Audit Questionnaire in Word Format

Date post: 14-Nov-2014
Upload: sentryx1
Page 1 (program overview figure): the figure lays out the BC program life cycle phases: Program Initiation, Program Planning, Functional Requirements, Design and Development, Program Implementation, Plan Testing, and Program Maintenance. The assessment areas named in the figure are: Management Buy In, Program Evaluation, Program Commitment, Approval Process, Interim Temporary BC Plan, BC Program Management Document, Program Structure, General Assessment, Detailed requirements related to standards, rules, and regulations, Risk Management, BIA, Offsite Data Storage, Alternate Work Area, Crisis Management Center (CMC), Personnel, Critical Records, Critical Record Storage, SLA and Contract Requirements, SLA and Contracts, External Coordination, Training and Awareness, Salvage and Restoration, Insurance Requirements, BC Tools, Assembly Location, Risk Controls, IT Systems Recovery Strategy, IT Recovery Systems, Alternate IT Recovery Site, Tertiary Recovery Site, Data Communication Services, Voice Communication, Recovery Vendor's BC Plan Reviews, BC Plan Document, BC Plan Approval, Contract Management, Management Process, BC Plan Testing, Test Evaluation, Primary Site Change Monitoring, Recovery Site Change Monitoring, Work around Procedures, BC Audits, and BC Program Reviews.

Questionnaire columns: Question; Rating; Response and conclusions; Further actions; Recommendation. Empty cells are not shown.

PI: Program Initiation

PI.1: Management Buy In (section rating 6.4)

Q: Has the program been initiated formally?
Rating 7. Response: Program was initiated by the IT department.
Recommendation: BC Program needs to be raised to top level and not just owned by IT.

Q: What is the extent of management's awareness?
Rating 8. Response: CIO and other C-level officers are aware of the program, but other than the CIO they don't consider it a top priority.

Q: Is there a Project Sponsor?
Rating 6. Response: CIO is the project sponsor.

Q: What is the seniority and position of the Project Sponsor?
Rating 7. Response: CIO is the project sponsor.

Q: Plan exists to raise awareness of management
Rating 4. Response: Several presentations were given to management. Some were made at their own request. They were high-level presentations. There is no formal plan to raise awareness.
Further actions: Find out if there is a steering committee. A steering committee will help in raising top-level awareness.
Recommendation: Utilize the Steering Committee to raise top-level awareness.

PI.2: Program Evaluation and Approval (section rating 5.33)

Q: High-level program objectives, requirements and drivers analyzed and documented
Rating 4. Response: We have some program requirements analyzed as a result of a recent BIA effort, and we have recently updated them with new requirements for the E-commerce application environment. We also have an extensive document on the reasons for establishing a BC program.
Further actions: Find out if objectives for the program were defined in these documents (not clearly).
Recommendation: Define clear objectives for the program. Objectives should be stated in both general and specific terms.

Q: Business case prepared and evaluated
Rating 4. Response: Yes. An informal business case was prepared.
Further actions: Was a budget prepared? (Yes. We presented our initial budget and provided an estimate of the yearly budget to the CIO.)

Q: Clear Go/No Go decision made, and at what level of management?
Rating 8. Response: Yes. The CIO made the Go/No Go decision and presented this decision to senior management. But the board was not involved in this process.
Recommendation: The board needs to have active involvement in the overall high-level evaluation process.

PI.3: Program Commitment (section rating 2.86)

Q: Full-time qualified program manager assigned
Rating 2. Response: No. We have a part-time (70%) business continuity coordinator assigned to this task. He is from the corporate planning department and has been involved with Emergency Response Planning in the past.
Further actions: Find out if the coordinator has business continuity or DRP experience (No.)
Recommendation: Assign full-time BC responsibility to the BC coordinator.

Q: Steering committee established
Rating 6. Response: A committee structure has been proposed and is awaiting approval. (The company has a history of establishing SCs for high-profile critical projects.)
Recommendation: This is definitely a strength.

Q: Steering committee members have clear roles and responsibilities defined
Rating 3. Response: No.
Recommendation: Define clear roles and responsibilities for the Steering Committee.

Q: BC Program is part of strategic objectives and plan
Rating 1. Response: No.
Recommendation: Include BC Program as part of Corporate Strategic Objectives.

Q: BC Program policy exists
Rating 2. Response: We have a security policy which covers BC from the perspective of availability of critical systems.
Recommendation: Create a BC policy statement.

Q: BC Program policy fully communicated
Rating 1. Response: No.
Recommendation: Utilize corporate communications to communicate the BC policy.

Q: BC culture is well established
Rating 5. Response: No. But IT and business units have a better BC/DR culture compared to the rest of the company.
Recommendation: Develop a plan to improve corporate-wide BC culture.

PP: Program Planning

PP.1: Interim Temporary BC Plan (section rating 5)

Q: Interim BC Plan exists if a long-term plan doesn't exist
Rating 5. Response: Yes. But it has evolved since it was initially written.
Further actions: Review all earlier versions.

Q: Interim Recovery Strategy developed
Rating 5. Response: Mutual agreement with our strategic partner.
Further actions: Review agreements. (Not enough careful planning and design. Agreements show weaknesses if a disaster lasts longer than 2 or 3 days.)

Q: Interim agreements in place for recovery of key resources, sources, and services
Rating 5. Response: Mutual agreement.

Q: Interim recovery teams created
Rating 5. Response: Yes. The team has evolved since it was initially established.

PP.2: BC Program Management Document (section rating 4.43)

Q: BC Program management document exists
Rating 6. Response: We have a project plan in place.
Further actions: Check the project plan details. (The project plan is well structured, but a complete program document is missing; the project plan is part of the BC plan.)
Recommendation: Create a BC program document which is separate from the BC plan.

Q: A need statement prepared (Why is the program needed and what are the drivers?)
Rating 7. Response: We have a statement that indicates the main drivers: external contract requirements and SOX compliance. It also includes the company's strategic objectives.
Further actions: Review the statements. Ask if they have researched industry-specific requirements (No.)
Recommendation: Research industry-specific BC requirements.

Q: Program objectives are well defined, aligned and approved
Rating 4. Response: Defined in BC plan document.
Further actions: Plan objectives are defined in general terms. Suggest inclusion of specific objectives.

Q: Program scope is defined and approved
Rating 6. Response: Defined in BC plan document.
Further actions: Plan scope is defined. Suggest including what is not in scope as well.

Q: Program assumptions are stated explicitly
Rating 0. Response: Defined in BC plan document.
Further actions: No written program assumptions.
Recommendation: State all key assumptions in the program document.

Q: Program deliverables are identified
Rating 8. Response: Defined in the project plan.

Q: Program risks are analyzed and mitigation actions identified
Rating 0. Response: Defined in BC plan document.
Further actions: Investigate further. (No evidence of program risks in the BC Plan document.)
Recommendation: Assess program risks and mitigation steps.

PP.3: Program Structure (section rating 4.7; note in the original: "3 (high risk factor)")

Q: Program divided into logical phases
Rating 8. Response: Project plan has logical phases.
Further actions: Risk and BIA are combined as one phase (not a major concern at this time since it has been completed).

Q: Phases are divided into activities
Rating 7. Response: Yes.

Q: Activities are assigned due dates, start and end times, and dependencies
Rating 7. Response: Yes.

