ISCA (Business Continuity Planning & Disaster Recovery Plan)

A J M C O M M E R C E A C A D E M Y C A F I N A L N O T E S I N F O R M A T I O N S Y S T E M S C O N T R O L A N D A U D I T F O R M A Y 2 0 1 6 C A A K H I L M I T TA L Self-Study Guide for ISCA CA Akhil Mittal Page | 2 Subject: Information Systems Control and Audit Profession: CA Final Paper VI Chapter No.: 4 Chapter Name: Business Continuity Planning And Disaster Recovery Planning Number of pages: 22 Contents: あ Introduction あ Need for business continuity plan あ BCM Policy あ Business continuity Planning あ Developing a business continuity Planning あ Components of BCM process あ BCM management Process あ BCM information collection Process あ BCM strategy process あ BCM development and implementation Process あ BCM Testing and maintenance program あ BCM Training Process あ Types of Plans あ Types of Back Up あ Alternate Processing facility arrangements あ Disaster Recovery procedure Plan あ Audit of BCP/DRP Self-Study Guide for ISCA CA Akhil Mittal Page | 3 INDEX Business Continuity Planning And Disaster Recovery Planning -- Introduction -- Need for business continuity plan -- BCP Manual -- Scope of business Continuity -- Advantages of business Continuity -- BCM Policy -- Business continuity Planning -- Developing a business continuity Planning -- Components of BCM process -- BCM management Process -- BCM information collection Process -- BCM strategy process -- BCM development and implementation Process -- BCM Testing and maintenance program -- BCM Training Process -- Types of Plans -- Types of Back Up -- Alternate Processing facility arrangements -- Disaster Recovery procedure Plan -- Audit of BCP/DRP Self-Study Guide for ISCA CA Akhil Mittal Page | 4 CHAPTER – 4 BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY PLANNING 1. INTRODUCTION: Business continuity management (BCM) has emerged very effective management process to help enterprises to manage all kinds of disruption and to ensure safeguards to prevent such disruptions. In order to ensure effective implementation of the BCM, enterprise must conduct internal audit at regular interval. The findings of such audit must be reported to management necessary to take corrective measures and improvements. This chapter provides insight into BCM policy, BCM processes of management, assessment, strategy etc. This facilitates understanding of the concept, planning, implementation and continuous improvement of BCP’s. 2. NEED FOR BUSINESS CONTINUITY MANAGEMENT: Enterprises must implement time tested, well-defined plans and procedures to ensure accomplishment of the objectives and continuity of the services and operations. Here are some of the terms related to BCM: A. BUSINESS CONTINGENCY: -- It is an event with the potential to disrupt computer operations, thereby disrupting business missions and functions. -- E.g.: power failure, hardware failure etc. B. BCP PROCESS: -- BCP is process designed to reduce the risk to an enterprise from an unexpected disruption. -- The purpose of BCP is to ensure vital business functions are recovered and operationalized within an acceptable timeframe. -- BCP identifies all critical functions of the enterprise and resources required to support them. C. BUSINESS CONTINUITY PLANS: -- It refers to ability of enterprise to recover from the disaster and continue operation with least impact. -- Every business must have business continuity plan as relevant to the activities of the enterprises. BCP MANUAL: BCP manual is a documented description of actions to be taken, resources to be used and procedure to be followed before, during and after an event that disrupts the business functions or operations. BCP is expected to provide the following assurance: Self-Study Guide for ISCA CA Akhil Mittal Page | 5 1. Assurance to senior management about the recover capabilities of the system from unexpected incident or disaster. 2. Anticipate various types of incident/disaster scenario and outline action plan for recovering from incident. SCOPE OF BUSINESS CONTINUITY: Top management is entrusted with the task to define the scope of BCM program by identifying the key products and services that are undertaken to accomplish the organisational objectives, goals and missions. ADVANTAGES OF BUSINESS CONTINUITY: Following are the objectives of Business continuity management (BCM): A. Proactively assess the risks or threat scenario.(खतर� क� scenario का आकलन) B. Enterprise has planned response to disruptions which may cause the damage and minimise the impact of the damages. (Business खतर� के �लए तैयार है by using planned response). C. Enterprise is able to demonstrate a response through process of regular testing and trainings. 