Audit Questionnaire in Word Format
Transcript of Audit Questionnaire in Word Format

Table of contents (program phases):
Program Initiation
Program Planning
Functional Requirements
Design and Development
Program Implementation
Plan Testing
Program Maintenance
PI: Program Initiation

Column key for the tables below: Question; Rating; Response and conclusions; Further Actions; Recommendation.

PI.1: Management Buy In (section rating: 6.4)

Question: Has the program been initiated formally?
Rating: 7
Response: Program was initiated by the IT department.
Recommendation: BC Program needs to be raised to top level and not just owned by IT.

Question: What is the extent of management's awareness?
Rating: 8
Response: CIO and other C-level officers are aware of the program, but other than the CIO they don't consider it a top priority.

Question: Is there a Project Sponsor?
Rating: 6
Response: CIO is the project sponsor.

Question: What is the seniority and position of the Project Sponsor?
Rating: 7
Response: CIO is the project sponsor.

Question: Does a plan exist to raise awareness of management?
Rating: 4
Response: Several presentations were given to management; some were made at their own request. They were high-level presentations. There is no formal plan to raise awareness.
Further action: Find out if there is a steering committee. A steering committee will help in raising top-level awareness.
Recommendation: Utilize the Steering Committee to raise top-level awareness.
PI.2: Program Evaluation and Approval (section rating: 5.33)

Question: High-level program objectives, requirements and drivers analyzed and documented?
Rating: 4
Response: We have some program requirements analyzed as a result of a recent BIA effort, and we have recently updated them with new requirements for the E-commerce application environment. We also have an extensive document on the reasons for establishing a BC program.
Further action: Find out if objectives for the program were defined in these documents (not clearly).
Recommendation: Define clear objectives for the program. Objectives should be stated in both general and specific terms.

Question: Business case prepared and evaluated?
Rating: 4
Response: Yes. An informal business case was prepared.
Further action: Was a budget prepared? (Yes. We presented our initial budget and provided an estimate of the yearly budget to the CIO.)

Question: Clear Go/No Go decision made, and at what level of management?
Rating: 8
Response: Yes. CIO made the Go/No Go decision and presented this decision to senior management. But the board was not involved in this process.
Recommendation: The board needs to have active involvement in the overall high-level evaluation process.
PI.3: Program Commitment (section rating: 2.86)

Question: Full-time qualified program manager assigned?
Rating: 2
Response: No. We have a part-time (70%) business continuity coordinator assigned to this task. He is from the corporate planning department and has been involved with Emergency Response Planning in the past.
Further action: Find out if the coordinator has business continuity or DRP experience (No).
Recommendation: Assign full-time BC responsibility to the BC coordinator.

Question: Steering committee established?
Rating: 6
Response: A committee structure has been proposed and is awaiting approval. (The company has a history of establishing steering committees for high-profile critical projects.) This is definitely a strength.

Question: Steering committee members have clear roles and responsibilities defined?
Rating: 3
Response: No.
Recommendation: Define clear roles and responsibilities for the Steering Committee.

Question: BC Program is part of strategic objectives and plan?
Rating: 1
Response: No.
Recommendation: Include the BC Program as part of Corporate Strategic Objectives.

Question: BC Program policy exists?
Rating: 2
Response: We have a security policy which covers BC from the perspective of availability of critical systems.
Recommendation: Create a BC policy statement.

Question: BC Program policy fully communicated?
Rating: 1
Response: No.
Recommendation: Utilize corporate communications to communicate the BC policy.

Question: BC culture is well established?
Rating: 5
Response: No. But IT and business units have a better BC/DR culture compared to the rest of the company.
Recommendation: Develop a plan to improve corporate-wide BC culture.
PP: Program Planning

PP.1: Interim Temporary BC Plan (section rating: 5)

Question: Interim BC Plan exists if a long-term plan doesn't exist?
Rating: 5
Response: Yes. But it has evolved since it was initially written.
Further action: Review all earlier versions.

Question: Interim recovery strategy developed?
Rating: 5
Response: Mutual agreement with our strategic partner.
Further action: Review agreements. (Not enough careful planning and design. Agreements show weaknesses if a disaster lasts for longer than 2 or 3 days.)

Question: Interim agreements in place for recovery of key resources, sources, and services?
Rating: 5
Response: Mutual agreement.

Question: Interim recovery teams created?
Rating: 5
Response: Yes. The team has evolved since it was initially established.
PP.2: BC Program Management Document (section rating: 4.43)

Question: BC Program management document exists?
Rating: 6
Response: We have a project plan in place.
Further action: Check the project plan details. (The project plan is well structured, but a complete program document is missing; the project plan is part of the BC plan.)
Recommendation: Create a BC program document which is separate from the BC plan.

Question: A need statement prepared (why is the program needed and what are the drivers)?
Rating: 7
Response: We have a statement that indicates the main drivers: external contract requirements and SOX compliance. It also includes the company's strategic objectives.
Further action: Review the statements. Ask if they have researched industry-specific requirements (No).
Recommendation: Research industry-specific BC requirements.

Question: Program objectives are well defined, aligned and approved?
Rating: 4
Response: Defined in BC plan document. Plan objectives are defined in general terms.
Recommendation: Suggest inclusion of specific objectives.

Question: Program scope is defined and approved?
Rating: 6
Response: Defined in BC plan document. Plan scope is defined.
Recommendation: Suggest including what is not in scope as well.

Question: Program assumptions are stated explicitly?
Rating: 0
Response: Defined in BC plan document.
Further action: No written program assumptions.
Recommendation: State all key assumptions in the program document.

Question: Program deliverables are identified?
Rating: 8
Response: Defined in the project plan.

Question: Program risks are analyzed and mitigation actions identified?
Rating: 0
Response: Defined in BC plan document.
Further action: Investigate further. (No evidence of program risks in the BC Plan document.)
Recommendation: Assess program risks and mitigation steps.
PP.3: Program Structure (section rating: 4.7; marked "3 (high risk factor)" in the source)

Question: Program divided into logical phases?
Rating: 8
Response: Project plan has logical phases.
Further action: Risk and BIA are combined as one phase (not a major concern at this time since it has been completed).

Question: Phases are divided into activities?
Rating: 7
Response: Yes.

Question: Activities are assigned due dates, start and end times, and dependencies?
Rating: 7
Response: Yes.

Question: A BC Steering Committee exists?
Rating: 4
Response: Not currently. But the CIO is presenting a case to top management for such a committee next month.
Recommendation: Establishment of a Steering Committee must become a high priority. It will help to resolve a number of current obstacles and issues.

Question: A BC program team structure is defined with reporting hierarchy?
Rating: 7
Response: Yes. Three types of teams: emergency management, emergency response, and business unit teams.
Further action: Assess team structure.

