Assessing Your Disaster Recovery Plans Gregory H. G H Soule, S l CPA, CPA CISA CISA, CISSP CISSP, CFE Andrews Hooper Pavlik PLC Andrews Hooper Pavlik PLC Agenda Business Continuity Concepts – Impact I t Analysis A l i – Risk Assessment – Risk Management – Testing g – Annual Review Resources Agenda Business Continuity Concepts p Concepts Business Continuity vs. Disaster Recovery Broader than just technology Emergency g y response p p planning g Crisis management Pandemic planning Incident response planning Concepts Sources: Federal Financial Institution Examination Council (FFIEC) – Business Continuity Planning Booklet National Institute of Standards and Technology (NIST) – SP 800 800-34 34 rev 1 – Contingency Planning Guide Concepts FFIEC – BCP Booklet Specifies a cyclical, process-oriented approach to Business Continuity Planning – Business Impact Analysis – Risk Assessment – Risk Management – Risk Monitoring and Testing Concepts NIST – SP 800-34 rev 1 Specifies a seven-step lifecycle – Develop contingency g y planning g policy y statement – Conduct business impact analysis – Identify preventative controls – Create contingency strategies – Develop an info system contingency plan – Ensure plan testing, training, and exercises – Ensure plan maintenance Concepts Business Impact Analysis Risk Assessment Risk Management g Interdependencies BCP Components Plan Testing Annual Review Agenda Business Impact Analysis \ Business Impact Analysis Purpose: – D Determine t i th the iimpactt th thatt a disruptive di ti eventt would have on the bank. Goals: G l – Determine Criticality – Estimate Maximum Downtime – Evaluate Resource Requirements Business Impact Analysis Determine Criticality: – Inventory I t off business b i functions f ti and d processes – Assign priority ratings to business functions and processes – Identify interdependencies among processes – Identify the impact of non-specific disruptions on business processes – Consider legal and regulatory requirements Business Impact Analysis Estimate Maximum Downtime – M Maximum i ttolerable l bl downtime d ti while hil still till maintaining viability – How long can the business process be disrupted before recovery becomes impossible? – Consider dependencies and critical path – Recovery Time Objectives (RTOs) – Recovery Point Objectives (RPOs) Business Impact Analysis Evaluate Resource Requirements – Wh Whatt iis required i d tto resume critical iti l operations ti (and interdependencies) – Facilities – Personnel – Equipment – Software / Data Files – Third Parties Business Impact Analysis Four Cyclical Steps Gather information Perform vulnerability assessment Analyze information Document results Business Impact Analysis Gather Information Who does what and how? Departmental and Enterprise-wide Enterprise wide – Interrelationships Critical operations / processes Start to establish processing priorities Start to establish alternate procedures Business Impact Analysis Vulnerability Assessment Potential impact of disruptive events Loss criteria: Quantitative or Qualitative Identify internal and external threats Estimate likelihood Assess impact Assess internal and external resources available il bl tto h handle dl th the th threats t Business Impact Analysis Analysis Consider all information gathered Estimate max downtime for each function/process – Nonessential – 30 days – Normal – 7 days – Important – 72 hours – Urgent – 24 hours – Critical – minutes to hours Business Impact Analysis Analysis Identify highest priority business functions Establish RTOs and RPOs Establish recovery priorities Consider the impact of an event, rather than an event itself Business Impact Analysis Results Summarize all activity performed Report to board and senior management Agenda Risk Assessment \ Risk Assessment Evaluate BIA assumptions against various threats Assess impact and probability Assess resulting severity Align assessed threats with prioritized business processes Perform P f gap analysis l i ffor recovery – Current state vs. needed state Risk Assessment Threat Categories Malicious activity – Fraud, theft, blackmail, sabotage, g vandalism, terrorism Natural disasters – Fire, floods, water damage, weather, air contaminants,, hazardous spill p Risk Assessment Threat Categories Technical disasters – Communications failure, customers, employees, y electronic payment system providers, third parties, affiliates, power failure, equipment and software failure, failure transportation system disruptions, water system disruptions Agenda Risk Management \ Risk Management Develop, implement, maintain the BCP Critical BCP success factors: – Based on BIA and risk assessment – Documented in a written program – Reviewed by board and management annually – Disseminated to applicable employees – Specific implementation parameters – Focused on impact vs. specific events Risk Management Example