3. BCM POLICY: The main objectives of BCP is minimise/eliminate the loss to enterprise’s business in terms of revenue loss, loss of image (reputation), loss of productivity and customer satisfaction. A policy document is high level document which shall be used as a guide to make a systematic approach for disaster recovery. It makes the people aware about the business continuity aspects and its importance. The main objectives of this policy are to provide a structure through which: A. Critical processes and support functions to be identified B. Operation which are crucial to business to be reassumed quickly. C. Losses to be minimized. D. Disruption to be minimized of the operations and resources. E. Safety to the people at time of the disaster. 4. BUSINESS CONTINUITY PLANNING: It is creation of a practical logistical plan for how an enterprise will recover and restore partially or fully interrupted critical functions within prescribed time after a disaster. CODE TO REMEMBER: C.O.L.D.S. Self-Study Guide for ISCA CA Akhil Mittal Page | 6 Practical logistical plan is known as BUISNESS CONTINUITY PLAN. Planning is the activity to be performed before the disaster occurs. It is important because the result of such disaster may affect the business’s operations, profitability and quality of services. When the risk manifest (जो�खम का �कट होना) itself through disruptive events, the business continuity plan is the guide document that allows the management team to continue operations. In simple words, it is a plan for running the business in stressful and time compressed (less available time) situations. Business continuity covers the following areas: 1. Business Resumption planning: Provides mission critical business operation even at time of disaster & recovery of disaster. 2. Crisis Management: It involves planning to manage crises events. The overall co-ordination of an organization’s response to a crisis effectively in time with the aim of minimizing damage to the organization profitability, operations etc. 3. Disaster Recovery planning: The technological aspect of BCP, the advance planning & preparations to minimize losses & ensure operations of critical business areas. The business continuity life cycle is being categorised in to 4 sequential sections; 1. Risk assessment (Risk का पता करना ) 2. Determination of recovery alternatives. ( Risk से बचने के �लए alternatives ढ ूं ढ़ना) 3. Recovery plan implementation. ( Recovery plans को लाग ू करना ) 4. Recovery plan validation: ( Recovery plan worked as per requirement) OBJECTIVES AND GOALS OF BUSINESS CONTINUITY PLANNING : Primary objective of the business continuity plan is to minimise the loss by minimising the cost associated with the disruption of the critical operations of the business. In order to survive in this competitive business scenario, it is imperative for the business to assure that critical operations can résumé within a reasonable time frame. The key objectives of the contingency plan are: I am hereby differentiating the points so that it will be easy to remind the points: CODE TO REMEMBER: B-C-D Self-Study Guide for ISCA CA Akhil Mittal Page | 7 5. DEVELOPING A BUSINESS CONTINUITY PLAN: The methodology for developing a BCP can e divided into 8 phases...but before going to proceed further it is important to know the subject matters on which this methodology emphasis: A. Documenting impact of loss: -- Documenting the impact of the loss to operations and key business functions. B. Comprehensive study to management : -- Providing management with comprehensive understanding of the total efforts required to develop and maintain an effective recovery plan. C. Recovery requirements: -- Defining the recovery requirements from the perspective of business functions. D. Appropriate management support : -- Obtaining commitment from appropriate management to support and participate in the efforts. E. Focus area: -- Focusing on disaster prevention and impact minimisation and orderly recovery. •CRITICAL BUSINESS OPERATIONS•SUPPORTING FUNCTIONSIDENTIFICATION OF •PEOPLE ON THE PREMISES AT THE TIME OF DISASTER PROVIDE SAFETY TO•IMMEDIATE LOSSES AND DAMAGES•DURATION OF SERIOUS DISRUPTION TO OPERATIONS AND RESOURCESMINIMISECODE TO REMEMBER: D. – C.R.A.F.T. Self-Study Guide for ISCA CA Akhil Mittal Page | 8 F. Team building: -- Selecting business continuity team ensuring balance required for plan development. The eight phases are given as under with explanation: Now explaining the each methodology one by one: 1.) PRE-PLANNING ACTIVITIES: In this phase, following aspects are being taken into consideration for effective business continuity plan: (a) Understanding existing projected systems environment of organization. (b) Steering Committee should be established to undertake planning. (c) Manager with steering committee for finalizing & implementing plan. (d) Develop policy to support BCP. (e) Awareness & education to management to participate in BCP. 2.) VULNERABILITY ASSESSMENT: In this phase, assessment of cause of disaster and probability of disaster occurrence is performed. This phase includes: (a) Analysis of possible threats. (b) Assessment of all security measures & control for IT system. (c) This assessment helps steering committee in initiating actions in timely manner. Testing the Plan Design & development of BCP Plan Detailed Definition Of requirement Business Impact Analysis Vulnerability Assessment 2. 