Question: Team structure includes top management, program sponsor, BC coordinator, consultants, etc.?
Rating: 7
Response: Yes. Emergency management team includes President/CEO, COO, CFO, etc.

Question: Team roles and responsibilities are well defined?
Rating: 2
Response: At a high level only. Team members' tasks are not assigned.
Recommendation: Define tasks for team members.

Question: Personnel assigned to the team structure with well-defined responsibilities?
Rating: 2
Response: No. Personnel are assigned to teams but not with well-defined responsibilities.
Recommendation: Define responsibilities for team members.

Question: Alternates to team members are assigned?
Rating: 2
Response: No.
Recommendation: Assign alternates to team members.

Question: Are there any BC team members working in a part-time capacity?
Rating: 1
Response: Yes. The BC coordinator is part-time. There are two assistants to the BC coordinator working part-time on the BC project. Business unit representatives also work on a part-time and as-needed basis.
Further action: Find out what those part-time staff are responsible for and how critical those responsibilities are. This is a high risk factor.
PP.4: Approval Process (section rating: 5.17)

Question: BC Program approval process exists for budget, objective and scope, contracts, projects, policy, hiring, etc.?
Rating: 7
Response: Only through the CIO, but once the steering committee concept is approved, a program approval process will be defined.

Question: Senior management and board level process?
Rating: 6
Response: Senior management will be presenting the case for a formal BC program at the next board meeting.

Question: Steering committee level process?
Rating: 3
Response: None.

Question: Program sponsor level?
Rating: 7
Response: CIO is the program sponsor.

Question: BC program coordinator level?
Rating: 7
Response: BC program coordinator requests approval directly from the CIO.

Question: Business unit level?
Rating: 1
Response: None. They are currently not involved in the approval process.
FR: Functional Requirements

FR.1: General Assessment

Question: Functional requirements have been assessed?
Response: Partially. Complete: FR.2.

Question: Functional requirements have been documented?
Response: Not in a formal way.

Question: Functional requirements have been reviewed by senior management?
Response: We will be presenting general requirements to the Steering Committee in the near future.

Question: Functional requirements have been approved?
Response: Not yet.
FR.2: Detailed Requirements related to Standards, Rules, and Regulations (section rating: 4.3333)

Question: General applicable standards and guidelines have been identified?
Rating: 8
Response: Yes. Documents indicate DRII and BS17799.
Recommendation: Recommend also including NFPA 1600 standards.

Question: Industry guidelines, rules, and regulations identified?
Rating: 4
Response: There hasn't been any effort to find out industry-specific requirements other than SOX.
Further action: Briefly research industry-specific guidelines and make recommendations.

Question: Specific requirements related to standards, rules and regulations assessed and documented?
Rating: 1
Response: No. There hasn't been any effort to find out industry-specific requirements other than SOX.
FR.2: Risk Management (section rating: 3.6)

Question: Formal or informal risk assessment was conducted, and how long ago?
Rating: 3
Response: Informal assessments (brainstorming) have been done every year.

Question: Risk assessment was comprehensive in scope and aligned with program scope?
Rating: 8
Response: Limited to HQ, data center, and office areas only.
Further action: Review reports.

Question: Qualified risk expert(s) assisted with the risk assessment?
Rating: 2
Response: BC coordinator conducted the risk assessment with key staff involvement.
Recommendation: Recommend obtaining qualified experts' assistance to review and conduct threat and risk assessments.

Question: All potential threats were considered?
Rating: 2
Response: As many as we could determine.
Further action: Review list of threats and the company's exposure (not all threats were considered).

Question: Assessment was based on a sound and proven method?
Rating: 3
Response: Yes.
Further action: Review methods used. Quantitative vs. qualitative approach. Is there a sound basis for calculating threat probabilities? (Risk assessment is based on a qualitative and informal approach.)

Question: Top management reviewed the threats and risks?
Rating: 3
Response: CIO and senior business unit managers only.

Question: Company's appetite for risk identified and approved?
Rating: 4
Response: Not formally.

Question: Both regional and local threats were considered?
Rating: 3
Response: Local threats mostly, but some regional.

Question: Existing risk controls were considered?
Rating: 5
Response: Yes.

Question: Management concurs with risk assessment findings?
Rating: 3
Response: CIO and senior business unit managers have reviewed the findings but have not provided feedback on concurrence.
FR.3: BIA (section rating: 8.6667)

Question: A formal BIA was conducted?
Rating: 9
Response: Yes.
Further action: Review BIA findings.

Question: Scope of the BIA is consistent with program scope?
Rating: 9
Response: Yes.

Question: Representatives from all areas of business within scope participated in the BIA?
Rating: 9
Response: Yes.

Question: Critical business processes have been identified?
Rating: 9
Response: Yes.

Question: Financial losses analyzed?
Rating: 9
Response: Yes.

Question: Operational impacts analyzed?
Rating: 9
Response: Yes.

Question: Worst-case assumptions were used?
Rating: 9
Response: Yes.

Question: Maximum Tolerable Downtime identified?
Rating: 9
Response: Yes.

Question: RTO identified?
Rating: 9
Response: Yes.

Question: RPO identified?
Rating: 9
Response: Yes.

Question: How long ago was it completed?
Rating: 9
Response: 3 months ago.

Question: Critical systems and applications identified?
Rating: 9
Response: Yes.

Question: Qualified experts conducted the BIA?
Rating: 9
Response: Yes.

Question: Key concerns and issues captured and addressed?
Rating: 4
Response: Yes.

Question: Management is aware of and concurs with BIA results?
Rating: 9
Response: Yes.
FR.4: Offsite Data Storage (section rating: 5.5)

Question: Offsite storage requirements analyzed thoroughly?
Rating: 6
Response: Partially, through the BIA.

Question: When were requirements last analyzed?
Rating: 7
Response: IT department has a list of backup data requirements.

Question: Scope of storage requirements is consistent with program scope?
Rating: 8
Response: We back up both critical and non-critical applications and data.
Further action: Find out which backup vendor they use. Assess the vendor's service reliability. (Storage Mountain.)

Question: Data backup requirements are known for all critical applications and systems?
Rating: 9
Response: We now have different RPOs.

Question: Gaps in backup frequency are analyzed?
Rating: 9
Response: Yes.

Question: Backup frequency established for all critical data?
Rating: 9
Response: Yes, through the BIA.

Question: Backup media type requirements are known?
Rating: 4
Response: Right now it is all on tapes.
Further action: Find out if anyone uses media other than tape. Some users still use CDs to store data on their PCs. We didn't see this on the list of data backup requirements from IT.
Recommendation:

Question: Safe handling and storage requirements documented?
Rating: 2
Response: No.
Recommendation: Assess safe handling and storage requirements.