Q: A BC Steering Committee exists
Rating 4. Response: Not currently. But the CIO is presenting a case to top management for such a committee next month.
Recommendation: Establishment of an SC must become a high priority. It will help to resolve a number of current obstacles and issues.

Q: A BC program team structure is defined with reporting hierarchy
Rating 7. Response: Yes.
Further actions: Assess team structure. Three types of teams: Emergency management, Emergency response, and Business unit teams.

Q: Team structure includes top management, program sponsor, BC coordinator, consultants, etc.
Rating 7. Response: Yes. Emergency management team includes President/CEO, COO, CFO, etc.

Q: Team roles and responsibilities are well defined
Rating 2. Response: At a high level only. Team members' tasks are not assigned.
Recommendation: Define tasks for team members.

Q: Personnel assigned to the team structure with well-defined responsibilities
Rating 2. Response: No. Personnel are assigned to teams but not with well-defined responsibilities.
Recommendation: Define responsibilities for team members.

Q: Alternates to team members are assigned
Rating 2. Response: No.
Recommendation: Assign alternates to team members.

Q: Are there any BC team members working in a part-time capacity?
Rating 1. Response: Yes. The BC coordinator is part-time. There are two assistants to the BC coordinator working part-time on the BC project. Business unit representatives also work on a part-time and as-needed basis.
Further actions: Find out what those part-time staff are responsible for and how critical those responsibilities are. This is a high risk factor.

PP.4: Approval Process (section rating 5.17)

Q: BC Program approval process exists for budget, objectives and scope, contracts, projects, policy, hiring, etc.
Rating 7. Response: Only through the CIO, but once the steering committee concept is approved, a program approval process will be defined.

Q: Senior Management and Board level process
Rating 6. Response: Senior management will be presenting the case for a formal BC program at the next board meeting.

Q: Steering committee level process
Rating 3. Response: None.

Q: Program sponsor level
Rating 7. Response: CIO is the program sponsor.

Q: BC program coordinator level
Rating 7. Response: BC program coordinator requests approval directly from the CIO.

Q: Business unit level
Rating 1. Response: None. They are currently not involved in the approval process.

FR: Functional Requirements

FR.1: General Assessment (no section rating recorded)

Q: Functional requirements have been assessed
Response: Partially. Complete: FR.2

Q: Functional requirements have been documented
Response: Not in a formal way.

Q: Functional requirements have been reviewed by senior management
Response: We will be presenting general requirements to the Steering Committee in the near future.

Q: Functional requirements have been approved
Response: Not yet.

FR.2: Detailed Requirements related to Standards, Rules, and Regulations (section rating 4.3333)

Q: General applicable standards and guidelines have been identified
Rating 8. Response: Yes. Documents indicate DRII and BS17799.
Recommendation: Recommend also including NFPA 1600 standards.

Q: Industry guidelines, rules, and regulations identified
Rating 4. Response: There hasn't been any effort to find out industry-specific requirements other than SOX.
Further actions: Briefly research industry-specific guidelines and make recommendations.

Q: Specific requirements related to standards, rules and regulations assessed and documented
Rating 1. Response: No. There hasn't been any effort to find out industry-specific requirements other than SOX.

FR.2: Risk Management (section rating 3.6)

Q: Formal or informal risk assessment was conducted, and how long ago?
Rating 3. Response: Informal assessments (brainstorming) have been done every year.

Q: Risk assessment was comprehensive in scope and aligned with program scope
Rating 8. Response: Limited to HQ, data center, and office areas only.
Further actions: Review reports.

Q: Qualified risk expert(s) assisted with the risk assessment
Rating 2. Response: BC coordinator conducted the risk assessment with key staff involvement.
Recommendation: Recommend obtaining qualified experts' assistance to review and conduct threat and risk assessments.

Q: All potential threats were considered
Rating 2. Response: As many as we could determine.
Further actions: Review the list of threats and the company's exposure (Not all threats were considered).

Q: Assessment was based on a sound and proven method
Rating 3. Response: Yes.
Further actions: Review methods used. Quantitative vs. qualitative approach. Is there a sound basis for calculating threat probabilities? (Risk assessment is based on a qualitative and informal approach.)

Q: Top management reviewed the threats and risks
Rating 3. Response: CIO and senior business unit managers only.

Q: Company's appetite for risk identified and approved
Rating 4. Response: Not formally.

Q: Both regional and local threats were considered
Rating 3. Response: Local threats mostly, but some regional.

Q: Existing risk controls were considered
Rating 5. Response: Yes.

Q: Management concurs with Risk Assessment findings
Rating 3. Response: CIO and senior business unit managers have reviewed the findings but have not provided feedback on concurrence.

FR.3: BIA (section rating 8.6667)

Q: A formal BIA was conducted
Rating 9. Response: Yes.
Further actions: Review BIA findings.

Q: Scope of the BIA is consistent with program scope
Rating 9. Response: Yes.

Q: Representatives from all areas of business within scope participated in the BIA
Rating 9. Response: Yes.

Q: Critical business processes have been identified
Rating 9. Response: Yes.

Q: Financial losses analyzed
Rating 9. Response: Yes.

Q: Operational impacts analyzed
Rating 9. Response: Yes.

Q: Worst-case assumptions were used
Rating 9. Response: Yes.

Q: Maximum Tolerable Downtime identified
Rating 9. Response: Yes.

Q: RTO identified
Rating 9. Response: Yes.

Q: RPO identified
Rating 9. Response: Yes.

Q: How long ago was it completed?
Rating 9. Response: 3 months ago.

Q: Critical systems and applications identified
Rating 9. Response: Yes.

Q: Qualified experts conducted the BIA
Rating 9. Response: Yes.

Q: Key concerns and issues captured and addressed
Rating 4. Response: Yes.

Q: Management is aware of and concurs with BIA results
Rating 9. Response: Yes.

FR.4: Offsite Data Storage (section rating 5.5)

Q: Offsite storage requirements analyzed thoroughly
Rating 6. Response: Partially, through the BIA.

Q: When were requirements last analyzed?
Rating 7. Response: IT department has a list of backup data requirements.

Q: Scope of storage requirements is consistent with program scope
Rating 8. Response: We back up both critical and non-critical applications and data.
Further actions: Find out which backup vendor they use. Assess the vendor's service reliability. (Storage Mountain).

Q: Data backup requirements are known for all critical applications and systems
Rating 9. Response: We now have different RPOs.

Q: Gaps in backup frequency are analyzed
Rating 9. Response: Yes.

Q: Backup frequency established for all critical data
Rating 9. Response: Yes, through the BIA.

Q: Backup media type requirements are known
Rating 4. Response: Right now it is all on tapes.
Further actions: Find out if anyone uses media other than tape. Some users still use CDs to store data on their PC. We didn't see this on the list of data backup requirements from IT.

Q: Safe handling and storage requirements documented
Rating 2. Response: No.
Recommendation: Assess safe handling and storage requirements.

Q: Data integrity testing requirements are known
Rating 1. Response: No.
Recommendation: Assess data integrity test requirements.

Q: Data classification and security requirements are documented
Rating 1. Response: No.
Further actions: Check to see if there is any sensitive data (Clients' credit card information is stored along with their address information).
Recommendation: Assess data classification and security requirements.

Q: Storage media retention period documented
Rating 1. Response: No. But we recycle the tapes from time to time.