3. 4. 5. 6. 7. Maintenance Program Pre planning Activities Initial Plan testing and implementation 1. 8. Self-Study Guide for ISCA CA Akhil Mittal Page | 9 (d) Scope of planning efforts. 3) BUSINESS IMPACT ANALYSIS: In this phase, possible impact of disasters on the business is analyzed. This enables the business to know or identify critical systems, processes & functions and access economic impact of various incidents. Following some matters are covered: (a) Identify risks or disasters (b) Identify critical processes (c) Identify & quantify the threats to critical processes (d) Identify the type & quantity of resources required for recovery etc. 4) DETAILED DEFINITION OF REQUIRMENTS: Once BIA is prepared and accepted, the next step is searching of the details of disaster recovery requirement by the business continuity team. This report includes details of resources like hardware, software, documents, office facility and personnel for business. Here various strategies are determined i.e. SHORT TERM, MEDIUM TERM & LONG TERM OUTAGES. 5) DESIGN & DEVELOPMENT OF BCP PLAN: This phase is extended phase of definitions requirement plans. Here recovery plans components are defined and plans are documented. The objective of this phase is to DETERMINE THE AVAILABLE OPTIONS & formulate the appropriate plan/strategy to provide timely recovery. Recovery mode is 2 tiered: (a) Business- Logistics, accounting, human resources etc. (b) Technical- Information Technology. 6) TESTING THE PLAN: The testing program is established in this phase. Testing goals are established and alternative testing strategies are evaluated. Unless the plan is tested on a regular basis, there is no assurance that in event the plan is activated, the organization will survive a disaster. Following objectives of performing BCP tests to ensure: Recovery Procedure must be Workable 1.) Competence of personal in performance. 2.) Manual recovery procedures & IT backup are operational. 3.) Business processes resources are obtainable & operational. 4.) Success & failure of the business continuity training program is monitored. 1 Self-Study Guide for ISCA CA Akhil Mittal Page | 10 7) Maintenance program: It is imperative to the success for actual recovery. It is critical that existing resources are revised to take recovery plan maintenance into account. Various tasks are undertaken under this phases which are as follows: 1. Determining the Responsibility for maintaining the BCP strategies. 2. Ensure that any changes in organization are Communicated to the personnel who are accountable for up to date updates of the plans. 3. Maintenance Processes to update the plan. 4. Control procedures to ensure that plan is maintained up-to-date. 8) Initial plan testing and implementation; Once plans are developed, initial test of plans are conducted and any necessary modifications are beign made based on the test analysis. Some of the activities invploved in this phase are as given below: -- Why tests are needed (TEST क� ज�रत �य� है) -- Identify the test team (TEST के �लए टे �ट ट�म तैयार करना) -- Structure the test (How to perform the test – TEST कै से करना है) -- Conduct the test (TEST conduct करना है ) -- Analysis test results (Test के rseult का analysis करना है) -- Modify the plans as appropiate 6. COMPONENTS OF BCM PROCESS: The following diagram will provide you an outlook of BCM process components: -- Assessing Needs -- BIA analysis -- Measure results -- Risk assessment -- Organising BCM strategies -- Implement mgmt. Plan -- Process level BCM strategies -- Business continuity plan -- Testing of BCM plans -- Resource recovery BCM strategies -- BCM maintenance -- BCM audit & review CODE TO REMEMBER: RC – PC Me ans PC ke li y e we wi ll be i nc urri ng re pai r c o st , so MAI NT ENANCE BCM MANAGEMENT PROCESS BCM Strategies Testing and maintenance Development & Implementation BCM Strategies Information collection Self-Study Guide for ISCA CA Akhil Mittal Page | 11 BCM - MANAGEMENT PROCESS -- It enables the business continuity, capacity and capability to be established and maintained. -- Capacity and capability is to be established as per the requirements of the enterprises. BCM – INFORMATION COLLECTION PROCESS -- It involves prioritisation of the entity’s service and products and urgency of the activities. -- That sets the requirements that will determine the selection of appropriate BCM strategies. BCM – STRATEGY PROCESS -- To finalise the strategy it is important to assess the wide range of the strategies. -- The selection of the strategy requires taking into account the processes and technologies present there with. BCM – DEVELOPMENT AND IMPLEMENTATION PROCESS -- Development of management framework and structure of business continuity, business recovery and restoration plans. BCM – TESTING AND MAINTENANCE PROCESS -- BCM testing, maintenance and audit ensures that plans are complete, accurate and current. BCM – TRAINING PROCESS -- Extensive training in BCM framework, business continuity and recovery and restoration plans ensures that enterprises can cope up with any disruptions. It enhances the stakeholders’ confidence in the entity too. 7. BCM MANAGEMENT PROCESS: A BCM policy must be at its place in the organisation so as to ensure that proper responsibilities and accountability has been provided to the management. It provides organisation structure with responsibilities and authority. BCM processes are mapped as follows: 7.1.ORGANISATION STRUCTURE: The organisation must nominate a person or team with appropriate seniority and authority to be accountable for BCM policy implementation and maintenance. It should clearly define the person responsible for the business continuity within the enterprise and responsibilities. 7.2.IMPLEMENTING BUSINESS CONTINUITY IN THE ENTERPRISE AND MAINTENANCE: In establishing and implementing the BCM system, managers from each function on the site represent their areas of the operations. They are wholly responsible for the on-going operation and maintenance of the system. Top management must appoint manager (BCM) who will be responsible for the policy implementation and maintenance. Self-Study Guide for ISCA CA Akhil Mittal Page | 12 The policy must be communicated to all stakeholders with appropriate training. In implementation, following activities are undertaken: -- Defining the scope -- Defining roles and responsibilities -- Involving all stake holders -- Testing the program on regular basis -- Reviewing, updating and reworking continuity capabilities, risk assessments etc. -- Managing benefit and costs associated. 7.3.BCM DOCUMENTATION AND RECORDS: All documents are subject to document control and record control processes. The following documents are being classified as part of business continuity management system: I am here by trying to enumerate the points in a way so that it will be easy to remember: The policies include: (Policy म� �या होता है) 1. The business continuity plans. 2. The business continuity management system 3. Business continuity strategies. 4. The business continuity policy. What are the functions undertaken in the BCM system: 1.Aim and objective of each function. 2.Activities undertaken by each function. 3.Incident log 4.Training program Control measures through reporting and analysis: 1.The Business impact analysis report. 2.The risk assessment report. 3.Preventive actions, corrective actions, document and record control processes. 4.Exercise schedule and results Self-Study Guide for ISCA CA Akhil Mittal Page | 13 8. BCM INFORMATION COLLECTION PROCESS: It is indeed pertinent for the company to understand the enterprise from all the perspective i.e. interdependence of activities, external atmosphere and also includes: A. Enterprise objectives, stakeholder obligations, statutory duties etc. B. Activities, assets and resources that supports the delivery of those products and services. C. Threats that may disrupt the entity’s products and services. Before developing the BCP plans it is important to pre-plan the things which involve collection of the information. However it is important to note that the results of BCM plans are reviewed by top management. Business impact analysis (BIA) and risk assessment will be viewed as part of annual BCM management review. Now explaining the both assessment procedure in detail: I. BUSINESS IMPACT ANAYSIS: It means systematically assessing the potential impacts resulting from various events or incidence. This process determines and documents impact of the disruption of the activities. It enables the TEAM to identify the critical process and systems AND assess the impact of the disaster. The enterprise should: I. Identify the critical business processes. II. Assess the impact of the disaster on the activities of the entity. III. Identify the period within which the activities need to be resumed. IV. Identify the inter-dependent activities, assets that have to be maintained continuously or recovered over time. Self-Study Guide for ISCA CA Akhil Mittal Page | 14 II. CLASSIFICATION OF CRTITICAL ACTIVITIES: BCP team and its leader in consultation with the function owner shall carry out business impact analysis. BIA helps in categorisation of infrastructure, disasters and disaster causes. The categorisation is as follow: 1. BUSINESS CATEGORISATION: In deciding whether a function is vital/essential/desirable, following parameters are considered LOSS OF REVENUE LOSS OF REPUTATION DECREASE IN CUSTOMER SATISFACTION LOSS OF PRODUCTIVITY Theses parameters shall be graded in a 3 point scale: 