Question: Data integrity testing requirements are known?
Rating: 1
Response: No.
Recommendation: Assess data integrity test requirements.

Question: Data classification and security requirements are documented?
Rating: 1
Response: No.
Further action: Check to see if there is any sensitive data. (Clients' credit card information is stored along with their address information.)
Recommendation: Assess data classification and security requirements.

Question: Storage media retention period documented?
Rating: 1
Response: No. But we recycle the tapes from time to time.

Question: Backup tool/software requirements are known?
Rating: 9
Response: We currently use IBM's Tivoli Storage Manager.
FR.5: Work Area (section rating: 6)

Question: Requirements for alternate work area are analyzed and documented (space, personnel, equipment, facilities, etc.)?
Rating: 8
Response: Our Canadian site may be sufficient as a work area until we get the more permanent work site with SunGard.
Further action: They have work area requirements in terms of the number of workstations needed.

Question: Requirements are aligned with BIA findings in terms of critical business units and applications?
Rating: 8
Response: Workstation requirements are aligned with critical applications.

Question: Space requirements are known?
Rating: 1
Response: No.
Recommendation: Work out the detailed work area space requirements.

Question: Support personnel are known?
Response: Yes. We know the key staff from the business areas needed in the recovery.

Question: Workstation requirements are known?
Rating: 9
Response: Yes.

Question: Network connectivity requirements are known?
Rating: 9
Response: Yes.

Question: Non-IT resource requirements are known (faxes, copiers, etc.)?
Rating: 1
Response: No. We will rely on whatever is available at the Canadian site.
Recommendation: Work out the non-IT work area requirements for the long-term recovery strategy.
FR.6: Crisis Management Center (CMC) (section rating: 2.3)

Question: Requirements for CMC are analyzed and documented (space, personnel, equipment, facilities, etc.)?
Rating: 2
Response: Emergency Operations Center (EOC) already exists as part of the Emergency Response Plan.
Further action: Verify if the BC plan is very closely integrated with the EOC. (The EOC team has not yet assessed the specific BC response requirements. There is an assumption that the current design of the EOC will be sufficient to include BC response activities.)
Recommendation: Assess BC-related CMT requirements and determine if the current EOC design is sufficient.

Question: Requirements for crisis management center are analyzed and documented (space, equipment, facilities, etc.)?
Rating: 2
Response: We expect to use the EOC.

Question: Workstation requirements?
Rating: 4
Response: We will need a workstation for each member of the CM team.
Further action: Find out if the planning tool is included in this requirement. (Not yet, since they have not purchased the tool.)

Question: Connectivity requirements?
Rating: 2
Response: No.

Question: Non-IT resource requirements?
Rating: 2
Response: No.
FR.7: Personnel (section rating: 1.8)

Question: Are detailed requirements for personnel covered?
Response: No.

Question: Contractors required?
Rating: 5
Response: No.
Further action: Find out if they have contractors. (IT department has several contractors that support critical applications.)

Question: Contract agreement includes support during the recovery period?
Rating: 1
Response: No. But we assume that they will help us out.
Recommendation: Include BC-related support requirements in contractor agreements.

Question: Temporary help required?
Rating: 1
Response: Only if full-time staff are not available.
Recommendation: Identify specific temporary staff requirements to help with the recovery effort.

Question: Detailed skill requirements for recovery staff?
Rating: 1
Response: No.
Recommendation: Identify detailed skill requirements for key recovery staff.

Question: Pay requirements?
Rating: 1
Response: We have started talking with HR on salary requirements during a disaster recovery period. HR wants to talk to senior management first on this issue.
Recommendation: Develop pay requirements for recovery staff during a disaster.

Question: Union rules and policies are part of the requirements?
Rating: 1
Response: Company is unionized, but they have not been involved in the BC effort.
Recommendation: Work with the workers' union to evaluate the impact of rules and regulations on the BC team and staff in general.

Question: Government labor laws are accounted for in the requirements?
Rating: 1
Response: No.
Recommendation: Work with HR to evaluate labor laws and their impact on the recovery team and their recovery assistance.

Question: Travel requirements are known?
Rating: 8
Response: Yes. Team members are expected to travel to the Canadian site, and each is given a checklist.

Question: Do you have BC team insurance coverage?
Rating: 0
Response: No.
Recommendation: Evaluate insurance requirements for the BC team.
FR.8: Critical Records (section rating: 5.5)

Question: Critical records recovery is part of the BC program?
Rating: 4
Response: It is the responsibility of business units.
Further action: It seems like IT recovery has been the biggest focus so far. Check to see if critical records are part of the BC Project Plan. (It is not covered. But the business unit recovery assessment shows that some units do have a critical record recovery program.)
Recommendation: Critical records should not be the responsibility of business units alone; assign someone with central responsibility for coordinating critical record continuity.

Question: Critical records inventory exists?
Rating: 4
Response: Business units maintain their own records inventory. Critical paper records are stored with laptops at Iron Mountain.
Further action: Are there electronic records that are critical? (Yes, but they are not backed up.)
Recommendation: Assess electronic record recovery requirements.

Question: Records are categorized (vital, important, useful, etc.)?
Rating: 7
Response: Yes.

Question: Inventory includes title of record, ownership, content type, users, etc.?
Rating: 7
Response: Yes.

Question: Record retention period determined?
Rating: 5
Response: No. It is mostly paper based.

Question: Inventory includes information on backup frequency?
Rating: 6
Response: It is all done weekly.

Question: Inventory includes media storage type and capacity?
Rating: 5
Response: Yes.

Question: Requirements for document scanning assessed?
Rating: 0
Response: No. We don't have any document management system.

Question: Requirements for Document Management System analyzed?
Rating: 0
Response: No. We don't have any document management system other than Iron Mountain Connect.
Recommendation: Suggest investigating a document management system tool.

Question: Requirement for local storage assessed?
Rating: 0
Response: No.

Question: Requirement for remote storage assessed?
Rating: 6
Response: Yes.

Question: Security requirements are documented?
Rating: 7
Response: Yes.

Question: Safe handling procedures are documented?
Rating: 7
Response: Yes.
FR.9: SLA and Contract Requirements (section rating: 7.4)

Question: SLAs and contracts identified?
Rating: 9
Response: SLAs with data communication services and voice services. There is also a pending SLA with our key client. We also have contracts in place with our data backup vendor. A contract is also in place for quick-ship of a server.

Question: Points of contact are documented?
Rating: 9
Response: Yes. Internal procurement procedures are well structured and controlled.

Question: General requirements and obligations analyzed?
Rating: 9
Response: Yes. We follow internal contract guidelines.
Further action: Review the guidelines.

Question: Quality of service and performance requirements are documented?
Rating: 9
Response: Yes.

