How To Ensure Compliance
Despite the plethora of different statutes, directives, and standards dictating that business continuity planning/disaster recovery planning is required of organizations, adherence to compliance requirements with respect to business continuity and disaster recovery can be assured by following a few uniform rules.
Various compliance frameworks can be used to assess BCP measures—ISO, COBIT, COSO, etc.—but key aspects are similar:
- COSO requires data center operation controls and transaction management controls in order to ensure data integrity and availability.
- ISO 1799 has a section entitled Business Continuity Management that requires testing, maintaining, and reassessing a business continuity plan.
- ISACA's COBIT requires uninterruptible power supplies under its Manage Facilities section.
- NIST requires contingency and continuity plans and management.
As a general rule, in order to test BCP/DR compliance within an organization, a team of qualified, knowledgeable internal auditors should be created, reporting to a different member of the board than the BCP team reports to. This team of internal auditors should test to ensure that the BCP plan and process meet the compliance requirements discussed in the following sections.
Business continuity should be an ongoing process, concerned with the development of strategies, policies, and plans that will provide protection of existing modes of operating within the organization, or will provide alternative means of carrying out that organization's business in the event of disruption that might otherwise result in loss to the organization.
This aspect can be tested by the internal auditors by asking the BCP team for the following:
- Proof of regular meetings: minutes, agendas, notes, presentation slides, etc.
- Regular scenario test runs: test plans, test results, and so on
- Evidence of recent change management (such as logs showing ongoing changes) and reviews to the BCP plan (for example, version history of the BCP plan and associated documents)
The business continuity process (which should probably be repeated annually at least) should commence with a business impact assessment (BIA) or risk assessment, in order to identify recovery objectives for all the key systems, both manual and IT-based, as well as to identify continuity-related risks to which the organization might be vulnerable.
Although some legislation, directives, and standards may apply more fully to some aspects of the organization than others—for instance, Sarbanes-Oxley seemingly applies more to financial aspects than to other areas of the organization—it's recommended that the BIA be carried out across the whole enterprise, including taking into account reliance upon external systems such as vendor-maintained systems, business partner–shared systems, and so on. This part of the risk assessment is intended to determine which areas of the business provide the most serious risk.
For example, the following kinds of risks should be considered as part of the BIA:
- Are key systems backed up regularly enough (and are they able to be restored quickly enough) to ensure that availability of data meets specific business, legislation, and standards requirements? For example, VISA makes very specific requirements of VISA merchants about the availability of credit card data after an incident; HIPAA requires 100% availability of some critical "life safety data."
- Are key systems' availability ensured using uninterruptible power supplies (UPS), failover/hot-standby facilities, or other contingency measures?
- Is the organization able to operate effectively without key personnel? Is it clear who is the "second in command" in each department? Are there at least two members of staff who know how to carry out each key job?
- Is the organization able to operate effectively without key systems (not just IT systems—telecommunications systems, manual systems, etc.)? Are contingency manual processes in place in case key systems fail?
- Is the organization able to operate effectively without key locations? Are contingency locations available in which business can temporarily be carried out if a site/location is unavailable?
- Are all important prevention mechanisms in place to avoid or reduce the effects of system failures or damage caused by floods, fires, terrorist attacks, and so forth? Particularly, this area should take into account firewalls, intrusion prevention/detection mechanisms, auditing/logging, sprinkler systems, closed-circuit TV cameras, security staff, physical security mechanisms (passcodes, keycards, receptionists, keys and locks, security fences, building design, and so on).
The risk assessment area of business continuity planning can be tested by internal auditors by obtaining a copy of the risk assessment/business impact assessment documentation, and ensuring that it covers all the required systems, locations, and personnel.
Regular Reviews and Gap Analysis
All disaster recovery plans and business continuity plans should be reviewed in light of the BIA, kept up to date, and regularly tested/reviewed thoroughly.
