing of the BCP
• Phase 5 – Training and awareness to the employees
• Phase 6 – Maintenance of the BCP
Phase 1: Business Impact Analysis

Objectives of a BCP
• BIA can be used to prioritize the recovery sequence of data, infrastructure
• A BIA can define the minimum operating requirements a business needs to recover operations following a disruption. These things include Information Technology resources, human capital, etc.
• A BIA presents the value proposition for implementing the appropriate level of recoverability.
Business Impact Analysis (BIA)

Systematically assessing the potential impacts resulting from various events or incidents. It enables the business continuity team to identify critical systems, processes and functions, and to assess the economic impact of incidents.
Activities performed:
◦ Assess the impact of disruption
◦ Identify the maximum time period to resume
◦ Minimum requirements to begin resumption
◦ Time for normal operations to begin
◦ Relationships and interdependency of activities

Tasks to be undertaken in BIA
• Identify - organisational risks
• Identify - critical business processes
• Quantify - risks to critical business processes
• Identify – inter-dependencies of critical business processes
• Determine - maximum allowable downtime
• Identify - resources required for recovery
• Determine - impact in the event of a disaster
Phase 2: Risk Assessment
Identify which business processes and related resources are critical, what threats or exposures exist to cause an unplanned interruption, and what impact accrues due to an interruption.

Through investigation and grading relevant to each, the management can be given a clear and full understanding of the risks it faces.
Objectives of Risk Assessment
Criticality prioritization

Estimating the critical recovery time period
• RTO - Recovery time objective
  ◦ It indicates the earliest point in time at which the business operations must resume after disaster
  ◦ Critical System – zero RTO or very minimal
• RPO - Recovery point objective
  ◦ is a measure of how much data loss due to a node failure is acceptable to the business.
  ◦ Lower RPO – Higher Cost of maintaining Controls
• SDO - Service Delivery Objective
  ◦ The level of services to be reached during the alternate process mode until the normal situation is restored
Phases of Risk Assessment
• Identify the risks that departments face;
• Identify essential operations that must be restarted as quickly as possible after a disaster has taken place;
• Identify cost-effective measures that could be introduced to prevent risks or lessen their impact; and
• Provide an input for Risk Management.

All disaster events may not be anticipated or considered
Types of Threats
• Natural: Fire, Flood, Storm, Lightning, Power Failure
• Deliberate: Bomb, Accidental, Theft, Strike
• Accidental: Outage, Errors, Disclosure
Risk Assessment Methods
• Risk Ranking - The ability of a company to cope with interruption of a business process determines the TOLERANCE of the business process. The various business processes may be classified as Critical, Vital, Sensitive, Non-critical.
• Value ranges - A range of values is set for each of the following: Asset cost, likelihood of threat, vulnerability and assessment of the risk.
• Formulae for comparing risks - Use the formula Risk = (Asset Cost + Likelihood + Vulnerability)/3, then perform risk ranking.
• Computer software - The risk will be determined by an algorithm, based on ascribing values to the risk that is based on the values already ascribed to the threat, vulnerability and impact.

There is no universally appropriate formula for this process, but it approximates to Risk = Threat x Vulnerability x Impact
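Both formulae on this slide are simple; the useful question is whether they agree. The Python below is an added illustration and not material from the module: it scores a constructed inventory of three processes on an assumed 1 to 5 scale with the averaging formula and with the Threat x Vulnerability x Impact product (treating the slide's "likelihood of threat" as the Threat factor, an assumption), ranks the processes under each, and maps the averaged score onto the Critical/Vital/Sensitive/Non-critical classes using assumed thresholds. The two rankings come out in a different order, which is the practical reason the slide says there is no universally appropriate formula: the scale and the formula have to be fixed and agreed before ranking starts, or the ranking will not be reproducible.

```python
from dataclasses import dataclass

# Assumed value range for every factor; the slide only says "a range of values is set".
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class ProcessRisk:
    name: str
    asset_cost: int     # value of the asset the process depends on
    likelihood: int     # likelihood of the threat; reused as "Threat" in the product formula (assumption)
    vulnerability: int
    impact: int         # business impact if the threat materialises

    def __post_init__(self):
        # Reject out-of-range inputs so a typo cannot silently dominate the ranking.
        for factor in ("asset_cost", "likelihood", "vulnerability", "impact"):
            value = getattr(self, factor)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: {factor}={value} outside {SCALE_MIN}..{SCALE_MAX}")


def additive_risk(p):
    """Slide's first formula: Risk = (Asset Cost + Likelihood + Vulnerability) / 3."""
    return (p.asset_cost + p.likelihood + p.vulnerability) / 3


def multiplicative_risk(p):
    """Slide's second formula: Risk = Threat x Vulnerability x Impact."""
    return p.likelihood * p.vulnerability * p.impact


def rank(processes, scorer):
    """Risk ranking: process names from highest to lowest score (ties broken by name)."""
    return [p.name for p in sorted(processes, key=lambda p: (-scorer(p), p.name))]


def tolerance_class(score):
    """Map an averaged score (same 1..5 scale) onto the slide's four classes; thresholds are assumed."""
    if score >= 4:
        return "Critical"
    if score >= 3:
        return "Vital"
    if score >= 2:
        return "Sensitive"
    return "Non-critical"


# Constructed inventory of three business processes (values are illustrative only).
PROCESSES = [
    ProcessRisk("payroll", asset_cost=5, likelihood=1, vulnerability=3, impact=5),
    ProcessRisk("web-shop", asset_cost=2, likelihood=3, vulnerability=3, impact=2),
    ProcessRisk("intranet", asset_cost=4, likelihood=2, vulnerability=1, impact=4),
]


def compare_rankings(processes=PROCESSES):
    """Both rankings side by side, to show that the choice of formula changes the order."""
    return {
        "additive": rank(processes, additive_risk),
        "multiplicative": rank(processes, multiplicative_risk),
    }


if __name__ == "__main__":
    for p in PROCESSES:
        avg = additive_risk(p)
        print(f"{p.name:10s} additive={avg:.2f} ({tolerance_class(avg)}) product={multiplicative_risk(p)}")
    print(compare_rankings())
```

Averaging puts the high-value, rarely threatened payroll process first; the product formula puts the exposed but low-value web shop first, because a low likelihood multiplies away the asset value instead of being diluted by it.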
Phase 3: Development of BCP
Documentation
• BCP Policy
• BIA and Risk Assessment Report
• Aims, objectives, Activities undertaken by each function
• BCP Manual
• Training Program
• Test plans

BCP Manual
• Purpose of BCP
• TOC
• Disaster Definitions
• Objectives of the Plan
• Scope of the Plan
• Plan Approach/Recovery Strategy
• Plan Administration
• Plan Management
• Disaster Notification and Plan Notification Procedures
Some Important Teams
• Business Continuity Team
• Recovery management team
• Crisis management team
• Hardware installation team
• System recovery team
• Communications team
• User liaison team
• Administration team
• Facilities team
• Damage Assessment Team
• Application recovery team
• Logistics team
• Staff coordination team
• Insurance team
Minimum Requirements of a BCP
• Initiation procedures
• Preliminary Damage Assessment
• Put recovery site on standby
• Assemble damage assessment team
• Conduct Damage Assessment
• Determining Strategy
• Establish emergency command center
• Assemble and brief recovery team
• Notify recovery site
• Arrange movement of backup materials
• Notify impacted staff
• Fire Insurance Claims
• Detail procedures for recovery
• Primary site operations
• Return to normal operations
• Post Recovery Reviews
Phase 4: Testing of BCP
The Disaster Recovery Coordinator is responsible for testing of the disaster recovery plan at least annually to ensure the viability of the plan.

The objectives of testing the disaster recovery plan are as follows:
• Simulate the conditions of an ACTUAL Business Recovery situation.
• Determine the feasibility of the recovery process
• Identify deficiencies in the existing procedures
• Test the completeness of the business recovery information stored at the Offsite Storage Location.
• Train members of the disaster recovery teams
Types of Test
• Checklist Test
• Structured Walk Through Test
• Simulation Test
• Parallel Test
• Full Interruption Test
Testing Process
• Initiate the Test
• Develop the Test plan as per the type of test decided
• Perform the test
• Evaluate the Test
• Documentation of result
• Result Analysis
Phase 5: Training and Awareness

Purpose of training
• To train recovery team participants who are required to execute plan segments in the event of a disaster.
• To train the management and key employees in disaster prevention and awareness and the need for disaster recovery planning.

User management must be aware of the basic recovery strategy, i.e. how the plan provides for rapid recovery of their information technology systems support structure.
Training and Awareness Methods
• Walkthrough Session
• Scenario Workshop
• Live Test Simulation
Phase 6: Maintenance of BCP
It is critical that existing change management processes are revised to take recovery plan maintenance into account.

Maintenance of the plans is critical to the success of an actual recovery.

BCM testing, maintenance and audit test the enterprise's BCM to prove the extent to which its strategies and plans are complete, current and accurate, and identify opportunities for improvement.

The BCM maintenance process demonstrates documented evidence of the proactive management and governance of the enterprise’s business continuity program, and that the key people who are to implement the BCM strategy and plans are trained and competent.
Incident Handling and Management

Incident response (IR) is the set of procedures that commence when an incident is detected

Process of IRP includes
• Form IR planning team
• Develop IR policy
• Organize security incident response team
• Develop IR plan
• Develop IR procedures
• Training the Incident Response Team
• Testing the IR plan
• Selecting and maintaining tools used by the IRT
• Training users of the systems and procedures controlled by the organization
Reaction to the Incident

Triggers (circumstances that cause IR team activation and IR plan initiation) are to be defined.

What must be done to react to the particular situation is to be elaborated.

How to stop the incident if it is ongoing is also to be addressed, along with the way by which the elimination of the problem source can be achieved.
Reaction to the incident - Post
Incident Classification

Collection of data under IRP

Reaction to the incidents

Incident Notification

Documenting the Incident

Incident Containment strategies

Recovering from the incident

The after action review

Incident Response Plan review and maintenance

Invoking a BCP/DRP Phase
Key disaster recovery activities
• Activating the recovery plan
• Notifying team leaders
• Notifying key management contacts
• Redirecting information technology service to an alternate location
• Securing a new location for the data center
• Ordering and configuring replacement equipment
• Reinstalling software and data
• Reconfiguring the network
• Keeping management informed
• Keeping users informed
• Keeping the public informed
Business Categorization

Business is categorized as Vital, Essential or Desirable
Business Categorization

Parameters for business categorization
• Loss of revenue
• Loss of reputation
• Decrease in customer satisfaction
• Loss of productivity (man-hours)
Disaster Scenarios

Disaster scenarios are classed as Major, Minor, Trivial or Catastrophic
Disaster Scenarios

The scenario of disaster shall be decided with the matrix given below:
• X-axis - business impact of the infrastructure and business transaction as desirable (value=1), essential (value=2) or vital (value=3)
• Y-axis - likelihood of occurrence of the disaster on a three point scale (1-3)
(Matrix: Likelihood on the Y-axis against Business impact on the X-axis)
What is a Disaster ?

“A sudden, unplanned calamitous event that interrupts an enterprise’s ability to function.”

“Disruption of Business operations that stops the organization from providing its critical & essential services caused by the absence of critical resources – Facilities, Communications, Power, Access to Information or People”
Impact of Disasters
• Financial health - Loss of revenue/cash flow, Large extraordinary expenses
• Service levels/ Customer Attitude - Increased Competition, Key Differentiator is the Service Levels, Lost Customers don’t return
• Human resources - Fewer key people due to downsizing, Profound impact of loss of productive services
• Increasing use/dependence on Technology - Next to impossible to operate in manual mode, More info & faster, LAN & WAN cannot be down
• Liabilities for not providing services - Penalties, Management responsibility if DR is not adequately planned
Testing Process
• Setting Scenario objectives
• Defining the Boundaries
• Test Criteria
• Assumption Prerequisites
• Checklists
• Briefing session
• Analysing the test
• Debriefing session
Disaster Recovery Team
Recovery Management Team - The disaster recovery plan should contain a Disaster Management Team Call Checklist. It should specify the contact information of the team leader as well as team members, with details on which functionality he/she can be contacted for.

Tech Support Team - The disaster recovery plan should contain details about the Technical Support Team and its sub-teams like Hardware, Software, Network, Operations etc. and their respective responsibilities.
Disaster Recovery Team

Hardware Responsibilities - The responsibility of the Hardware Team is to acquire (along with the Facilities Team), configure and install servers and workstations for Organizational Information Technology users.

Software Responsibilities - The responsibility of the Software Team is to maintain the systems software at the alternate site and reconstruct the system software upon returning to the primary site. In addition, the Software Team will provide technical support to the other teams.
Disaster Recovery Team

Network Responsibilities - The Network Team is responsible for preparing for voice and data communications to the alternate location data center and restoring voice and data communications at the primary site.

Operations Responsibilities - The Operations responsibilities include the daily operation of computer services and management of all backup tapes. When a disaster is declared, the team must secure the correct tapes for transport to the alternate location. Once operations are established at the alternate location, arrangements must be made with an offsite storage service.

Technical Support Team Call - The disaster recovery plan should contain a Disaster Recovery Technical Support Team Call Checklist. It should specify the contact information of the team leader as well as team members, with details on which functionality he/she can be contacted for.
Disaster Recovery Team
Facility Team - The disaster recovery plan should contain details about the Facility Team and its sub-teams like Salvage team, new data center, new hardware team etc. and their respective responsibilities.

New Data Center Responsibilities - The New Data Center Team is responsible for locating the proper location for a new data center and overseeing the construction of it. This includes the environmental and security controls for the room.

New Hardware Responsibilities - The New Hardware Team is responsible for ordering replacement hardware for equipment damaged in the disaster and installing it in the new or rebuilt data center. Depending on the age of the damaged hardware, replacement may not be one-for-one.
Disaster Recovery Team

Resumption of normal activities - Once the threat has passed, equipment has been repaired or replaced or a new primary site has been built and stocked, the disaster recovery team will assess the situation, declare the disaster over and resume normal operations.
Documentation of BCM
• The business continuity policy;
• The business impact analysis report;
• The business continuity management system;
• The risk assessment report;
• The aims and objectives of each function;
• The activities undertaken by each function;
• The business continuity strategies;
• The overall and specific incident management plans;
• The business continuity plans;
• Change control, preventative action, corrective action, document control and record control processes;
• Local Authority Risk Register;
• Exercise schedule and results;
• Incident log; and
• Training Program
BCP Policy
The BCM policy defines the processes of setting up activities for establishing a business continuity capability and the ongoing management and maintenance of the business continuity capability.

The set-up activities incorporate the specification, end-to-end design, build, implementation and initial exercising of the business continuity capability.
BCP Policy
The ongoing maintenance and
management activities include
embedding business continuity within
the enterprise, exercising plans
regularly, and updating and
communicating them, particularly when
there is significant change in premises,
personnel, process, market, technology
or organizational structure.

BCP Policy - Objectives
The enterprise should consider defining the scope, BCM principles, guidelines and applicable standards for the enterprise. They should refer to all relevant standards, regulations and policies that have to be included or can be used as a benchmark.

• Critical services and activities undertaken by the enterprise will be identified.
• Plans will be developed to ensure continuity of key service delivery following a business disruption, which may arise from the loss of facilities, personnel, IT and/or communication or failure within the supply and support chains.
BCP Policy - Objectives
• Invocation of incident management and business continuity plans can be managed.

• Incident Management Plans and Business Continuity Plans are subject to ongoing testing, revision and updating as required.

• Planning and management responsibility are assigned to members of the relevant senior management team.
BCP Manual
A BCP manual is a documented description of actions to be taken, resources to be used and procedures to be followed before, during and after an event that severely disrupts all or part of the business operations.

A BCP Manual consists of the Business Continuity Plan and the Disaster Recovery Plan.
Elements of BCP Manual
• Purpose of the plan
• Organization of the manual
• Disaster Definitions
• Objectives of the Plan
• Scope of the plan
• Approach and BCP Recovery Strategy
• Plan Administration
• Plan Management
• Disaster Notification and activation procedures
Data Backup Strategies
• Dual Recording of Data
• Periodic Dumping of Data
• Logging input transactions
• Logging changes to the data
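The combination of periodic dumping and logging of input transactions is what makes recovery to the point of interruption possible: restore the most recent dump, then roll forward through every transaction logged after it. The following Python is an added example (not code from the original slides); the order-entry records, sequence numbers and tape contents are constructed, and the `recover` function is a hypothetical illustration of the replay logic. The same scenario appears in question 10 of the Questions section that follows.

```python
"""Periodic dumping of data combined with logging input transactions.

Recovery model: restore the most recent dump, then replay every
transaction logged after it, in sequence order, to reach the point
of interruption. Added example; all records below are constructed.
"""
import copy

# Constructed "previous day's backup": a periodic dump of the order-entry
# file, stamped with the last transaction sequence number it contains.
PREVIOUS_DAY_DUMP = {
    "seq": 3,
    "orders": {
        "A100": {"qty": 2, "status": "open"},
        "A101": {"qty": 1, "status": "shipped"},
    },
}

# Constructed "current transaction tape": every input transaction is logged
# with an increasing sequence number before it is applied to the live file.
# The repeated seq 5 record models a tape that was written twice for safety.
CURRENT_TRANSACTION_TAPE = [
    {"seq": 4, "op": "insert", "id": "A102", "qty": 5, "status": "open"},
    {"seq": 5, "op": "update", "id": "A100", "status": "shipped"},
    {"seq": 6, "op": "delete", "id": "A101"},
    {"seq": 5, "op": "update", "id": "A100", "status": "shipped"},
]


def apply_transaction(orders, txn):
    """Apply one logged input transaction to the order file in place."""
    op = txn["op"]
    if op == "insert":
        orders[txn["id"]] = {"qty": txn["qty"], "status": txn["status"]}
    elif op == "update":
        fields = {k: v for k, v in txn.items() if k not in ("seq", "op", "id")}
        orders[txn["id"]].update(fields)
    elif op == "delete":
        orders.pop(txn["id"], None)
    else:
        raise ValueError(f"unknown operation {op!r}")


def recover(dump, tape):
    """Roll forward from the dump by replaying the tape.

    Transactions whose sequence number is at or below the dump's are
    skipped: they are already reflected in the dump, or are duplicates
    of a record already replayed. Returns (recovered_state, applied_seqs).
    The dump itself is not modified, so a failed replay can be retried.
    """
    state = copy.deepcopy(dump)
    applied = []
    for txn in sorted(tape, key=lambda t: t["seq"]):
        if txn["seq"] <= state["seq"]:
            continue
        apply_transaction(state["orders"], txn)
        state["seq"] = txn["seq"]
        applied.append(txn["seq"])
    return state, applied


if __name__ == "__main__":
    recovered, seqs = recover(PREVIOUS_DAY_DUMP, CURRENT_TRANSACTION_TAPE)
    print("replayed:", seqs)
    print("recovered orders:", recovered["orders"])
```

The sequence number on the dump is the detail that matters operationally: without it the restore cannot tell which tape records are already in the dump, and replaying them twice would corrupt the recovered file. A hard-copy transaction log, as in question 10, cannot be replayed mechanically and only serves as a cross-check.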
Software and Data Back-up Techniques
Full Backup
◦ captures all files on the disk
◦ takes the most time and space, but is the simplest to restore (a single set)

Incremental Backup
◦ captures files that were created or changed since the last backup of any type (full or incremental)
◦ fastest and smallest to take, but the slowest to restore: the full backup and every incremental since it must be applied in order, and one damaged incremental breaks the chain

Differential Backup
◦ captures files that were created or changed since the last Full backup
◦ each differential grows until the next full backup, so it takes longer than an incremental, but a restore needs only the full backup plus the latest differential

Mirror Backup
◦ an exact, uncompressed copy of the source files
◦ because the files are stored as-is, the copy is not zipped and the backup tool cannot password-protect it; it must be protected by access controls on the storage it lives on
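The difference between the three techniques is easiest to see on a schedule. The Python below is an added example (not code from the original slides): it runs a full backup on day 0 followed by four daily incremental or differential backups over a constructed set of files, then reports how many copies each technique wrote and how many backup sets a restore has to apply. File names, modification days and the function names are all constructed for illustration.

```python
"""Full, incremental and differential backups: which files each captures
and which backup sets a restore must apply. Added example; the file
system and schedule below are constructed.
"""

# Constructed file system: file name -> day on which it was last modified.
MODIFIED_ON = {"a.db": 0, "b.log": 1, "c.cfg": 2, "d.txt": 2, "e.bin": 4}


def files_for_backup(kind, today, last_full_day, last_any_day, modified_on):
    """Files a backup of `kind` taken on `today` captures.

    full         -> every file present
    incremental  -> changed since the last backup of ANY type
    differential -> changed since the last FULL backup
    """
    if kind == "full":
        return {f for f, d in modified_on.items() if d <= today}
    since = last_full_day if kind == "differential" else last_any_day
    return {f for f, d in modified_on.items() if since < d <= today}


def run_schedule(kind, days, modified_on):
    """Full backup on days[0], then one `kind` backup on each later day.
    Returns the backup sets produced as (day, kind, files) tuples."""
    last_full = last_any = days[0]
    sets = [(days[0], "full",
             files_for_backup("full", days[0], last_full, last_any, modified_on))]
    for day in days[1:]:
        sets.append((day, kind,
                     files_for_backup(kind, day, last_full, last_any, modified_on)))
        last_any = day
    return sets


def sets_needed_for_restore(sets):
    """Backup sets to apply, in order, to rebuild the latest state.

    full + incrementals  -> the full and EVERY incremental after it
                            (a damaged incremental breaks the chain)
    full + differentials -> the full and only the LATEST differential
    """
    full = [s for s in sets if s[1] == "full"][-1]
    later = [s for s in sets if s[0] > full[0]]
    if later and later[-1][1] == "differential":
        return [full, later[-1]]
    return [full] + later


def restore(sets):
    """Apply the sets in order; a later copy of a file overwrites an earlier
    one. Returns {file: day of the backup set the restored copy came from}."""
    restored = {}
    for day, _kind, files in sets:
        for f in files:
            restored[f] = day
    return restored


def volume(sets):
    """Total number of file copies written across all sets (backup cost)."""
    return sum(len(files) for _day, _kind, files in sets)


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        sets = run_schedule(kind, [0, 1, 2, 3, 4], MODIFIED_ON)
        needed = sets_needed_for_restore(sets)
        print(kind, "copies written:", volume(sets),
              "sets applied on restore:", len(needed),
              "restored:", sorted(restore(needed)))
```

On this schedule the incremental strategy writes 5 file copies but needs all 5 sets at restore time, while the differential strategy writes 12 copies and restores from 2 sets; both end with the same five files. Day 3 produces an empty incremental, which is normal and must still be kept in the chain so that sequence numbering of the sets is not disturbed.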
Different Strategies
For Data: the backup strategies and techniques above.

For LAN Systems:
• Eliminating single points of failure
• Redundant cabling & devices
• Remote Access

For Communication:
• Dial Up
• Circuit Extensions
• VSAT
• On demand service from carriers
Alternative Sites
• Mirror Site
• Hot Site
• Cold Site
• Warm Site
• Offsite data protection
• Mobile Site
Alternate Processing Facility Arrangements
• Cold site
• Warm site
• Hot site
• Reciprocal agreement
Cold site
• Suitable where the organisation can tolerate some downtime
• A cold site has the basic facilities (space, power, cooling and communications links) but not the computing equipment, which must be procured and installed at invocation
• An organisation may establish its own cold-site facility
Hot site
• An organisation might need hot site backup
• Provides hardware and operations facilities
• A hot site is expensive to maintain
• Often shared with other organisations
Warm site
• A warm site provides an intermediate level of readiness between a cold site and a hot site
• It has the cold-site facilities and, in addition, might contain selected peripheral equipment
Comparison of recovery sites

2/18/2018 COMMITTEE ON INFORMATION TECHNOLOGY, ICAI

Alternate Site selection criteria
Data Vaults
Backups are stored in purpose built vaults.

Types -
• Hybrid onsite vaulting
• Hybrid offsite vaulting
System Resiliency Tools
Fault Tolerance
• Fault-tolerance is the property that enables a system (often computer-based) to continue operating properly in the event of the failure of (or one or more faults within) some of its components.

The basic characteristics of fault tolerance require:
• No single point of failure.
• No single point of repair.
• Fault isolation to the failing component.
• Fault containment to prevent propagation of the failure.
• Availability of reversion modes.
RAID - Redundant array of inexpensive (now usually read as independent) disks
It is a data storage virtualization technology that combines multiple physical disk drive components into a single logical unit for the purposes of data redundancy, performance improvement, or both. RAID protects against disk failure only; it is not a backup, because a deleted or corrupted file is faithfully mirrored or striped across every disk.
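Added example (not code from the original slides): a Python simulation of RAID 5 that stripes data across disks with one XOR parity chunk per stripe, rotates the parity position, and then rebuilds a failed disk from the survivors. The data string and disk count are constructed; it models the layout and the parity arithmetic only, not the performance or write-hole handling of a real controller.

```python
"""RAID 5 simulated: data striped across disks with one XOR parity chunk
per stripe, parity position rotating, and a single failed disk rebuilt
from the survivors. Added example; data and disk count are constructed.
"""


def xor_bytes(*chunks):
    """XOR equal-length byte strings together."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def raid5_write(data, n_disks, chunk=4):
    """Lay `data` out on n_disks (>= 3). Each stripe holds n_disks-1 data
    chunks plus one parity chunk; the parity disk rotates per stripe so no
    single disk becomes a hot spot. Returns one chunk list per disk.
    The last stripe is zero-padded, so reads return padded length."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = chunk * (n_disks - 1)
    data = data + b"\x00" * (-len(data) % per_stripe)
    disks = [[] for _ in range(n_disks)]
    for s in range(len(data) // per_stripe):
        stripe = data[s * per_stripe:(s + 1) * per_stripe]
        chunks = [stripe[i * chunk:(i + 1) * chunk] for i in range(n_disks - 1)]
        parity_disk = s % n_disks
        data_iter = iter(chunks)
        for d in range(n_disks):
            disks[d].append(xor_bytes(*chunks) if d == parity_disk else next(data_iter))
    return disks


def raid5_read(disks):
    """Reassemble the data. A disk given as None is treated as failed; each
    of its chunks is rebuilt by XORing the same stripe's chunks on every
    other disk (this works for a missing data chunk and a missing parity
    chunk alike). Two failed disks cannot be recovered."""
    n_disks = len(disks)
    if sum(d is None for d in disks) > 1:
        raise RuntimeError("RAID 5 tolerates only one failed disk")
    n_stripes = len(next(d for d in disks if d is not None))
    out = bytearray()
    for s in range(n_stripes):
        parity_disk = s % n_disks
        stripe = []
        for d in range(n_disks):
            if disks[d] is not None:
                stripe.append(disks[d][s])
            else:
                stripe.append(xor_bytes(*[disks[o][s] for o in range(n_disks) if o != d]))
        out += b"".join(stripe[d] for d in range(n_disks) if d != parity_disk)
    return bytes(out)


if __name__ == "__main__":
    disks = raid5_write(b"ORDER-ENTRY-FILE", 3)
    print("healthy:", raid5_read(disks))
    print("disk 1 lost:", raid5_read([disks[0], None, disks[2]]))
```

The reconstruction step is the whole point of the "no single point of failure" characteristic listed above: any one disk, data or parity, is the XOR of the others in its stripe. The RuntimeError on a second failure is equally important to understand; until the first failed disk has been replaced and rebuilt, the array is degraded and a second failure loses everything, which is why RAID complements off-site backups rather than replacing them.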
Insurance
Policies are contracts that obligate the insurer to indemnify the policyholder or some third party from specific risks in return for the payment of a premium.

Adequate insurance coverage is a key consideration when developing a business recovery plan and performing a risk analysis.

Resources to be covered - Equipment, Facilities, Storage Media, Business Interruption, Extra Expenses, Valuable Papers, Accounts Receivable, Media Transportation, Malpractice errors
Types of Insurance
First-party Insurance - Property Damage
◦ Insures against destruction of property

First-party Insurance - Business Interruption
◦ Covers loss incurred / profit forgone while operations are disrupted

Third-party Insurance - General Liability
◦ Covers damage that the insured's computer systems cause to others

Third-party Insurance - Directors and Officers
◦ Compensates for claims arising from acts of directors and officers
Questions
1. Which of the following control concepts should be included in a complete test of disaster recovery procedures?

A. Rotate recovery managers.
B. Invite client participation.
C. Involve all technical staff.
D. Install locally stored backup.

Answer: A
Recovery managers should be rotated to ensure the experience of the recovery plan is spread. Clients may be involved but not necessarily in every case. Not all technical staff should be involved in each test. Remote or off-site backup should always be used.
2. An advantage of the use of hot sites as a backup alternative is:

A. The costs associated with hot sites are low.
B. That hot sites can be used for a long period of time.
C. That hot sites do not require that equipment and systems software be compatible with the primary installation being backed up.
D. That hot sites can be made ready for operation within a short span of time.

Answer: D
Hot sites can be made ready for operation normally within hours. However, the use of hot sites is expensive, should not be considered as a long-term solution and does require that equipment and systems software be compatible with the primary installation being backed up.
5. Which of the following is NOT a feature of an uninterruptible power supply (UPS)?

A. It provides electrical supply to a computer in the event of a power failure.
B. It is an external piece of equipment or can be built into the computer itself.
C. It should function to allow an orderly computer shutdown.
D. It feeds a greater wattage into the computer to ensure enough power is available.

Answer: D
A UPS typically conditions the power to ensure the wattage into the computer remains consistent and does not damage the computer; it does not increase it. All other answers are features of a UPS.
7. For which of the following applications would RAID recovery be MOST crucial?

A. Point-of-sale
B. Corporate planning
C. Regulatory reporting
D. Departmental chargeback

Answer: A
A point-of-sale system is a critical online system that when inoperable will jeopardize the ability of a company to generate revenue and properly track inventory.
8. Which of the following principles must exist to ensure the viability of a duplicate information processing facility?

A. The site is near the primary site to ensure quick and efficient recovery is achieved.
B. The workload of the primary site is monitored to ensure adequate backup is complete.
C. The site contains the most advanced hardware available from the chosen vendor.
D. The hardware is tested when it is established to ensure it is working properly.

Answer: B
Resource availability must be assured. The workload of the site must be monitored to ensure that availability for emergency backup use is not impaired. The site chosen should not be subject to the same natural disaster as the primary site. In addition, a reasonable compatibility of hardware/software must exist to serve as a basis for backup. The latest or newest hardware may not adequately serve this need. Testing the site when established is essential, but regular testing of the actual backup data is necessary to ensure the operation will continue to perform as planned.
9. While reviewing the business continuity plan of an organization, the IS auditor observed that the organization's data and software files are backed up on a periodic basis. Which characteristic of an effective plan does this demonstrate?

A. Deterrence
B. Mitigation
C. Recovery
D. Response

Answer: B
An effective business continuity plan includes steps to mitigate the effects of a disaster. To have an appropriate backup plan, an organization should have a process capability established to restore data and files on a timely basis, mitigating the consequence of a disaster. An example of deterrence is when a plan includes installation of firewalls for information systems. An example of recovery is when a plan includes an organization's hot site to restore normal business operations.
10. As updates to an online order entry system are processed, the updates are recorded on a transaction tape and a hard copy transaction log. At the end of the day, the order entry files are backed up onto tape. During the backup procedure, the disk drive malfunctions and the order entry files are lost. Which of the following are necessary to restore these files?

A. The previous day's backup file and the current transaction tape
B. The previous day's transaction file and the current transaction tape
C. The current transaction tape and the current hardcopy transaction log
D. The current hardcopy transaction log and the previous day's transaction file

Answer: A
The previous day's backup will be the most current historical backup of activity in the system. The current day's transaction file will contain all of the day's activity. Therefore, the combination of these two files will enable full recovery up to the point of interruption.
Audit of BCP
Steps of BCP Process
• Identifying the mission- or business-critical functions.
• Identifying the resources that support the critical functions.
• Anticipating potential contingencies or disasters.
• Selecting contingency planning strategies.
• Implementing the contingency strategies.
• Testing and revising the strategy.
Tasks and resources of BCP
• Human resources
• Processing capability
• Automated application and data
• Computer-based services
• Physical infrastructure
• Documents and papers
Standards and Frameworks
Standards
• ISO 22301 - Business continuity management systems
• ISO/IEC 27031 - Guidelines for information and communication technology readiness for business continuity

Frameworks
• COBIT 5 - DSS04 (Deliver, Service and Support) - Manage Continuity
• COBIT 5 - APO09 (Align, Plan and Organise) - Manage Service Agreements
• COBIT 5 - BAI04 (Build, Acquire and Implement) - Manage Availability and Capacity
• COBIT 5 - BAI06 (Build, Acquire and Implement) - Manage Changes
BCP Audit Approach
Confirm Assessment Expectations / Collect Business Requirements

Evaluate the Business Continuity Process
• Process Management
• Risk Assessment and Business Impact Analysis
• Define Recovery Strategies and Business Continuity Procedures
• Training and Awareness, Plan Testing Process, Auditing and Plan Maintenance

Nothing reinforces a recommendation like benchmarking data
• Same Industry
• Same Size Company
Auditing BCP
• Understand and evaluate the business continuity strategy
• Ensure plan maintenance is in place
• Evaluate readability of business continuity manuals and procedures
• Evaluate plans for accuracy and adequacy
• Evaluate ability of IS and user personnel to respond effectively
• Verify plan effectiveness
• Evaluate offsite storage
BCP Audit Approach
Maintain information in the following areas:
• BCM Process Description and Scope
• Who Owns the BCM Process?
• Budgetary Data
• Number of Personnel Addressing Business Continuity
• Recovery Objectives (Business and IT)

Benchmarking data is available through third-party specialists, vendors etc.

In addition to a review of documentation, discussions should be held with the Business Continuity Management owners, as well as the Business Process owners whom they support, in order to better understand their expectations.
Presenting the Findings
• Reinforce Scope and Focus
• Focus on process maturity
• Provide Action Items
• Recommend a point of contact
• Offer to track completion of each action item
Service Level Agreement
A service level agreement is an agreement between the organization and the customer. The SLA details the service(s) to be provided.

Where the functions of a BCP are outsourced, the IS auditor should determine how management gains assurance that the controls at the third party are properly designed and operating effectively.

Several techniques can be used by management, including questionnaires, onsite visits or an independent third-party assurance report such as an SSAE 16 SOC 1 report or a SOC 2 or SOC 3 report. When relying on such a report, check that its scope and period actually cover the outsourced continuity services and that any complementary user-entity controls it assumes are in place on the organization's side.
Services that can be provided by an IS Auditor
• Management Consultancy Services in providing guidance in drafting a BCP
• Management Consultancy Services in designing and implementing a BCP
• Designing Test plans and conducting tests of the BCP
• Conducting Pre-implementation Audit, Post-implementation Audit and General Audit of BCP
• Consultancy Services in Revising the BCP
• Consultancy Services in Risk Assessment and BIA

Questions
1. An IS auditor reviewing an organization's information systems disaster recovery plan should verify that it is:

A. Tested every month.
B. Regularly reviewed and updated.
C. Approved by the chief executive officer.
D. Approved by the top management.

Answer: B
The plan must be reviewed at appropriate intervals, depending upon the nature of the business and the rate of change of systems and personnel, otherwise it may quickly become out of date and may no longer be effective (for example, hardware or software changes in the live processing environment are not reflected in the plan). Of course, the plan must be subjected to regular testing, but the period between tests will again depend on the nature of the organization and the relative importance of IS. Three months or even annually may be appropriate in different circumstances. Although the disaster recovery plan should receive the approval of senior management, it need not be the CEO if another executive officer is equally, or more, appropriate. For a purely IS-related plan, the executive responsible for technology may have approved the plan. Similarly, although a business continuity plan (BCP) is likely to be circulated throughout an organization, the IS disaster recovery plan will usually be a technical document and relevant to IS and communications staff only.
2. Which of the following would an IS auditor consider to be the MOST important to review when conducting a business continuity audit?

A. A hot site is contracted for and available when needed.
B. A business continuity manual is available and current.
C. Insurance coverage is sufficient.
D. Media backups are performed on a timely basis and stored off-site.

Answer: D
Without data to process, all other components of the recovery effort are in vain. Even in the absence of a plan, recovery efforts of any type would not be practical without data to process.
3. Which of the following findings would an IS auditor be MOST concerned about when performing an audit of backup and recovery and the offsite storage vault?

A. There are three individuals with a key to enter the area.
B. Paper documents are also stored in the offsite vault.
C. Data files, which are stored in the vault, are synchronized.
D. The offsite vault is located in a separate facility.

Answer: C
More than one person would need to have a key to the vault and the location of the vault is important, but not as important as the files being synchronized. Choice A is incorrect because more than one person would typically need to have a key to the vault to ensure that individuals responsible for the offsite vault can take vacations and rotate duties. Choice B is not correct because the IS auditor would not be concerned whether paper documents are stored in the offsite vault. In fact, paper documents such as procedural documents and a copy of the contingency plan would most likely be stored in the offsite vault.
4. A company performs full back-up of data and programs on a regular basis. The primary purpose of this practice is to:

A. Maintain data integrity in the applications.
B. Restore application processing after a disruption.
C. Prevent unauthorized changes to programs and data.
D. Ensure recovery of data processing in case of a disaster.

Answer: B
Back-up procedures are designed to restore programs and data to a previous state prior to computer or system disruption. These backup procedures merely copy data and do not test or validate integrity. Back-up procedures will also not prevent changes to programs and data. On the contrary, changes will simply be copied. Although backup procedures can ease the recovery process following a disaster, they are not sufficient in themselves.
5. Which of the following procedures would an IS auditor perform to BEST determine whether adequate recovery/restart procedures exist?

A. Reviewing program code
B. Reviewing operations documentation
C. Turning off the UPS, then the power
D. Reviewing program documentation

Answer: B
Operations documentation should contain recovery/restart procedures so that operations can return to normal processing in a timely manner. Turning off the UPS and then turning off the power might create a situation for recovery and restart, but the negative effect on operations would prove this method to be undesirable. The review of program code and documentation generally does not provide evidence regarding recovery/restart procedures.
6. An IS auditor performing a review of the back-up processing facilities would be MOST concerned that:

A. Adequate fire insurance exists.
B. Regular hardware maintenance is performed.
C. Offsite storage of transaction and master files exists.
D. Backup processing facilities are fully tested.

Answer: C
Adequate fire insurance and fully tested backup processing facilities are important elements for recovery, but without the offsite storage of transaction and master files, it is generally impossible to recover. Regular hardware maintenance does not relate to recovery.
7. Which of the following offsite information processing facility conditions would cause an IS auditor the GREATEST concern?

A. Company name is clearly visible on the facility.
B. The facility is located outside city limits from the originating city.
C. The facility does not have any windows.
D. The facility entrance is located in the back of the building rather than the front.

Answer: A
The offsite facility should not be easily identified from the outside. Signs identifying the company and the contents of the facility should not be present. This is to prevent intentional sabotage of the offsite facility should the destruction of the originating site be from malicious attack. The offsite facility should not be subject to the same natural disaster that affected the originating site. The offsite facility must also be secured and controlled just as the originating site. This includes adequate physical access controls such as locked doors, no windows and human surveillance.
8. Which of the following methods of results analysis, during the testing of the business continuity plan (BCP), provides the BEST assurance that the plan is workable?

A. Quantitatively measuring the results of the test
B. Measurement of accuracy
C. Elapsed time for completion of prescribed tasks
D. Evaluation of the observed test results

Answer: A
Quantitatively measuring the results of the test involves a generic statement measuring all the activities performed during BCP, which gives the best assurance of an effective plan. Although choices B and C are also quantitative, they relate to specific areas or an analysis of results from one viewpoint, namely the accuracy of the results and the elapsed time.
The End ☺
CA Narasimhan Elangovan
B. Com, CA, CS, DISA, DipIFR (UK), CISA (US), LLB
Mail: ca.narasi23@gmail.com / narasimhan@ken-co.in
LinkedIn / YouTube: Narasimhan Elangovan