Question: Worst-case non-compliance scenarios and impacts assessed?
Rating: 1
Response: No. It is not part of our internal guideline.
Recommendation: Include clauses (penalties) in SLAs and contracts for worst-case non-compliance scenarios.
FR.10: External Coordination (section rating: 4.75)

Question: All external coordination requirements analyzed: first responders and local authorities?
Rating: 6
Response: Through ERP only.
Further action: Review ERP for external coordination and find out if it includes BC coordination. (Not very tight integration of BC and ERP.)
Recommendation: Develop a closer integration of BC with ERP. Include a member of ERP in BC and vice versa.

Question: Coordination requirements documented for suppliers?
Response: Not in scope.

Question: Coordination requirements documented for distributors?
Response: Not in scope.

Question: Coordination requirements documented for labor unions?
Rating: 0
Response: No.
Further action: Review labour union rules and contracts.
Recommendation: Include a labour union representative in the BC team.

Question: Coordination requirements documented for service providers?
Rating: 9
Response: Yes. We already have SLAs for WAN, Internet, and voice services.
Further action: Review SLAs to see coordination points. Check points of contact, SLA review dates, meetings, etc.

Question: Coordination requirements documented for clients and customers?
Rating: 6
Response: It is part of ERP.
Further action: Review ERP for external coordination and find out if it includes BC coordination.

Question: Coordination requirements documented for landlords and building management?
Rating: 1
Response: We only have one building in the area leased, but we have not coordinated with the landlord.
Further action: ERP does not include landlord coordination.
Recommendation: Recommend establishing disaster coordination with landlords and building management.

Question: Coordination requirements documented for insurance company?
Rating: 3
Response: Insurance documents are attached to our Interim BC plan.
Further action: Review insurance documents.
Recommendation: Recommend communication and coordination with insurance agents and adjusters.

Question: Recovery vendors?
Rating: 8
Response: The mutual agreement includes coordination information, but we also have coordination information with SunGard.

Question: Data backup vendors?
Rating: 5
Response: So far there hasn't been any major problem with coordination with the backup vendor. We have a yearly contract in place. We deal with issues as they arise.
Recommendation: Recommend better coordination with the data backup vendor.
FR.11: Training and Awareness (section rating: 6.5)

Question: Training and awareness is part of the BC Program?
Rating: 8
Response: Our BC coordinator and her assistants have been to BC conferences and training courses. The BC coordinator has documented the need for training and awareness.
Further action: Assess requirements for personnel outside of BC teams.

Question: Personnel requiring training identified?
Rating: 6
Response: BC team members only.

Question: Experience levels assessed?
Rating: 6
Response: No. Focus of training is primarily on BC team members.

Question: Training needs documented?
Rating: 6
Response: Yes. Only for BC team members.
FR.12: Salvage & Restoration (section rating: 0)
Recommendation: Recommend evaluating and documenting salvage and restoration requirements.

Question: All critical resources for salvage and restoration identified?
Rating: 0
Response: Critical documents are the responsibility of business units.

Question: Physical areas and buildings for salvage and restoration assessed?
Rating: 0
Response: Facilities is responsible for this.

Question: Salvage and restoration scenarios for critical resources and areas assessed?
Rating: 0
Response: No.
FR.13: Insurance Requirements (section rating: 3.5)

Question: Disaster insurance exists, and who is responsible for its purchase internally?
Rating: 3
Response: We have a standard disaster clause in our insurance policy; Finance is responsible for it.
Further action: Review the insurance policy for comprehensive disaster coverage.

Question: Insurance purchase process is integrated with the BC program?
Rating: 0
Response: No.
Recommendation: Integrate the insurance purchase process with the BC program.

Question: Insurance requirements to report and claim a disaster are known?
Rating: 0
Response: No.
Recommendation: Determine the insurance claim process.

Question: Secondary site insurance requirements?
Rating: 7
Response: Covered by the recovery vendor.
FR.14: BC Tools (section rating: 5)

Question: BC tools and software requirements are known?
Rating: 5
Response: Yes. We need a tool that is web based and allows business unit plans and integration of IT and ERP. Easy to maintain and learn. Security is also important.
Recommendation: Assess document/record management system tool requirements.

Question: High-level descriptions of tools' features and capabilities are identified?
Rating: 6
Response: Yes.

Question: Tools have been researched and compared?
Rating: 8
Response: We have evaluated four different tools.

Question: Support staff resource requirements have been analyzed?
Rating: 1
Response: No.
Recommendation: Assess requirements for tool admin/support staff.
FR.15: Assembly Location (section rating: 2.75)

Question: Assembly location requirements identified?
Rating: 4
Response: ERP specifies the assembly location.

Question: Assembly location capacity requirements are known?
Rating: 1
Response: No.
Further action: Find out if it was used in the last plan test. (Yes. We were not able to get everyone into the assembly location due to fire and safety regulations.)
Recommendation: Assess detailed assembly site capacity requirements.

Question: Distance location requirements are known?
Rating: 5
Response: About 3 miles away from the primary site.
Further action: Do you have another site in case this assembly site is not available? (Yes, the EOC.)
Recommendation: Recommend assessing requirements for a tertiary assembly location.

Question: Ability of personnel to travel and meet at the assembly location analyzed?
Rating: 1
Response: Not specifically for BC team members.
Recommendation: Assess detailed travel and accessibility requirements for BC team members.
DD: Design and Development

DD.1: General Assessment

Question: Designs & development completed?
Question: Designs have been documented?
Question: Designs have been reviewed by senior management?
Question: Designs have been approved?
Question: Budget is reviewed and approved?
DD.2: Risk Controls (section rating: 3)
Note: See the Risk Assessment Word file for additional assessment.
Recommendation: Problems in this stage are due to weaknesses in the previous functional requirements process. Initiate a risk assessment and management project with the help of a risk management expert and full management support.

Question: Risk control design is part of the BC Program?
Rating: 5
Response: Yes.

Question: Control options have been researched and analyzed?
Rating: 3
Response: Yes. We can do a lot more given more time and resources.
Further action: Not all control options have been researched and analyzed.

Question: Qualified risk expert(s) assisted with the risk control designs?
Rating: 1
Response: No.

Question: Cost of options has been compared?
Rating: 2
Response: Only for some threats.
Further action: Find out the reasons (lack of resources and time).

Question: Residual risks are known?
Rating: 1
Response: No.

Question: Top management reviewed the risk control options and residual risks?
Rating: 3
Response: Not the residual risk.

Question: Top management selected the best options for implementation?
Rating: 3
Response: For some options.

Question: Top management has approved the budget for control option implementation?
Rating: 3
Response: For some options.
DD.3: IT Systems Recovery Strategy (section rating: 5.30769)
Further action: Focus on long-term strategy.
Conclusion: Overall design is aligned with the requirements, but there are still some gaps and room for improvement. Examples: generic applications such as email are not part of the recovery strategy; drop-ship of the billing system server; the ability of people to get to the recovery site on time.

