Business Impact Analysis

Assessing Your Disaster Recovery Plans
Gregory H. Soule, CPA, CISA, CISSP, CFE
Andrews Hooper Pavlik PLC
Agenda
 Business Continuity Concepts
– Impact Analysis
– Risk Assessment
– Risk Management
– Testing
– Annual Review
 Resources
Agenda
Business Continuity Concepts
Concepts
 Business Continuity vs. Disaster Recovery
 Broader than just technology
 Emergency response planning
 Crisis management
 Pandemic planning
 Incident response planning
Concepts
Sources:
 Federal Financial Institutions Examination Council (FFIEC)
– Business Continuity Planning Booklet
 National Institute of Standards and Technology (NIST)
– SP 800-34 rev 1 – Contingency Planning Guide
Concepts
FFIEC – BCP Booklet
 Specifies a cyclical, process-oriented
approach to Business Continuity Planning
– Business Impact Analysis
– Risk Assessment
– Risk Management
– Risk Monitoring and Testing
Concepts
NIST – SP 800-34 rev 1
 Specifies a seven-step lifecycle
– Develop contingency planning policy statement
– Conduct business impact analysis
– Identify preventative controls
– Create contingency strategies
– Develop an info system contingency plan
– Ensure plan testing, training, and exercises
– Ensure plan maintenance
Concepts
 Business Impact Analysis
 Risk Assessment
 Risk Management
 Interdependencies
 BCP Components
 Plan Testing
 Annual Review
Agenda
Business Impact Analysis
Business Impact Analysis
 Purpose:
– Determine the impact that a disruptive event would have on the bank.
 Goals:
– Determine Criticality
– Estimate Maximum Downtime
– Evaluate Resource Requirements
Business Impact Analysis
 Determine Criticality:
– Inventory of business functions and processes
– Assign priority ratings to business functions and
processes
– Identify interdependencies among processes
– Identify the impact of non-specific disruptions
on business processes
– Consider legal and regulatory requirements
Business Impact Analysis
 Estimate Maximum Downtime
– Maximum tolerable downtime while still maintaining viability
– How long can the business process be
disrupted before recovery becomes impossible?
– Consider dependencies and critical path
– Recovery Time Objectives (RTOs)
– Recovery Point Objectives (RPOs)
Business Impact Analysis
 Evaluate Resource Requirements
– What is required to resume critical operations (and interdependencies)
– Facilities
– Personnel
– Equipment
– Software / Data Files
– Third Parties
Business Impact Analysis
Four Cyclical Steps
 Gather information
 Perform vulnerability assessment
 Analyze information
 Document results
Business Impact Analysis
Gather Information
 Who does what and how?
 Departmental and Enterprise-wide
– Interrelationships
 Critical operations / processes
 Start to establish processing priorities
 Start to establish alternate procedures
Business Impact Analysis
Vulnerability Assessment
 Potential impact of disruptive events
 Loss criteria: Quantitative or Qualitative
 Identify internal and external threats
 Estimate likelihood
 Assess impact
 Assess internal and external resources available to handle the threats
Business Impact Analysis
Analysis
 Consider all information gathered
 Estimate max downtime for each
function/process
– Nonessential – 30 days
– Normal – 7 days
– Important – 72 hours
– Urgent – 24 hours
– Critical – minutes to hours
Business Impact Analysis
Analysis
 Identify highest priority business functions
 Establish RTOs and RPOs
 Establish recovery priorities
 Consider the impact of an event, rather
than an event itself
Business Impact Analysis
Results
 Summarize all activity performed
 Report to board and senior management
Agenda
Risk Assessment
Risk Assessment
 Evaluate BIA assumptions against various
threats
 Assess impact and probability
 Assess resulting severity
 Align assessed threats with prioritized
business processes
 Perform gap analysis for recovery
– Current state vs. needed state
Risk Assessment
Threat Categories
 Malicious activity
– Fraud, theft, blackmail, sabotage, vandalism, terrorism
 Natural disasters
– Fire, floods, water damage, weather, air contaminants, hazardous spill
Risk Assessment
Threat Categories
 Technical disasters
– Communications failure, customers, employees, electronic payment system providers, third parties, affiliates, power failure, equipment and software failure, transportation system disruptions, water system disruptions
Agenda
Risk Management
Risk Management
 Develop, implement, maintain the BCP
 Critical BCP success factors:
– Based on BIA and risk assessment
– Documented in a written program
– Reviewed by board and management annually
– Disseminated to applicable employees
– Specific implementation parameters
– Focused on impact vs. specific events
Risk Management
 Example of impact vs. specific events
– Critical personnel are not available and cannot be contacted vs. airplane crash
– Buildings are not accessible vs. tornado
– Equipment has malfunctioned vs. flood damage
– Utilities are not available vs. ice storm
 Assumptions
– Access to buildings, personnel, technical staff,
communication systems
Risk Management
 External Components
– Heightened importance
– Reliance on third parties
– Coordination
 Mitigation Strategies
– Redundancy, backups, alternate power sources
– Additional inventory – supplies, equipment, etc
Interdependencies
 Telecommunications
– Single point of failure (SPOF)
– Multiple vendors, subcontract
 Vendor reliance
– Vendor BCP
 Contracted BCP
– Staffing, supplies
– Facilities, hardware, software
Interdependencies
 Internal Dependencies
– Departments and processes
– Workflow analysis
– Technology dependencies
 Network
 Database
– Personnel
– Records and data
Agenda
BCP Components
BCP Components
 Strategy definition
– Personnel, Communication, Technology, Facilities, Liquidity, etc.
– Identify goals of BCP
– Short term vs. long term BCP goals
BCP Components
 Personnel
– Preparing employees
– Management decision making
– Employee / family matters
– Communications / contact trees
– Vendor contact
– Security
BCP Components
 Personnel
– Employee training – documentation
– Staffing
– Creation of BCP Teams
 Communication
– Communication systems redundancy
– External communications
– Media relations
BCP Components
 Technology
– Hardware, Software, Data files, operations equipment
– Split operations (active/active)
– Hot site (mirroring)
 Virtualization
– Warm site
– Cold site
– Tertiary (back up of the back up)
BCP Components
 Technology
– Service bureaus
 Consider ability to provide services during widespread disasters
– Reciprocal agreements
 Due diligence
BCP Components
 Technology – Backups
– Structure and strategy
– Network data
– Core files
– Operating system software, application software
– Databases, utilities
– Primary location vs. branch locations
– Documented procedures and testing
 Off-site storage
BCP Components
 Facilities
– Relocate employees and workspaces
 Electronic banking systems
– Internet banking, cash management, mobile
 Off-site storage
 Purchase authority
 Manual procedures
Agenda
Testing
Plan Testing
 Board and Senior Management
involvement
 Departmental testing
– Department managers
– Information technology
– Facilities
 Crisis management
 Continuous cycle
 Planned vs. Unplanned
Plan Testing
 Testing strategy and plan
 Staffing
– Succession
 Technology
– Backup integrity
– System restoration
 Facilities
– Power, HVAC, relocation
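The two technology test items above (backup integrity and system restoration) and the BIA's RTO/RPO targets are the parts of this deck a practitioner can actually measure. The following is an added example, not code from the presentation or from Andrews Hooper Pavlik PLC: it hashes a backup set into a manifest at backup time, re-verifies the set before a restore test (catching missing, silently corrupted, or unexpected files), and then checks a test restore's timings against RTO and RPO targets drawn from the downtime tiers listed earlier (24 hours "Urgent", 72 hours "Important"). The backup files, the manifest location, and all timestamps are constructed for the demonstration; the nightly backup interval and the specific RTO/RPO values are assumptions, not figures from the page.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path):
    """Stream a file through SHA-256 so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir, manifest_path):
    """Record the SHA-256 of every file in the backup set at backup time.
    The manifest is stored outside backup_dir (in practice, off-site with the backup)."""
    entries = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            entries[os.path.relpath(full, backup_dir)] = sha256_file(full)
    with open(manifest_path, "w") as f:
        json.dump(entries, f, indent=2, sort_keys=True)
    return entries


def verify_backup(backup_dir, manifest_path):
    """Compare the backup set on disk against its manifest.
    Returns (ok, problems) listing missing, corrupt (hash mismatch) and unexpected files."""
    with open(manifest_path) as f:
        expected = json.load(f)
    problems = []
    for rel in sorted(expected):
        full = os.path.join(backup_dir, rel)
        if not os.path.isfile(full):
            problems.append("missing: " + rel)
        elif sha256_file(full) != expected[rel]:
            problems.append("corrupt: " + rel)
    for root, _, files in os.walk(backup_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), backup_dir)
            if rel not in expected:
                problems.append("unexpected: " + rel)
    return (not problems), problems


def rpo_met(newest_good_backup, incident_time, rpo):
    """RPO check: worst-case data loss is the age of the newest backup that verified clean."""
    return incident_time - newest_good_backup <= rpo


def rto_met(incident_time, service_restored, rto):
    """RTO check: elapsed time from outage to restored service, measured in a restore test."""
    return service_restored - incident_time <= rto


def demo():
    """Run the checks on a constructed backup set; returns a dict of results."""
    with tempfile.TemporaryDirectory() as work:
        backup_dir = os.path.join(work, "nightly")
        os.mkdir(backup_dir)
        # Constructed sample backup set (not real data).
        with open(os.path.join(backup_dir, "core.db"), "wb") as f:
            f.write(b"core banking ledger, snapshot 1\n")
        with open(os.path.join(backup_dir, "app.cfg"), "wb") as f:
            f.write(b"workers=4\n")
        manifest = os.path.join(work, "nightly.manifest.json")
        write_manifest(backup_dir, manifest)
        clean_ok, clean_problems = verify_backup(backup_dir, manifest)

        # Simulate silent corruption of one file after the backup was written.
        with open(os.path.join(backup_dir, "core.db"), "ab") as f:
            f.write(b"\x00")
        tampered_ok, tampered_problems = verify_backup(backup_dir, manifest)

    # Constructed timestamps (assumed nightly 02:00 backup, not measured values).
    newest_backup = datetime(2024, 3, 1, 2, 0, tzinfo=timezone.utc)
    incident = datetime(2024, 3, 1, 16, 30, tzinfo=timezone.utc)   # outage, 14.5h after backup
    restored = datetime(2024, 3, 2, 20, 0, tzinfo=timezone.utc)    # service back 27.5h later
    return {
        "clean_ok": clean_ok,
        "clean_problems": clean_problems,
        "tampered_ok": tampered_ok,
        "tampered_problems": tampered_problems,
        # "Important" tier (72h) vs. "Urgent" tier (24h) from the downtime tiers on this page
        "rto_ok_important": rto_met(incident, restored, timedelta(hours=72)),
        "rto_ok_urgent": rto_met(incident, restored, timedelta(hours=24)),
        # a nightly backup bounds data loss to about a day; it cannot meet a 4h RPO
        "rpo_ok_24h": rpo_met(newest_backup, incident, timedelta(hours=24)),
        "rpo_ok_4h": rpo_met(newest_backup, incident, timedelta(hours=4)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the timing half is that RPO is bounded by the newest backup that actually verifies, not by the newest backup that exists: a corrupt nightly set pushes the effective RPO back to the previous good one, which is why integrity verification belongs in the test program rather than only in the restore procedure.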
Plan Testing
 Communications
 Test scripts
– Assumptions
 Staff availability
– Objectives
– Procedures
Plan Testing
 Types of tests
– Tabletop exercise
– Simulation test
– Parallel test
– Full-scale test
 Documentation!
Agenda
Annual Review
Annual Review
 At least annually
 Based on test results, changes to
environment
 Issue tracking
 Changes to BCP and test program
 Distribution
Agenda
Resources
Resources
 National Institute of Standards and
Technology
– Computer Security Resource Center
– http://csrc.nist.gov
 Federal Emergency Management Agency
– http://www.fema.gov
Resources
 Ready Campaign
– http://www.ready.gov/business
 FFIEC
– http://ithandbook.ffiec.gov
Questions?
Contact Information
Gregory H. Soule – CPA, CISA, CISSP, CFE
Senior Manager
Andrews Hooper Pavlik PLC
691 N. Squirrel Road, Suite 280
Auburn Hills, MI 48326
p: 248-340-6050
f: 248-340-6104
e: gregory.soule@ahpplc.com
www.ahpplc.com
Thank You
This presentation was produced in connection with an educational and informational program. It represents the statements and views of the author(s) alone and does not necessarily represent the official policies or positions of Andrews Hooper Pavlik PLC, its partners, or any sponsor of this program. This presentation is not intended to be, nor should it be construed as constituting tax, accounting, auditing, security, or consulting advice with regard to specific cases, transactions, or situations used by the author(s). Any specific products, services, or organizations mentioned are provided purely for example purposes and do not represent specific endorsement.
As required by IRS rules, although this presentation may address certain tax issues, the presenter did not intend nor design the advice to be used to avoid any penalty imposed by a taxing authority, nor may the user/recipient of this presentation use this presentation's tax advice for that purpose. Nor may it be used to promote, market or recommend to another party any transaction or matter addressed herein.