Predstavitev smernice
This presentation is the property of its rightful owner.
Sponsored Links
1 / 22

PREDSTAVITEV SMERNICE PowerPoint PPT Presentation


  • 80 Views
  • Uploaded on
  • Presentation posted in: General

PREDSTAVITEV SMERNICE. G32 Bussiness Continuity Plan (BCP) Review from IT Perspective. Peter Grasselli, CISA, CISSP SLOVENSKI INŠTITUT ZA REVIZIJO Ljubljana. Vsebina smernice. 1. Ozadje 2. Kratek opis NNP s perspektive IT 3. Neodvisnost 4. Sposobnost 5. Načrtovanje

Download Presentation

PREDSTAVITEV SMERNICE

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Predstavitev smernice

PREDSTAVITEV SMERNICE

G32 Bussiness Continuity Plan (BCP) Review from IT Perspective

Peter Grasselli, CISA, CISSP

SLOVENSKI INŠTITUT ZA REVIZIJOLjubljana


Vsebina smernice

Vsebina smernice

  • 1. Ozadje

  • 2. Kratek opis NNP s perspektive IT

  • 3. Neodvisnost

  • 4. Sposobnost

  • 5. Načrtovanje

  • 6. Izvedba pregleda UNP s perspektive IT

  • 7. Poročanje

  • 8. Spremljanje

  • 9. Veljavnost


Predstavitev smernice

OPOZORILO

Guidelines provide guidance in applying IS auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, useprofessional judgment in their application and be prepared to justify any departure.

The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.

ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors. ISACA makes no claim that use of this product will assure a successful outcome.


1 ozadje

1. Ozadje

  • S6 Performance of audit work

  • DS 4 Ensure continous service

  • namen

    • opis običajnega postopka pregleda NNP s stališča IT

    • identifikacija, dokumentiranje, preverjanje in ocenjevanje v organizaciji vpeljanih kontrol na področju procesa NNP (z vidika IT)

  • izrazoslovje


1 6 izrazoslovje

načrt neprekinjenega poslovanja (NNP)

analiza poslovnih posledic (APP)

okrevalni načrt (ON)

1.6 Izrazoslovje

Business continuity plan (BCP)

Business impact analysis (BIA)

Disaster recovery plan (DRP)

BIA

OCENA TVEGANJA

STRATEGIJA UNP

VZDRŽEVANJE, PREVERJANJE UNP

UPRAVLJANJE PROGRAMA UNP

RAZVOJ IN VPELJAVA NAČRTOV UNP

GRADNJA KULTURE UNP


2 kratek opis nnp s perspektive it

2. Kratek opis NNP s perspektive IT

  • nepregleden

  • ponavljajoč

2.1.2 BCP components include the following:

  • Identification—Identify potential threats and risks of the business.

    2.2.1 An essential element of BCP is risk assessment, which involves the task of identifying and analysing the potential vulnerabilities and threats, including the source.


Predstavitev smernice

BIA

OCENA TVEGANJA

STRATEGIJA UNP

VZDRŽEVANJE, PREVERJANJE UNP

UPRAVLJANJE PROGRAMA UNP

UPRAVLJANJEKRIZNIHSITUACIJ

RAZVOJ IN VPELJAVA NAČRTOV UNP

GRADNJA KULTURE UNP

  • Kazalci pomembnosti procesov:

  • proces je pomemben za življenje, zdravje ali varnost ljudi

  • cilj procesa je zagotavljanje zakonodajnih ali statutarnih zahtev

  • prekinitev procesa bi pomenila izgubo prihodka

  • lahko bi prišlo do izgube ugleda podjetja ali strank

  • Opis upravljanja neprekinjenega poslovanja:

  • Blanka Šauperl, Nataša Žabkar: Življenjski cikel upravljanja neprekinjenega poslovanja, Zbornik 12. Med. Konference o revidiranju in kontroli IS, 2004

  • Renato Burazer, Pavle Golob: Načrt neprekinjenga poslovanja – tehnični vidik postavitve in preizkušanja, Zbornik 12. Med. Konference o …, 2004

  • PAS 56: Vodnik po upravljanju neprekinjenega poslovanja

  • ITIL: Service delivery, IT Service Continuity Management


3 neodvisnost 4 sposobnost

3. Neodvisnost4. Sposobnost

  • Potrebno znanje in izkušnje za izvedbo pregleda področja NNP in posameznih komponent NNP

  • Zmožen oceniti, če je NNP usklajen s potrebami organizacije.

  • Razumeti poslovno okolje, cilje organizacije, zakonske zahteve, poslovne cilje, poslovne procese, informacijske potrebe teh procesov, strateško pomembnost IS in stopnjo usklajenosti IS s strategijo organizacije.

procesov upravljanja neprekinjenega poslovanja


5 na rtovanje

5. Načrtovanje

  • Obseg in cilji pregleda


Predstavitev smernice

uspešnostučinkovitostrazpoložljivostskladnost

zaupnostcelovitostzanesljivost


5 na rtovanje1

5. Načrtovanje

  • Obseg in cilji pregleda

  • Upoštevati razvojno fazo NNP v organizaciji


Predstavitev smernice

2 Repeatable but Intuitive when

Responsibility for ensuring continuous service is assigned. The approaches to ensuring continuous service are fragmented.

