Presenter Tracy Hall, MBCP IT Assurance Manager Wolf & Company, P.C Direct:
Developing An Effective Business Continuity/Disaster Recovery Testing Program
CBAG, May 2017

Presenter: Tracy Hall, MBCP, IT Assurance Manager, Wolf & Company, P.C. Direct: 413-726-6884 thall@wolfandco.com

Testing and Disaster Preparedness
How much have you tested?
https://youtu.be/9yslB3BkDm8

Exercise/Discussion
Write down the biggest challenge within your organization regarding Business Continuity Testing.

Testing Mistakes to Avoid
- Define the assumptions, scope and objectives of the test
- Develop a scenario for the test
- Develop and document the test process
- Alert other departments of the test
- Define team responsibilities in the test
- Ensure that all elements needed in the test (e.g., networks, databases, firewalls, load balancers, data, applications, hardware) have been prepared for the test
- Contact all relevant test participants
- Get approval for the test
- Complete an after-action report on the test results
- Update the DR plan based on test findings and lessons learned
- Brief management on test outcomes
- Schedule the next test

Why Testing?
- Regulatory Guidance ("Because we have to")
- Industry Best Practice
- Protecting Your Business/Assets
- Ensures that what you say can be done ACTUALLY can be done
- Practices response in a less stressful situation

Priority for Examiners
- Many companies have hundreds of pages of plan, but can they actually prove it can work?
- Examiners want test results

FFIEC Guidance: Action Summary
Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the:
- Incorporation of the BIA and risk assessment into the BCP and testing program;
- Development of an enterprise-wide testing program;
- Assignment of roles and responsibilities for implementation of the testing program;
- Completion of annual, or more frequent, tests of the BCP;
- Evaluation of the testing program and the test results by senior management and the board;
- Assessment of the testing program and test results by an independent party; and
- Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results.

FFIEC Guidance: Principles
- Roles and responsibilities for implementation and evaluation of the testing program should be specifically defined;
- The BIA and risk assessment should serve as the foundation of the testing program, as well as the BCP that it validates;
- The breadth and depth of testing activities should be commensurate with the importance of the business process to the institution, as well as to critical financial markets;
- Enterprise-wide testing should be conducted at least annually, or more frequently, depending on changes in the operating environment;
- Testing should be viewed as a continuously evolving cycle, and institutions should work towards a more comprehensive and integrated program that incorporates the testing of various interdependencies;
- Institutions should demonstrate, through testing, that their business continuity arrangements have the ability to sustain the business until permanent operations are reestablished;
- The testing program should be reviewed by an independent party; and
- Test results should be compared against the BCP to identify any gaps between the testing program and business continuity guidelines, with notable revisions incorporated into the testing program or the BCP, as deemed necessary.

How do we get started?

Testing Schedule
- More frequent, dynamic testing
- Should be multi-year (3 year)
- Should be built from the most current BIA (Business Impact Analysis)
- DO NOT SAY: "All we need is Core, Core is most critical"

Types of Testing
Many ways to achieve "testing":
- Evacuation Drills
- Communication Drills
- Structured Walkthrough
- Simulation
- Tabletop
- Technology Recovery Test

Types of Testing: Evacuation Drills
- Fire Drills
- Floor Wardens
- Posted signs
- Meeting Places
- Accounting for personnel

Types of Testing: Communication Drills
- Call Trees
  - Has contact information been kept up to date?
  - Where are the bottlenecks?
- Automatic Notification Systems
  - Has contact information been kept up to date? Feeds from HR?
  - Are notifications delivered properly?
  - What is the response time?

Types of Testing: Structured Walkthrough
- Smaller groups
- Review plan details
- Roles and Responsibilities
- More of an understanding of what to do

Types of Testing: Tabletop / Simulation Testing
- Who is involved? Experience, Authority
- Incorporates Scenarios
- Decision making in a structured environment
- Roles and Responsibilities: Technology, Business
- Tests entire timeline of an event

Types of Testing: Tabletop / Simulation Testing (cont.)
How to incorporate scenarios from the Risk Assessment:
- Loss of Building
- Loss of Technology
- Loss of People

Types of Testing: Technology Testing / Functional Test / Parallel Test
- Roles and Responsibilities
- Validates RTOs (Recovery Time Objectives) and MADs (Maximum Allowable Downtime) for technologies that support business functions
- Incorporate business lines for transaction processing

BIA vs. Risk Assessment: Business Impact Analysis (BIA)
The process of identifying and prioritizing critical business functions and the resources required to support them into predefined RTOs, and determining RPOs (Recovery Point Objectives) for systems. This exercise is considered POST outage.
- Business Functions
- Departments
- Technologies

BIA vs. Risk Assessment: BIA (cont.)
- Business Functions
  - Determine Criticality of Business Functions
  - Identify Dependent Technologies and Vendors
  - Alternate Procedures
- Departments
  - Assign Resources
- Resources
  - Recovery Timeframes
  - Special Recovery Instructions
  - Initial Steps Required for Recovery
- Technology
  - Assign RPOs
  - RTO and MAD for technologies
  - Technology questionnaire including dependencies

BIA vs. Risk Assessment: Risk Assessment
The process of identifying the probability of specific threats affecting the organization and the impact on the organization if they were to occur. This exercise is considered PRE outage.
- Threat Assessment
- Control Assessment

BIA vs. Risk Assessment: Risk Assessment (cont.)
- Threat Assessment
  - Determine Probability and Impact Ratings
  - Details of impact
- Control Assessment
  - Link controls to threats they mitigate

Why are they critical to testing?
- Business Impact Analysis:
  - Determines criticality of systems and other resources (BIA cannot stop at business function criticality!)
  - Business driven, NOT IT driven
- Risk Assessment:
  - Incorporates scenarios: Facilities, Personnel, System
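The risk assessment slides above describe rating threats by probability and impact, linking controls to the threats they mitigate, and feeding the resulting Facilities/Personnel/System scenarios into tabletop tests. The following Python is an added example, not part of the presentation, showing one way to carry that out as a small threat matrix. The threats, ratings and controls are constructed sample data; the 1-to-5 rating scales and the rule that each linked control lowers probability by its strength are assumptions made for this example.

```python
# Added example, not from the presentation: a small risk-assessment threat
# matrix. It rates each threat by probability x impact, links the controls
# that mitigate it, computes a residual rating, and picks one tabletop
# scenario per scenario family (Facilities, Personnel, System).
# Threats, ratings and controls are constructed sample data; the 1-5 scales
# and the "each control lowers probability by its strength" rule are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Threat:
    name: str
    category: str            # scenario family: Facilities, Personnel or System
    probability: int         # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int              # 1 (negligible) .. 5 (severe), assumed scale
    controls: List[str] = field(default_factory=list)   # controls linked to this threat

# Constructed control assessment: control name -> strength (points of probability it removes).
CONTROLS: Dict[str, int] = {
    "sprinklers": 1, "alternate site": 1, "remote work": 1,
    "cross-training": 1, "replication": 1, "offline backups": 1,
}

# Constructed threat assessment.
THREATS: List[Threat] = [
    Threat("Building fire", "Facilities", 2, 5, ["sprinklers", "alternate site"]),
    Threat("Regional flood", "Facilities", 3, 4, ["alternate site"]),
    Threat("Power outage", "Facilities", 4, 3),                      # no control linked yet
    Threat("Pandemic absenteeism", "Personnel", 3, 4, ["remote work", "cross-training"]),
    Threat("Key-person loss", "Personnel", 4, 3, ["cross-training"]),
    Threat("Core system outage", "System", 4, 5, ["replication", "offline backups"]),
    Threat("Ransomware", "System", 4, 5, ["offline backups"]),
]

def inherent_risk(t: Threat) -> int:
    """Rating before controls: probability x impact."""
    return t.probability * t.impact

def residual_risk(t: Threat, controls: Dict[str, int] = CONTROLS) -> int:
    """Rating after linked controls; probability cannot drop below 1."""
    reduction = sum(controls.get(c, 0) for c in t.controls)
    return max(1, t.probability - reduction) * t.impact

def unmitigated(threats: List[Threat]) -> List[str]:
    """Threats with no control linked: a gap in the control assessment."""
    return [t.name for t in threats if not t.controls]

def rank_threats(threats: List[Threat]) -> List[Tuple[str, int, int]]:
    """(name, inherent, residual) sorted by residual risk, highest first."""
    rows = [(t.name, inherent_risk(t), residual_risk(t)) for t in threats]
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))

def tabletop_scenarios(threats: List[Threat]) -> Dict[str, str]:
    """Highest residual-risk threat in each scenario family, for tabletop scripts."""
    best: Dict[str, Threat] = {}
    for t in threats:
        if t.category not in best or residual_risk(t) > residual_risk(best[t.category]):
            best[t.category] = t
    return {cat: t.name for cat, t in sorted(best.items())}

if __name__ == "__main__":
    for name, inh, res in rank_threats(THREATS):
        print(f"{name:22} inherent={inh:2} residual={res:2}")
    print("unmitigated:", unmitigated(THREATS))
    print("tabletop scenarios:", tabletop_scenarios(THREATS))
```

Threats with no linked control keep their inherent rating, which is why the unmitigated "Power outage" outranks the mitigated facilities threats and becomes the Facilities tabletop scenario; that is the kind of gap the control assessment is meant to surface before the test, not during it.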

Testing Plan
- Should be multi-year but no more than 3
- Rotate technologies of varying criticality
- Must include supporting infrastructure
- Build into RTOs
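The testing-plan slide above asks for a multi-year schedule that rotates technologies of varying criticality and always includes supporting infrastructure. The Python below is an added example, not the presenter's own material, that builds such a three-year schedule from a BIA extract. The technologies, criticality tiers, RTOs and dependencies are constructed sample data, and the rotation rule (tier 1 every year, tier 2 every other year, tier 3 once per cycle) is an assumption chosen for the example; the dependency pull-in and the recovery ordering are the parts worth copying.

```python
# Added example, not from the presentation: build a three-year technology
# test schedule from a BIA extract. Technologies rotate by criticality
# (tier 1 every year, tier 2 every other year, tier 3 once per cycle: an
# assumed rotation rule), every supporting-infrastructure dependency of a
# scheduled technology is pulled into the same year, and each year's tests
# are ordered so dependencies recover first, shortest RTO first.
# Technologies, tiers, RTOs and dependencies are constructed sample data.
from typing import Dict, List, Set, Tuple

CYCLE_YEARS = 3
TEST_EVERY = {1: 1, 2: 2, 3: 3}   # assumed: years between tests for each criticality tier

# Constructed BIA extract: technology -> (criticality tier, RTO in hours, supporting infrastructure)
BIA: Dict[str, Tuple[int, int, List[str]]] = {
    "network":          (1, 2,  []),
    "san":              (1, 4,  []),
    "active directory": (1, 4,  ["network"]),
    "core banking":     (1, 4,  ["san", "network", "active directory"]),
    "online banking":   (1, 8,  ["network", "active directory", "core banking"]),
    "email":            (2, 24, ["network", "active directory"]),
    "loan origination": (2, 24, ["san", "network"]),
    "hr system":        (3, 72, ["network"]),
    "imaging":          (3, 72, ["san", "network"]),
}

def dependencies(tech: str, bia=BIA) -> Set[str]:
    """Transitive closure of the supporting infrastructure for one technology."""
    seen: Set[str] = set()
    todo = list(bia[tech][2])
    while todo:
        d = todo.pop()
        if d not in seen:
            seen.add(d)
            todo.extend(bia[d][2])
    return seen

def build_schedule(bia=BIA, start_year: int = 2017) -> Dict[int, List[str]]:
    """Year -> technologies to test. Lower tiers are staggered so the load is spread."""
    schedule: Dict[int, Set[str]] = {start_year + y: set() for y in range(CYCLE_YEARS)}
    for tier in sorted(TEST_EVERY):
        techs = sorted(name for name, (t, _, _) in bia.items() if t == tier)
        for i, tech in enumerate(techs):               # stagger items within a tier
            for y in range(CYCLE_YEARS):
                if (y - i) % TEST_EVERY[tier] == 0:
                    schedule[start_year + y].add(tech)
    for techs in schedule.values():                    # must include supporting infrastructure
        for tech in list(techs):
            techs |= dependencies(tech, bia)
    return {year: sorted(techs) for year, techs in schedule.items()}

def never_tested(schedule: Dict[int, List[str]], bia=BIA) -> List[str]:
    """Technologies in the BIA that the cycle never covers (should be empty)."""
    covered = {t for techs in schedule.values() for t in techs}
    return sorted(set(bia) - covered)

def recovery_order(techs: List[str], bia=BIA) -> List[str]:
    """Test-script order for one year's set: dependencies first, then shortest RTO."""
    remaining = set(techs)
    order: List[str] = []
    while remaining:
        ready = [t for t in remaining if all(d not in remaining for d in bia[t][2])]
        nxt = min(ready, key=lambda t: (bia[t][1], t))
        order.append(nxt)
        remaining.remove(nxt)
    return order

if __name__ == "__main__":
    sched = build_schedule()
    for year, techs in sched.items():
        print(year, recovery_order(techs))
    print("never tested:", never_tested(sched))
```

Because every scheduled application drags its infrastructure into the same year, the tier-1 network, SAN and directory services are tested annually even if someone later demotes them in the BIA, and `recovery_order` gives the test script a sequence in which no system is restored before what it depends on.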

Testing Plan
Should incorporate:
- Roles and responsibilities
- A testing policy that includes testing strategies and test planning
- The execution, evaluation, independent assessment, and reporting of test results
- Updates to the BCP and testing program

Testing Plan: Roles and responsibilities
- The board and senior management are responsible for establishing and reviewing an enterprise-wide testing program
- Business line management, who has ownership and accountability for the testing of business operations
- IT management, who has ownership and accountability for testing recovery of the institution's information technology systems, infrastructure, and telecommunications
- Crisis management, who has ownership and accountability for testing the institution's event management processes
- Facilities management, who has ownership and accountability for testing the operational readiness of the institution's physical plant and equipment, environmental controls, and physical security
- The internal auditor (or other qualified independent party), who has the responsibility for evaluating the overall quality of the testing program and the test results

Testing Plan: Testing Policy
- Defines test plans/strategies of varying scopes and intensities, as well as scopes and assumptions
- Changes with the business
- Incorporates the BIA and Risk Assessment results
- Key roles and responsibilities
- Include TSPs (technology service providers)
- Incorporate appropriate personnel from business lines

Testing Plan: The execution, evaluation, independent assessment, and reporting of test results
Once the tests are executed, test results should be properly documented and include the following, at a minimum:
- Test dates and locations
- An executive summary detailing a comparison between the test objectives and test results
- Material deviations from the test plans, including whether intended participation levels were achieved
- Problems identified during testing
- An evaluation by a qualified independent party

Testing Plan: Updates to BCP and Re-testing
- Update BCP accordingly
- Close gaps
- Re-test before the next scheduled test once gaps are addressed

Building the Test Plan from an Effective BIA
Key BIA Reports:
- Business Impact Analysis Report
- Department Worksheet
- Technology Application Summary Sheet
- IT BIA Worksheet

Incorporating the Risk Assessment
Key Risk Assessment Reports:
- Threat Matrix Report
- Detailed Risk Assessment Report

Common DR Test Gaps
- Replication Inconsistencies
- "Rolling outage" difficult to emulate
- Missing network resources
- Production servers are not taken offline; DR site uses production environment
- Tampering Risk
- Data Corruption
- Point in time copies never tested
- Insufficient DR Site Resources

"FULL" Test or no?
- How can we achieve this without actually performing it?
- Documenting actual recovery time spent on each system per resource

Test Scripts
- Scripts should be built as close as possible to the assumed real scenario
- Should incorporate all phases of the test: Technology, Business Lines
- Be as specific as possible about roles & responsibilities

Test Results/Logs
- There is no pass/fail!
- Incident Log should include:
  - Test script timeline with time stamps
  - Other important milestones
  - Follow-up/Action Items
- Important for:
  - Post mortem exercise/debrief
  - Insurance
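The slides on the "full" test and on test logs above come down to one practice: record a time-stamped timeline for every system and compare the actual recovery time with the RTO and MAD from the BIA, then carry the gaps into action items. The Python below is an added example, not part of the presentation, that does exactly that over an incident log. The log lines, the system names and the BIA figures are constructed sample data, and the log line format (timestamp, event name, then key="value" pairs) is an assumption made for the example.

```python
# Added example, not from the presentation: parse a DR test incident log,
# compute the actual recovery time spent on each system, compare it with the
# RTO and MAD recorded in the BIA, and collect follow-up action items for the
# post-mortem. Log lines and BIA figures are constructed sample data; the line
# format (timestamp, event name, key="value" pairs) is an assumption.
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed incident log from a fictional test.
LOG = """\
2017-05-06 08:00 START test="DR-2017-Q2" scenario="loss of technology"
2017-05-06 08:05 RECOVERY_BEGIN system="network"
2017-05-06 08:40 RECOVERY_END system="network"
2017-05-06 08:45 RECOVERY_BEGIN system="core banking"
2017-05-06 13:10 MILESTONE note="replication lag on core banking, 30 min of transactions missing"
2017-05-06 13:30 RECOVERY_END system="core banking"
2017-05-06 13:35 RECOVERY_BEGIN system="online banking"
2017-05-06 16:20 ACTION owner="it" note="DR site firewall rule missing for online banking"
2017-05-06 22:10 RECOVERY_END system="online banking"
2017-05-06 22:30 RECOVERY_BEGIN system="email"
2017-05-06 23:59 END test="DR-2017-Q2"
"""

# Constructed BIA figures: system -> (RTO minutes, MAD minutes).
BIA: Dict[str, Tuple[int, int]] = {
    "network": (60, 120),
    "core banking": (240, 480),
    "online banking": (480, 720),
    "email": (1440, 2880),
}

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\w+)(.*)$")
KV = re.compile(r'(\w+)="([^"]*)"')

def parse_log(text: str) -> List[Tuple[datetime, str, Dict[str, str]]]:
    """Turn log lines into (timestamp, event, fields); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        events.append((ts, m.group(2), dict(KV.findall(m.group(3)))))
    return events

def recovery_times(events) -> Dict[str, Optional[int]]:
    """Minutes from RECOVERY_BEGIN to RECOVERY_END per system; None if never finished."""
    begin: Dict[str, datetime] = {}
    times: Dict[str, Optional[int]] = {}
    for ts, event, f in events:
        if event == "RECOVERY_BEGIN":
            begin[f["system"]] = ts
            times[f["system"]] = None
        elif event == "RECOVERY_END" and f["system"] in begin:
            times[f["system"]] = int((ts - begin[f["system"]]).total_seconds() // 60)
    return times

def evaluate(times: Dict[str, Optional[int]], bia=BIA) -> Dict[str, str]:
    """Compare actual recovery time with the RTO and MAD from the BIA."""
    result: Dict[str, str] = {}
    for system, minutes in times.items():
        if system not in bia:
            result[system] = "no BIA entry"          # the BIA stopped short of this system
        elif minutes is None:
            result[system] = "not completed"
        elif minutes > bia[system][1]:
            result[system] = "exceeds MAD"
        elif minutes > bia[system][0]:
            result[system] = "exceeds RTO"
        else:
            result[system] = "within RTO"
    return result

def action_items(events, evaluation: Dict[str, str]) -> List[str]:
    """Logged ACTION entries plus one item per system that did not meet its RTO."""
    items = [f"{f.get('owner', '?')}: {f['note']}" for _, e, f in events if e == "ACTION"]
    items += [f"{s}: {status}, update plan and re-test"
              for s, status in evaluation.items() if status != "within RTO"]
    return items

if __name__ == "__main__":
    ev = parse_log(LOG)
    t = recovery_times(ev)
    for s, status in evaluate(t).items():
        print(f"{s:15} {str(t[s]):>5} min  {status}")
    for item in action_items(ev, evaluate(t)):
        print("-", item)
```

Note that there is no pass/fail here, matching the slide: each system gets a status relative to its RTO and MAD, a system that was still recovering when the test ended is reported as "not completed" rather than dropped, and the action items are what the post-mortem, the BCP update and the re-test are built from.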

Updating the Testing Schedule
- As a result of changes to the BIA & Risk Assessment
- As technologies change
- As business functions change, get added, or removed
- As RTOs/RPOs change
- As new risks are defined
- As new controls are put in place

Thank You / Questions
Tracy Hall, MBCP, IT Assurance Manager, Wolf & Company, P.C. Direct: 413-726-6884 thall@wolfandco.com