This review process and gap analysis, the responsibility of the BCP team, should include the following:
- Security assessment carried out by an independent assessor (CISSP certified auditor or independent security consultancy)
- BCP scenario testing, such as a simulation of a terrorist bomb attack on the organization's headquarters, or simulation of a virus attack bringing down the network
- Regular reviews of the plan and process by the BCP team to identify any changes that should be made in light of changes to legislation; changes to the way in which business is carried out (for example, a merger that adds a new business location to the plan or discontinues a business relationship with a partner, removing a location from the plan); or just in the light of new experiences or information (for example, many organizations have reviewed their BCP and DR plans in the light of 9/11, hurricane Katrina, etc.)
Part of the review process should include checks to ensure that the backup plan for each key system is really being implemented correctly:
- Backup personnel can produce the backup tapes for these key systems when requested.
- Data-restoration requirements can be met.
- Firewalls, intrusion detection/prevention systems, authentication systems (login, passwords, etc.), and logging/auditing systems are operating effectively and logs are being reviewed and acted upon on a regular basis.
- Appropriate physical security measures are in place and are effective; for example, security personnel are patrolling key areas regularly, visitors are always accompanied, security fences are in place, closed-circuit TV cameras are in place and are being watched, security passes are required to access key areas of buildings.
- Procedures and policies are in place to prevent data integrity or availability being compromised; for example, checks and controls ensure data integrity, and separation of duties ensures that no single person can seriously affect data integrity and/or availability.
This review process can be tested by internal auditors in the following ways:
- Obtaining copies of the reports of any external auditors, consultants, or security assessors.
- Obtaining copies of any minutes/agendas of meetings reviewing the BCP plan and process.
- Reviewing documentation of testing scenarios (test plans, test results, etc.).
- Requesting proof that any issues/problems identified were acted upon and resolved. Proofs can include logs, change request documentation, printouts of software or hardware configurations, etc.
- Specifying dates for which the backup team should provide the backup tapes of all the key systems, and verifying that the backup tapes are restored effectively and correctly within data-restoration timeframes.
It should be clear who should be called in different scenarios, and their contact details should be widely available to all who need them.
The internal audit team can test this requirement by requesting a copy of the latest call list and calling the people on the list to ensure that the telephone numbers are up to date and that the people listed know what to do in various scenarios. It's useful to keep a copy of the call list, and a log of the results of calling the numbers, for use by the external auditors, who will later use this evidence to ensure compliance.
Publication of the BCP Plan and Process
The BCP plan should not only exist; it should be published, reviewed regularly, and republished to all the key players in the process. It should be clear who is responsible for the plan, which members of staff support the BCP process, and what their responsibilities are. The BCP plan must include the following information:
- Data backup plan for each key system
- Emergency response plan indicating the chain of command and contact info in emergency scenarios
- Contingency plan indicating backup locations, systems, and personnel to be employed in the event of key locations, systems, and/or personnel being unavailable
The internal auditors should ensure that the various versions of the BCP plan exist, and should obtain proof that new versions are published to key personnel (for example, obtain the email sending the latest version out to all staff, or obtain a distribution list to which copies were sent).
The internal audit team should ensure that the latest version of documentation is accurate and up to date by interviewing the key individuals to ensure that they understand their revised responsibilities and how to respond to various scenarios, by checking that changes incorporated are understood by key staff, and by verifying that documents affected by these changes are updated accordingly.
The internal auditors should also check that the backup locations, systems, and personnel are available when required; this can be ensured by carrying out surprise visits to the locations with very little notice, asking for access to the backup systems, and interviewing personnel at key points in time to ensure that they're ready to take over if needed.
Awareness of the BCP Plan and Process
The entire organization must be aware of what the business continuity process is and how it relates to each individual.
This requirement can be tested by the internal audit team by submitting questionnaires to or interviewing individuals at different levels in the organization and asking them what they would do in various scenarios. The number of individuals to question should be determined in consultation with external auditors.
All staff within the organization should receive some training about their roles in the event of emergency scenarios. Some of this training will consist of scenario testing, in which a situation is simulated and staff are expected to respond as they would in the real situation; for example, simulation of a terrorist bomb attack on the headquarters building, fire drills, etc. Other training will simply be awareness training, ensuring that staff understand the need for a business continuity plan, know which phone numbers to call in the event of an emergency or relocation, are clear on what they're supposed to do in case of an emergency, and so on.