Q: Backup tool/software requirements are known
Rating 9. Response: We currently use IBM's Tivoli Storage Manager.

FR.5: Work Area (section rating 6)

Q: Requirements for alternate work area are analyzed and documented (space, personnel, equipment, facilities, etc.)
Rating 8. Response: Our Canadian site may be sufficient as a work area until we get the more permanent work site with SunGard.
Further actions: They have work area requirements in terms of the number of workstations needed.

Q: Requirements are aligned with BIA findings in terms of critical business units and applications
Rating 8. Response: Workstation requirements are aligned with critical applications.

Q: Space requirements are known
Rating 1. Response: No.
Recommendation: Work out the detailed work area space requirements.

Q: Support personnel are known
Response: Yes. We know the key staff from the business areas needed in the recovery.

Q: Workstation requirements are known
Rating 9. Response: Yes.

Q: Network connectivity requirements are known
Rating 9. Response: Yes.

Q: Non-IT resource requirements are known (faxes, copiers, etc.)
Rating 1. Response: No. We will rely on whatever is available at the Canadian site.
Recommendation: Work out the non-IT work area requirements for the long-term recovery strategy.

FR.6: Crisis Management Center (CMC) (section rating 2.3)

Q: Requirements for CMC are analyzed and documented (space, personnel, equipment, facilities, etc.)
Rating 2. Response: Emergency Operations Center (EOC) already exists as part of the Emergency Response Plan.
Further actions: Verify if the BC plan is very closely integrated with the EOC. (The EOC team has not yet assessed the specific BC response requirements. There is an assumption that the current design of the EOC will be sufficient to include BC response activities.)
Recommendation: Assess BC-related CMT requirements and determine if the current EOC design is sufficient.

Q: Requirements for crisis management center are analyzed and documented (space, equipment, facilities, etc.)
Rating 2. Response: We expect to use the EOC.

Q: Workstation requirements
Rating 4. Response: We will need a workstation for each member of the CM Team.
Further actions: Find out if the planning tool is included in this requirement (Not yet, since they have not purchased the tool).

Q: Connectivity requirements
Rating 2. Response: No.

Q: Non-IT resource requirements
Rating 2. Response: No.

FR.7: Personnel (section rating 1.8)

Q: Are detailed requirements for personnel covered?
Response: No.

Q: Contractors required
Rating 5. Response: No.
Further actions: Find out if they have contractors (IT department has several contractors that support critical applications).

Q: Contract agreement includes support during recovery period
Rating 1. Response: No. But we assume that they will help us out.
Recommendation: Include BC-related support requirements in contractor agreements.

Q: Temporary help required
Rating 1. Response: Only if full-time staff are not available.
Recommendation: Identify specific temporary staff requirements to help with the recovery effort.

Q: Detailed skill requirements for recovery staff
Rating 1. Response: No.
Recommendation: Identify detailed skill requirements for key recovery staff.

Q: Pay requirements
Rating 1. Response: We have started talking with HR on salary requirements during a disaster recovery period. HR wants to talk to Senior Management first on this issue.
Recommendation: Develop pay requirements for recovery staff during a disaster.

Q: Union rules and policies are part of the requirements
Rating 1. Response: The company is unionized, but the union has not been involved in the BC effort.
Recommendation: Work with the workers' union to evaluate the impact of rules and regulations on the BC team and staff in general.

Q: Government labor laws are accounted for in the requirements
Rating 1. Response: No.
Recommendation: Work with HR to evaluate labor laws and their impact on the recovery team and their recovery assistance.

Q: Travel requirements are known
Rating 8. Response: Yes. Team members are expected to travel to the Canadian site, and each is given a checklist.

Q: Do you have BC team insurance coverage?
Rating 0. Response: No.
Recommendation: Evaluate insurance requirements for the BC team.

FR.8: Critical Records (section rating 5.5)

Q: Critical records recovery is part of BC program
Rating 4. Response: It is the responsibility of business units.
Further actions: It seems that IT recovery has been the biggest focus so far. Check to see if critical records are part of the BC Project Plan (It is not covered). But the business unit recovery assessment shows that some units do have a critical record recovery program.
Recommendation: Critical records should not be the responsibility of business units alone; assign someone with central responsibility for coordinating critical record continuity.

Q: Critical records inventory exists
Rating 4. Response: Business units maintain their own records inventory. Critical paper records are stored with laptops at Iron Mountain.
Further actions: Are there electronic records that are critical? (Yes, but they are not backed up.)
Recommendation: Assess electronic record recovery requirements.

Q: Records are categorized (vital, important, useful, etc.)
Rating 7. Response: Yes.

Q: Inventory includes title of record, ownership, content type, users, etc.
Rating 7. Response: Yes.

Q: Record retention period determined
Rating 5. Response: No. It is mostly paper based.

Q: Inventory includes information on backup frequency
Rating 6. Response: It is all done weekly.

Q: Inventory includes media storage type and capacity
Rating 5. Response: Yes.

Q: Requirements for document scanning assessed
Rating 0. Response: No. We don't have any document management system.

Q: Requirements for Document Management System analyzed
Rating 0. Response: No. We don't have any document management system other than Iron Mountain Connect.
Recommendation: Suggest investigating a document management system tool.

Q: Requirement for local storage assessed
Rating 0. Response: No.

Q: Requirement for remote storage assessed
Rating 6. Response: Yes.

Q: Security requirements are documented
Rating 7. Response: Yes.

Q: Safe handling procedures are documented
Rating 7. Response: Yes.

FR.9: SLA and Contract Requirements (section rating 7.4)

Q: SLAs and contracts identified
Rating 9. Response: SLA with data communication services and voice services. There is also a pending SLA with our key client. We also have contracts in place with our data backup vendor. A contract is also in place for quick-ship of a server.

Q: Points of contact are documented
Rating 9. Response: Yes. Internal procurement procedures are well structured and controlled.

Q: General requirements and obligations analyzed
Rating 9. Response: Yes. We follow internal contract guidelines.
Further actions: Review the guidelines.

Q: Quality of service and performance requirements are documented
Rating 9. Response: Yes.

Q: Worst-case non-compliance scenarios and impacts assessed
Rating 1. Response: No. It is not part of our internal guideline.
Recommendation: Include clauses (penalties) in SLAs and contracts for worst-case non-compliance scenarios.

FR.10: External Coordination (section rating 4.75)

Q: All external coordination requirements analyzed
(no rating or response recorded)

Q: First responders and local authorities
Rating 6. Response: Through ERP only.
Further actions: Review ERP for external coordination and find out if it includes BC coordination (Not very tight integration of BC and ERP).
Recommendation: Develop a closer integration of BC with ERP. Include a member of ERP in BC and vice versa.

Q: Coordination requirements documented for suppliers
Response: Not in scope.

Q: Coordination requirements documented for distributors
Response: Not in scope.

Q: Coordination requirements documented for labor unions
Rating 0. Response: No.
Further actions: Review labour union rules and contracts.
Recommendation: Include a labour union representative in the BC team.

Q: Coordination requirements documented for service providers
Rating 9. Response: Yes. We already have SLAs for WAN, Internet, and voice services.
Further actions: Review the SLAs to see coordination points. Check points of contact, SLA review dates, meetings, etc.

Q: Coordination requirements documented for clients and customers
Rating 6. Response: It is part of ERP.
Further actions: Review ERP for external coordination and find out if it includes BC coordination.

