Module 7: Business Continuity Management (cit.icai.org/ISACourse2.0DVD/7.0_Business_Continuity...)
7.0 Overview
Module 7: Business Continuity Management
Salient features of ISA Course 2.0
• Learning Objectives
• Task Statements
• Knowledge Statements
• Relationship between Task and Knowledge Statements
• Knowledge Statement Reference Guide
• Organisation of Chapters
Task Statements
7.1 Distinguish between Disaster recovery plan, Business Continuity Plan and BCM.
7.2 Evaluate the enterprise business continuity plan to assess the adequacy and capability to continue essential business operations during the period of an IT or non-IT disruption.
7.3 Apply industry best practices and regulatory requirements as relevant for BCM, such as COBIT/ISO, etc.
7.4 Map business continuity management practices to enterprise requirements, objectives and budgets.
7.5 Review the enterprise processes of business resilience in the context of BCM.
7.6 Identify the business and operational risks inherent in an entity’s disaster recovery/business continuity plan.
7.7 Assess the process of business Impact analysis.
7.8 Identify recovery strategies and their adequacy to meet business needs.
7.9 Assess impact of RPO/RTO on computer setup and IT service design.
7.10 Assess adequacy of operations and end-user procedures for managing scheduled and non-scheduled breakdowns and incident management.
7.11 Perform various types of tests for different aspects of Business continuity.
7.12 Assess adequacy of documentation and maintenance process of BCM.
7.13 Assess Service level management practices and the components within a service level agreement.
7.14 Review monitoring of third party compliance with the enterprise controls as relevant to BCM.
7.15 Evaluate adequacy of BCP processes and practices to confirm it meets business continuity requirements.
7.16 Evaluate enterprise BCM practices to determine whether they meet enterprise requirements.
Knowledge Statements
7.1 DRP, BCP and BCM processes and practices and related documentation.
7.2 Industry best practices as relevant such as COBIT, ISO standard for BCP/DRP.
7.3 IT deployment in enterprises and business continuity requirements at various levels of IT such as hardware, network, system software, database software, application software, data, facilities, human resources, etc.
7.4 System resiliency tools and techniques (e.g., fault tolerant hardware, elimination of single point of failure, clustering, etc.).
7.5 Business impact analysis (BIA) related to disaster recovery planning.
7.6 Development and maintenance of BCM, BCP and DRP.
7.7 Problem and incident management practices (e.g., help desk, escalation procedures, tracking).
7.8 Analyzing SLA reports and relevant provisions.
7.9 Backup & Recovery strategies, Recovery Window, RPO and RTO.
7.10 Data backup, storage, maintenance, retention and restoration practices.
7.11 Regulatory, legal, contractual and insurance issues related to BCM.
7.12 Types of alternate processing sites and methods (e.g., near site, hot sites, warm sites, cold sites).
7.13 Processes used to invoke the disaster recovery plans and BCP as relevant.
7.14 Testing methods for DRP/BCP and BCM.
7.15 Auditing the BCP-DRP plans and participation in Drills.
Task and Knowledge Statements Mapping

Task Statement 7.1: Distinguish between Disaster Recovery Plan, Business Continuity Plan and BCM and related documentation.
  Knowledge Statements: 7.1 DRP, BCP and BCM processes and practices.

Task Statement 7.2: Evaluate the organisation business continuity plan to assess the adequacy and capability to continue essential business operations during the period of an IT or non-IT disruption.
  Knowledge Statements: 7.2 Industry best practices as relevant such as COBIT, ISO standard for BCP/DRP; 7.3 IT deployment in organisations and business continuity requirements at various levels of IT such as hardware, network, system software, database software, application software, data, facilities, HR, etc.

Task Statement 7.3: Apply industry best practices and regulatory requirements as relevant for BCM, such as COBIT/ISO.
  Knowledge Statements: 7.2 Industry best practices as relevant such as COBIT, ISO standard for BCP/DRP.

Task Statement 7.4: Map business continuity management practices to organisation requirements, objectives and budgets.
  Knowledge Statements: 7.4 System resiliency tools and techniques (e.g., fault tolerant hardware, elimination of single point of failure); 7.6 Development and maintenance of BCM, BCP and DRP; 7.5 Business impact analysis (BIA) related to disaster recovery planning.