Question: Appropriate recovery strategies exist for all critical IT systems and applications?
Rating: 4
Response: Yes. Completed the strategy design stages.
Further action: Email strategy is missing.

Question: Alternate site strategies exist?
Rating: 7
Response: Yes.

Question: Quick-ship strategies exist?
Rating: 7
Response: Yes, for some systems.

Question: Recovery strategies are aligned with RTO values?
Rating: 8
Response: Partially.

Question: Cost versus RTO trade-off analyzed?
Rating: 5
Response: Partially.

Question: Effort requirements analyzed?
Rating: 3
Response: No.

Question: Control requirements analyzed?
Rating: 8
Response: Yes. With the alternate site we have more control over the IT infrastructure.

Question: Reliability requirements analyzed?
Rating: 3
Response: We are counting on the recovery vendor for that.
Recommendation: Recommend a tertiary site.

Question: Strategies aligned with system capacity requirements?
Rating: 5
Response: Yes.

Question: Strategies aligned with system performance requirements?
Rating: 7
Response: Alternate systems have more capacity than our production environment.

Question: Strategies aligned with system configuration requirements?
Rating: 3
Response: There are some configuration compatibility issues.
Recommendation: Recommend testing compatibility issues.

Question: Recovery systems and primary systems exact in type, configuration, capacity, etc.?
Rating: 5
Response: No. But they are compatible.
Recommendation: Recommend testing compatibility issues.

Question: Flexibility in upgrading the recovery systems to match primary system upgrades?
Rating: 4
Response: We don't know. We will include it in the contract agreement with the vendor.
Recommendation: Recommend inclusion in the contract of upgrade flexibility for recovery systems.
DD.4: Alternate IT Recovery Site (section rating: 6.82353)
Further action: Focus on long-term strategy.

Question: Alternate site meets the strategy requirements for IT systems/servers/networks?
Rating: 8
Response: Yes.

Question: Unlikely to be affected by the same disaster?
Rating: 8
Response: Yes. Particularly a regional disaster.

Question: Located outside of local area threats?
Rating: 8
Response: Yes.

Question: Located outside of regional area threats?
Rating: 8
Response: Yes.

Question: Alternate travel routes exist?
Rating: 8
Response: Yes.

Question: Floor plan exists?
Rating: 8
Response: Yes.

Question: A comprehensive and validated BC Program exists for the alternate recovery site?
Rating: 7
Response: Yes.
Further action: Review their BC program even though they are reputable and reliable.

Question: Secondary power generator/supply exists?
Rating: 9
Response: Yes.
Further action: Has anybody visually inspected the power supply? (Part of the tour.)

Question: Technical support is available at the alternate site?
Rating: 8
Response: Yes.

Question: Supports connectivity to the primary site?
Rating: 7
Response: Yes.

Question: Supports connectivity to work areas?
Rating: 9
Response: Well connected. Work area and IT recovery area are with the same vendor.

Question: Sufficient security exists at the alternate site?
Rating: 5
Response: Yes.
Further action: Find out if the servers and systems are shared by other clients of the vendor (yes, they are).
Recommendation: Involve the IT security department in the secure design; suggest development of security policy and procedures for before, during, and after disaster situations.

Question: Access to the recovery area is guaranteed in case of recovery need?
Rating: 4
Response: It is on a first-come, first-served basis.
Further action: Find out if there are clauses in the contract that may deny access (yes, there are).
Recommendation: Create a tertiary recovery site.

Question: Organization has sufficient control over the recovery area and its resources?
Rating: 4
Response: Partial.
Further action: Find out if there are reasons for having complete control (none).

Question: Meeting areas exist?
Rating: 2
Response: Yes, but it will cost more.

Question: Basic facilities exist (HVAC, bathrooms, etc.)?
Rating: 6
Response: Yes.

Question: Close proximity to accommodation and food services/restaurants, banks, etc.?
Rating: 7
Response: Yes.
DD.5: A Tertiary Recovery Site (section rating: 0)
Recommendation: We recommend the use of a tertiary recovery site.

Question: A tertiary recovery site exists with sufficient recovery capabilities and capacities?
Rating: 0
Response: No.

Question: Is it used for backup of data from the secondary site?
Rating: 0
Response: No.

Question: Is it used for recovery of all systems at the secondary site?
Rating: 0
Response: No.
DD.6: Offsite Data Storage