1- Low (L) 2- Medium (M) 3- High (H) 2. DISASTER SECENARIO: This includes nature of disaster (major, minor, trivial and catastrophic). These can be represented with the help of following matrix: Likelihood Consequences 5 Almost certain 5 Calamity 4 Probable 4 Serious loss of business 3 Possible 3 Loss of business 2 Unlikely or Unfortunate 2 Inconvenience 1 Rare almost no chance 1 No real loss Self-Study Guide for ISCA CA Akhil Mittal Page | 15 III. RISK ASSESSMENT: Risk assessment is the assessment of disruption of critical activities, which are supported by the resources such as people, process, technology etc. The enterprise should determine threats, vulnerabilities of each resources and its impact on the business. THREATS may be described as event or action that causes impact on the resources. E.g. effect of flood, power failure, staff loss etc. VULNERABILITIES might occur as weakness within the resources and sometimes exploited by the threats. E.g. single point failure, weakness in IT security, inadequacies in the fire protection etc. Impact might result from exploitation of vulnerabilities by threats. The enterprise under BIA must identify and take measures to: 1) Reduce the likelihood of the disruption. 2) Shorten the period of disruption. 3) Limit the impact of disruption on the products and services. 9. BCM STRATEGY PROCESS: I will first of all explain BCM strategy process with an example: Risks at ABC company Likelihood Cons. Score Loss of primary connection to internet 2 5 10 Loss of Power at Data Centre 3 5 15 Fire in Data Room 2 5 10 Fire at head office 2 5 10 Loss of primary web server 3 5 15 Loss of Domain controller 3 5 15 Loss of Database server 3 5 15 DoS Attack 3 4 12 Hack of database or web site 2 4 8 Loss of data on disk drive due to failure 4 5 20 Human Error 3 5 15 Loss of key personnel 2 2 4 Key personnel on holiday or unavailable 4 2 8 Requirement for External support 3 3 9 Self-Study Guide for ISCA CA Akhil Mittal Page | 16 “A war has been broke out between two nations. Both the nations’ armed forces will try to protect his nation from the invasion of enemy. As such the heads of the armed forces will make strategy to cope up with the invasion in order to protect the nation” Now replacing the words: NATION protect करना है : Critical functions of the enterprises. ARMED FORCES : Enterprise. STRATEGY : Strategy of enterprise. (जैसे सेना द ु �मन से रा�� क� र�ा करता है similarly �यापार के काय� क� र�ा के �लए strategy is necessary by enterprise) There is need for implementing the strategies for protecting critical functions (nation) by the enterprise (Armed forces). For example, establish the procedures for backing up files and applications. Establish contracts and agreements to protect the critical functions. Enterprises must document a series of plans which enable them to effectively manage an incident. However it is pertinent to say that non –critical functions and their recovery process is also included in the business continuity plan. 10. BCM DEVELOPMENT AND IMPLEMENTATION PROCESS: An enterprise should have an incident management team, crisis management team for an effective response and recovery from the disruption. There must exist a structure to enable the enterprise to: - Ascertain nature and extent of incident impact. - Control of situation. - Contain the incident. - Communicate with the stakeholders - Coordinate appropriate response. Some of BCP Plans 1. INCIDENT MANAGEMENT PLAN: -- To manage the initial phase of an incident, the crisis is handled by IMP. -- IMP should have top management support with appropriate budget for development & maintenance -- Features of a good IMP: -- They should be flexible, feasible and relevant. -- It must be easy to read and understand. -- It must provide basis for managing all possible issues including shareholder issues etc. Recovery from disruptionIncident Management PlanThe Buisness continuity Plan Self-Study Guide for ISCA CA Akhil Mittal Page | 17 2. BUSINESS CONTINUITY PLAN: -- To recover or maintain the activities in the event of the disruption to a normal operation. -- The recovery strategy may be two tiered: BUSINESS : Logistics, human resources etc. TECHNICAL : Information technology e.g. desktop, data, client server, voice networks etc. 11. BCM TESTING AND MAINTENANCE PROCESS: We will study both the concept one by one A. BCM TESTING: A BCP has to be tested for any flaws that may be inherited in the planning and implementation phase. Responsibility for keeping the BCP updated has to be clearly defined in the BCP plans. BCM testing must be within the scope of BCP plans. An exercise program must assure that the BCP will work as anticipated when required. The testing includes testing of technical, logistical, procedural, and other operational system, BCM arrangements and infrastructure, technology and telecommunication recovery, relocating of staff etc. It also improves BCP capability by: A. Practicing Recovery ability of the enterprise. B. Identification of all critical activities and their dependencies and priorities of the enterprise and ensure that BCP incorporated all. C. Confidence building among the exercise participants. D. Effectiveness and timeliness of restoration activities is being validated. E. Demonstrating competence of the primary response team and their alternatives. The frequency of BCP testing differs from entity to entity. However, motto or objective of BCP testing is the same for all enterprise. AS such BCP tests must ensure that: 1. Recovery processes are complete and workable. 