Q: Coordination requirements documented for landlords and building management
Rating 1. Response: We only have one building in the area leased, but we have not coordinated with the landlord.
Further actions: ERP does not include landlord coordination.
Recommendation: Recommend establishing disaster coordination with landlords and building management.

Q: Coordination requirements documented for insurance company
Rating 3. Response: Insurance documents are attached to our Interim BC plan.
Further actions: Review insurance documents.
Recommendation: Recommend communication and coordination with insurance agents and adjusters.

Q: Recovery vendors
Rating 8. Response: The mutual agreement includes coordination information, and we also have coordination information with SunGard.

Q: Data backup vendors
Rating 5. Response: So far there hasn't been any major problem with coordination with the backup vendor. We have a yearly contract in place. We deal with issues as they arise.
Recommendation: Recommend better coordination with the data backup vendor.

FR.11: Training and Awareness (section rating 6.5)

Q: Training and awareness is part of BC Program
Rating 8. Response: Our BC coordinator and her assistants have been to BC conferences and training courses. The BC coordinator has documented the need for training and awareness.
Recommendation: Assess requirements for personnel outside of the BC teams.

Q: Personnel requiring training identified
Rating 6. Response: BC team members only.

Q: Experience levels assessed
Rating 6. Response: No. Focus of training is primarily on BC team members.

Q: Training needs documented
Rating 6. Response: Yes. Only for BC team members.

FR.12: Salvage & Restoration (section rating 0)
Recommendation: Recommend evaluating and documenting salvage and restoration requirements.

Q: All critical resources for salvage and restoration identified
Rating 0. Response: Critical documents are the responsibility of business units.

Q: Physical areas and buildings for salvage and restoration assessed
Rating 0. Response: Facilities is responsible for this.

Q: Salvage and restoration scenarios for critical resources and areas assessed
Rating 0. Response: No.

FR.13: Insurance Requirements (section rating 3.5)

Q: Disaster insurance exists, and who is responsible for its purchase internally?
Rating 3. Response: We have a standard disaster clause in our insurance policy; Finance is responsible for it.
Recommendation: Review the insurance policy for comprehensive disaster coverage.

Q: Insurance purchase process is integrated with BC program
Rating 0. Response: No.
Recommendation: Integrate the insurance purchase process with the BC program.

Q: Insurance requirements to report and claim a disaster are known
Rating 0. Response: No.
Recommendation: Determine the insurance claim process.

Q: Secondary site insurance requirements
Rating 7. Response: Covered by the recovery vendor.

FR.14: BC Tools (section rating 5)

Q: BC tools and software requirements are known
Rating 5. Response: Yes. We need a tool that is web based and allows business unit plans and integration of IT and ERP. Easy to maintain and learn. Security is also important.
Recommendation: Assess document/record management system tool requirements.

Q: High-level descriptions of the tool's features and capabilities are identified
Rating 6. Response: Yes.

Q: Tools have been researched and compared
Rating 8. Response: We have evaluated four different tools.

Q: Support staff resource requirements have been analyzed
Rating 1. Response: No.
Recommendation: Assess requirements for tool admin/support staff.

FR.15: Assembly Location (section rating 2.75)

Q: Assembly location requirements identified
Rating 4. Response: ERP specifies the assembly location.

Q: Assembly location capacity requirements are known
Rating 1. Response: No.
Further actions: Find out if it was used in the last plan test (Yes. We were not able to get everyone into the assembly location due to fire and safety regulations).
Recommendation: Assess detailed assembly site capacity requirements.

Q: Distance location requirements are known
Rating 5. Response: About 3 miles away from the primary site.
Further actions: Do you have another site in case this assembly site is not available? (Yes, EOC.)
Recommendation: Recommend assessing requirements for a tertiary assembly location.

Q: Ability of personnel to travel and meet at Assembly Location analyzed
Rating 1. Response: Not specifically for BC team members.
Recommendation: Assess detailed travel and accessibility requirements for BC team members.

DD: Design and Development

DD.1: General Assessment (no rating or response recorded for any row)

Q: Designs & development completed

Q: Designs have been documented

Q: Designs have been reviewed by senior management

Q: Designs have been approved

Q: Budget is reviewed and approved

DD.2: Risk Controls (section rating 3)
Response: See the Risk Assessment Word file for additional assessment.
Recommendation: Problems in this stage are due to weaknesses in the previous functional requirements process. Initiate a risk assessment and management project with the help of a risk management expert and full management support.

Q: Risk control design is part of BC Program
Rating 5. Response: Yes.

Q: Control options have been researched and analyzed
Rating 3. Response: Yes. We can do a lot more given more time and resources.
Further actions: Not all control options have been researched and analyzed.

Q: Qualified risk expert(s) assisted with the risk control designs
Rating 1. Response: No.

Q: Cost of options has been compared
Rating 2. Response: Only for some threats.
Further actions: Find out the reasons (lack of resources and time).

Q: Residual risks are known
Rating 1. Response: No.

Q: Top management reviewed the risk control options and residual risks
Rating 3. Response: Not the residual risk.

Q: Top management selected the best options for implementation
Rating 3. Response: For some options.

Q: Top management has approved the budget for control option implementation
Rating 3. Response: For some options.

DD.3: IT Systems Recovery Strategy (section rating 5.30769)
Response: Focus on long-term strategy.
Further actions: Overall design is aligned with the requirements, but there are still some gaps and room for improvement. Example: generic applications such as email are not part of the recovery strategy. Drop-ship of the billing system server; the ability of people to get to the recovery site on time.

Q: Appropriate recovery strategies exist for all critical IT systems and applications
Rating 4. Response: Yes. Completed the strategy design stages.
Further actions: Email strategy is missing.

Q: Alternate site strategies exist
Rating 7. Response: Yes.

Q: Quick-ship strategies exist
Rating 7. Response: Yes, for some systems.

Q: Recovery strategies are aligned with RTO values
Rating 8. Response: Partially.

Q: Cost versus RTO trade-off analyzed
Rating 5. Response: Partially.

Q: Effort requirements analyzed
Rating 3. Response: No.

Q: Control requirements analyzed
Rating 8. Response: Yes. With the alternate site we have more control over the IT infrastructure.

Q: Reliability requirements analyzed
Rating 3. Response: We are counting on the recovery vendor for that.
Recommendation: Recommend a tertiary site.

Q: Strategies aligned with system capacity requirements
Rating 5. Response: Yes.

Q: Strategies aligned with system performance requirements
Rating 7. Response: Alternate systems have more capacity than our production environment.

Q: Strategies aligned with system configuration requirements
Rating 3. Response: There are some configuration compatibility issues.
Recommendation: Recommend testing compatibility issues.

Q: Recovery systems and primary systems exact in type, configuration, capacity, etc.
Rating 5. Response: No. But they are compatible.
Recommendation: Recommend testing compatibility issues.

Q: Flexibility in upgrading the recovery systems to match primary system upgrades
Rating 4. Response: We don't know. We will include it in the contract agreement with the vendor.
Recommendation: Recommend inclusion in the contract of upgrade flexibility for the recovery systems.

DD.4: Alternate IT Recovery Site (rating: 6.82353)
Response and Conclusion: Focus on long-term strategy.

