IIA Tucson Chapter April 2014 - Institute of Internal Auditors · BSI https: // ... AVP Enterprise...

IIA Tucson Chapter April 2014



Discussion topics
▪ DR
▪ BCP
▪ BIA
▪ Black swans
▪ IT Application inventory
▪ Critical vendors


Disaster Recovery (DR)

What we think about first with the term “Disaster Recovery”


Black Swans (risks)

Japan nuclear disaster at the Fukushima Daiichi power plants (March 2011)


Disaster Recovery (DR)

Natural catastrophes cause average economic losses of $60 billion to $100 billion each year, though losses incurred in a single large-scale disaster in a major urban centre can exceed this figure, according to the report. For instance, the March 2011 earthquake off the coast of Japan and subsequent tsunami caused total losses of an estimated $235 billion and is considered the costliest natural disaster in history.

Source: CGMA Magazine, 4/4/14, “Ten riskiest cities for natural disasters”, http://www.cgma.org/magazine/news/pages/20149859.aspx?cm_mmc=CGMANL-_-NA-_-NA-_-na&utm_source=cgmanl&utm_medium=04Apr14&utm_term=TopNews&[email protected]&cm_mmc=AICPA-_-Cheetahmail-_-CGMA_S1_AIAPR113-_-APR14


Black Swans (risks)

Black swan: power grid down

A memo put out by the Federal Energy Regulatory Commission in June warned that if nine key substations were destroyed, along with one transformer manufacturer, the entire United States power grid would be down for at least 18 months, probably longer.

Cost: approximately $8M to build

Source: David Weinberg, Marketplace, Thursday, March 13, 2014, http://www.marketplace.org/topics/sustainability/us-relies-transformers-and-thats-little-scary


Disaster Recovery
▪ Crisis management plan
▪ Crisis communication plan
▪ Recovery
▪ Restoration


Business Continuity Planning

Details of the recovery phase of DR
▪ Where do people go to work?
  ▪ Alternate sites, VPN, COLO
▪ How will they work?
  ▪ Their day job, or can they help others?
▪ For how long?

http://www.youtube.com/watch?v=6UUH7Kt6ybg


Business Impact Analysis

Measures the company operations:
▪ People
▪ Processes
▪ System dependencies
▪ Vendor dependencies (link to VM and IT Application Inventory)

Identify what is critical to operations. Identify what is critical to revenue generation.


Business Impact Analysis

RTO – Recovery Time Objective
▪ The time period in which systems, applications and/or business functions must be recovered after an outage

RPO – Recovery Point Objective
▪ The data loss tolerance for a business function or application

Source: Protiviti – Guide to BCM, 3rd Edition (2013), http://www.protiviti.com/en-US/Documents/Resource-Guides/Guide-to-BCM-Third-Edition-Protiviti.pdf


Resources – professional organizations

BSI
▪ https://www.bsi.bund.de/EN/Home/home_node.html

DRII
▪ https://drii.org/

ISO – International Organization for Standardization (Business continuity – ISO 22301)
▪ http://www.iso.org/iso/home/news_index/news_archive/news.htm?refid=Ref1602


Resources – consulting firms

Protiviti
▪ http://www.protiviti.com/en-US/Pages/Business-Continuity-Management.aspx

MHA-IT
▪ http://www.mha-it.com/knowledge-center/

Quantivate
▪ http://quantivate.com/


Resources – guides and certifications

Protiviti FAQ (and certifications – see 42. What are the available certification options?)

IIA Guidance – GTAG 10


Questions, final thoughts

Jon Bruflat – CPA, CRMA, AVP Enterprise Risk Management, Vantage West Credit Union, [email protected]