2. Resources such as systems, personnel, facilities, data etc are obtainable. 3. The manual recovery procedure & IT backup systems are current and are readily operational. 4. Monitoring of the success and failure of the business continuity training program. Once plans are developed, initial test of plans are conducted and any necessary modifications are beign made based on the test analysis. Some of the activities invploved in this phase are as given below: -- Why tests are needed (TEST क� ज�रत �य� है) -- Identify the test team (TEST के �लए टे �ट ट�म तैयार करना) -- Structure the test (How to perform the test – TEST कै से करना है) -- Conduct the test (TEST conduct करना है ) -- Analysis test results (Test के rseult का analysis करना है) -- Modify the plans as appropiate CODE TO REMEMBER: R.I.C.E.D. Self-Study Guide for ISCA CA Akhil Mittal Page | 18 B. BCM MAINTENANCE: The BCM maintenance process demonstrates the documented evidences of management and governance of enterprise’s business continuity program. It is important to keep documentation up-to date. This includes contract, agreements etc. If additional is being introduced, that must be maintained and periodically replaced. Following activities are undertaken in the maintenance phase: 1. Determine ownership and responsibilities for maintaining BCP strategies. 2. Determine the maintenance process to update plan. 3. Determine the maintenance regime to ensure plans remain up-dated. 4. Ensure that any structural, organisational, operational changes are communicated to those eho are accountable for updating the plans. C. REVIEWING BCM ARRANGEMENTS: Audit or self assessment of enterprise’s BCM program must verify: 1. Priorities of BCM strategy: 2. Communication of BCM procedures to relevant staff and those staff understand their roles and responsibilities. 3. BCM Training and awareness program is being followed by the company. 4. Identification of all key products and services and their supporting critical activities and resources. 5. BCM Maintenance and exercising programs have been effectively implemented. 6. BCM competency and capabilities are Effective. 12. BCM TRAINING PROCESS: While developing BCM, competencies required for personnel assigned specific management responsibilities within the system have been determined. Some of the competencies that company require: 1. Encourage to take calculated risks. 2. Culture of positivity is created and promoted. 3. Listen to other, their ideas, views and opinions. 4. Acknowledges contribution by the colleagues. 5. Integrity. 6. Resolve problems by involving team members. CODE TO REMEMBER: P.C.- T.I.M.E. CODE TO REMEMBER: E.C.L.A.I.R. Self-Study Guide for ISCA CA Akhil Mittal Page | 19 13. TYPES OF PLANS: 14. TYPES OF BACK-UPS: When backup are taken for system and data together, they are called total system back-up. Various types of backups are as follows: 1. FULL BACKUP: --Captures all files on the disk. --Every back up generated files contains all the data. --But it involves good amount of money & time in taking backup. 2. MIRROR BACKUP: --It is identical to full backup. --Here files are not compressed in zip files & not password protected. --Most frequently used for taking backup. 3. INCREMENTAL BACKUP: --Captures files that were created/changed since last backup. --This is the most economical method -- Incremental backup are difficult to restore. 4. DIFFERNTIAL BACKUP: -- Stores files that have changed since last full backup. -- So if a file is changed after full back up, differential backup is taken. TYPE OF PLANS Emergency Plan Backup plan Recovery plan 1.Specifies actions to be taken immediately as and when the disaster occurs. 2.Action that to be taken depends on the nature of disaster. 3.All protocols to be followed must be specified clearly. 1.Specify type of backup to be kept, location of the backup resources. 2.Responsibility of the personnel to gather the backup resources. 3.Prioritization for the recovery of the systems 4.Requires the continuous updation of plans. 1.Intended to restore many operations quickly so the system keeps on performing. 2.Recovery committee to be formed that will be responsible for specifies of the recovery. 3.Specify applications to be recovered first. 