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Alternate site meets the strategy requirements for IT systems/servers/networks | 8 | Yes. | | |
| Unlikely to be affected by the same disaster | 8 | Yes. Particularly regional disaster. | | |
| Located outside of local area threats | 8 | Yes. | | |
| Located outside of regional area threats | 8 | Yes | | |
| Alternate travel routes exist | 8 | Yes. | | |
| Floor plan exists | 8 | Yes. | | |
| A comprehensive and validated BC Program exists for Alternate Recovery Site | 7 | Yes. | Review their BC program even though they are reputable and reliable | |
| Secondary power generator/supply exists | 9 | Yes. | Has anybody visually inspected the power supply (part of the tour)? | |
| Technical support is available at alternate site | 8 | Yes. | | |
| Supports connectivity to primary site | 7 | Yes. | | |
| Supports connectivity to work areas | 9 | Well connected. Work area and IT recovery area are with the same vendor | | |
| Sufficient security exists at alternate site | 5 | Yes. | Find out if the servers and systems are shared by other clients of the vendor (yes they are). | Recommend: involving IT security department in the secure design; suggest development of security policy and procedures before, during, and after disaster situations. |
| Access to recovery area is guaranteed in case of recovery need | 4 | It is on a first-come-first-served basis. | Find out if there are clauses in the contract that may deny access (yes it does) | Recommend: creating a tertiary recovery site |
| Organization has sufficient control over the recovery area and its resources | 4 | Partial | Find out if there are reasons for having complete control (none) | |
| Meeting areas exist | 2 | Yes, but it will cost more | | |
| Basic facilities exist (HVAC, Bathrooms, etc.) | 6 | Yes. | | |
| Close proximity to Accommodation and Food Services/restaurants, banks, etc. | 7 | Yes. | | |

DD.5: A Tertiary Recovery Site (rating: 0)
Recommendations: We recommend the use of a tertiary recovery site.

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| A tertiary recovery site exists with sufficient recovery capabilities and capacities | 0 | No. | | |
| Is it used for backup of data from secondary site | 0 | No. | | |
| Is it used for recovery of all systems at the secondary site | 0 | No. | | |

DD.6: Offsite Data Storage (no rating, response, actions or recommendations recorded for this section)

- Backup strategies are aligned with RPO requirements
- What is the method of data backup
- Data is replicated to servers at recovery site
- Data is backed up through tape media
- Data is backed up through electronic vaulting
- Cost versus recovery strategy options analyzed
- Backup method is reliable and dependable
- All data required for recovery is backed up
- Backup tools/software exist and their capabilities are compatible with backup strategies
- Sufficient backup media capacity exists at the storage facility
- Strategies exist for remote backup during the recovery period
- Facilities exist to ship backup data to recovery sites in time to meet RTO requirements
- Safe handling and storage procedures documented
- Data integrity testing procedures are documented
- Data classification and security procedures and guidelines are documented
- Storage media retention procedures are documented
- Cost and budget for the above are estimated

DD.7: Critical Record Storage Area (rating: 4.66783)

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Internal facilities/areas exist to store critical documents | 2 | They are stored in filing cabinets by business units themselves | | Implement an internal critical document/record management group and facility in addition to a remote storage site. |
| Internal facilities meet the fire and water protection requirements | 0 | No. | | |
| Internal facilities meet the security requirements | 0 | No. | | |
| External facilities/areas exist to store critical documents | 7 | Yes. Iron Mountain, only for paper documents. | | |
| External facilities meet the heat, humidity, and other climate control requirements | 7 | Yes | | |
| External record storage facility is under the management and control of qualified personnel | 7 | Yes. | | |
| External facilities meet the security requirements | 7 | Yes. | | |
| External facility can ship the records to work areas/primary site within required time-frame. | 7 | Yes. | | |
| External facility supports 24x7 operations | 7 | Yes. | | |
| Appropriate record management system is reviewed and assessed | 8 | We are using Iron Mountain Connect™ portal to track and retrieve documents. | Is Iron Mountain Connect set up for laptop access in the event of a disruption? (No) | |
| Critical record management procedures are developed and are aligned with the requirements | | Yes. | | |

DD.8: Alternate Work Area (rating: 4.68182)
Recommendations: Expedite design and development of long-term alternate work area.

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Alternate work areas exist (contracted, company owned, reciprocal?) | 4 | Plan to contract out the work area from SunGard. We will use the Canadian site as an interim solution | | |
| Alternate work area meets the BIA and functional requirements for recovery personnel | 0 | N/A | | |
| Acquisition strategy for workstations and servers in work area is consistent with BIA and other business process requirements | 0 | N/A | | |
| Floor plan exists | 0 | N/A | | |
| Non-IT resource acquisition strategy is in place (faxes, copiers, etc.) | 0 | No. | | |
| Site is unlikely to be affected by the same disaster | 7 | Yes. | | |
| Located outside of local area threats | 7 | Yes. | | |
| Located outside of regional area threats | 7 | Yes. | | |
| Alternate travel routes exist | 7 | Yes. | | |
| A comprehensive and validated BC Program exists for work area | 3 | Don't know | | |
| Secondary power generator/supply exists | 8 | Yes. | | |
| Technical support is available at alternate work site | 2 | Don't know | | |
| Supports connectivity to primary site | 8 | Yes. | | |
| Supports connectivity to alternate IT recovery sites | 8 | Yes. | | |
| Work area is expandable depending on the need | 2 | Don't know | | |
| Sufficient security exists at alternate work site | 8 | Yes. | | |
| Contains sufficient floor space for workstations, IT infrastructure and end-users | 2 | Don't know | | |
| Designed to support usage 24x7 | 7 | Yes. | | |
| Organization has sufficient control over the work area and its resources | 2 | Don't know | | |
| Meeting areas exist | 7 | Yes. | | |
| Basic facilities exist (HVAC, Bathrooms, etc.) | 7 | Yes. | | |
| Close proximity to Accommodation and Food Services/restaurants, banks, etc. | 7 | Yes. | | |

DD.9: Crisis Management Center (CMC) (rating: 7.25)
Recommendations: Evaluate whether or not EOC meets the BC requirements.

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| CMC design meets the requirements for space, personnel, equipment, facilities, etc. | 9 | EOC will be used as CMC. 1st location is a leased site 30 miles away from HQ. Alternate location is a hotel meeting room to be decided at the time of disaster | | |
| Location is easily accessible for Crisis Management Team (CMT) and it is not prone to single point of failure with the primary site. | 9 | Yes. | | |
| Reliable and dependable | 9 | Yes. | | |
| CMC meets the IT requirements (workstations, laptops, printers, etc.) | 3 | Don't know about BC requirements. | | |
| CMC meets the Non-IT requirements (faxes, copiers, presentation tools, etc.) | 8 | Yes. | | |
| CMC meets the voice connectivity requirements | 3 | Don't know about BC requirements. | | |
| CMC meets the data connectivity requirements | 3 | Don't know about BC requirements. | | |
| Designed to support usage 24x7 | 9 | Yes. | | |
| Organization has sufficient control over the work area and its resources | 9 | Yes. | | |
| Meeting areas exist | 9 | Yes. | | |
| Basic facilities exist (HVAC, Bathrooms, etc.) | 8 | Yes. | | |
| Close proximity to Accommodation and Food Services/restaurants, banks, etc. | 8 | Yes. | | |

DD.10: Assembly Location (rating: 5.97619)
Recommendations: Evaluate design of assembly location to determine if it meets BC requirements.

