Business continuity and disaster recovery auditing explained

Given organizations' increasing dependency on information technology (IT) to run their operations, business continuity planning covers the entire organization, while disaster recovery focuses on IT.

Auditing documents covering an organization's business continuity and disaster recovery (BCDR) plans provides a third-party validation to stakeholders that the documentation is complete and does not contain material misrepresentations.

Overview

Often used together, the terms business continuity (BC) and disaster recovery (DR) are very different. BC refers to the ability of a business to continue critical functions and business processes after the occurrence of a disaster, whereas DR refers specifically to the IT functions of the business, albeit a subset of BC.[1] [2]

Metrics

The primary objective is to protect the organization in the event that all or part of its operations and/or computer services are rendered partially or completely unusable.

DR metrics

Minimizing downtime and data loss during disaster recovery is typically measured in terms of two key concepts:

The auditor's role

An auditor examines and assesses

Documentation

Disaster recovery plan

A disaster recovery plan (DRP) is a documented process or set of procedures to execute an organization's disaster recovery processes and recover and protect a business IT infrastructure in the event of a disaster.[3] It is "a comprehensive statement of consistent actions to be taken before, during and after a disaster".[4] The disaster could be natural, environmental or man-made. Man-made disasters could be intentional (for example, an act of a terrorist) or unintentional (that is, accidental, such as the breakage of a man-made dam or even "fat fingers" - or errant commands entered - on a computer system).

Types of plans

Although there is no one-size-fits-all plan,[5] there are three basic strategies:[3] [5]

  1. prevention, including proper backups, having surge protectors and generators
  2. detection, a byproduct of routine inspections, which may discover new (potential) threats
  3. correction[6]

The latter may include securing proper insurance policies, and holding a "lessons learned" brainstorming session.[7] [8]

Best practices

To maximize their effectiveness, DRPs are most effective when updated frequently, and should:

Adequate records need to be retained by the organization. The auditor examines records, billings, and contracts to verify that records are being kept. One such record is a current list of the organization's hardware and software vendors. Such list is made and periodically updated to reflect changing business practices and as part of an IT asset management system. Copies of it are stored on and off site and are made available or accessible to those who require them. An auditor tests the procedures used to meet this objective and determine their effectiveness.

Relationship to BCPs

Disaster recovery is a subset of business continuity. Where DRP encompasses the policies, tools and procedures to enable recovery of data following a catastrophic event, BCP involves keeping all aspects of a business functioning regardless of potential disruptive events. As such, a business continuity plan is a comprehensive organizational strategy that includes the DRP as well as threat prevention, detection, recovery, and resumption of operations should a data breach or other disaster event occur. Therefore, BCP consists of five component plans:[9]

The first three components (business resumption, occupant emergency, and continuity of operations plans) do not deal with the IT infrastructure. The incident management plan (IMP) does deal with the IT infrastructure, but since it establishes structure and procedures to address cyber attacks against an organization's IT systems, it generally does not represent an agent for activating the DRP; thus DRP is the only BCP component of active interest to IT.[9]

Testing

The overall categorization of tests are functional- and discussion-based. Types of tests include: tabletop exercises,[10] checklists, simulations, parallel processing (testing recovery site while primary site is in operation), and full interruption (fail over) tests.[11] [12] These apply to both BC and DR.

Benefits

Like every insurance plan, there are benefits that can be obtained from proper business continuity planning, including:[13] Studies have shown a correlation between higher spending on auditing fees and lower rates of incidents.[14]

Planning and testing methodology

According to Geoffrey H. Wold of the Disaster Recovery Journal, the entire process involved in developing a Disaster Recovery Plan consists of 10 steps:

Initial testing can be plan is done in sections and after normal business hours to minimize disruptions. Subsequent tests occur during normal business hours.

Caveats/controversies

Due to high cost, various plans are not without critics. Dell has identified five "common mistakes" organizations often make related to BCP/DR planning:[15]

Decisions and strategies

Site designation: choice of a backup site. A hot site is fully equipped to resume operations while a cold site does not have that capability. A warm site has the capability to resume some, but not all operations.

A cost-benefit analysis is needed.

Data backup: An audit of backup processes determines if (a) they are effective, and (b) if they are actually being implemented by the involved personnel.[16] [17] The disaster recovery plan also includes information on how best to recover any data that has not been copied. Controls and protections are put in place to ensure that data is not damaged, altered, or destroyed during this process.

Drills: Practice drills conducted periodically to determine how effective the plan is and to determine what changes may be necessary. The auditor's primary concern here is verifying that these drills are being conducted properly and that problems uncovered during these drills are addressed.

Backup of key personnel - including periodic training, cross-training, and personnel redundancy.

Other considerations

Insurance issues

The auditor determines the adequacy of the company's insurance coverage (particularly property and casualty insurance) through a review of the company's insurance policies and other research. Among the items that the auditor needs to verify are: the scope of the policy (including any stated exclusions), that the amount of coverage is sufficient to cover the organization's needs, and that the policy is current and in force. The auditor also ascertains, through a review of the ratings assigned by independent rating agencies, that the insurance company or companies providing the coverage have the financial viability to cover the losses in the event of a disaster.

