Home > Articles > Cisco Network Technology > General Networking > Corporate Governance, Business Continuity Planning, and Disaster Recovery

Corporate Governance, Business Continuity Planning, and Disaster Recovery

  • Date: Dec 1, 2005.

Contents

  1. Introduction
  2. Legislation, Directives, and Standards
  3. How To Ensure Compliance
  4. Summary

Article Description

To protect business stakeholders, corporate governance focuses a sharp eye on all measures and systems within the organization to ensure compliance with laws, regulations, and standards. Michelle Johnston Sollicito points out the many required aspects of a proper business continuity plan and shows you where to look for holes in your process.

How To Ensure Compliance

Despite the plethora of different statutes, directives, and standards dictating that business continuity planning/disaster recovery planning is required of organizations, adherence to compliance requirements with respect to business continuity and disaster recovery can be assured by following a few uniform rules.

Various compliance frameworks can be used to assess BCP measures—ISO, COBIT, COSO, etc.—but key aspects are similar:

  • COSO requires data center operation controls and transaction management controls in order to ensure data integrity and availability.
  • ISO 1799 has a section entitled Business Continuity Management that requires testing, maintaining, and reassessing a business continuity plan.
  • ISACA's COBIT requires uninterruptible power supplies under its Manage Facilities section.
  • NIST requires contingency and continuity plans and management.

As a general rule, in order to test BCP/DR compliance within an organization, a team of qualified, knowledgeable internal auditors should be created, reporting to a different member of the board than the BCP team reports to. This team of internal auditors should test to ensure that the BCP plan and process meet the compliance requirements discussed in the following sections.

Ongoing Process

Business continuity should be an ongoing process, concerned with the development of strategies, policies, and plans that will provide protection of existing modes of operating within the organization, or will provide alternative means of carrying out that organization's business in the event of disruption that might otherwise result in loss to the organization.

This aspect can be tested by the internal auditors by asking the BCP team for the following:

  • Proof of regular meetings: minutes, agendas, notes, presentation slides, etc.
  • Regular scenario test runs: test plans, test results, and so on
  • Evidence of recent change management (such as logs showing ongoing changes) and reviews to the BCP plan (for example, version history of the BCP plan and associated documents)

Risk Assessment

The business continuity process (which should probably be repeated annually at least) should commence with a business impact assessment (BIA) or risk assessment, in order to identify recovery objectives for all the key systems, both manual and IT-based, as well as to identify continuity-related risks to which the organization might be vulnerable.

Although some legislation, directives, and standards may apply more fully to some aspects of the organization than others—for instance, Sarbanes-Oxley seemingly applies more to financial aspects than to other areas of the organization—it's recommended that the BIA be carried out across the whole enterprise, including taking into account reliance upon external systems such as vendor-maintained systems, business partner–shared systems, and so on. This part of the risk assessment is intended to determine which areas of the business provide the most serious risk.

For example, the following kinds of risks should be considered as part of the BIA:

  • Are key systems backed up regularly enough (and are they able to be restored quickly enough) to ensure that availability of data meets specific business, legislation, and standards requirements? For example, VISA makes very specific requirements of VISA merchants about the availability of credit card data after an incident; HIPAA requires 100% availability of some critical "life safety data."
  • Are key systems' availability ensured using uninterruptible power supplies (UPS), failover/hot-standby facilities, or other contingency measures?
  • Is the organization able to operate effectively without key personnel? Is it clear who is the "second in command" in each department? Are there at least two members of staff who know how to carry out each key job?
  • Is the organization able to operate effectively without key systems (not just IT systems—telecommunications systems, manual systems, etc.)? Are contingency manual processes in place in case key systems fail?
  • Is the organization able to operate effectively without key locations? Are contingency locations available in which business can temporarily be carried out if a site/location is unavailable?
  • Are all important prevention mechanisms in place to avoid or reduce the effects of system failures or damage caused by floods, fires, terrorist attacks, and so forth? Particularly, this area should take into account firewalls, intrusion prevention/detection mechanisms, auditing/logging, sprinkler systems, closed-circuit TV cameras, security staff, physical security mechanisms (passcodes, keycards, receptionists, keys and locks, security fences, building design, and so on).

The risk assessment area of business continuity planning can be tested by internal auditors by obtaining a copy of the risk assessment/business impact assessment documentation, and ensuring that it covers all the required systems, locations, and personnel.