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Assembly location meets the functional requirements | 1 | Don't know | | |
| Assembly location complies with safety guidelines | 8 | Yes. | | |
| Easily accessible, dependable, and expandable | 8 | Yes. | | |
| Close proximity to Food, Accommodation, banks, etc. | 8 | Yes. | | |
| Controlled by the organization | 3 | No. MOU with another organization. | | |
| Less likely to be affected by the same local disaster | 8 | Likely to be affected by the local or regional disaster; but we have the EOC as an alternate. | | |

DD.11: Data Communication Services (rating: 5.83333)

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Designs for Data Communication and Networking services are complete | | | Review design documents | Design overall meets the continuity requirements but needs some additional improvements |
| Design takes into account single points of failure concerns and communication redundancy requirements | 7 | Yes. We have redundant carrier links | Do they go through the same conduit to the building? (yes) | Review data link for improving redundancy and single-point-of-failure |
| Different transmission medium is used (wireless, satellite, land lines) | 2 | Same medium. | | |
| Network design for alternate recovery site exists with specifications for connectivity, capacity, throughput, reliability, etc. | 7 | Yes. | | |
| Network design for work area exists with specifications for connectivity, capacity, throughput, reliability, etc. | 8 | Yes. IT has all that worked out. | | |
| Network design for data backup site exists with specifications for connectivity, capacity, throughput, reliability, etc. | | Yes. IT has all that worked out. | | |
| Network design for connectivity between primary site, alternate site, data backup site, and work area is complete. | 4 | It is complete except for the work area, which is planned to be completed in six weeks. | | |
| Data transmission security is part of the design. | 7 | Yes. | | |

DD.12: Voice Communication (rating: 6.6)

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Strategies are developed for redundancy of voice communication | | | | Design overall meets the continuity requirements but needs some additional improvements |
| Design takes into account single points of failure | 9 | Voice service provider has provided multiple voice lines going through redundant exchange routes. | | |
| Design takes into account rerouting of critical phone numbers | 9 | Yes. We have the capability to reroute our 1-800 numbers that customers use. | | |
| Design includes different communication mediums (cables, satellite, wireless, etc.) | 3 | No. They are all land lines. | | Provide additional redundancy by combining voice communication mediums. |
| Design takes into account bandwidth requirements | | Yes. | | |
| Design takes into account work area requirements | | Yes. | | |
| Design takes into account CMT requirements | 6 | Yes. | | |
| Design takes into account Recovery Site requirements | 6 | Yes. | | |

DD.13: Work Around Procedures (rating: 3.86111)
Response and Conclusion: See business process audit file.
Recommendations: Ensure work around procedures for all critical areas are complete and documented in a consistent format.

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Work around procedures are documented for all critical business units and processes | 3 | Most have them documented | | |
| Each work around procedure clearly specifies its objectives and scope | 3 | Some do and some don't | | |
| Each work around procedure clearly specifies conditions for invoking the procedure | 3 | Some do and some don't | | |
| Each work around procedure clearly specifies tasks to be performed and resources required, including critical records. | | Yes. | | |
| Each work around procedure clearly specifies task dependencies | 3 | Some do and some don't | | |
| Work around procedures include recovery of lost data | 6 | Yes. | | |

DD.14: Training and Awareness (rating: 5.16667)
Recommendations: Assign training and awareness responsibility to a staff member. Review current training and awareness design for additional improvements.

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Training and awareness program is designed and developed | | | | |
| Training database/site designed and developed | 7 | We have an intranet site for business continuity which provides training documents and general information. | | |
| Training methods and services selected | 4 | We plan to have onsite training on a regular basis. | | |
| Training schedule prepared | 1 | No. | | |
| Awareness plan developed | 9 | We currently have an internal BC monthly newsletter. | | |
| Training evaluation process designed and developed | 2 | No. | | |
| Training responsibilities assigned | 8 | We are currently talking to the HR training department to take on this task. | | |

DD.15: Salvage and Restoration (rating: 0)
Response and Conclusion: See comments from functional requirements.
Recommendations: The design and development for Salvage and Restoration must be based on the functional requirements once they are completed.

No rating or response recorded for these questions:
- All critical resources for salvage and restoration identified
- Physical areas and buildings for salvage and restoration assessed
- Types of damage to critical resources and areas assessed
- Salvage and restoration experts and contractors identified and contacted
- Requirements and cost discussed with Salvage and Restore contractors
- Contractors are selected

DD.16: Program Budget (no rating recorded)

No rating or response recorded for these questions:
- Detailed budget established (note recorded against this item: Percentage of the IT budget or overall revenue)
- Detailed budget and spending established for individual projects
- Detailed budget and spending established for hiring staff
- Detailed budget and spending established for contracts
- Detailed budget established for recovery resources and services
- Detailed budget established for BC tools
- Detailed budget established for training and awareness

PP: Program Implementation

PI.1: Risk Controls (no rating recorded)
Recommendations: Problems in this stage are due to weaknesses in the functional requirement process. See recommendations in Design and Development.

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| All risk controls have been implemented | | Some have been implemented, including secondary power generator. | | |
| Implementation project plans exist and are approved | | We have plans to continue implementation of risk controls. | | |
| Percentage implemented | 3 | 30 percent. | | |

PI.2: IT Recovery Systems (rating: 6)
Response and Conclusion: Most systems are in place and plans are in place to acquire the rest. Email systems recovery capability is not in place.

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Alternate IT systems purchased or leased | | Yes | | |
| Quick-ship strategies implemented | | Currently talking to the vendor | | |
| Percentage completed | 8 | | | |

PI.3: Alternate IT Recovery Site (no rating recorded)
Response and Conclusion: IT recovery site is in final stages of complete implementation.

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Alternate IT recovery site completed | 8 | Yes. SunGard | | |
| Alternate IT site inspected and approved for use | 8 | Yes | | |
| Percentage completed | 9 | 90 percent | | |

PI.4: A Tertiary Recovery Site (no rating recorded)

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Tertiary site completed | | No. | | |
| Tertiary site inspected and approved for use | | No. | | |
| Percentage completed | | N/A | | |

PI.5: Offsite Data Storage (rating: 5)
Response and Conclusion: Backup site is currently in use. Backup frequency needs adjustments.

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Remote backup site is complete | | Yes. | | |
| Data backup process to remote site has started | | Yes. | | |
| Percentage completed | 8 | 90 percent | | |

PI.6: Critical Record Storage (rating: 2)

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Remote record backup site is complete | | Implemented for document records only. It is remote only. There is no internal storage process or system | | |
| Remote record backup process has started | | Yes. | | |
| Percentage completed | 5 | 50 | | |

PI.7: Alternate Work Area (rating: 4)
Recommendations: Expedite design and development of long-term alternate work area

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Alternate work areas exist (contracted, company owned, reciprocal?) | 4 | Yes. Currently at the Canadian site but later at Sungard. | | |
| Work area inspected and approved | 3 | Partially. | | |
| Percentage completed | 4 | 50 | | |

PI.8: Crisis Management Center (CMC) (rating: 7)
Response and Conclusion: EOC will be used as CMC. 1st location is a leased site 30 miles away from HQ. Alternate location is a hotel meeting room to be

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| CMC exists | | Yes | | |
| CMC inspected and approved | | Yes | | |
| Percentage completed | 7 | 100 | | |

PI.9: Assembly Location (rating: 7)
Response and Conclusion: Assembly location is in place.