Effective DR plans take into account the extent of a company's responsibilities to other entities and its ability to fulfill those commitments despite a major disaster. A good DR audit will include a review of existing MOA and contracts to ensure that the organization's legal liability for lack of performance in the event of disaster or any other unusual circumstance is minimized. Agreements pertaining to establishing support and assisting with recovery for the entity are also outlined. Techniques used for evaluating this area include an examination of the reasonableness of the plan, a determination of whether or not the plan takes all factors into account, and a verification of the contracts and agreements reasonableness through documentation and outside research.

Communication issues

The auditor must verify that planning ensures that both management and the recovery team have effective communication hardware, contact information for both internal communication and external issues, such as business partners and key customers.

Audit techniques include

Emergency procedures

Procedures to sustain staff during a round-the-clock disaster recovery effort are included in any good disaster recovery plan. Procedures for the stocking of food and water, capabilities of administering CPR/first aid, and dealing with family emergencies are clearly written and tested. This can generally be accomplished by the company through good training programs and a clear definition of job responsibilities. A review of the readiness capacity of a plan often includes tasks such as inquires of personnel, direct physical observation, and examination of training records and any certifications.

Environmental issues

The auditor must review procedures that take into account the possibility of power failures or other situations that are of a non-IT nature.

See also

References

Notes and References

  1. Book: 9780124114517 . Susan Snedaker . 2013 . Business continuity and disaster recovery planning for IT professionals . Elsevier Science . Burlington . 2.
  2. Web site: 2019-11-25 . What Is the Difference Between Disaster Recovery and Business Continuity . Cloudian.
  3. Web site: 5 Tips to Build an Effective Disaster Recovery Plan . Small Business Computing . 14 June 2012 . 9 August 2012 . Bill Abram.
  4. Web site: Disaster Recovery Planning Process . Geoffrey H. . Wold . Disaster Recovery Journal . Adapted from Volume 5 #1 . Disaster Recovery World . 1997 . 8 August 2012 . dead . https://web.archive.org/web/20120815054111/http://www.drj.com/new2dr/w2_002.htm . 15 August 2012 .
  5. Web site: Disaster Recovery Planning - Step by Step Guide . Michigan State University . 9 May 2014 . dead . https://web.archive.org/web/20140308022707/http://www.drp.msu.edu/Documentation/StepbyStepGuide.htm . 8 March 2014.
  6. Web site: Backup Disaster Recovery . Email Archiving and Remote Backup . 2010 . 9 May 2014 . https://archive.today/20130122083319/http://emailarchivingandremotebackup.com/backup-disaster-recovery.html . 22 January 2013 . dead .
  7. Web site: 5 Tips to Build an Effective Disaster Recovery Plan . Small Business Computing . 14 June 2012 . 9 August 2012 . Bill Abram.
  8. Web site: Disaster Recovery & Business Continuity Plans . Stone Crossing Solutions . 2012 . 9 August 2012 . dead . https://web.archive.org/web/20120823045007/http://www.stonecrossingsolutions.com/technical-solutions/disaster-recovery/ . 23 August 2012.
  9. Web site: The Disaster Recovery Plan . Chad Bahan. . June 2003 . 24 August 2012.
  10. Web site: Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities . . 21.
  11. Web site: What is the difference between a tabletop exercise, a drill, a functional exercise, and a full-scale exercise?.
  12. Web site: Homeland Security Exercise and Evaluation Program (HSEEP) . Jan 2020 . Homeland Security.
  13. Web site: Disaster Recovery Planning Process . Geoffrey H. . Wold . Disaster Recovery Journal . Adapted from Volume 5 #1 . Disaster Recovery World . 1997 . 8 August 2012 . dead . https://web.archive.org/web/20120815054111/http://www.drj.com/new2dr/w2_002.htm . 15 August 2012 .
  14. Are External Auditors Concerned about Cyber Risk disclosure . Auditing: A Journal of Practice & Theory . 24 Nov 2021 . 10.2139/ssrn.2880928 . 168198159 . Li . He . No . Won Gyun . Boritz . J. Efrim.
  15. Web site: Five Mistakes That Can Kill a Disaster Recovery Plan . Cormac Foster . Dell Corporation . 25 October 2010 . 8 August 2012. https://web.archive.org/web/20130116112225/http://content.dell.com/us/en/enterprise/d/large-business/mistakes-that-kill-disaster.aspx . 2013-01-16 .
  16. News: . Constance Gustke . Hurricane Joaquin Highlights the Importance of Plans to Keep Operating . October 7, 2015 .
  17. Berman, Alan. : Constructing a Successful Business Continuity Plan. Business Insurance Magazine, March 9, 2015. http://www.businessinsurance.com/article/20150309/ISSUE0401/303159991/constructing-a-successful-business-continuity-plan