of impact vs. specific events – C Critical iti l personnell are nott available il bl and d cannott be contacted vs. airplane crash – Buildings are not accessible vs vs. tornado – Equipment has malfunctioned vs. flood damage – Utilities are not available vs. ice storm Assumptions – Access to buildings, personnel, technical staff, communication systems Risk Management External Components – Heightened H i ht d iimportance t – Reliance on third parties – Coordination Mitigation Strategies – Redundancy, backups, alternate power sources – Additional inventory – supplies, equipment, etc Interdependencies Telecommunications – Single Si l point i t off ffailure il (SPOF) – Multiple vendors, subcontract Vendor reliance – Vendor BCP Contracted BCP – Staffing, supplies – Facilities,, hardware,, software Interdependencies Internal Dependencies – Departments D t t and d processes – Workflow analysis – Technology dependencies Network Database – Personnel – Records and data Agenda BCP Components \ BCP Components Strategy definition – P Personnel, l C Communication, i ti T Technology, h l Facilities, Liquidity, etc – Identify goals of BCP – Short term vs. long term BCP goals BCP Components Personnel – Preparing P i employees l – Management decision making – Employee / family matters – Communications / contact trees – Vendor contact – Security Sec rit BCP Components Personnel – Employee E l ttraining i i – documentation d t ti – Staffing – Creation of BCP Teams Communication – Communication systems redundancy – External communications – Media relations BCP Components Technology – H Hardware, d S Software, ft Data D t files, fil operations ti equipment – Split operations (active/active) – Hot site (mirroring) Virtualization – Warm site – Cold site – Tertiary (back up of the back up) BCP Components Technology – Service S i b bureaus Consider ability to provide services during widespread d sas e s disasters – Reciprocal agreements Due diligence BCP Components Technology – Backups – Structure St t and d strategy t t – Network data – Core files – Operating p g system y software,, application pp software – Databases, utilities – Primary Primar location vs. s branch locations – Documented procedures and testing Off-site storage BCP Components Facilities – Relocate R l t employees l and d workspaces k Electronic banking systems – Internet banking, cash management, mobile Off-site Off site storage Purchase authority Manual procedures Agenda Testing \ Plan Testing Board and Senior Management involvement Departmental testing – Department managers – Information technology – Facilities Crisis management Continuous cycle Planned vs. Unplanned Plan Testing Testing strategy and plan Staffing – Succession Technology – Backup B k integrity i t it – System restoration Facilities – Power, Power HVAC, HVAC relocation Plan Testing Communications Test scripts – Assumptions Staff availability – Objectives j – Procedures Plan Testing Types of tests – Tabletop T bl t exercise i – Simulation test – Parallel test – Full-scale test Documentation! Agenda Annual Review \ Annual Review At least annually Based on test results, changes to environment Issue tracking Changes to BCP and test program Distribution Agenda Resources \ Resources National Institute of Standards and Technology – Computer Security Resource Center – http://csrc.nist.gov Federal Emergency Management Agency – http://www.fema.gov Resources Ready Campaign – http://www.ready.gov/business FFIEC – http://ithandbook.ffiec.gov Questions? \ Contact Information Gregory H. Soule – CPA, CISA, CISSP, CFE Senior Manager Andrews Hooper Pavlik PLC 691 N N. Squirrel Road Road, Suite 280 Auburn Hills, MI 48326 p: 248-340-6050 f: 248-340-6104 e: gregory gregory.soule@ahpplc.com soule@ahpplc com www.ahpplc.com Thank You \ This presentation was produced in connection with an educational and informational program. It represents the statements and views of the author(s) alone and does not necessarily represent the official policies or positions of Andrews Hooper Pavlik PLC, PLC its partners, or any sponsor of this program. This presentation is not intended to be, nor should it be construed as constituting tax, accounting, auditing, security, or consulting advice with regard to specific cases, transactions, or situations used by the author(s). Any specific products, services, or organizations mentioned are provided purely for example purposes and do not represent specific endorsement. As required by IRS rules, rules although this presentation may address certain tax issues, issues the presenter did not intend nor design the advice to be used to avoid any penalty imposed by a taxing authority, nor may the user/recipient of this presentation use this presentation’s tax advice for that purpose. Nor may it be used to promote, market or recommend to another party any transaction or matter addressed herein.