CISA REVIEW


Page 1: CISA REVIEW

CISA REVIEW

The material provided in this slide show came directly from Certified Information Systems Auditor (CISA) Review Material 2010 by ISACA.

Page 2: CISA REVIEW

Chapter 6 – Business Continuity and Disaster Recovery

Learning Objectives

By the end of chapter 6, you should be able to:

• Evaluate the adequacy of backup and restore provisions to ensure the availability of information required to resume processing
• Evaluate the organization's disaster recovery plan to ensure that it enables the recovery of IT processing capabilities in the event of a disaster
• Evaluate the organization's business continuity plan to ensure the organization's ability to continue essential business operations during the period of an IT disruption

Page 3: CISA REVIEW

Backup Basics

If a disaster occurs, it is important that certain business activities, including IS operations, not be disrupted. To this end, information must be backed up so that data are not lost in an emergency. This duplication of data and documentation is critical for a business continuity plan (BCP).

Data Retention (i.e., What Needs to Be Backed Up?)

Both data and software files should be backed up on a periodic basis. To make the computers run correctly, you must back up and keep current all operating systems, programming languages, software, compilers, utilities and application programs. Even paper documentation, such as operational guides, user manuals and the BCP itself, along with records and files, is part of the raw materials and finished products necessary for the IS processing cycle.

Page 4: CISA REVIEW

Backup Basics: Frequency and Types of Backup

The frequency of file backup depends on the criticality of the application and data. Critical data should be backed up using the multiple-generation (i.e., "grandfather-father-son") method and rotated to an offsite location at least daily.

Page 5: CISA REVIEW

In the Grandfather-Father-Son method:

• Daily backups are made over the course of a week (son).
• The final backup taken during the week becomes the backup for that week (father).
• At the end of the month, the final weekly backup is retained as the backup for that month (grandfather).
• At the end of the year, the final monthly backup becomes the yearly backup.

Page 6: CISA REVIEW

Question:

Consider the situation in which backups are performed every week and stored offsite. A monthly backup is also performed each month and stored offsite. When is it safe to return the Week 1 backup tape from the offsite storage location?

A. After 2 weeks, regardless of when other backups arrive
B. When the Week 2 backup arrives at the offsite location
C. When the Week 3 backup arrives at the offsite location
D. When the monthly backup arrives at the offsite location

Page 7: CISA REVIEW

Answer:

Consider the situation in which backups are performed every week and stored offsite. A monthly backup is also performed each month and stored offsite. When is it safe to return the Week 1 backup tape from the offsite storage location?

D. When the monthly backup arrives at the offsite location

The backup media for Week 1 should be returned when the monthly backup is safely stored offsite. This will guarantee that the data from Week 1 are secure if something happens in the interim. Weekly backup media can then be rotated for reuse in subsequent months.
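The rotation scheme and the tape-return question above, worked through as an added example (this is not part of the ISACA material). It assumes backups on weekdays only, Friday as the week-ending backup and a one-day lag before a medium reaches the offsite library. A medium is released only when the backup that supersedes it has itself arrived offsite, which is why a weekly tape waits for the monthly backup rather than for the next weekly one.

```python
"""Grandfather-father-son (GFS) rotation: classify each backup and work out
when its medium may come back from the offsite library.

Added example. Assumptions (not from the ISACA material): backups run on
weekdays only, the week-ending backup is taken on Friday, and a medium reaches
the offsite library one calendar day after the backup is taken."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

WEEK_END_WEEKDAY = 4   # Friday (Monday == 0); assumption
TRANSIT_DAYS = 1       # backup day -> offsite arrival; assumption

RANK = {"son": 0, "father": 1, "grandfather": 2, "yearly": 3}


@dataclass(frozen=True)
class Backup:
    taken: date
    tier: str

    @property
    def offsite(self) -> date:
        """Day the medium is safely in the offsite library."""
        return self.taken + timedelta(days=TRANSIT_DAYS)


def tier_for(day: date) -> str:
    """Classify the backup taken on `day` under GFS."""
    if day.weekday() != WEEK_END_WEEKDAY:
        return "son"                        # ordinary daily backup
    following = day + timedelta(days=7)     # the next week-ending backup
    if following.year != day.year:
        return "yearly"                     # last monthly of the year
    if following.month != day.month:
        return "grandfather"                # last weekly of the month
    return "father"                         # ordinary week-ending backup


def schedule(start: date, end: date) -> list:
    """Every weekday backup from start to end inclusive, in date order."""
    runs, day = [], start
    while day <= end:
        if day.weekday() < 5:
            runs.append(Backup(day, tier_for(day)))
        day += timedelta(days=1)
    return runs


def superseded_by(b: Backup, runs: list) -> Optional[Backup]:
    """The later, higher-tier backup that makes `b` redundant, if taken yet:
    a son by its week's father, a father by its month's grandfather, a
    grandfather by the yearly backup."""
    for c in runs:
        if c.taken <= b.taken or RANK[c.tier] <= RANK[b.tier]:
            continue
        same_week = c.taken.isocalendar()[:2] == b.taken.isocalendar()[:2]
        same_month = (c.taken.year, c.taken.month) == (b.taken.year, b.taken.month)
        same_year = c.taken.year == b.taken.year
        if (b.tier == "son" and same_week) or (b.tier == "father" and same_month) \
                or (b.tier == "grandfather" and same_year):
            return c
    return None


def release_date(b: Backup, runs: list) -> Optional[date]:
    """Earliest day the medium holding `b` may leave offsite storage: the day
    the backup that supersedes it is itself safely offsite. None means keep."""
    s = superseded_by(b, runs)
    return s.offsite if s else None


def week1_scenario(year: int = 2024) -> dict:
    """The review question: weekly tapes plus a monthly, all offsite. When may
    the Week 1 tape of January return?"""
    runs = schedule(date(year, 1, 1), date(year, 12, 31))
    weeklies = [r for r in runs if r.tier != "son" and r.taken.month == 1]
    week1, week2, monthly = weeklies[0], weeklies[1], weeklies[-1]
    return {
        "week1": week1.taken, "week2_offsite": week2.offsite,
        "monthly": monthly.taken, "monthly_offsite": monthly.offsite,
        "week1_release": release_date(week1, runs),
    }


if __name__ == "__main__":
    for k, v in week1_scenario().items():
        print(f"{k:>16}: {v}")
```

For 2024 the Week 1 tape (Friday 5 January) is released on 27 January, the day the month-end backup of 26 January is offsite, and not on 13 January when the Week 2 tape arrives; a daily (son) tape is released as soon as its own week's Friday tape is offsite.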

Page 8: CISA REVIEW

A full backup is the starting point for all other backups and contains all the data in the folders and files selected to be backed up. A full backup takes the longest to run and requires the most storage space on the backup media, but it also provides the quickest restore time. A full backup should be performed weekly or monthly on production systems, along with daily differential backups, and before any major planned change to a system.

Page 9: CISA REVIEW

An incremental backup copies every file that has changed since the last backup of any type (full or incremental). It is the fastest backup to run and requires the least storage space on the backup media. However, a restore needs the last full backup plus every incremental taken since it, so incremental backups require the longest time and the most tapes to restore.

Page 10: CISA REVIEW

A differential backup contains all files that have changed since the last full backup, so each differential grows until the next full backup is taken. Its advantage is restore time: only the last full backup and the most recent differential are needed, which is faster than replaying a chain of incrementals, while each differential run is still shorter and smaller than a full backup.
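The three backup types compared on one week of constructed file changes, as an added example (not from the ISACA material): what each run copies and which media a restore has to read. Day 0 is a full backup; the file names and the change pattern are assumptions.

```python
"""Full, incremental and differential backups over one week of file changes:
what each run copies and which media a restore has to read.

Added example; the file set and the change history are constructed, not
taken from the ISACA material."""
from dataclasses import dataclass


@dataclass
class Run:
    day: int
    kind: str        # "full" | "incremental" | "differential"
    captured: dict   # file -> version copied onto the medium by this run


def simulate(strategy: str, files: list, daily_changes: list):
    """Day 0 is always a full backup; on each later day the listed files change
    and a backup of `strategy` is taken. Returns (runs, live state)."""
    state = {f: 0 for f in files}
    runs = [Run(0, "full", dict(state))]
    since_last_full, since_last_run = set(), set()
    for day, changed in enumerate(daily_changes, start=1):
        for f in changed:
            state[f] += 1
        since_last_full |= changed
        since_last_run |= changed
        if strategy == "full":
            captured = dict(state)
            since_last_full.clear()
        elif strategy == "differential":
            captured = {f: state[f] for f in since_last_full}   # everything since the last full
        elif strategy == "incremental":
            captured = {f: state[f] for f in since_last_run}    # everything since the last run
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        since_last_run.clear()
        runs.append(Run(day, strategy, captured))
    return runs, state


def restore_chain(runs: list, day: int) -> list:
    """Media needed, oldest first, to rebuild the state as of `day`.
    Walk backwards: every incremental counts, only the newest differential
    counts, and the first full backup reached ends the chain."""
    chain, have_diff = [], False
    for r in reversed([r for r in runs if r.day <= day]):
        if r.kind == "full":
            chain.append(r)
            break
        if r.kind == "incremental":
            chain.append(r)
        elif r.kind == "differential" and not have_diff:
            chain.append(r)
            have_diff = True
    return list(reversed(chain))


def restore(chain: list) -> dict:
    """Apply the media oldest to newest; later copies overwrite earlier ones."""
    state = {}
    for r in chain:
        state.update(r.captured)
    return state


def media_report(strategy: str, files: list, daily_changes: list) -> dict:
    """Files copied per run and the number of media a latest-day restore reads;
    the restore is checked against the live state before reporting."""
    runs, live = simulate(strategy, files, daily_changes)
    chain = restore_chain(runs, len(daily_changes))
    if restore(chain) != live:
        raise RuntimeError("restore did not reproduce the live state")
    return {"copied_per_run": [len(r.captured) for r in runs],
            "media_to_restore": len(chain)}


FILES = ["app.cfg", "ledger.db", "orders.db", "report.pdf", "readme.txt"]            # constructed
CHANGES = [{"ledger.db"}, {"orders.db"}, {"ledger.db", "app.cfg"}, {"report.pdf"}]  # days 1..4

if __name__ == "__main__":
    for strategy in ("full", "incremental", "differential"):
        print(strategy, media_report(strategy, FILES, CHANGES))
```

With this history the incremental strategy copies the fewest files per run but a day-4 restore reads five media, the differential copies a growing set and restores from two media, and the full strategy copies everything daily and restores from one.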

Page 11: CISA REVIEW

Hot site

A fully operational offsite data processing facility equipped with both hardware and system software to be used in the event of a disaster.

Page 12: CISA REVIEW

Warm site

• Warm sites do not involve a main computer, but are partially configured, usually with network connections and selected peripheral equipment (such as disk drives, tape drives and controllers). The backup equipment involved in warm site recovery must be turned on periodically to receive backups of data from production servers. Because the computer is the most expensive unit, warm sites are less expensive than hot sites. Additionally, warm sites often plan to have a less-powerful central processing unit (CPU) than the one typically used for everyday business functions.

• Once the CPU and the other missing units have been located and installed, a warm site can be ready for service within hours.

Page 13: CISA REVIEW

Cold site

• Cold sites contain the basic environment for business operations and are ready to receive equipment in an emergency situation. Because the location has electrical wiring, air conditioning and flooring but no equipment, cold sites are less expensive than hot and warm sites, and activation may take several weeks.

• In a cold site backup, if machines are involved, they may have software installed and configured but may not be up to date or recently turned on.

Page 14: CISA REVIEW

Duplicate site

• Duplicate or redundant information processing facilities (IPFs) are dedicated, self-developed recovery sites used to back up critical applications. This recovery alternative is viable because there are two or more separate, active sites providing inherent backup to one another.

• Each site has the capacity to absorb some or all of the work of the other site for an extended period of time.

• By keeping a duplicate site, there may be fewer problems with coordination, compatibility and availability of information and systems in a disaster situation.

• Some organizations can run their own duplicate IPF, but others use a third-party vendor.

Page 15: CISA REVIEW

Instructions: Here are four alternative processing strategies and four descriptions. Match each term to its corresponding description.

Alternative Processing Strategies

• Hot site
• Warm site
• Cold site
• Duplicate IPF

Descriptions

• A dedicated, self-developed recovery site used to provide inherent backup for critical applications
• Back-up site that is partially configured but does not provide a main computer
• Provides the equipment and office facilities needed for the organization to continue its operations, and is fully configured and ready to operate within several hours
• Contains only the basic environment for business operations

Page 16: CISA REVIEW

Answers: Each term is followed by the appropriate description.

• Hot site: Provides the equipment and office facilities needed for the organization to continue its operations, and is fully configured and ready to operate within several hours
• Warm site: Back-up site that is partially configured but does not involve a main computer
• Cold site: Contains only the basic environment for business operations
• Duplicate IPF: A dedicated, self-developed recovery site used to provide inherent backup for critical applications

Page 17: CISA REVIEW

All software and related documentation should have adequate offsite storage. Even when using a standard software package from a vendor, the installed software can vary from one location to another. Differences may include parameter settings and modifications, security profiles, reporting options, account information, or other options chosen by the organization during or after system implementation. Therefore, comprehensive backup of all critical software is essential.

Backup of operating system software, application programs and utility software must be performed whenever they are modified, updated or changed.

Remote journaling is a common process that records transaction logs or journals at a remote location. These logs and journals are used to recover transaction and database changes made since the most recent backup.

Page 18: CISA REVIEW

Think About It

What types of information do you think should be backed up on a monthly basis? A weekly basis? A daily basis?

Page 19: CISA REVIEW

Think About It: Answer

For application systems that run on a monthly basis where master or transaction files are updated, the backup must be performed after the monthly production run. Operating systems or application software may require weekly backups. Online/real-time systems that perform large-volume transaction processing may require daily, nightly or more frequent/immediate backups. These systems may also require mirrored master file updates at a separate processing facility.

A consideration for all backup data is that they must allow for the continuing changes to the source materials that are being backed up. This means that not only must a copy of the source material be kept from a particular point in time, but also that all changes or transactions that happen between the time the backup or copy is made and the current time must be recorded.

Page 20: CISA REVIEW

Storage and Retention

• Backups need to be stored for safekeeping and be retrievable in the event of an emergency situation. One approach is to put the backups into an offsite library, although depending on the material, onsite or third-party storage may be a viable option.

• An offsite library is a special type of manual library because it does not have technology allowing direct access to the primary processing unit. If media (a cartridge, file, tape, document, etc.) are needed from an offsite library, they must be manually located and transported to the processing facility.

• An offsite library could be considered as an organized collection of material that may not be necessary to the support or backup of current daily processing operations. This material is typically required to be archived for some extended period of time, due to legislation, client or business process reasons.

Page 21: CISA REVIEW

Offsite Storage Facility: An offsite facility has processing capabilities to store, archive and retrieve data required for backup purposes of the organization's current production environment. All information at an offsite library or storage facility should be monitored. Controls over the offsite library and storage facilities should include ensuring that:

• The physical construction can withstand fire or heat according to industry standards
• Physical access to the media at the facility is secured (i.e., doors locked, no windows, human surveillance)
• The location of the facility is away from the data owner, preferably far enough away to avoid the risk of a disaster affecting both facilities
• Certain data are retained for specific periods of time due to state, federal, local, organization or client requirements
• A perpetual inventory of all storage media and files stored and moved in and out of the facility is maintained, along with a record of the contents, versions and location of data files
• All media or materials being shipped back and forth from the facility are securely transported. For example, data in transit should be stored and sealed in a magnetic media container.

Page 22: CISA REVIEW

Restoration Processes and Practices

• Backup systems are not fail-safe and are of no use unless the information on them can be recovered and restored when necessary. Accordingly, it is imperative that an organization periodically test its backup procedures and its access to the offsite data storage facility to see if it can access archived data and properly restore those data, documents or other necessary information.

• All restoration tests should be performed in a way and at a time that will not disrupt regular business operations and will truly mimic actual restoration procedures.
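A scripted restoration test, added here as an example (not from the ISACA material): back up a constructed directory into an archive that carries a SHA-256 manifest, restore it into a scratch location and compare every restored file with the manifest, so the drill either proves the copy is usable or names the files that are missing or damaged. The sample file names and contents are made up; the temporary directories stand in for the production share, the offsite medium and the recovery host.

```python
"""Restoration test: back up a directory into an archive with a SHA-256
manifest, restore it into a scratch location and prove every restored file
matches the manifest.

Added example. The sample files are constructed; the temporary directories
stand in for the production share, the offsite medium and the recovery host."""
import hashlib
import io
import json
import os
import tarfile
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(root: Path, archive: Path) -> dict:
    """Write root into a gzip tar together with its manifest (the inventory of
    what this medium holds); return the manifest."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(root / rel, arcname=rel)
        blob = json.dumps(manifest, indent=1, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST)
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return manifest


def restore(archive: Path, target: Path) -> dict:
    """Extract the archive into target, refusing absolute, '..' or link members
    (a medium coming back from offsite is untrusted input); return its manifest."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        manifest = json.load(tar.extractfile(MANIFEST))
        members = [m for m in tar.getmembers() if m.name != MANIFEST]
        for m in members:
            if m.name.startswith("/") or ".." in Path(m.name).parts or m.issym() or m.islnk():
                raise ValueError(f"refusing unsafe archive member {m.name!r}")
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(target, members=members, **extra)
    return manifest


def verify(manifest: dict, target: Path) -> dict:
    """Compare the restored tree with the manifest; the report names every file
    that is missing, changed or unexpected."""
    restored = build_manifest(target)
    report = {
        "missing": sorted(set(manifest) - set(restored)),
        "corrupt": sorted(f for f in manifest if f in restored and restored[f] != manifest[f]),
        "extra": sorted(set(restored) - set(manifest)),
    }
    report["ok"] = not (report["missing"] or report["corrupt"] or report["extra"])
    return report


def run_restoration_test(tamper: str = None) -> dict:
    """End-to-end drill on constructed data. `tamper` names a restored file to
    overwrite before verification, to show that damage is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        prod, offsite, recovery = tmp / "prod", tmp / "offsite" / "prod.tgz", tmp / "recovery"
        (prod / "reports").mkdir(parents=True)
        (prod / "app.cfg").write_text("mode=prod\nretention_days=90\n")   # constructed
        (prod / "reports" / "q1.csv").write_bytes(os.urandom(4096))     # constructed
        offsite.parent.mkdir()
        backup(prod, offsite)
        manifest = restore(offsite, recovery)
        if tamper:
            (recovery / tamper).write_bytes(b"bit rot")
        return verify(manifest, recovery)


if __name__ == "__main__":
    print(run_restoration_test())
    print(run_restoration_test(tamper="reports/q1.csv"))
```

The clean run reports ok with empty missing, corrupt and extra lists; the tampered run names reports/q1.csv as corrupt. Restoring into a scratch directory rather than over production is what keeps the drill from disrupting regular operations while still exercising the real archive format and the real offsite retrieval path.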

Page 23: CISA REVIEW

Instructions: Determine whether each statement is true or false.

• Application software should be backed up in the same manner as operating system software.
• Restoration tests that disrupt regular business operations are an acceptable practice as long as the restoration truly mimics actual restoration procedures.
• Documentation must be backed up and stored along with software and data.
• An incremental backup is the fastest backup but requires the most storage space on the backup media.
• Data migration is a process that records transaction logs or journals at a remote location.

Page 24: CISA REVIEW

Answers: Each statement is followed by T (true) or F (false).

Application software should be backed up in the same manner as operating system software.

T

Restoration tests that disrupt regular business operations are an acceptable practice as long as the restoration truly mimics actual restoration procedures.

F

Documentation must be backed up and stored along with software and data.

T

An incremental backup is the fastest backup but requires the most storage space on the backup media.

F

Data migration is a process that records transaction logs or journals at a remote location.

F

Page 25: CISA REVIEW

What Is the Risk?

Although it is impossible for an organization to avoid all risks associated with a disaster, a company can do its best by creating business continuity plans (BCPs) and disaster recovery plans (DRPs) that minimize these risks. When these plans are put into place, the corporate focus will be on reestablishing business continuity and implementing disaster recovery. When these plans are needed, the last thing a company wants to worry about is forgotten, mistaken or misrepresented legalities in the BCP/DRP. Accordingly, all BCPs/DRPs must be evaluated to make sure that they address, and adhere to, any regulatory, legal, contractual and insurance requirements.

Page 26: CISA REVIEW

Think About It

What questions would you ask to determine the future value of data and the organization's plans for its data insurance needs?

Page 27: CISA REVIEW

Think About It: Answer

What questions would you ask to determine the future value of data and the organization's plans for its data insurance needs?

Some questions to ask include but are not limited to:

• How valuable is the data?
• How is that valuation determined?
• What factors were used in reaching the insurance coverage limits elected?
• Is the data insurance coverage maintained in accordance with statutes and legal guidelines?

Page 28: CISA REVIEW

A critical step for an organization when developing a BCP is to perform a business impact analysis (BIA). As an IS auditor, you must be able to evaluate a BIA and understand the risks associated with an organization's critical components to effectively evaluate BCPs and DRPs. This section of the module defines the importance of a BIA, discusses how to calculate risk, and details how a BIA is used to develop an organization's business continuity plan.

Page 29: CISA REVIEW

Organizations create business continuity and disaster recovery plans as proactive measures. These plans reduce business risk by preparing the organization to provide critical services without interruption if a disaster, unexpected problem or other emergency situation should occur.

Examples of business risks include:

• Inability to maintain critical customer services
• Damage to market share, image, reputation or brand
• Failure to protect the company assets, including intellectual property and personnel
• Business control failure
• Failure to meet legal or regulatory requirements

Page 30: CISA REVIEW

The BCP process includes several life cycle phases. Each of these phases must be implemented in the plan:

• Creation of a BCP and disaster recovery policy
• A BIA
• Classification of operations and criticality analysis
• Development of a BCP and disaster recovery procedures
• A training and awareness program
• Testing and implementation of the plan
• Monitoring the BCP process

The BCP must encompass all assets and functions that an organization needs to maintain viability.

Page 31: CISA REVIEW

Risk Analysis and Cost Benefits

Even with the most rigorous planning and commitment, it may be impossible for a business to avoid all forms of risk or potential damage. However, an organization can be prudent by attempting to identify and prepare for as many risks as possible. Accordingly, the first step in a BCP is to perform a risk analysis. The risk analysis begins by identifying threat scenarios concerning the organization's assets. The risks assessed should be:

• Directly proportional to the value of each asset
• Coordinated with the probability of occurrence of a perceived threat to that asset

Page 32: CISA REVIEW

Risk Analysis and Cost Benefits

In the case of DRP, the assets are the components of the information system, such as application systems. Each organization's classification of these systems is determined by:

• Identifying the nature of the organization's actual business.
• Classifying what each application or system component does (how it adds or contributes value) to the organization. This value is directly proportional to the role of the application system in supporting the strategy of the organization.

• Matching elements of the information system to the various applications (e.g., the value of a computer or a network is determined by the importance of the application system that uses it).

Page 33: CISA REVIEW

Risk Analysis and Cost Benefits

After the risk assessment identifies the value of the IS components to the organization, a plan can be developed for establishing the criticality of systems and the most appropriate methods for their restoration. A subcomponent of the BCP is the IT disaster recovery plan. This plan typically details the process that IT personnel will use to restore the computer systems. DRPs may be included in the BCP or as a separate document altogether, depending on the needs of the business.

Page 34: CISA REVIEW

A successful Business Impact Analysis involves obtaining a thorough understanding of the organization and the essential personnel, technologies, facilities, communications systems, vital records, data and IT resources necessary to support key business processes. Creating a BIA involves breaking down the totality of operations into specific events, functions and incidents, then determining what could happen to each element that may impact operations; determining any additional resulting financial, human and reputation effects; and prioritizing those effects. The BIA also considers the impact of legal and regulatory requirements (such as the privacy and availability of customer data). Finally, a BIA includes an estimation of maximum allowable downtime and acceptable levels of data, operations and financial losses.

Page 35: CISA REVIEW

Three main questions that should be considered early in the BIA process include the following:

• What are the organization's various business processes?
• What are the critical information resources related to the organization's critical business processes?
• What is the critical recovery time period for information resources, in which business processing must be resumed before significant or unacceptable losses are suffered?

The information acquisition phase should prioritize business processes based on their importance to the organization's achievement of strategic goals. However, this prioritization should be revisited after the business processes are modeled or analyzed against various threat scenarios so that a BCP can be developed.

Page 36: CISA REVIEW

A system's risk ranking involves determining the risk based upon the impact derived from the critical recovery time period and the likelihood that an adverse disruption will occur. Many organizations will use a risk-of-occurrence formula to determine what it deems is a reasonable cost for being prepared. This risk-based analysis process helps prioritize critical systems and develop appropriately scaled recovery strategies. The risk-ranking procedure should be performed in coordination with IS processing and end-user personnel.

Page 37: CISA REVIEW

Two important parameters when establishing recovery strategies are recovery point objectives (RPOs) and recovery time objectives (RTOs).

• The RPO is based on what an organization agrees is an acceptable or permissible amount of data loss during a disruption. It indicates the earliest point in time to which it is acceptable to recover the data; measured backwards from the disruption, it is the maximum age the most recent usable backup may have.

• The RTO is determined based on the acceptable downtime in case of a disruption of operations. It indicates the point in time, measured forwards from the disruption, by which business operations must resume after a disaster.
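Both parameters checked against a backup schedule and an incident timeline, as an added example (not from the ISACA material). It also makes explicit a point the definitions leave implicit: a copy still on site or in transit when the disaster strikes cannot be used, so the achievable recovery point depends on the backup interval plus the offsite lag, not on the interval alone. The schedule, the lag and the incident times are constructed.

```python
"""RPO and RTO checked against a backup schedule and an incident timeline.

Added example, not from the ISACA material. The schedule, the offsite transit
lag, the disaster time and the restore completion time are constructed."""
from datetime import datetime, timedelta
from typing import Optional


def latest_usable_copy(backups: list, disaster: datetime, transit: timedelta) -> Optional[datetime]:
    """Newest backup whose medium had already reached the offsite library when
    the disaster struck. A copy still on site or in transit is assumed lost
    together with the primary site."""
    usable = [b for b in backups if b + transit <= disaster]
    return max(usable) if usable else None


def worst_case_data_loss(interval: timedelta, transit: timedelta) -> timedelta:
    """Disaster strikes just before the newest copy arrives offsite: the
    recoverable point is one full interval plus the transit lag in the past."""
    return interval + transit


def max_backup_interval(rpo: timedelta, transit: timedelta) -> timedelta:
    """Longest interval between backups that still meets the RPO in the worst
    case. Zero or negative means the transit lag alone breaks the RPO and a
    different mechanism (remote journaling, mirroring) is needed."""
    return rpo - transit


def evaluate(backups: list, disaster: datetime, restored_at: datetime,
             transit: timedelta, rpo: timedelta, rto: timedelta) -> dict:
    """Compare the achieved recovery point and recovery time with the objectives."""
    point = latest_usable_copy(backups, disaster, transit)
    data_loss = None if point is None else disaster - point
    downtime = restored_at - disaster
    return {
        "recovery_point": point,
        "data_loss": data_loss,
        "rpo_met": data_loss is not None and data_loss <= rpo,
        "downtime": downtime,
        "rto_met": downtime <= rto,
    }


def run_example() -> dict:
    """Nightly 02:00 backups collected by an 08:00 courier (6 h lag); the data
    centre is lost at 07:00 on 6 March and service is back at 19:00.
    Objectives: RPO 24 h, RTO 8 h. All figures constructed."""
    backups = [datetime(2024, 3, d, 2, 0) for d in range(1, 7)]
    return evaluate(
        backups,
        disaster=datetime(2024, 3, 6, 7, 0),
        restored_at=datetime(2024, 3, 6, 19, 0),
        transit=timedelta(hours=6),
        rpo=timedelta(hours=24),
        rto=timedelta(hours=8),
    )


if __name__ == "__main__":
    for k, v in run_example().items():
        print(f"{k:>15}: {v}")
    print("worst-case loss:", worst_case_data_loss(timedelta(hours=24), timedelta(hours=6)))
    print("max interval   :", max_backup_interval(timedelta(hours=24), timedelta(hours=6)))
```

In the constructed incident the 6 March 02:00 copy exists but is still on site, so the recovery point falls back to 5 March 02:00: 29 hours of data loss against a 24 hour RPO, and 12 hours of downtime against an 8 hour RTO. With a 6 hour transit lag the backup interval would have to drop to 18 hours to meet the RPO in the worst case, or the lag removed by shipping changes continuously (the remote journaling described earlier).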

Page 38: CISA REVIEW

A recovery strategy identifies the best way to recover a system in case of interruption, including disaster. When an organization determines which recovery strategies to act on and when, it must consider the totality of each preventive, detective and corrective measure. Recommended actions would be to:

• Remove the threat altogether (if possible)
• Minimize the likelihood of occurrence of the threat
• Minimize the effect of occurrence of the threat

Removing the threat and minimizing the likelihood of occurrence can be addressed through the implementation of physical and environmental security. Minimizing the effect can be achieved by implementing built-in resilience through alternative routing and redundancy.

Page 39: CISA REVIEW

The purpose of testing is to identify the limitations of the BCP by determining how well the plan works and which portions of the plan need improvement. Testing plans should have the following objectives:

• Evaluate the performance of the personnel involved in the exercise
• Evaluate the coordination among the BCP team and external vendors and suppliers
• Measure the ability and capacity of the backup site to perform prescribed processing
• Assess the vital records retrieval capability
• Measure the overall performance of operational and IS processing activities related to maintaining the business entity

Page 40: CISA REVIEW

Think About It: There can be many goals and objectives that management may want to achieve through the testing of the organization's BCPs and DRPs. What are some of the minimum objectives that management should strive to achieve through its testing process?

Page 41: CISA REVIEW

Answer: Management should clearly define which functions, systems or processes are going to be tested and what will constitute a successful test. The objective of a testing program is to ensure that the BCP remains accurate, relevant and operable under adverse conditions. Testing should include applications and business functions that were identified during the BIA. The BIA determines the recovery point objectives (RPOs) and recovery time objectives (RTOs), which then help determine the appropriate recovery strategy.

Page 42: CISA REVIEW

Testing methods vary and, although some require minimal preparation and use few resources, others can be very complex. Each has its own characteristics, objectives and benefits. The type of BCP testing used by an organization should be determined by, among other things, the organization's age and experience with BCP, as well as its size, its complexity and the nature of its business. There are five main types of BCP tests:

• Checklist
• Structured walk-through
• Simulation
• Active simulation
• Full interruption

Page 43: CISA REVIEW

A structured walk-through test is typically the best method to use for initial BCP testing. A structured walk-through is usually performed in a conference room by people who are familiar with the plan but did not actually write the plan. Written procedures for the structured walk-through test should include:

• Test scenario
• Description of event
• Test assumptions
• Test constraints
• Time, day and month that the disaster was reported
• Method of discovery of the event
• Immediate damage assessment
• Specific forms and reports to be used from the plan
• Specific teams involved and other participants
• A moderator not directly participating in the test to log the event
• Documentation of the results and findings in the BCP

Page 44: CISA REVIEW

Test analysis should include:

• An assessment of whether the test objectives were completed
• An assessment of the validity of test data processed
• Corrective action plans to address problems encountered
• A description of any gaps between the BCP and actual test results
• Proposed modifications to the BCP
• Recommendations for future tests

Page 45: CISA REVIEW

Think About It

What basic criteria should an IS auditor use to validate the appropriateness of an organization's test plan?

Page 46: CISA REVIEW

Think About It: Answer

The testing plan's assumptions should be validated to ensure that they are appropriate for BCP requirements. This validation requires the participation of appropriate business, operations and technology staff. Plan assumptions requiring validation include:

• Criticality of services
• Volume of transactions
• Interrelationships among business functions
• Selection of the BCP strategy related to use of facilities and other outages
• Availability and adequacy of resources required to provide the planned service level, such as the time required to establish facilities, obtain backup files or reconstruct documents

Page 47: CISA REVIEW

• All personnel involved with any element of the BCP must be made aware of their roles and responsibilities and must have the necessary experience or be appropriately trained to fulfill their duties. The plan itself must also document each participant's specific responsibilities.

• When reviewing a BCP for human resource management practices, as the IS auditor, you should ensure that:
  • The plan identifies the teams with their assigned responsibilities in the event of an incident or disaster
  • Key decision-making, IS and end-user personnel involved in implementing the BCP are identified
  • The involvement of the individuals or teams depends on the level of the disruption of service and the types of assets lost or damaged

Page 48: CISA REVIEW

Think About It

During the examination of an organization's BCP, as the IS auditor, what are your responsibilities when interviewing key personnel?

Page 49: CISA REVIEW

Think About It: Answer

During the examination of an organization's BCP, your responsibilities when interviewing key personnel include determining whether each person understands his or her assigned tasks and verifying that he or she has documentation describing those responsibilities.

Page 50: CISA REVIEW

Think About It

What is an example of a human element factor that can have a major impact on an organization's recovery in the event of a widespread disaster, such as a flood, tornado or hurricane?

Page 51: CISA REVIEW

Think About It: Answer

A flood, tornado or hurricane can cause personal problems for organization employees, and they may need to take care of themselves, their families or their property before they can help the organization. This factor will have a major impact on the organization's recovery. Because employees and their families could be affected as significantly as (or more significantly than) an organization in an emergency situation, management should not overlook the impact that a disruption could have on the key personnel involved in the recovery process. It may speed up recovery time if an organization locates alternative work facilities close to employee residences, or provides accommodations and services to family members of employees.