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Assembly sites exist | | Yes | | |
| Assembly sites inspected and approved | | Yes. | | |

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Percentage completed | 7 | 100 | | |

PI.10: Data Communication Services (rating: 8)

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Data Communication and Networking services are complete | | Yes | | |
| Connectivity between primary site and alternate IT recovery site is complete | | Yes | | |
| Connectivity between primary site and data backup site is complete | | Yes | | |
| Connectivity between alternate IT site and work area is complete | | Yes | | |
| Connectivity between CMC and alternate IT site is complete | | Yes | | |
| Connectivity between CMC and alternate work area is complete | | Yes | | |
| Percentage complete | 8 | 80 | | |

PI.11: Voice Communication (rating: 8)

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| VC infrastructure and services are complete | | Yes. | | |
| Percentage completed | 8 | 80 | | |

PI.12: Training and Awareness (rating: 2)
Recommendations: Expedite initiation of training and awareness program.

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Training and awareness program activated | | Not fully. | | |
| Percentage implemented | 2 | 10 percent | | |

PI.13: BC Tools (rating: 2)

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| BC tool is purchased | 2 | No. We are still evaluating tools | | Expedite tool evaluation to begin tool usage and deployment |
| Tool training is complete | | | | |
| Plans and information from paper/computer sources have been imported into the tool | | | | |
| Security and access control is in place | | | | |
| BC tool is deployed | | | | |
| A dedicated staff manages and maintains the BC tool | | | | |
| Team members have access to the tool | | | | |

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Percentage complete | | | | |

PI.14: Salvage and Restoration (rating: 0)
Response and Conclusion: Salvage and restoration is not yet included in BCP

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Salvage and restoration contracts are in place | | No. | | |
| Salvage and restoration procedures are documented | | No. | | |
| Percentage complete | 0 | 0 | | |

PI.15: Personnel (rating: 4)

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Are all required personnel hired | 5 | Most have been hired but we are still waiting to hire two more staff reporting to the Coordinator. | | |
| Responsibilities assigned to personnel. | 5 | Mostly assigned | | |
| BC team insurance purchased | 0 | No. | | |
| Percentage complete | 4 | 60 | | |

PI.16: SLA and Contracts (rating: 7)

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| SLA have been negotiated and implemented | 6 | The key SLA are in place | | |
| Contracts have been negotiated and implemented | 6 | Yes. Work area contract is under review. | | |

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Percentage complete | 7 | 80 | | |

PI.17: BC Plan Document (no rating recorded)

No rating or response recorded for these items:
- Plan document is complete
- Executive Summary

Plan components (no rating or response recorded for any of them):
- Objective
- Scope
- Assumptions
- Constraints and limitations
- Risk Assessment
- BIA
- Recovery Strategies
- Plan Execution phases
- BC Team Structure
- Contact List
- Call Tree
- Alternate contacts
- Contact Procedures
- Disaster Definition
- Disaster Declaration Procedures
- Service Level Agreements
- Insurance policy
- Critical resource inventory
- Critical Staff
- Crisis Communication Plan
- Emergency Response Plan
- Business unit plans
- Disaster Recovery Plan
- Recovery site Information
- Data backup procedures
- Data backup site information
- Critical record backup procedures
- Critical record backup site information
- Critical record recovery procedures
- Plan execution logistic procedures
- Security requirements and procedures
- Recovery logistics
- Team responsibilities
- Salvage and Restoration procedures
- IT recovery procedures
- Data network recovery procedures
- Voice communication recovery procedures
- Work area site information
- Work area recovery procedures
- Critical service recovery procedures
- Assembly location procedure
- Assembly location information
- Crisis management center or EOC information
- Plan execution timeline and schedule
- Disaster scenarios and recovery procedures
- BC Plan change controls
- BC plan distribution list
- BC plan appendices

PT: Plan Testing

PT.1: BC Plan Testing (rating: 3.714285714)

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Test plans exist for testing BC plan | 6 | Interim plans have been tested | | |
| Test objectives cover all essential elements of BC plan | 2 | No. It is missing testing of key business areas | | |
| Types of testing conducted so far | 2 | Table top and some systems at hotsite | No testing of notification procedures; EOC location, work areas, etc. | Recommend testing of notification procedures; EOC, and work areas. |
| Types of testing planned for future | 7 | Hot site testing of all systems | | |
| Test scenarios are realistic | 1 | No real scenarios have been tested | | Conduct likely scenario-based testing. |
| Tests have been completed for all required parts of BC plan | 3 | No. It is missing testing of key business areas | | Conduct testing of all key aspects of BC plan |
| Tests have been conducted according to test plans | 5 | Yes. | | |

PT.2: Test Evaluation (rating: 8)
Response and Conclusion: Tests have been evaluated well, particularly for hotsite testing. Evaluation included lessons learned. Many issues related to hotsite vendor support and coordination were identified and resolved.
Recommendations: This is one of the strength areas. A good test evaluation process is in place.

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Test results have been evaluated | 8 | | | |
| What criteria were used to evaluate tests | 8 | | | |
| Testing met all of the test objectives | 8 | | | |
| What were the strengths identified by the test | 8 | | | |
| What were the weaknesses identified by the test | 8 | | | |

PT.3: BC Plan Approval (rating: 4)
Response and Conclusion: The long-term plan document is not yet complete.

No rating or response recorded for these questions:
- BC Plan is approved
- BC Plan is approved by program sponsor and BC steering committee
- BC plan is distributed to all staff and personnel on distribution list

PT.4: BC Plan Document (no rating recorded)

Which parts of the plan below have been tested? (no responses recorded)
- Objective
- Scope
- Assumptions
- Constraints and limitations
- Risk Assessment
- BIA
- Recovery Strategies
- Plan Execution phases
- BC Team Structure
- Contact List
- Call Tree
- Alternate contacts
- Contact Procedures
- Disaster Definition
- Disaster Declaration Procedures
- Service Level Agreements
- Insurance policy
- Critical resource inventory
- Critical Staff
- Crisis Communication Plan
- Emergency Response Plan
- Business unit plans
- Disaster Recovery Plan
- Recovery site Information
- Data backup procedures
- Data backup site information
- Critical record backup procedures
- Critical record backup site information
- Critical record recovery procedures
- Plan execution logistic procedures
- Security requirements and procedures
- Recovery logistics
- Team responsibilities
- Salvage and Restoration procedures
- IT recovery procedures
- Data network recovery procedures
- Voice communication recovery procedures
- Work area site information
- Work area recovery procedures
- Critical service recovery procedures
- Assembly location procedure
- Assembly location information
- Crisis management center or EOC information
- Plan execution timeline and schedule
- Disaster scenarios and recovery procedures
- BC Plan change controls

PM: Program Management

PM.1: Primary Site Change Monitoring (rating: 3.143)
Recommendations: Extend change management beyond IT-related changes.

