SECTION VII AUDITOR’S PERSPECTIVE OF BUSINESS CONTINUITY
Chapter 34 How IS Auditors Can Enhance Business Continuity Planning
Douglas B. Hoyt
Although almost all systems management professionals agree that proper disaster or contingency planning is important, many think their own organizations’ plans fall short of what they should be. These planning deficiencies are generally due to a lack of senior management support, improper priorities, or simple procrastination. This chapter describes the steps for creating and maintaining a sound disaster plan. It also covers recent technological developments that can help in disaster planning and identifies support that can be obtained from five outside areas: software, consulting, backup facilities services, associations, and seminars. Case examples of effective methods are cited, and guidelines are included to help IS auditors evaluate existing plans.
Disruptions from earthquakes, tornadoes, volcanoes, and power and telephone outages have made managers aware of disasters that cannot be predicted but must be prepared for. Because computer operations are such an integral part of most organizations, the IS auditor’s vision and leadership are essential to successful disaster planning. The potential dangers to information systems are increased by the widespread use of microcomputers, which are typically operated without centralized safeguards, by the vulnerability inherent in data transmission over local and wide area networks, and by other communications devices and techniques.
In addition, several legal considerations make sound business continuity plans necessary. The Foreign Corrupt Practices Act of 1977 makes corporate officers subject to fines for not properly protecting their companies’ assets. Bank regulators expect and require suitable business continuity plans. Contractors with the federal government also must meet business continuity plan regulations.
DEFINING BUSINESS CONTINUITY PLANNING
In this chapter, business continuity planning includes preparations for handling events that could impair computer operations and telecommunications — as well as other vital activities of an organization — to minimize disruption and losses from the effects of disasters that are not preventable.
The chapter also covers measures that can be taken to prevent disasters from occurring. (The terms contingency planning and disaster recovery planning are used synonymously. Because of the importance of considering the business as a whole, this chapter uses the term business continuity planning.)
A 1987 University of Texas survey showed that only 63% of 160 respondents had disaster plans, and 39% of those who had disaster plans had never tested them, though 85% said they heavily depended on computer systems.1 There are many reasons for inadequate planning. Disaster planning is easy to delay because disasters rarely seem imminent. Preparation for possible future difficulties therefore receives lower priority than current real problems.
These reasons for insufficient disaster planning may seem valid, but the benefits of preparing and maintaining a workable business recovery plan far outweigh the excuses. According to the booklet Business Recovery and Planning System, an effective recovery plan:
• Minimizes potential economic loss.
• Reduces potential legal liability.
• Minimizes disruptions to operations.
• Ensures organizational stability.
• Provides the mechanism for an orderly recovery.
• Decreases potential exposures.
• Reduces the probability of occurrence or recurrence.
• Minimizes insurance premiums.
• Protects employees.
• Protects assets.
• Reduces reliance on key personnel.
• Minimizes decision making during a disaster.
• Reduces delays during the recovery process.2
ROLE OF THE IS AUDITOR AND OTHERS
The IS Auditor. The IS auditor should take the initiative in promoting, developing, and maintaining a sound and effective business continuity plan. Securing the necessary time and budget usually requires convincing senior management of the importance and value of business continuity planning.
Because information systems are the main element in business continuity planning, IS auditors are often asked to participate in business continuity planning for other vital functions. Information systems business continuity planning must at the very least be coordinated with planning for such other activities as earmarking alternative office facilities should the headquarters building be destroyed or ensuring that extra copies of legal documents be kept at a remote site in case the originals are burned or lost.
Systems Staff Members. Developing and implementing a business continuity plan requires the participation of many specialists within the systems organization. The systems staff members’ individual business continuity planning responsibilities should be spelled out in their job descriptions as well as in the business continuity manual written as a part of the business continuity plan development.
Senior Management. Ideally, senior management should take the initiative in pushing for and supporting business continuity planning. In many cases, however, such initiative does not exist, and IS auditors must educate their superiors about why the plan is necessary and how it should be accomplished. Either way, management must authorize the time and expense required to develop and maintain a sound and effective business continuity plan and participate in determining policy issues that arise during planning.
Security Administration. The role of security administration varies widely among organizations. In some organizations, a strong security administration function plays a significant role in the development and maintenance of the business continuity plan.
Users. Users served by information systems are responsible for the system input and receive and use the system output. Their viewpoint is a valuable element in evaluating both potential risks to the system and alternative protective measures. It is essential that they be a part of the team effort to design and maintain the business continuity plans.
CREATING THE DISASTER PLAN
The following sections describe the steps involved in creating a business continuity plan. Because these steps typically overlap to some degree, they are not strictly sequential.
Assessing Vulnerabilities
The first logical action in developing a business continuity plan is to systematically determine events that could cause operations to cease or be severely disrupted and to assess the potential consequence of these events. The most effective means of doing this is to have the planning team brainstorm to come up with as many problems as possible (e.g., earthquakes, fires, terrorism, loss of power, pipes breaking, downed phone lines, misbehavior by a disgruntled employee, or disruption to a key supplier). This should include even problems that may seem unlikely but are possible.