This requirement can be tested by obtaining schedules of training courses, seminars, and so forth as well as a list of attendees of each, and then carrying out awareness interviews and questionnaires with those attendees to ensure that the training is effective.
The BCP should be tested regularly in a number of different ways. Typically, large-scale scenario tests (simulation of a terrorist bomb attack, plane crashing into the building) will occur annually, and will involve a great deal of planning; personnel involvement (including personnel outside of the organization, such as emergency responders, business partners, and community groups); and reviews to ensure that the testing was effective and to determine lessons learned.
Such scenario testing will require test plans to be drawn up, indicating what is expected of personnel involved in the testing, and allowing personnel to record whether or not they were able to carry out tasks or what unexpected problems they encountered.
Small-scale tests can occur on an ongoing basis and can consist of any number of the following types of tests:
- Spot checks on systems ensure that when the system is taken down, it can be restored quickly and effectively as detailed in the appropriate procedures documentation. Restoration times are recorded to determine whether requirements are met; if not, issues are noted.
- Spot checks on staff ensure that when key personnel are removed from the office, the remaining staff can work effectively without them. When the key personnel return, a postmortem is carried out to find out how well/badly the rest of the staff coped and what needs to change to help them manage more effectively in the future.
- Alternate site tests ensure that business can be transferred to an alternate site effectively if the main site is unavailable. In this case, selected key staff can be called with no notice and told to act as though the main site has just become unavailable. Their reaction to the scenario is monitored to ensure that the alternate site is brought up effectively, or to note any problems or issues that were not foreseen within the BCP plan.
- Planned walkthroughs of plans and procedures are designed to identify issues and problems with those plans and procedures, feeding back into the change management process. These types of walkthroughs often precede all the other types of tests and are often invaluable in reducing the amount of time wasted during the other types of tests. Key personnel get together and go step by step through plans and procedures, trying to anticipate problems and issues that may be encountered during scenario testing/other types of testing or during real incidents.
After all these types of testing, the BCP plan, procedures, and/or process should be altered in light of lessons learned, problems and issues encountered, and so on under the change management process.
One person must ultimately be responsible for the business continuity process, and that person must have the backing of the board in developing and maintaining that process. In a reasonable-sized company, this person would have reasonable access to a team consisting of representatives of all parts of the organization who are empowered to provide requirements and testing for their own areas of the organization.
This aspect can be tested by reviewing the BCP documentation to identify the person who is ultimately responsible, and then interviewing that person as well as the chief executives of the organization (CEO, CIO, board members), to ensure that the person with ultimate responsibility for the BCP is fully empowered by the board.
Up-to-date documentation is key to the business continuity process, and should include auditable lists of emergency contact personnel, their roles, and their contact information. Procedures should be clearly defined, and it should be clear under which scenarios those procedures would be invoked.
Testing of the documentation and procedures should be carefully planned, documented, and carried out. Any problems with existing documentation and procedures found during testing should be input to a change management process, ensuring that changes to existing procedures and documents are reviewed and approved before a new version of the business continuity plan is released to all concerned.
The results of testing will usually be audited by external auditors or assessors to ensure that the plans are adequate and will work in the event of emergencies. It is important that testing be carried out regularly and cover the most likely scenarios as well as those scenarios that would cost the organization most dearly should they occur.
External auditors/assessors are essential to assess compliance with legislation/standards, in most cases on an annual basis. External auditors in some cases (for example, Sarbanes-Oxley and HIPAA) must be certified, and in all cases must be independent of management.
External auditors and assessors will assess the business continuity process to ensure the following:
- The BCP is thorough in its assessment of risks.
- The BCP is an ongoing, repeatable, thorough process.
- Everyone involved in business continuity responses is aware of their role and procedures they're expected to follow.
- The process is tested regularly.
All documentation gathered during compliance testing within the organization by the internal auditors should be kept and filed carefully for the external auditors to use later in their assessment of compliance.