SECTION VII AUDITOR’S PERSPECTIVE OF BUSINESS CONTINUITY
Chapter 33 Using Audit Resources in IT Business Continuity Planning
JoAnn Bozarth and Belden Menkus
EVALUATING IS BUSINESS CONTINUITY PLANS AND PARTICIPATING IN THE DEVELOPMENT OF THEM CONSUME VALUABLE AUDIT RESOURCES. While the implementation of audit management techniques and the use of relevant high-quality audit work programs are the principal means of stretching these resources, attention to the details described in this chapter can boost the effectiveness of those measures. This chapter discusses the importance of focusing on the goal of IS business continuity, several aspects of the plan that often are overemphasized or misunderstood, and the four main aspects of the IS business continuity plan on which to concentrate.
THE GOAL
The concept of anticipating possible disasters and planning ways of recovering from them is not new. And although the strategies and procedures for meeting new and changing challenges have evolved over time, the essential goal of disaster planning and recovery has remained the same.
That goal is to protect and restore the organization’s critical activities as soon as possible with little loss of revenue or operational control in order to enable the organization to meet its business objectives with minimum disruption. With that goal in mind, the decisive consideration in developing and evaluating an IS business continuity plan is that employees know their role in that process and recognize the realities of doing their part.
0-8493-0907-7/00/$0.00+$.50
AU0907/frame/ch33 Page 349 Monday, July 31, 2000 5:18 PM
AUDITOR’S PERSPECTIVE OF BUSINESS CONTINUITY PLANNING
OVEREMPHASIZED AND MISUNDERSTOOD CONSIDERATIONS
Plan developers and evaluators will want to avoid spending resources on activities that do not aid in reaching the goal of disaster planning just described. Attention to several issues can help in staying focused on achieving the main purpose.
Misdirected Emphases
IS business continuity plans commonly include three issues that IS auditors dwell on unnecessarily in their evaluation of a plan. These issues relate to persuading management of the benefits of contingency planning, risk assessment, and the material characteristics of the written plan itself.
Persuasion. IS contingency planning advisers correctly recommend that top management and even IS management must be sold on the need for an IS business continuity plan and on the value that will accrue from having such a plan because unless they are so sold, the plan is likely to come to naught. However, planners and evaluators should be concerned less with the selling effort itself than with the resulting demonstrated commitment by management.
Risk Assessment. Assessing the potential risk to the organization from loss due to disaster is a necessary prelude to developing appropriate responses to the identified likely threats to the survival of IS operations and the probabilities that they will occur. A report of this activity and the results of this activity is an appropriate part of the written plan. As such, it must be reviewed in connection with the IS audit of the plan. However, IS auditors need not get bogged down in the details of this risk assessment report. Instead, they need to concentrate on the report’s currency and the relevance of the risks it considers.
Risk assessment, regardless of the methodology used, is still largely a matter of (1) best-guess estimates by busy managers in the user departments and (2) IS-related damage or loss experience that may not be applicable to the organization or to its industry group. The application of a mathematical formula to these weights or rankings in the assessment process does not make them more valid, no matter how hard and firm the resulting numbers appear to be. Because both the basis for the estimates upon which the ratings have been made and the company’s experience with actual losses may change over time, the risk assessment cannot be considered to be done once and never to be reconsidered or repeated. Provision should be made for the risk assessment to be redone periodically. In particular, the risks that are considered should distinguish between those that the company can control and those that it cannot. Such things as the disruption of electric power utility and telecommunication carrier services fall into this latter risk category.
Material Characteristics. In developing or evaluating the IS business continuity plan, the auditor will want to guard against being misled by the written plan’s heft, formality, number of appendices and attachments, and attractive graphics and binding. These qualities are not necessarily proof of the plan’s efficacy in preparing key individuals in the IS group to respond positively, realistically, and expeditiously whenever disaster hits. For example, a document’s length may mean unnecessary wordiness that obfuscates. Or its heft may impede its handiness. Recognize that the artful use of graphics can help clarify procedures or directions, but that mere decoration or cuteness may obscure the document’s lack of substance or may distract users at their moment of critical need for information.
Artificial Distinctions
Conventional wisdom regarding IS business continuity makes artificial distinctions between backup, recovery, and emergency operations. Such distinctions unnecessarily complicate both the planning and the recovery processes. To be successful, the business continuity process must be integrated completely.
Confusions
Planners and plan evaluators often tend to confuse the impact of real disasters with any interruption of processing activities. In the context of IS disaster planning, disaster is defined properly as “any condition or event that reduces materially or terminates the organization’s ability to process data on a timely and accurate basis.” Using that definition, a power or communications outage lasting less than a single shift is not a disaster; a circumstance that without forewarning forces abandonment of a mainframe processing site or makes it impossible for employees to use some components of a client/server arrangement for an extended period of time is a disaster.