Task Statement 7.5: Review the organisation processes of business resilience in the context of BCM.
  Knowledge Statements: 7.5 Business impact analysis (BIA) related to disaster recovery planning.

Task Statement 7.6: Identify the business and operational risks inherent in an entity's disaster recovery/business continuity plan.
  Knowledge Statements: 7.5 Business impact analysis (BIA) related to disaster recovery planning; 7.6 Development and maintenance of BCM, BCP and DRP.

Task Statement 7.7: Assess the process of Business Impact Analysis.
  Knowledge Statements: 7.5 Business Impact Analysis (BIA) related to disaster recovery planning.

Task Statement 7.8: Identify recovery strategies and their adequacy to meet business needs.
  Knowledge Statements: 7.6 Development and maintenance of BCM, BCP and DRP; 7.7 Problem and incident management practices (e.g., help desk, escalation procedures, tracking); 7.15 BCM documentation and maintenance processes and procedures.

Task Statement 7.9: Assess impact of RPO/RTO on computer setup and IT service design.
  Knowledge Statements: 7.9 Backup and recovery strategies, recovery window, RPO and RTO; 7.10 Data backup, storage, maintenance, retention and restoration practices.

Task Statement 7.10: Assess adequacy of operations and end-user procedures for managing disruptions and incident management.
  Knowledge Statements: 7.13 Processes used to invoke the disaster recovery plans and BCP as relevant; 7.9 Backup and recovery strategies, recovery window, RPO and RTO.

Task Statement 7.11: Perform various types of tests for different aspects of business continuity.
  Knowledge Statements: 7.14 Testing methods for DRP/BCP and BCM; 7.16 Auditing the BCP-DRP plans and participation in drills.

Task Statement 7.12: Assess adequacy of documentation and maintenance process of BCM.
  Knowledge Statements: 7.1 BCM, BCP, DRP and related documentation; 7.10 Data backup, storage, maintenance, retention and restoration practices.

Task Statement 7.13: Assess service level management practices and the components within a service level agreement.
  Knowledge Statements: 7.8 Identifying recovery strategies and their adequacy to meet business needs.

Task Statement 7.14: Review monitoring of third party compliance with the organisation controls as relevant to BCM.
  Knowledge Statements: 7.11 Regulatory, legal, contractual and insurance issues related to BCM.

Task Statement 7.15: Evaluate adequacy of BCP processes and practices to confirm they meet business continuity requirements.
  Knowledge Statements: 7.9 Backup and recovery strategies, recovery window, RPO and RTO; 7.10 Data backup, storage, maintenance, retention and restoration practices; 7.12 Types of alternate processing sites and methods (e.g., near site, hot sites, warm sites, cold sites); 7.1 BCM, BCP, DRP and related documentation.

Task Statement 7.16: Evaluate organisation BCM practices to determine whether they meet organisation requirements.
  Knowledge Statements: 7.14 Testing methods for DRP/BCP and BCM; 7.15 Auditing the BCP and DRP plans; 7.13 Processes used to invoke the disaster recovery plans and BCP as relevant.
Knowledge Statement Reference Guide

KS 7.1 DRP, BCP, BCM processes and practices and related documentation.
  Key Concept: Understand the difference between BCP, DRP and the BCM process. (Reference: 1.1, 1.2, 1.3)
  Key Concept: Understand the meaning of disaster and threat. (Reference: 1.5, 1.5, 1.7)
  Key Concept: Understand the objectives of and need for a BCM. (Reference: 1.2, 1.3, 1.4)

KS 7.2 Industry best practices as relevant such as COBIT, ISO standard for BCP/DRP.
  Key Concept: Understand regulatory requirements and guidance on BCP best practices. (Reference: 3.3 and 3.4)
  Key Concept: Understand the guidance given by frameworks to facilitate better BCP. (Reference: 3.3 and 3.4)

KS 7.3 IT deployment in organisations and business continuity requirements at various levels of IT such as hardware, network, system software, database software, application software, data, facilities and HR.
  Key Concept: Understand the BCP requirements at various levels of the IT infrastructure and the criticality of the functions of each level. (Reference: 1.2, 1.3, 1.4)

KS 7.4 System resiliency tools and techniques (e.g., fault tolerant hardware, elimination of single point of failure, etc.).
  Key Concept: Understand preventive controls that will help in reducing the risk of disasters. (Reference: 2.6 and 2.8)