Question: Backup strategies are aligned with RPO requirements?
Question: What is the method of data backup?
Question: Data is replicated to servers at the recovery site?
Question: Data is backed up through tape media?
Question: Data is backed up through electronic vaulting?
Question: Cost versus recovery strategy options analyzed?
Question: Backup method is reliable and dependable?
Question: All data required for recovery is backed up?
Question: Backup tools/software exist and their capabilities are compatible with backup strategies?
Question: Sufficient backup media capacity exists at the storage facility?
Question: Strategies exist for remote backup during the recovery period?
Question: Facilities exist to ship backup data to recovery sites in time to meet RTO requirements?
Question: Safe handling and storage procedures documented?
Question: Data integrity testing procedures are documented?
Question: Data classification and security procedures and guidelines are documented?
Question: Storage media retention procedures are documented?
Question: Cost and budget for the above are estimated?
DD.7: Critical Record Storage Area
4.66783
Internal facilities/areas exist to store critical documents
2 They are stored in filing cabinets by the business units themselves.
Implement an internal critical document/record management group and facility in addition to a remote storage site.
Internal facilities meet the fire and water protection requirements
0 No.
Internal facilities meet the security requirements
0 No.
External facilities/areas exist to store critical documents
7 Yes. Iron Mountain only for paper documents.
External facilities meet the heat, humidity, and other climate control requirements
7 Yes
External record storage facility is under the management and control of qualified personnel
7 Yes.
External facilities meet the security requirements
7 Yes.
External facility can ship the records to work areas/primary site within required time-frame.
7 Yes.
External facility supports 24x7 operations
7 Yes.
Appropriate record management system is reviewed and assessed
8 We are using Iron Mountain Connect™ portal to track and retrieve documents.
Is Iron Mountain Connect set up for laptop access in the event of a disruption (No)
Critical record management procedures are developed and are aligned with the requirements
Yes.
DD.8: Alternate Work Area
4.68182 Expedite design and development of long term alternate work area
Alternate work areas exist (contracted, company owned, reciprocal ?)
4 Plan to contract out the work area from SunGard. We will use Canadian site as an interim solution
Alternate work area meets the BIA and functional requirements for recovery personnel
0 N/A
Acquisition strategy for workstations and servers in work area is consistent with BIA and other business process requirements
0 N/A
Floor plan exists 0 N/A
Non-IT resource acquisition strategy is in place (faxes, copiers, etc.)
0 No.
Site is unlikely to be affected by the same disaster
7 Yes.
Located outside of local area threats
7 Yes.
Located outside of regional area threats
7 Yes.
Alternate travel routes exist
7 Yes.
A comprehensive and validated BC Program exists for work area
3 Don't know
Secondary power generator/supply exists
8 Yes.
Technical support is available at alternate work site
2 Don't know
Supports connectivity to primary site
8 Yes.
Supports connectivity to alternate IT recovery sites
8 Yes.
Work area is expandable depending on the need
2 Don't know
Sufficient security exists at alternate work site
8 Yes.
Contains sufficient floor space for workstation and IT infrastructure and end-users
2 Don't know
Designed to support usage 24x7
7 Yes.
Organization has sufficient control over the work area and its resources
2 Don't know
Meeting areas exist 7 Yes.
Basic facilities exist (HVAC, Bathrooms, etc.)
7 Yes.
Close proximity to Accommodation and Food Services/restaurants, banks, etc.
7 Yes.
DD.9: Crisis Management Center (CMC)
7.25 Evaluate whether or not EOC meets the BC requirements.
CMC design meets the requirements for space, personnel, equipment, facilities, etc.
9 EOC will be used as CMC. 1st location is a leased site 30 miles away from HQ. Alternate location is a hotel meeting room to be decided at the time of disaster
Location is easily accessible for Crisis Management Team (CMT) and it is not prone to single point of failure with the primary site.
9 Yes.
Reliable and dependable 9 Yes.
CMC meets the IT requirements (workstations, laptop, printers, etc.)
3 Don't know about BC requirements.
CMC meets the Non-IT requirements (Faxes, copiers, presentation tools, etc.)
8 Yes.
CMC meets the voice connectivity requirements
3 Don't know about BC requirements.
CMC meets the data connectivity requirements
3 Don't know about BC requirements.
Designed to support usage 24x7
9 Yes.
Organization has sufficient control over the work area and its resources
9 Yes.
Meeting areas exist 9 Yes.
Basic facilities exist (HVAC, Bathrooms, etc.)
8 Yes.
Close proximity to Accommodation and Food Services/restaurants, banks, etc.
8 Yes.
DD.10: Assembly Location
5.97619 Evaluate design of assembly location to determine if it meets BC requirements.
Assembly location meets the functional requirements
1 Don't know
Assembly location complies with safety guidelines
8 Yes.
Easily accessible, dependable, and expandable
8 Yes.
Close proximity to Food, Accommodation, banks, etc.
8 Yes.
Controlled by the organization
3 No. MOU with another organization.
Less likely to be affected by the same local disaster
8 Likely to be affected by a local or regional disaster, but we have the EOC as an alternate.
DD.11: Data Communication Services
5.83333
Designs for Data Communication and Networking services are complete
Review design documents
Design overall meets the continuity requirements but needs some additional improvements
Design takes into account single points of failure concerns and communication redundancy requirements
7 Yes. We have redundant carrier links
Do they go through the same conduit to the building (yes)
Review data link for improving redundancy and single-point-of-failure
Different transmission medium is used (wireless, satellite, land lines)
2 Same medium.
Network design for alternate recovery site exists with specifications for connectivity, capacity, throughput, reliability, etc.
7 Yes.
Network design for work area exists with specifications for connectivity, capacity, throughput, reliability, etc.
8 Yes. IT has all that worked out.
Network design for data backup site exists with specifications for connectivity, capacity, throughput, reliability, etc.
Yes. IT has all that worked out.
Network design for connectivity between primary site, alternate site, data backup site, and work area is complete.
4 It is complete except for the work area, which is planned to be completed in six weeks.
Data transmission security is part of the design.
7 Yes.
DD.12: Voice Communication
6.6
Strategies are developed for redundancy of voice communication
Design overall meets the continuity requirements but needs some additional improvements
Design takes into account single point of failures
9 Voice service provider has provided multiple voice lines going through redundant exchange routes.
Design takes into account rerouting of critical phone numbers
9 Yes. We have the capability to reroute our 1-800 numbers that customers use.
Design includes different communication mediums (cables, satellite, wireless, etc.)
3 No. They are all land lines.
Provide additional redundancy by combining voice communication mediums.
Design takes into account bandwidth requirements
Yes.
Design takes into account work area requirements
Yes.
Design takes into account CMT requirements
6 Yes.
Design takes into account Recovery Site requirements
6 Yes.
DD.13: Work around Procedures
3.86111 See business process audit file.
Ensure work around procedures for all critical areas are complete and documented with consistent format.
Work around procedures are documented for all critical business units and processes
3 Most have them documented
Each work around procedure clearly specifies its objectives and scope
3 Some do and some don't
Each work around procedure clearly specifies conditions for invoking the procedure
3 Some do and some don't
Each work around procedure clearly specifies tasks to be performed and resources required including critical records.
Yes.
Each work around procedure clearly specifies task dependencies
3 Some do and some don't
Work around procedures include recovery of lost data
6 Yes.
DD.14: Training and Awareness