Underestimations
IS business continuity plans typically underestimate the number, extent, and possible severity of the threats that must be protected against. For example, plans for IS operational sites away from the West Coast may not consider an earthquake as a possible threat; yet there are active seismic faults in such areas as the Mississippi River Delta and metropolitan New York City. An earthquake measuring 5.0 on the Richter Scale was centered within 30 miles of Cleveland, Ohio. While earthquakes in that range are not considered by seismologists to be major earthquakes, they do have the potential for creating significant damage to water, gas, and electrical distribution facilities, as well as to telecommunications lines.
In all parts of the country, some IS disaster planners and plan evaluators underestimate the effect of the loss of telecommunications facilities. They assume that any post-disaster loss of telecommunications facilities will be relatively minor, the impact on message traffic will be comparatively limited, and repairs and service restoration will be completed expeditiously.
That is no longer a reasonable assumption. For example, a fire in San Juan, Puerto Rico, destroyed a building that housed electronic switching equipment. In effect, the fire terminated all voice and data telephone traffic between the United States mainland and Puerto Rico. It also interrupted this traffic between the U.S. mainland and Spain and those European countries where messages are routed normally through Spain. Among the IS activities impacted by this service loss were those in the securities, tourism, and banking industries. Multimillion dollar losses were apparently incurred. Reportedly, service was not fully restored after more than a week.
FOUR MAIN ASPECTS OF AN IS BUSINESS CONTINUITY PLAN
The continued ability of an organization’s information systems to prevent or recover from a disaster is the sole reason for auditors to devote resources to assisting in the development of an IS business continuity plan or to evaluating one. An IS business continuity plan as a whole should deal with these four main aspects:
1. commitment to the IS business continuity preparedness effort on the part of both corporate management and MIS management
2. impact on corporate IS asset protection and post-disaster limitation of business disruption
3. functional and practical scope of the business continuity preparedness effort
4. operational effectiveness of the business continuity provisions
The following series of questions and discussions related to each of these aspects can be the vehicle for developing the plan or can be studied as background in preparing to conduct the plan evaluation. The ideal answer to each underlined question is “Yes” and the support for that answer should be specific and complete.
Management Commitment
Have sufficient funds to create and sustain this effort been included in the regular IS operating budget? Management should demonstrate its willingness to invest on a frequent and regular basis in such things as maintaining spare or backup facilities, staff training in business continuity preparedness responsibilities, and preparedness readiness tests. (The issuance of policy statements and comparable gestures are not an adequate measure of commitment on the part of corporate management or MIS management.)
Has responsibility for sustaining this effort been assigned to a key, or lead, person on the IS staff? Staff people will judge the degree of management commitment to this preparedness effort by the relative organizational status of the person selected to be responsible for making it succeed. This individual should not be a clerk, administrative assistant, or other junior staff member.
Was this a career advancement or promotion for the assignee? If not, management’s commitment may be in doubt. When a “lateral arabesque” or a “testing of juniors” is evident in this assignment, staff people may discount the importance of the effort.
Is the assignee permitted to devote sufficient time to this task? The assignment should be real, and not just for the record. The task requires that the person actually monitor and manage the IS business continuity preparedness effort.
Is the assignee authorized to act as sole judge of when to invoke the IS business continuity plan? If the assignee is not senior enough to make that judgment or if such a decision requires committee action, that may indicate that management commitment to the effort is wanting.
Is the assignee authorized to manage the IS business continuity process through to the point at which normal operations can be reestablished?
Do responsible corporate, line, and IS management participate in and monitor the results of IS business continuity preparedness readiness tests? Among other things, provisions should be made for the representatives of the appropriate fire protection and emergency medical service groups to participate in these tests and to ensure that the software and data files used in client/server and other distributed computing arrangements are identified correctly and are included in the readiness tests. Additionally, consideration should be given to how possible access road closures and the disruption of mass transit arrangements will be handled.
Do corporate and IS management insist that identified plan and readiness test defects be remedied promptly? The expense of correcting these defects should be budgeted as a priority expenditure.
Impact of the Plan on Corporate IS Assets and on Business Disruption Limitation
Have those IS applications that are critical to sustaining operational continuity been identified? These particular applications may not always be obvious. For example, resumption of general ledger maintenance can often be delayed for days during the post-disaster period. Again, it may be feasible to have one of the organization’s banks prepare the corporate payroll throughout the business continuity period on some sort of service bureau basis — using payroll lists that are deposited periodically with that service. Only those activities that are immediately related to such things as the restoration of customer service, cash flow, and compliance with essential governmental regulations should be identified as and designated as critical.
Does management support and enforce the designation of certain applications as noncritical during the business continuity process? Bear in mind that it is natural for managers to feel that whatever activity they are responsible for is critical — whether it is or not. Nevertheless, if an application does not contribute directly to the prompt resumption of vital business operations, it must be designated as noncritical.
Are the designations of critical and noncritical processing applications independently re-audited at least annually? The possible permanent discontinuation of the noncritical processing applications should be recommended to these managers.