Reporting on system availability is sporadic, may be incomplete and does not take business impact into account. There is no documented IT continuity plan, although there is commitment to continuous service availability and its major principles are known.

An inventory of critical systems and components exists, but it may not be reliable. Continuous service practices are emerging, but success relies on individuals.

3 Defined Process when

Accountability for the management of continuous service is unambiguous. Responsibilities for continuous service planning and testing are clearly defined and assigned. The IT continuity plan is documented and based on system criticality and business impact.

There is periodic reporting of continuous service testing. Individuals take the initiative for following standards and receiving training to deal with major incidents or a disaster. Management communicates consistently the need to plan for ensuring continuous service.

High-availability components and system redundancy are being applied. An inventory of critical systems and components is maintained.

4 Managed and Measurable when

Responsibilities and standards for continuous service are enforced. The responsibility to maintain the continuous service plan is assigned. Maintenance activities are based on the results of continuous service testing, internal good practices, and the changing IT and business environment. Structured data about continuous service are being gathered, analysed, reported and acted upon. Formal and mandatory training is provided on continuous service processes. System availability good practices, are being consistently deployed. Availability practices and continuous service planning influence each other. Discontinuity incidents are classified and the increasing escalation path for each is well known to all involved. KGIs and KPIs for continuous service have been developed and agreed upon but may be inconsistently measured.

5 Optimised when

Integrated continuous service processes take into account benchmarking and best external practices. The IT continuity plan is integrated with the business continuity plans and is routinely maintained. Requirement for ensuring continuous service is secured from vendors and major suppliers. Global testing of the IT continuity plan occurs, and test results are input for updating the plan. Gathering and analysis of data are used for continuous improvement of the process. Availability practices and continuous service planning are fully aligned. Management ensures that a disaster or a major incident will not occur as a result of a single point of failure. Escalation practices are understood and thoroughly enforced. KGIs and KPIs on continuous service achievement are measured in a systematic fashion. Management adjusts the planning for continuous service in response to the KGIs and KPIs.

0 Non-existent when

There is no understanding of the risks, vulnerabilities and threats to IT operations or the impact of loss of IT services to the business. Service continuity is not considered as needing management attention.

1 Initial/Ad Hoc when

Responsibilities for continuous service are informal and the authority to execute responsibilities is limited. Management is becoming aware of the risks related to and the need for continuous service. The focus of management attention on continuous service is on infrastructure resources, rather than on the IT services. Users implement workarounds in response to disruptions of services. The response of IT to major disruptions is reactive and unprepared. Planned outages are scheduled to meet IT needs but do not consider business requirements.

IZBOLJŠUJOČA

stalno izboljševanje

procesov

NADZIRANA

procesi se

kvantitativno merijo

DOLOČENA

procesi so formalizirani

in odobreni

UNP

PONOVLJIVA

odvisno od posameznikov

ZAČETNA


6 izvedba pregleda unp s perspektive it

6. Izvedba pregleda UNP s perspektive IT

6.1. Izvedba

  • pregled dokumentacije

    • najmanj osnovna ocenatveganj in tveganjna področjuIT


6 izvedba pregleda unp s perspektive it1

6. Izvedba pregleda UNP s perspektive IT

6.1. Izvedba

  • pregled dokumentacije

  • POZOR! pomanjkljivosti NNP in izvedene spremembe

  • poročila o incidentih

  • poročila o testiranju

  • poročila pregledov

  • intervjuji z zaposlenimi in serviserji

  • pregled opreme


6 izvedba pregleda unp s perspektive it2

6. Izvedba pregleda UNP s perspektive IT

6.1. Izvedba

  • pregled dokumentacije

  • POZOR! pomanjkljivosti NNP in izvedene spremembe

  • testiranje

  • Pregledati načrt testiranja:

  • točnost in popolnost NNP

  • oceni delo osebja

  • izurjenost ekip

  • koordinacijo med ekipami

  • razpoložljivost in zmogljivost rezervne lokacije

  • stanje in količino opreme premeščene na rezervno lokacijo

  • priprava na testiranje

  • testiranje

  • zaključek testiranja

  • poročilo o testiranju

  • test praviloma izvesti v času testiranja NNP


6 izvedba pregleda unp s perspektive it3

6. Izvedba pregleda UNP s perspektive IT

  • 6.2. Vidiki pregleda

    • Zakaj je potrebno narediti?

    • Kako bomo naredili?

    • Kdo bo naredil? Kdo bo vzdrževal?

    • Kaj je potrebno narediti?

    • Kdaj mora biti narejeno? Kdaj je nesreče končana?

    • Katere politike, pravila in standarde bomo upoštevali?