Regular Reviews and Gap Analysis

All disaster recovery plans and business continuity plans should be reviewed in light of the BIA, kept up to date, and regularly tested/reviewed thoroughly.

This review process and gap analysis, the responsibility of the BCP team, should include the following:

  • Security assessment carried out by an independent assessor (CISSP certified auditor or independent security consultancy)
  • BCP scenario testing, such as a simulation of a terrorist bomb attack on the organization's headquarters, or simulation of a virus attack bringing down the network
  • Regular reviews of the plan and process by the BCP team to identify any changes that should be made in light of changes to legislation; changes to the way in which business is carried out (for example, a merger that adds a new business location to the plan or discontinues a business relationship with a partner, removing a location from the plan); or just in the light of new experiences or information (for example, many organizations have reviewed their BCP and DR plans in the light of 9/11, hurricane Katrina, etc.)

Part of the review process should include checks to ensure that the backup plan for each key system is really being implemented correctly:

  • Backup personnel can produce the backup tapes for these key systems when requested.
  • Data-restoration requirements can be met.
  • Firewalls, intrusion detection/prevention systems, authentication systems (login, passwords, etc.), and logging/auditing systems are operating effectively and logs are being reviewed and acted upon on a regular basis.
  • Appropriate physical security measures are in place and are effective; for example, security personnel are patrolling key areas regularly, visitors are always accompanied, security fences are in place, closed-circuit TV cameras are in place and are being watched, security passes are required to access key areas of buildings.
  • Procedures and policies are in place to prevent data integrity or availability being compromised; for example, checks and controls ensure data integrity, and separation of duties ensures that no single person can seriously affect data integrity and/or availability.

This review process can be tested by internal auditors in the following ways:

  • Obtaining copies of the reports of any external auditors, consultants, or security assessors.
  • Obtaining copies of any minutes/agendas of meetings reviewing the BCP plan and process.
  • Reviewing documentation of testing scenarios (test plans, test results, etc.).
  • Requesting proof that any issues/problems identified were acted upon and resolved. Proofs can include logs, change request documentation, printouts of software or hardware configurations, etc.
  • Specifying dates for which the backup team should provide the backup tapes of all the key systems, and verifying that the backup tapes are restored effectively and correctly within data-restoration timeframes.

Call Lists

It should be clear who should be called in different scenarios, and their contact details should be widely available to all who need them.

The internal audit team can test this requirement by requesting a copy of the latest call list and calling the people on the list to ensure that the telephone numbers are up to date and that the people listed know what to do in various scenarios. It's useful to keep a copy of the call list, and a log of the results of calling the numbers, for use by the external auditors, who will later use this evidence to ensure compliance.

Publication of the BCP Plan and Process

The BCP plan should not only exist; it should be published, reviewed regularly, and republished to all the key players in the process. It should be clear who is responsible for the plan, which members of staff support the BCP process, and what their responsibilities are. The BCP plan must include the following information:

  • Data backup plan for each key system
  • Emergency response plan indicating the chain of command and contact info in emergency scenarios
  • Contingency plan indicating backup locations, systems, and personnel to be employed in the event of key locations, systems, and/or personnel being unavailable

The internal auditors should ensure that the various versions of the BCP plan exist, and should obtain proof that new versions are published to key personnel (for example, obtain the email sending the latest version out to all staff, or obtain a distribution list to which copies were sent).

The internal audit team should ensure that the latest version of documentation is accurate and up to date by interviewing the key individuals to ensure that they understand their revised responsibilities and how to respond to various scenarios, by checking that changes incorporated are understood by key staff, and by verifying that documents affected by these changes are updated accordingly.

The internal auditors should also check that the backup locations, systems, and personnel are available when required; this can be ensured by carrying out surprise visits to the locations with very little notice, asking for access to the backup systems, and interviewing personnel at key points in time to ensure that they're ready to take over if needed.

Awareness of the BCP Plan and Process

The entire organization must be aware of what the business continuity process is and how it relates to each individual.

This requirement can be tested by the internal audit team by submitting questionnaires to or interviewing individuals at different levels in the organization and asking them what they would do in various scenarios. The number of individuals to question should be determined in consultation with external auditors.