Have users of these critical applications been made aware of whatever processing/response limitations may be imposed during the disaster recovery period? This notification should be supported by an appropriate ongoing educational effort — involving, say, periodic notices to the affected employees or the discussion of this situation in scheduled staff training sessions. (In evaluating the plan, verify this awareness — and that which should be reflected in the next two questions — by interviewing employees selected at random. Ask them to recount in their own words what they are to do when a disaster occurs and how they are to do it.)
Have the users of the noncritical applications been made aware that normal processing of these applications will be discontinued during the business continuity period?
Have these users been made aware of whatever alternate data handling methods will be followed during the recovery period? Here, too, this notification should be supported by an appropriate ongoing educational effort. Arrangements should be reviewed periodically for timely replacement of inoperable software and equipment.
Has management invested sufficient resources to ensure that suitable reserve and backup IS capabilities remain on what is essentially an immediate availability standby basis? The purpose of such a provision is to restore as promptly as possible processing of the critical systems mentioned earlier. If management has permitted this processing capacity to be utilized otherwise, commitment of it to the actual business continuity process will be delayed. If this processing capacity is being used, say, for testing by systems developers or for some sort of routine background processing, provision for expeditious processing recovery may be questionable.
Where online or so-called wide area network processing must be restored to support one or more critical applications, are arrangements in place for expeditious rerouting of carrier trunk service to the alternate operating site?
Have suitable arrangements been made for providing the staff to be involved in the recovery process with food, water, sanitary facilities, and sleeping space? Among the things to be checked are provisions for electrical, heating, ventilation, air conditioning, and communications facilities at this site. (Not initiating these arrangements before a disaster is an indication of lack of management commitment.)
Functional and Practical Scope of Plan
Is the IS business continuity plan based on some sort of modified worst-case scenario to avoid the understandable optimism that may afflict IS management when it is called upon to consider this sort of unpleasant possibility?
Are provisions for post-disaster IS functions and later restoration of the full scope of IS operations realistic? Have possible short-term and long-term delays in resuming operations been provided for?
Have provisions been made for the expeditious notification of key corporate customers of the nature and extent of IS service interruption, the time and date of its likely restoration on an emergency basis, and the impact upon their dealings with the organization in the interim? This notification is not the same as that mentioned earlier as being given to corporate IS service users. It is an especially critical consideration where direct order/payment interchange exists between a corporation and its key suppliers and customers.
Have arrangements been made for those members of the IS staff — and those of the larger organization served — whose use of IS facilities during the recovery period has been determined to be noncritical? Where will they be housed? What pre-use preparation — such as provision of electrical, heating, air conditioning, telecommunications facilities, and office equipment — will be required at that site? What commercial IS service and communications facilities will be made available to them? In the case of IS systems development and maintenance people, will they be furloughed during the recovery period? Will other employees, not a part of the IS staff but whose activities depend on corporate information systems, have to be furloughed during this period?
Have provisions been made for data center and communications switch site cleanup from the effects of a fire or flood? Normally, it will be necessary to contract specifically with people experienced in doing such cleanup. Building maintenance people typically lack both skill and experience in handling such tasks.
Have provisions been made for the orderly restoration of normal IS operations at the close of the business continuity process? This involves resuming support of those activities and applications not sustained during the recovery period because they had been determined to be noncritical.
Have provisions been made to ensure that data integrity is not compromised during the entire recovery process? During this process, will unauthorized attempts to modify database content be detected promptly? Will attempts to subvert transaction routines be detected promptly?
Operational Effectiveness of Recovery Provisions
Are IS business continuity provisions for initiating restoration of operations realistic? For example, do they provide for a possible delay of up to 72 hours before efforts to restore operation on-site can begin? That is how much time may elapse after a fire officially is deemed to be out before the fire marshal or arson investigator involved will release the site for cleanup by the occupant. Again, can remotely stored tapes and DASDs be moved to an alternate operations site with sufficient haste to permit planned operations resumption as expeditiously as called for by the plan?
Are periodic IS business continuity plan tests scheduled during normal work hours when IS operations are at normal performance levels? While tests scheduled on third shifts or during weekends may be less disruptive of normal work practices, typically they are so unrealistic as to be essentially meaningless.
Are time-critical aspects of the IS business continuity plan included in these tests? As an illustration of this, is it verified that backup tapes and DASDs can be recovered and routers and similar devices regenerated as promptly as called for by the plan? Again, have hardware and software vendors demonstrated that they are able to replace destroyed devices and lost object code as promptly as called for by the plan? Written promises from a vendor representative do not meet this test requirement; actual demonstration of performance, insofar as is feasible, is what is necessary.
Have reliable provisions been made for the prompt notification of cessation of normal processing activities for those users geographically distant from the main IS operations site? These people should not be left until their screens go blank to learn that there is a problem. And, the notification process should include those customers and suppliers with whom virtual private network and similar open operations arrangements exist.
Is the IS business continuity plan reviewed independently — ideally by one or more executives who are not answerable to IS management — at