5.16667 Assign training and awareness responsibility to a staff. Review current training and awareness design for additional improvements.
Training and awareness program is designed and developed
Training database/site designed and developed
7 We have an intranet site for business continuity which provides training documents and general information.
Training methods and services selected
4 We plan to have onsite training on a regular basis.
Training schedule prepared
1 No.
Awareness plan developed
9 We currently have an internal BC monthly newsletter.
Training evaluation process designed and developed
2 No.
Training responsibilities assigned
8 We are currently talking to HR training department to take on this task.
DD.15: Salvage and Restoration
0 See comments from functional requirements
The design and development for Salvage and Restoration must be based on the functional requirements once they are completed.
All critical resources for salvage and restoration identified
Physical areas and buildings for salvage and restorations assessed
Types of damage to critical resources and areas assessed
Salvage and restoration experts and contractors identified and contacted
Requirements and cost discussed with Salvage and Restore contractors
Contractors are selected
DD.16: Program Budget
Detail budget established
Percentage of the IT budget or overall revenue
Detail budget and spendings established for individual projects
Detail budget and spendings established for hiring staff
Detail budget and spendings established for contracts
Detail budget established for recovery resources and services
Detail budget established for BC tools
Detail budget established for training and awareness
PP: Program Implementation
Questions Rating Response and Conclusion
Further Actions
Recommendations
PI.1: Risk Controls
Problems in this stage are due to weaknesses in the functional requirements process. See recommendations in Design and Development.
All risk controls have been implemented
Some have been implemented including secondary power generator.
Implementation project plans exist and approved
We have plans to continue implementation of risk controls.
Percentage Implemented 3 30 percent.
PI.2: IT Recovery Systems
6 Most systems are in place and plans are in place to acquire the rest. Email system recovery capability is not in place.
Alternate IT systems purchased or leased
Yes
Quick-ship strategies implemented
Currently talking to the vendor
Percentage completed 8
PI.3: Alternate IT Recovery Site
IT recovery site is in final stages of complete implementation.
Alternate IT recovery site completed
8 Yes. SunGard
Alternate IT site inspected and approved for use
8 Yes
Percentage completed 9 90 percent
PI.4: A Tertiary Recovery Site
Tertiary site completed
No.
Tertiary site inspected and approved for use
No.
Percentage completed N/A
PI.5: Offsite Data Storage
5 Backup site is currently in use. Backup frequency needs adjustments.
Remote backup site is complete
Yes.
Data backup process to remote site has started
Yes.
Percentage completed 8 90 percent
PI.6: Critical Record Storage
2
Remote record backup site is complete
Implemented for document records only. It is remote only. There is no internal storage process or system.
Remote record backup process has started
Yes.
Percentage completed 5 50
PI.7: Alternate Work Area
4 Expedite design and development of long term alternate work area
Alternate work areas exist (contracted, company owned, reciprocal ?)
4 Yes. Currently at the Canadian site but later at SunGard.
Work area inspected and approved
3 Partially.
Percentage completed 4 50
PI.8: Crisis Management Center (CMC)
7 EOC will be used as CMC. 1st location is a leased site 30 miles away from HQ. Alternate location is a hotel meeting room to be decided at the time of disaster
CMC exists Yes
CMC inspected and approved
Yes
Percentage completed 7 100
PI.9: Assembly Location
7 Assembly location is in place.
Assembly sites exist Yes
Assembly sites inspected and approved
Yes.
Percentage completed 7 100
PI.10: Data Communication Services
8
Data Communication and Networking services are complete
Yes
Connectivity between Primary site and alternate IT recovery site is complete
Yes
Connectivity between primary site and data backup site is complete
Yes
Connectivity between alternate IT site and work area is complete
Yes
Connectivity between CMC and alternate IT site is complete
Yes
Connectivity between CMC and alternate work area is complete
Yes
Percentage Complete 8 80
PI.11: Voice Communication
8
VC infrastructure and services are complete
Yes.
Percentage completed 8 80
PI.12: Training and Awareness
2 Expedite initiation of training and awareness program.
Training and awareness program activated
Not fully.
Percentage implemented 2 10 percent
PI.13: BC Tools
2
BC tool is purchased
2 No. We are still evaluating tools
Expedite tool evaluation to begin tool usage and deployment
Tool training is complete
Plans and information from paper/computer sources have been imported into the tool
Security and access control is in place
BC tool is deployed
A dedicated staff manages and maintains the BC tool
Team members have access to the tool
Percentage Complete
PI.14: Salvage and Restoration
0 Salvage and restoration is not yet included in BCP
Salvage and restoration contracts are in place
No.
Salvage and restoration procedures are documented
No.
Percentage Complete 0 0
PI.15: Personnel
4
Are all required personnel hired
5 Most have been hired but we are still waiting to hire two more staff reporting to the Coordinator.
Responsibilities assigned to personnel.
5 Mostly assigned
BC team insurance purchased
0 No.
Percentage Complete 4 60
PI.16: SLA and Contracts
7
SLA have been negotiated and implemented
6 The key SLA are in place
Contracts have been negotiated and implemented
6 Yes. Work area contract is under review.
Percentage Complete 7 80
PI.17: BC Plan Document
Plan document is complete
Executive Summary
Plan components
Objective
Scope
Assumptions
Constraints and limitations
Risk Assessment
BIA
Recovery Strategies
Plan Execution phases
BC Team Structure
Contact List
Call Tree
Alternate contacts
Contact Procedures
Disaster Definition
Disaster Declaration Procedures
Service Level Agreements
Insurance policy
Critical resource inventory
Critical Staff
Crisis Communication Plan
Emergency Response Plan
Business unit plans
Disaster Recovery Plan
Recovery site Information
Data backup procedures
Data backup site information
Critical record backup procedures
Critical record backup site information
Critical record recovery procedures
Plan execution logistic procedures
Security requirements and procedures
Recovery logistics
Team responsibilities
Salvage and Restoration procedures
IT recovery procedures
Data network recovery procedures
Voice communication recovery procedures
Work area site information
Work area recovery procedures
Critical service recovery procedures
Assembly location procedure
Assembly location information
Crisis management center or EOC information
Plan execution timeline and schedule
Disaster scenarios and recovery procedures
BC Plan change controls
BC plan distribution list
BC plan appendices
PT: Plan Testing
Questions Rating Response and Conclusion
Further Actions
Recommendations
PT.1: BC Plan Testing
3.714285714
Test plans exist for testing BC plan
6 Interim plans have been tested
Test objectives cover all essential elements of BC plan
2 No. It is missing testing of key business areas
Types of testing conducted so far
2 Table top and some systems at hotsite
No testing of notification procedures; EOC location, Work areas, etc.
Recommend testing of notification procedures; EOC, and work areas.
Types of testing planned for future
7 Hot site testing of all systems
Test scenarios are realistic
1 No real scenarios have been tested
Conduct likely scenario-based testing.
Tests have been completed for all required parts of BC plan
3 No. It is missing testing of key business areas
Conduct testing of all key aspects of BC plan
Tests have been conducted according to test plans
5 Yes.
PT.2: Test Evaluation
8 Tests have been evaluated well, particularly for hotsite testing. Evaluation included lessons learned. Many issues related to hotsite vendor support and coordination were identified and resolved.
This is one of the strength areas. A good test evaluation process is in place.
Test results have been evaluated
8
What criteria used to evaluate tests
8
Testing met all of test objectives
8
What were the strengths identified by the test
8
What were the weaknesses identified by the test
8
PT.3: BC Plan Approval
4 The long term plan document is not yet complete.