This step should also involve discussions with key executives in all areas of the organization to ensure that all important possibilities have been considered and to help pave the way for protective actions that will be recommended. The evaluation should be organized analytically by giving some measures of the likelihood of each event and of the value of the damage that could result. In organizations with multiple locations, the functions and geography of the various locations must be taken into account during this evaluation process.
Using Outside Support
Many programs can help guide this vulnerability assessment. Some are combined with programs for planning the protective actions and maintaining the business continuity plans.
A variety of vendors are eager to furnish services to assist in business continuity planning. These services include software, which helps guide the planning process and manual preparation; consulting services, which provide evaluation and planning assistance; and facilities backup, which provides the buildings or hardware needed for business continuity. Microcomputer packages that provide business continuity planning support range from $350 to $14,500 or more for a single copy, with special rates for corporate licenses.
IS auditors can find many sources for information in addition to vendors, books, and magazines. To stay up to date in the field, it would be most helpful for auditors to become active in one or more of the associations serving the field or to have their specialists who are responsible for developing and coordinating business continuity plans join and participate in these groups.
If a member of a systems staff needs greater knowledge or training in some specific business continuity planning area, the IS auditor should encourage attendance at a seminar or course at which the staff member may gain the required guidance and develop useful contacts with others who have common interests.
Gaining Senior Management Understanding and Support
The information and estimates gathered during the assessment of vulnerabilities can help convince senior management of the need for a sound, effective, and continuing business continuity plan. If senior management is not already convinced at this stage, the IS auditor can use documentation of the possible dangers the organization faces as one means to help gain the necessary support for taking a proactive approach to business continuity.
Planning Software and Information Backup
Most computer operations have routines for backing up transaction data, databases, and related software programs so that if a problem occurs in processing, the backup can be used to immediately restart operations.
However, a severe disaster (e.g., a fire that destroys a main computer center and its library) requires further measures if operations are to be reestablished within a reasonable time. Ideally, it is desirable to have two extra backups (each at a different location) so that survival during a crisis does not depend on only one backup. In addition, it is preferable that these safeguarded backups be transmitted off site immediately as records are created and modified, eliminating the risk and time otherwise required to reconstruct current records.
The IS auditor should identify all the software programs, databases, and transaction files that are important. After evaluating each item in relation to the cost of various backup approaches, the IS auditor should determine an appropriate backup location and method for each item. The location may be another site of the organization or may be provided by electronic, paper, and microfilm warehousing services. Most of these services provide pickup and delivery, have the appropriately controlled storage environments, and carefully document the movements to and from their storage facilities. IS auditors who are responsible for noncomputer business continuity planning should also ensure that other vital records are identified and safeguarded by extra copies at remote sites.
Planning Facilities Backup
Many considerations are involved in the selection of and arrangements for an alternative site for the information processing function if the original equipment cannot be used because of some disaster. The systems manager must weigh such recovery issues as the speed needed, the site’s location and cost, and the reliability of the service provider if it is a vendor.
Hot Sites. These are the facilities provided by a vendor equipped with the necessary hardware and related equipment and ready to be used on demand by a customer. Customers pay a monthly fee to be on the list and usually pay another fee to reserve the facilities whenever they declare a disaster and still another fee when the facilities are actually used. Periodic tests are scheduled, for an additional fee, to make sure the conversion will work and to correct any errors.
Cold Sites. Cold sites are similar to hot sites, but without the basic computer hardware. The customer must arrange for hardware to be made available from a hardware vendor or hardware lessor.
Warm Sites. Warm sites are located near the customer’s place of business and can be earmarked for use on a contingency basis. They have telecommunications and office facilities available but are not equipped for mainframe or minicomputer operations.
Portable Facilities. These are simply cold sites that can be moved in modules and assembled at the customer’s location.
Alternative Locations. Organizations that have two or more facilities with identical computer equipment can sometimes plan to use their own alternative locations if one becomes inoperable because of a disaster. This arrangement is workable only if there is excess capacity available or if low-priority work can be deferred during the emergency. Some organizations may deem their computer operations so essential that they set up a completely redundant operation as a contingency safeguard. Although this is expensive, it is usually the most secure option because most vendors’ services are available only on a first-come, first-served basis.
Mutual Agreement. Some organizations make reciprocal arrangements with other organizations that have similar hardware configurations. Mutual agreements generally do not work well, often because the important testing can be annoying and inconvenient to both parties and because during an actual disaster the servicing organization’s processing needs take priority.
Hardware Lessors. At least one mainframe equipment lessor guarantees delivery of equipment specified by a customer within five days of the report of a disaster. This option can be combined with contracts for cold sites or portable facilities.
Coordinating with Non-Information Systems Function Recovery
Each organization’s business continuity plan must encompass the possible dangers to the whole organization, not just to information systems.
The systems manager must either take the initiative in resolving the contingency needs of noncomputer activities, or coordinate with the person assigned to computer business continuity planning for those other functions. Protective plans must be included for such vital functions as research and development, patents and legal activities, personnel, and manufacturing processes.