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Process is in place to monitor changes | 4 | Yes. BC Coordinator monitors all changes by attending all IT change management meetings. | | |
| IT level changes are monitored | 4 | Yes. Through IT change management | | |
| Business process changes are monitored | 1 | Not at this time. | | |
| Critical record changes are monitored | 4 | By business units only. Business units have people assigned to this task. | | |
| People changes are monitored | 3 | We have been talking to HR to keep us in the loop. | | |
| Critical resource related changes are monitored | 3 | Not at this time. | | |
| Critical services related changes are monitored | 3 | Yes. We plan to go through regular review of service and resource related changes. | | |

PM.2: Recovery Site Change Monitoring (rating: 3)
Recommendations: Implement proactive process for monitoring recovery site changes.

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Process is in place to monitor changes at the recovery sites | 3 | We expect vendor to notify us of any changes. | | |
| Hardware changes are monitored | 3 | Yes. | | |
| Software changes are monitored | 3 | Yes. | | |
| Network changes are monitored | 3 | Yes. | | |
| Facility changes are monitored | 3 | Yes. | | |
| Policy changes are monitored | 3 | Yes. | | |
| Security procedures are monitored | 3 | Yes. | | |

PM.3: Contract Management (rating: 7)

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| BC related contracts management process established | 7 | BC coordinator and procurement representative conduct a frequent review/update of contracts. | | |
| Contracts are reviewed on a regular basis | 7 | Yes. | | |
| Contracts include maintenance and upgrades | 7 | Yes. | | |
| Procurement and legal departments are involved in the contract management | 7 | Yes. | | |

PM.4: Risk Controls (rating: 3)

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Risk assessment occurs periodically | 3 | No. | | |
| Existing controls are reviewed and inspected on a regular basis | 3 | Facilities is responsible for reviewing physical controls such as secondary power generator. | | |
| Risk experts are involved in risk assessment and control process | 3 | No. | | |
| Risk assessment reports are presented to and reviewed by management | 3 | No. | | |

PM.5: BIA (rating: 4)
Response and Conclusion: We plan to do it regularly.

No rating or response recorded for these questions:
- BIA is conducted periodically
- Gaps are identified
- Results are reported to and reviewed by management
- Recovery strategy gaps are evaluated

PM.6: IT Systems Recovery Strategy (rating: 4)
Response and Conclusion: We plan to review it regularly.

No rating or response recorded for these questions:
- Recovery strategies are reviewed regularly
- Alternate sites are inspected for changes and problems.
- Quick-ship strategies are reviewed regularly

PM.7: BC Plan Testing (rating: 4)
Response and Conclusion: We plan to do it regularly.

No rating or response recorded for these questions:
- A plan exists for regular testing of BC Plan
- Both minor and major tests are carried out regularly
- Tests are reviewed and evaluated
- Test results are well documented and reported to management
- Test issues are resolved effectively
- Backup data integrity checks are done regularly
- Work around procedures are tested regularly

PM.8: Recovery Vendor's BC Plan Reviews (rating: 4)
Response and Conclusion: We will include it in our program.

No rating or response recorded for these questions:
- Recovery vendors' BC plans are reviewed regularly
- Recovery strategies and capabilities of vendors are reviewed regularly
- BC audit reports of vendors are reviewed

PM.9: Training and Awareness (no rating recorded)
Response and Conclusion: Currently not in maintenance stage.

No rating or response recorded for these questions:
- Training and awareness program is monitored, evaluated and updated
- New hire orientation includes BC information
- Program includes learning resource/database
- Program includes newsletters
- Program includes regular BC informational meetings
- Program includes BC tool training

PM.10: Management Process (rating: 5)

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| Steering committee is actively involved in the maintenance phase | 4 | Steering Committee will be established in a few months. | | |
| Program sponsor is actively involved in the maintenance phase | 8 | Yes. | | |
| BC Management meetings are held on weekly, monthly, and quarterly periods | 8 | Weekly with the sponsor and monthly with business unit managers | | |
| Reports from the steering committee are presented to Board and senior management | 4 | Steering Committee will be established in a few months. | | |
| Rules and regulations are monitored and reviewed | 1 | No. | | |

PM.11: External Coordination (rating: 3)
Recommendations: Improve external coordination related to BC plan

| Question | Rating | Response and Conclusion | Further Actions | Recommendations |
|---|---|---|---|---|
| BC plan is coordinated with external public authorities | 3 | Through ERP. | | Coordinate with ERP team to include BC plan's coordination requirements. |
| BC plan is coordinated with business partners | 1 | No. | | Coordinate BC plan with business partners on a regular basis |
| BC plan is coordinated with recovery vendors | 7 | Yes. | | |
| Meetings are held regularly to coordinate BC plan with external entities | 1 | No. | | Arrange regular meetings with external entities to coordinate BC plan activities |

BC Audits (no section number, rating or response recorded)

- BC Audits are conducted periodically
- BC Audits include internal and external auditors
- Audit recommendations are followed through
- Audits are done through expert auditors

PM.12: BC Program Reviews
  Section rating: 6.25

BC program is reviewed periodically
  Rating: 7   Response: We hold a monthly meeting with all business units to review relevant BC program activities and sections.

BC plan document is reviewed frequently
  Rating: 7   Response: BC coordinator and his team review the plan biweekly.

Review involves all BC team members
  Rating: 7   Response: Most team members, depending on what we are discussing at the time.

Results of the reviews are presented to steering committee and program sponsor
  Rating: 4   Response: Not yet. But we present it to our program sponsor.

PM.13: Plan Document Maintenance
  Section rating: 5.4

Stored offsite and onsite
  Rating: 6   Response: One copy is always with the BC coordinator on a memory card. One copy is with Iron Mountain.
  Recommendation: Recommend storing a BC document at the hot site. If possible, use a web-based planning tool.

Easily accessible during a disaster
  Rating: 5   Response: Yes.

Secured
  Rating: 8   Response: Yes. It is encrypted.

Need-to-know list maintained
  Rating: 3   Response: No. We have a common distribution list with access to all parts of the plan.
  Recommendation: Develop a need-to-know distribution list.

Distribution list maintained
  Rating: 5   Response: Yes.

Program Budget
  Section rating: 5.333333   Recommendation: BC program needs a separate budget; work out a detailed budget for each phase, project, and activity.

Separate annual budget allocated
  Rating: 5   Response: It is part of the IT budget.

Business area supporting the BC Program budget
  Rating: 8   Response: Yes. Business Managers are very supportive.

Source of budget
  Rating: 3   Response: IT.   Recommendation: BC program needs a separate budget and should not simply be part of the IT budget.

Detailed budget established for BC tools
  Rating: 5   Response: Yes.   Further action: Does it account for a specific and its cost? (We know the tool we want and its cost.)

Overall budget estimates established
  Rating: 5   Response: We do not have a yearly budget, but last year we spent $240K.

Percentage of BC budget relative to annual revenue
  Rating: 3   Response: IT budget is about 2%. Last year we spent about 240K on BC beyond people resources. We were allocated $125K originally.
  Further action: Obtain more information.

Overall budget established for individual projects
  Rating: 7   Response: Business units have their own budgets for BC activities.

Overall budget established for hiring staff
  Rating: 7   Response: We have put in the request to hire two more staff for next year.

Overall budget established for contracts
  Rating: 7   Response: The budget for contracts will come out of the overall BC budget.

Overall budget established for recovery resources and services
  Rating: 3   Response: Our recovery resource and service budget is mostly part of the overall IT budget.
  Further action: Find out if this budget is outside of the BC budget. Yes, it is outside of the IT budget. Last year approximately 60K was spent on the recovery resources and services.



Recommended