BC Plan is approved
BC Plan is approved by program sponsor and BC steering committee
BC plan is distributed to all staff and personnel on distribution list
PT.4: BC Plan Document
Which parts of the plan below have been tested?
Objective
Scope
Assumptions
Constraints and limitations
Risk Assessment
BIA
Recovery Strategies
Plan Execution phases
BC Team Structure
Contact List
Call Tree
Alternate contacts
Contact Procedures
Disaster Definition
Disaster Declaration Procedures
Service Level Agreements
Insurance policy
Critical resource inventory
Critical Staff
Crisis Communication Plan
Emergency Response Plan
Business unit plans
Disaster Recovery Plan
Recovery site Information
Data backup procedures
Data backup site information
Critical record backup procedures
Critical record backup site information
Critical record recovery procedures
Plan execution logistic procedures
Security requirements and procedures
Recovery logistics
Team responsibilities
Salvage and Restoration procedures
IT recovery procedures
Data network recovery procedures
Voice communication recovery procedures
Work area site information
Work area recovery procedures
Critical service recovery procedures
Assembly location procedure
Assembly location information
Crisis management center or EOC information
Plan execution timeline and schedule
Disaster scenarios and recovery procedures
BC Plan change controls
PM: Program Management
Questions Rating Response and Conclusion
Further Actions
Recommendations
PM.1: Primary Site Change Monitoring
3.143 Extend change management to beyond IT related changes.
Process is in place to monitor changes
4 Yes. BC Coordinator monitors all changes by attending all IT change management meetings.
IT level changes are monitored
4 Yes. Through IT change management
Business process changes are monitored
1 Not at this time.
Critical record changes are monitored
4 By business units only.
Business units have people assigned to this task.
People changes are monitored
3 We have been talking to HR to keep us in the loop.
Critical resource related changes are monitored
3 Not at this time.
Critical services related changes are monitored
3 Yes. We plan to go through regular review of service and resource related changes.
PM.2: Recovery Site Change Monitoring
3 Implement proactive process for monitoring recovery site changes.
Process is in place to monitor changes at the recovery sites
3 We expect vendor to notify us of any changes.
Hardware changes are monitored
3 Yes.
Software changes are monitored
3 Yes.
Network changes are monitored
3 Yes.
Facility changes are monitored
3 Yes.
Policy changes are monitored
3 Yes.
Security procedures are monitored
3 Yes.
37
Questions Rating Response and Conclusion
Further Actions
Recommendations
PM.3: Contract Management
7
BC related contracts management process established
7 BC coordinator and procurement representative conduct a frequent review/update of contracts.
Contracts are reviewed on a regular basis
7 Yes.
Contracts include maintenance and upgrades
7 Yes.
Procurement and legal departments are involved in the contract management
7 Yes.
PM.4: Risk Controls
3
Risk assessment occurs periodically
3 No.
Existing controls are reviewed and inspected on a regular basis
3 Facilities is responsible for reviewing physical controls such as secondary power generator.
Risk experts are involved in risk assessment and control process
3 No.
Risk assessment reports are presented to and reviewed by management
3 No.
PM.5: BIA
4 We plan to do it regularly.
BIA is conducted periodically
Gaps are identified
Results are reported to and reviewed by management
Recovery strategy gaps are evaluated
PM.6: IT Systems Recovery Strategy
4 We plan to review it regularly.
Recovery strategies are reviewed regularly
Alternate sites are inspected for changes and problems.
Quick-ship strategies are reviewed regularly
PM.7: BC Plan Testing
4 We plan to do it regularly
A plan exists for regular testing of BC Plan
Both minor and major tests are carried out regularly
Tests are reviewed and evaluated
Test results are well documented and reported to management
Test issues are resolved effectively
Backup data integrity checks are done regularly
Work around procedures are tested regularly
PM.8: Recovery Vendor's BC Plan Reviews
4 We will include it in our program
Recovery vendors' BC plans are reviewed regularly
Recovery strategies and capabilities of vendors are reviewed regularly
BC audit reports of vendors are reviewed
PM.9: Training and Awareness
Currently not in maintenance stage.
Training and awareness program is monitored, evaluated and updated
New hire orientation includes BC information
Program includes learning resource/database
Program includes newsletters
Program includes regular BC informational meetings
Program includes BC tool training
PM.10: Management Process
5
Steering committee is actively involved in the maintenance phase
4 Steering Committee will be established in a few months.
Program sponsor is actively involved in the maintenance phase
8 Yes.
BC Management meetings are held on weekly, monthly, and quarterly periods
8 Weekly with the sponsor and monthly with business unit managers
Reports from the steering committee are presented to Board and senior management
4 Steering Committee will be established in a few months.
Rules and regulations are monitored and reviewed
1 No.
PM.11: External Coordination
3 Improve external coordination related to BC plan
BC plan is coordinated with external public authorities
3 Through ERP. Coordinate with ERP team to include BC plan's coordination requirements.
BC plan is coordinated with business partners
1 No. Coordinate BC plan with business partners on a regular basis
BC plan is coordinated with recovery vendors
7 Yes.
Meetings are held regularly to coordinate BC plan with external entities
1 No. Arrange regular meetings with external entities to coordinate BC plan activities
BC Audits are conducted periodically
BC Audits include internal and external auditors
Audit recommendations are followed through
Audits are done through expert auditors
PM.12: BC Program Reviews
6.25
BC program is reviewed periodically
7 We hold a monthly meeting with all business units to review relevant BC program activities and sections.
BC plan document is reviewed frequently
7 BC coordinator and his team review the plan biweekly.
Review involves all BC team members
7 Most team members depending on what we are discussing at the time.
Results of the reviews are presented to steering committee and program sponsor
4 Not yet. But we present it to our program sponsor.
PM.13: Plan Document Maintenance
5.4
Stored offsite and onsite
6 One copy is always with BC coordinator on a memory card. One copy is with Iron Mountain.
Recommend storing a BC document at the hot site. If possible use web-based planning tool.
Easily accessible during a disaster
5 Yes
Secured 8 Yes. It is encrypted.
Need-to-know list maintained
3 No. We have a common distribution list with access to all parts of the plan.
Develop a need-to-know distribution list.
Distribution list maintained
5 Yes.
Program Budget
Questions Rating Response and Conclusion
Further Actions Recommendations
Program Budget 5.333333 BC program needs a separate budget; Work out detail budget for each phase, project, and activities.
Separate annual budget allocated
5 It is part of IT budget
Business area supporting the BC Program budget
8 Yes. Business Managers are very supportive.
Source of budget
3 IT
BC program needs a separate budget and should not simply be part of the IT budget.
Detail budget established for BC tools
5 Yes. Does it account for a specific tool and its cost (We know the tool we want and its cost)
Overall budget estimates established
5 We do not have a yearly budget but last year we spent $240K
Percentage of BC budget relative to annual revenue
3 IT budget is about 2%. Last year we spent about $240K on BC beyond people resources. We were allocated $125K originally.
Obtain more information.
Overall budget established for individual projects
7 Business units have their own budgets for BC activities.
Overall budget established for hiring staff
7 We have put the request to hire two more staff for next year.
Overall budget established for contracts
7 The budget for contracts will come out of the overall BC budget.
Overall budget established for recovery resources and services
3 Our recovery resource and service budget is mostly part of the overall IT budget.
Find out if this budget is outside of the BC budget. Yes it is outside of the IT budget. Last year approximately $60K was spent on the recovery resources and services.