Preventing Disasters and Minimizing Their Effects
The IS auditor must coordinate decisions on the measures to take to prevent disasters and to minimize the consequences of disasters that cannot be prevented. This requires discussing decisions with the appropriate users and systems specialists, documenting the decisions, and implementing the actions chosen. These actions vary widely. They can include such preventive measures as drawing up a contract with a hot site vendor, buying plastic sheets to cover hardware in case pipes break, installing fire detectors, securing an uninterrupted power source, and making copies of vital legal records and storing them off site.
Planning the Steps to Take When a Disaster Strikes
The step-planning process involves deciding on and documenting the sequence of actions (and who is responsible for each action) to recover from all the possible disruptions that have been identified in the risk assessment reviews. This process should also reflect the varying degrees of disruption. For example, it should differentiate flooding in a small area caused by a pipe bursting from flooding that disables the central mainframe, peripherals, and the library. The IS auditor should discuss all the disaster possibilities and recovery options with the concerned systems specialists and users, reach a consensus, and document that consensus.
Developing a Business Continuity Manual
The documentation of the entire business continuity planning process must be contained in a business continuity manual. It should contain complete information about the software and hardware to be safeguarded and who should do what under every type of emergency or disaster condition possible. The process of drafting this manual as well as having various people review the parts they are most concerned with can be helpful. Consulting those who will be responsible for carrying out the recovery process helps reinforce their initial understanding and acceptance of the principles documented in the manual. The manual should define responsibilities of and contain the work and home telephone numbers of all people involved in the recovery process. The recovery plan documentation manual should be in a looseleaf, revisable format, and several copies should be located away from areas vulnerable to a disaster. Many employees will want to keep updated copies of the manual on disk. Widespread and heterogeneous organizations add a dimension of complexity to the job of coordinating business continuity planning throughout the enterprise. Organizations with diverse divisions or computer centers in various locations may opt to have separate manuals for each unit, with at least a common policy.
Many firms sell microcomputer programs that are useful in planning business continuity programs as well as in documenting the facts; the manual produced is a by-product of the planning process. The flowchart in Exhibit 34-1 shows many of the topics that should be covered in the business continuity manual.
Providing Training
Training is an important step in the process of developing a recovery plan. Because the instructions for business continuity usually do not have to be followed on a regular basis, continual training is necessary to keep the requirements fresh in the minds of those who must carry out the required actions. The recovery manual contains all the policies, procedures, and instructions to be applied during a disaster and is therefore a helpful aid to training.
Testing the Plan
The business continuity plan cannot be considered complete until it is tested, and it must be tested regularly. The IS auditor should simulate each type of disaster and monitor the compliance of everyone following the established emergency response instructions. In the case of a hot site, the backup data and programs must be used and compared to those from regular operations. These tests invariably uncover oversights and bugs in the recovery system and reveal ways to make it work better.
Exhibit 34-1. Flowchart outlining the recovery process. (Flowchart boxes: Disaster; Reaction; Management Alert; Evacuation; Notify Business Recovery Administrator; Business Recovery Plan Verification and Assessment; Plan Activation; Recovery Action Planning; Notification Procedures; Establish Command and Control Center; Facilities; Equipment; Supplies; Hot Site or Service Center; Vendors; Regulatory Agencies; Management Team; Administrative Recovery Team; Departmental Recovery Team; Technical Recovery Team; Implement Recovery Operations; Assemble Teams; Perform Alternate Site Operations; Begin Salvage Operations.)
There are several ways of conducting tests, which can be performed piecemeal or in a group. For example, the various procedures can be simulated, and contingency actions can be discussed or checklists can be used to review whether the recovery procedures are sound or have bottlenecks. The usual way is to take all the steps that are prescribed for the disaster in question, then review the effectiveness of the actions taken. The extreme test, in which the regular operations are actually shut down unannounced and backup facilities and data are used, can be dangerous and is not recommended unless all other tests have not assured management of the plan’s reliability.
STEPS FOR MAINTAINING A DISASTER PLAN
Maintaining the business continuity plan is as important as developing it. A plan lying on the shelf with obsolete information and phone numbers can provide only a false sense of security, which could compound an actual disaster. The plan must be thoroughly and regularly updated and frequently tested. The following sections examine the steps required to maintain a business continuity plan.
Reevaluating Vulnerabilities and Needs
Many conditions that affect the vulnerability of an organization change. For instance, an acquisition or divestiture, new or modified computer systems, or new research that indicates, for example, that communications systems or building structures are more or less reliable than originally viewed, would all affect the organization’s view of its vulnerability. The organization’s original assessment of its vulnerabilities is the basis on which its first business continuity plan is founded. The plan must be changed, therefore, to conform to the revised evaluation of these dangers. This reevaluation should be conducted two or three times a year for the first few years, and annually after that.
Keeping Management Interested
In some organizations, senior management may ask the systems group to assure them that they have a sound and updated business continuity plan. It is most often up to the IS auditor to keep senior management aware of the necessity for protective measures and the need for continual action and expenditures to keep them current and effective. IS auditors can do this by making senior management aware of real-life disasters in other