1.It is a basic component of the test plan. 2.It identifies the deficiencies in the emergency, backup, recovery plans. 3.Disaster recovery plan can be tested by desk checking. Recovery plan Self-Study Guide for ISCA CA Akhil Mittal Page | 20 15. ALTERNATE PROCESSING FACILITY ARRNAGEMENTS: COLD SITE HOT SITE WARM SITE RECIPROCAL AGREEMENT 1. COLD SITE: -- Here the facilities are being stored some other place. -- It has all the facilities needed to install a mainframe system & all other facilities. -- An organization can establish its own cold site facilities. 2. HOT SITE: -- Facilities are available at the site itself. -- All hardware & operations facilities are available at hot site. -- But it is very expensive to maintain. 3. WARM SITE: -- It is a mixture of both hot & cold site. -- For instance, a warm site contains all equipments & a small mainframe with sufficient power to handle critical application. 4. RECIPROCAL AGREEMENT: -- Two or more organization agrees to provide backup facilities to each other in an event of any disaster. -- This type of backup is relatively cheaper. In case third party site is used for the backup and recovery purpose, it must be assured that contract must be in written and contain the following: A. How soon the site will be available in case of disaster. B. Number of organisation that will be allowed to use the site concurrently in event of the disaster. C. The period for which site can be used. D. Conditions under which site can be used. E. Facilities and services that site provider must agree to give. 16. DISASTER RECOVERY PROCEDURE PLAN: ( Way to learn the points covered under this topic) MAINTENANCE PLAN EMERGENCY PROCEDURES PERSONNEL FACILITIES (OTHER) FACILITY ARRANGEMENT DISASTER RECOVERY PROCEDURE PLAN Self-Study Guide for ISCA CA Akhil Mittal Page | 21 MAINTENANCE PLANS INCLUDES: 1. Maintenance schedule, specifying how & when plan to be tested. 2. Conditions for activating plans, which describe the process to be followed before each plan is activated. EMERGENCY PROCEDURES INCLUDES: 1. Emergency procedures to be taken following an incident which may affect business operations & human life. 2. Resumption procedures that describe the action to be taken to get back to normal business operations. 3. Contingency plan document list & its testing recovery procedures. PERSONNEL: 1. Awareness & educational facilities to provide an understanding about the organization. 2. Responsibilities of individuals to execute the components of plan. 3. List of phone number of all employees. 4. Name of employees trained for the emergency situation.3 5. List of vendors doing business with the organization. FACILTIES: 1. Details of airlines, hotels & transport agreements. 2. Location of data & program files, data dictionary. 3. Insurance papers & claim forms. 4. Medical procedures to be followed in case of injury. 17. AUDIT OF BCP/DRP: In this phase, auditor is entrusted with the responsibility to evaluate the process of developing and maintaining documented, communicated and tested plans for the continuity of the business operations. Main objective of the audit of BCP is to assess the ability of the enterprise to continue critical operations during the period of the contingency. Here is the sample list of BCP audit steps: Details/Test: あ Is there a disaster recovery plan? -- If a plan exists, when was it last updated? -- Whether plans are based on the impact analysis of disaster. -- Plan is simple and easy to understand and is realistic in nature. あ Where is the copy of disaster recovery plan stored? あ Whether test plan exists and plans have been tested thoroughly or not before implementing. あ Whether plan is dated each time it is revised so that latest version is used. あ Whether plan has been updated within past 12 months. あ Whether information backup procedure is sufficient to allow recovery of critical data. あ Obtain and review the existing disaster/business resumption plans. あ Obtain and review business impact analysis. あ Is there a disaster recovery implementation team (i.e., the first response team members who will react to the emergency with immediate action steps)?8 Plans and their developers Details about plan in its physical sense Self-Study Guide for ISCA CA Akhil Mittal Page | 22 あ Interview the functional managers, area managers or key employees to ascertain whether they possess clear understanding of DRP/BCP plans. -- Have key employees seen the plan and all are aware with the plans. -- Whether employees have been told their roles and responsibilities if DRP/BCP plan is put into effect. -- Does DRP/BCP plans have provision for replacement of staff when necessary? あ Impact of disaster on buildings, utilities, transportation (Infrastructure): -- Does disaster recovery plan consider the need for alternative shelter? -- Verify backup facilities are adequate based on projected needs. Will site be secure? -- Are safety aspects of building regularly monitored or not?