Predstavitev smernice

6.2.2 Organisational aspects should be reviewed to consider that:

The BCP is consistent with the organisational overall mission, strategic goals and operating plans

The BCP is routinely updated and considered current

The BCP is periodically tested, reviewed and verified for continuing suitability

Budget allocation is available for the BCP testing, implementation and maintenance

Risk analyses are performed routinely

A formal procedure is in place to regularly update the IT and telecom inventory

Management and personnel of the organisation have the required skills to apply the BCP and an appropriate training programme is in place

Measures to maintain an appropriate control environment (such as segregation of duties and control access to data and media) are in place in case of a contingency

Enablers are identified and the individuals’ roles and responsibilities are adequately defined, published and communicated.Core teams such as: the emergency action team, damage assessment team, emergency management team,…

Communication channels are fully documented and publicised within the organisation

The interface and its impact between departments/divisions within the organisation is understood

Roles and responsibilities of external service providers are identified, documented and communicated

Coordination procedures with external service providers and customers are documented and communicated.

BCP teams have been identified for various BCP tasks, clearly establishing roles and responsibilities and management reporting that defines accountability

Compliance with statutory and regulatory requirements is maintained

6.2.3 Planning aspects should be reviewed to consider that:

A methodology to determine activities that constitute each process is in place as part of a key business process analysis

The planned IS technology architecture for the BCP is feasible and will result in safe and sound operations if a business interruption impacts key IT processes

A risk assessment and BIA were performed before the BCP implementation

BIA includes changes in the risks and corresponding effect on the BCP

The BIA identifies the key recovery time frames of the critical business processes

There is a periodic review of risks-

There are appropriate incident response plans in place to manage, contain and minimise problems arising from unexpected events, including internal or external events

An appropriate schedule is in place for BCP testing and maintenance

An onsite test, simulation, triggering of events and their potential impacts should be performed

A BCP life cycle exists and whether it is followed during development, maintenance and upgrade

The BCP is reviewed at periodic intervals to confirm its continuing suitability to the organisation

6.2.4 Procedural aspects should be reviewed to consider that:

Top management is a serious driving force in implementation of the BCP

Top priority is provided for safety of employees, personnel and critical resources

Resources and their recovery have been prioritised and communicated to the recovery teams

Awareness is created across the entire organisation on the effect to the business in the event of a disaster

Adequate emergency response procedures are in place and tested

The people involved in the disaster assessment/recovery process are clearly identified and roles and responsibilities are delineated throughout the organisation

Appropriate levels of training are conducted including mock test drills

Evacuation plans are in place and are periodically tested

Backup human resources are identified and available

Cell, telephone or other such communication call trees are reviewed, tested and routinely updated

Alternative communications strategies are identified

Backup and recovery procedures are part of the BCP

Backups are retrievable

An appropriate backup rotation practice is in place

Offsite locations (hot, warm or cold sites) are tested for availability and reliability

Appropriate offsite records are maintained

Confidentiality and integrity of data and information are maintained

Media liaison strategies are in place, where appropriate

The BCP is periodically tested and test results documented

Corrective actions are initiated based upon test results

There is adequate insurance protection

6. Izvedba pregleda UNP s perspektive IT

  • 6.2. Vidiki pregleda

    • Zakaj je potrebno narediti?

    • Kako bomo naredili?

    • Kdo bo naredil? Kdo bo vzdrževal?

    • Kaj je potrebno narediti?

    • Kdaj mora biti narejeno? Kdaj je nesreče končana?

    • Katere politike, pravila in standarde bomo upoštevali?


6 izvedba pregleda unp s perspektive it4

6. Izvedba pregleda UNP s perspektive IT

6. 3 Zunanje izvajanje storitev

  • usklajenost NNP uporabnika/dobavitelja

  • kako je uporabnik storitve zagotovil, da bo storitev v skladu z njegovim NNP

  • ali pogodba predvideva možnost revizijskega pregleda s stranu uporabnika

  • ali je uporabnik primerno zaščiten v primeru prekinitev poslovanja ponudnika

  • ali pogodba predvideva zagotavljanje storitev v primeru nesreče

  • zagotavljanje celovitosti, zaupnosti in razpoložljivosti podatkov pri ponudniku

  • dostopne kontrole in upravljanje varnosti pri ponudniku

  • ponudnik poroča o incidentih in ukrepih po njih

  • nadzor nad mrežo, upravljanjem sprememb in testiranjem


7 poro anje

7. Poročanje

  • revizijskemu odboru

  • vodstvu

  • slabosti NNP:

    • lastniku poslovnega procesa

    • odgovornemu za NNP v IS

    • pomembne: vodstvu


8 spremljanje

8. Spremljanje

Posledice slabosti v NNP običajno zajemajo široko področje in predstavljajo visoko tveganje.

Revizor IS naj, če je to primerno, sprotno in v zadostni meri spremlja, če je vodstvo takoj ukrepalo .

Za primerno zagotovitev učinkovitosti pregleda naj revizor IS izvede ponovni pregled in preveri, če so bila priporočila izvedena in če so vpeljani popravljalni ukrepi učinkoviti.


9 smernico je potrebno upo tevati od 1 9 2005

9. Smernico je potrebno upoštevati od 1.9.2005

VPRAŠANJA


  • Login