Training

All staff within the organization should receive some training about their roles in the event of emergency scenarios. Some of this training will consist of scenario testing, in which a situation is simulated and staff are expected to respond as they would in the real situation; for example, simulation of a terrorist bomb attack on the headquarters building, fire drills, etc. Other training will simply be awareness training, ensuring that staff understand the need for a business continuity plan, know which phone numbers to call in the event of an emergency or relocation, are clear on what they're supposed to do in case of an emergency, and so on.

This requirement can be tested by obtaining schedules of training courses, seminars, and so forth as well as a list of attendees of each, and then carrying out awareness interviews and questionnaires with those attendees to ensure that the training is effective.

Scenario Testing

The BCP should be tested regularly in a number of different ways. Typically, large-scale scenario tests (simulation of a terrorist bomb attack, plane crashing into the building) will occur annually, and will involve a great deal of planning; personnel involvement (including personnel outside of the organization, such as emergency responders, business partners, and community groups); and reviews to ensure that the testing was effective and to determine lessons learned.

Such scenario testing will require test plans to be drawn up, indicating what is expected of personnel involved in the testing, and allowing personnel to record whether or not they were able to carry out tasks or what unexpected problems they encountered.

Small-scale tests can occur on an ongoing basis and can consist of any number of the following types of tests:

  • Spot checks on systems ensure that when the system is taken down, it can be restored quickly and effectively as detailed in the appropriate procedures documentation. Restoration times are recorded to determine whether requirements are met; if not, issues are noted.
  • Spot checks on staff ensure that when key personnel are removed from the office, the remaining staff can work effectively without them. When the key personnel return, a postmortem is carried out to find out how well/badly the rest of the staff coped and what needs to change to help them manage more effectively in the future.
  • Alternate site tests ensure that business can be transferred to an alternate site effectively if the main site is unavailable. In this case, selected key staff can be called with no notice and told to act as though the main site has just become unavailable. Their reaction to the scenario is monitored to ensure that the alternate site is brought up effectively, or to note any problems or issues that were not foreseen within the BCP plan.
  • Planned walkthroughs of plans and procedures are designed to identify issues and problems with those plans and procedures, feeding back into the change management process. These types of walkthroughs often precede all the other types of tests and are often invaluable in reducing the amount of time wasted during the other types of tests. Key personnel get together and go step by step through plans and procedures, trying to anticipate problems and issues that may be encountered during scenario testing/other types of testing or during real incidents.

After all these types of testing, the BCP plan, procedures, and/or process should be altered in light of lessons learned, problems and issues encountered, and so on under the change management process.

Ultimate Responsibility

One person must ultimately be responsible for the business continuity process, and that person must have the backing of the board in developing and maintaining that process. In a reasonable-sized company, this person would have reasonable access to a team consisting of representatives of all parts of the organization who are empowered to provide requirements and testing for their own areas of the organization.

This aspect can be tested by reviewing the BCP documentation to identify the person who is ultimately responsible, and then interviewing that person as well as the chief executives of the organization (CEO, CIO, board members), to ensure that the person with ultimate responsibility for the BCP is fully empowered by the board.

Full Documentation

Up-to-date documentation is key to the business continuity process, and should include auditable lists of emergency contact personnel, their roles, and their contact information. Procedures should be clearly defined, and it should be clear under which scenarios those procedures would be invoked.

Testing of the documentation and procedures should be carefully planned, documented, and carried out. Any problems with existing documentation and procedures found during testing should be input to a change management process, ensuring that changes to existing procedures and documents are reviewed and approved before a new version of the business continuity plan is released to all concerned.

The results of testing will usually be audited by external auditors or assessors to ensure that the plans are adequate and will work in the event of emergencies. It is important that testing be carried out regularly and cover the most likely scenarios as well as those scenarios that would cost the organization most dearly should they occur.

External Auditors

External auditors/assessors are essential to assess compliance with legislation/standards, in most cases on an annual basis. External auditors in some cases (for example, Sarbanes-Oxley and HIPAA) must be certified, and in all cases must be independent of management.

External auditors and assessors will assess the business continuity process to ensure the following:

  • The BCP is thorough in its assessment of risks.
  • The BCP is an ongoing, repeatable, thorough process.
  • Everyone involved in business continuity responses is aware of their role and procedures they're expected to follow.
  • The process is tested regularly.

All documentation gathered during compliance testing within the organization by the internal auditors should be kept and filed carefully for the external auditors to use later in their assessment of compliance.

Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.

Overview

Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@ciscopress.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security

Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children

This site is not directed to children under the age of 13.

Marketing

Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out

Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.ciscopress.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links

This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020