KS 7.5 Business impact analysis (BIA) related to disaster recovery planning.
  Key Concept: Understand the BIA as a key driver of the BCP/DR process. (Reference: 1.3, 2.2)

KS 7.6 Development and maintenance of BCM, BCP and DRP.
  Key Concept: Understand the process for developing a BCP/DRP. (Reference: 1.2, 1.3, 1.4, 2.2, 2.4, 2.7)
  Key Concept: Understand the maintenance process of a BCP/DRP and how to check the validity of the plan when technologies are updated. (Reference: 1.2, 1.3, 1.4, 2.2, 2.4, 2.7)

KS 7.7 Problem and incident management practices (e.g., help desk, escalation procedures, tracking).
  Key Concept: Understand the need for having an incident management process. (Reference: 1.2, 1.3, 1.5, 2.2)

KS 7.8 Analyzing SLA reports and relevant provisions.
  Key Concept: Understand the meaning of a Service Level Agreement (SLA) and ensure that the services provided by the vendor are on par with the provisions mentioned in the SLA. (Reference: 3.2)

KS 7.9 Backup and recovery strategies, recovery window, RPO and RTO.
  Key Concept: Understand the backup and recovery strategies and the critical recovery time period. (Reference: 2.2, 2.6, 3.2)

KS 7.10 Data backup, storage, maintenance, retention and restoration practices.
  Key Concept: Understand the corrective controls for backup, rerun and restoration practices. (Reference: 2.6, 3.2, 3.4)

KS 7.11 Regulatory, legal, contractual and insurance issues related to BCM.
  Key Concept: Understand the regulatory, legal and contractual issues and compliances related to BCM. (Reference: 3.3, 3.4)
  Key Concept: Understand the types of insurance that are available. (Reference: 2.9)

KS 7.12 Types of alternate processing sites and methods (e.g., hot sites, warm sites, cold sites).
  Key Concept: Understand the different types of alternate processing sites and the need for having the correct site. (Reference: 2.9)

KS 7.13 Processes used to invoke the disaster recovery plans and BCP as relevant.
  Key Concept: Understand the processes to initiate a DR process for restoration of uptime of IT services at the time of a critical incident. (Reference: 2.4, 3.3, 2.9)
  Key Concept: Understand the process to initiate a BCP following a DR process for complete restoration of core business operations. (Reference: 2.4, 3.3, 2.9)

KS 7.14 Testing methods for DRP/BCP and BCM.
  Key Concept: Understand the different types of tests for concluding whether the BCP and DR plans are relevant for the entity. (Reference: 2.2)

KS 7.15 Auditing the BCP and DRP plans.
  Key Concept: Understand the audit of a BCP/DRP plan. (Reference: 2.2, 3.3, 3.5)
  Key Concept: Understand the audit of the testing of a BCP/DRP plan. (Reference: 2.2, 3.3, 3.5)
Chapter 1: Agenda
Chapter 1: Business Continuity Management, Business Continuity Planning, Disaster Recovery Planning
• Concept of Disaster Recovery Process, Business Continuity Plan and Business Continuity Management.
• Objectives of BCM and BCP.
• Need for BCM at business level.
• Need for BCM at various levels of the IT environment.
• Concept of disaster.
• Phases of disaster.
• Impact of disaster.

Chapter 2: Agenda
Chapter 2: Strategies for development of business continuity plan
• Prerequisites in developing a Business Continuity Plan.
• Phase 1 - Business Impact Analysis.
• Phase 2 - Risk Assessment and Methodology of Risk Assessment.
• Phase 3 - Development of BCP.
• Phase 4 - Testing of BCP and DRP.
• Phase 5 - Training and Awareness.
• Phase 6 - Maintenance of BCP and DRP.
• Incident Handling and Management.
• Invoking a DR Phase/BCP Phases.
• Documentation - BCP Manual and BCM Policy.
• Data backup, retention and restoration practices.
• Backup and recovery strategies.
• Types of recovery and alternative sites.
• System resiliency tools and techniques.
• Insurance and types of insurance.

Chapter 3: Agenda
Chapter 3: Audit of Business Continuity plan
• Regulation requirements.
• Reference to standards, frameworks, etc.
• Audit of BCP and DRP.
• Services that can be provided by an IS Auditor in BCM.