Audit Excel Questionnaire Feb 06 06

  • April 2020
  • PDF

Summary of program phases

Phase                    % Complete   Overall Rating   Comment/Reason
Program Initiation       90
Program Planning         80
Functional Requirement   50
Design and Development   40
Implementation           40
Testing                  30
Maintenance              20
Execution                N/A

[Program map diagram: the phases Program Initiation, Program Planning, Functional Requirements, Design and Development, Implementation, Testing, and Maintenance, each with its assessment areas. Areas shown in the diagram: Management Buy In; Program Evaluation; Program Commitment; Program Structure; Interim Temporary BC Plan; BC Program Management Document; Approval Process; General Assessment; Detailed requirements related to standards, rules, and regulations; Risk Management; Risk Controls; BIA; IT Systems Recovery Strategy; IT Recovery Systems; Alternate IT Recovery Site; Tertiary Recovery Site; Offsite Data Storage; Critical Record Storage; Critical Records; Alternate Work Area; Crisis Management Center (CMC); Assembly Location; Personnel; SLA and Contract Requirements; SLA and Contracts; External Coordination; Training and Awareness; Salvage and Restoration; Insurance Requirements; BC Tools; Data Communication Services; Voice Communication Services; Work around Procedures; BC Plan Document; BC Plan Approval; BC Plan Testing; Test Evaluation; Primary Site Change Monitoring; Recovery Site Change Monitoring; Contract Management; Recovery Vendor's BC Plan Reviews; Management Process; BC Audits; BC Program Reviews.]

PI: Program Initiation Questions
(Columns: Rating; Response and Conclusions; Further Actions; Recommendation)

PI.1: Management Buy In (section rating 6.4)

Has the program been initiated formally
  Rating 7. Program was initiated by the IT department.
  Recommendation: BC Program needs to be raised to top level and not just owned by IT.

What is the extent of management's awareness
  Rating 8. CIO and other C-level officers are aware of the program, but other than the CIO they don't consider it a top priority.

Is there a Project Sponsor
  Rating 6. CIO is the project sponsor.

What is the seniority and position of Project Sponsor
  Rating 7. CIO is the project sponsor.

Plan exist to raise awareness of management
  Rating 4. Several presentations were presented to management. Some were made on their own requests. They were high level presentations. There is no formal plan to raise awareness.
  Further action: Find out if there is a steering committee. Steering committee will help in raising top level awareness.
  Recommendation: Utilize Steering Committee to raise top level awareness.

PI.2: Program Evaluation and Approval (section rating 5.33)

High level program objectives, requirements and drivers analyzed and documented
  Rating 4. We have some program requirements analyzed as a result of a recent BIA effort and we have recently updated with new requirements for E-commerce application environment. We also have an extensive document on the reasons for establishing a BC program.
  Further action: Find out if objectives for the program were defined in these documents (not clearly).
  Recommendation: Define clear objectives for the program. Objectives should be stated in both general and specific terms.

Business case prepared and evaluated
  Rating 4. Yes. An informal business case was prepared.
  Further action: Was a budget prepared (Yes. We presented our initial budget and provided an estimate of yearly budget to CIO).

Clear Go/No Go decision made and at what level of the management
  Rating 8. Yes. CIO made the Go/No Go decision and presented this decision to senior management. But the board was not involved in this process.
  Recommendation: Board needs to have an active involvement in the overall high level evaluation process.

PI.3: Program Commitment (section rating 2.86)

Full-time qualified program manager assigned
  Rating 2. No. We have a part-time (70%) business continuity coordinator assigned to this task. He is from the corporate planning department and has been involved with Emergency Response Planning in the past.
  Further action: Find out if the coordinator has business continuity or DRP experience (No.)
  Recommendation: Assign full-time BC responsibility to BC coordinator.

Steering committee established
  Rating 6. A committee structure has been proposed and awaiting approval. (Company has the history of establishing SC for high profile critical projects.)
  Further action: This is definitely a strength.

Steering committee members have clear roles and responsibilities defined
  Rating 3. No.
  Recommendation: Define clear roles and responsibilities for Steering Committee.

BC Program is part of Strategic objectives and plan
  Rating 1. No.
  Recommendation: Include BC Program as part of Corporate Strategic Objectives.

BC Program policy exists
  Rating 2. We have a security policy which covers BC from the perspective of availability of critical systems.
  Recommendation: Create a BC policy statement.

BC Program policy fully communicated
  Rating 1. No.
  Recommendation: Utilize corporate communications to communicate BC policy.

BC culture is well established
  Rating 5. No. But IT and Business units have a better BC/DR culture compared to the rest of the company.
  Recommendation: Develop a plan to improve corporate wide BC culture.

PP: Program Planning Questions
(Columns: Rating; Response and Conclusion; Further Actions; Recommendations)

PP.1: Interim Temporary BC Plan (section rating 5)

Interim BC Plan exists if a long term plan doesn't exist
  Rating 5. Yes. But it has evolved since it was initially written.
  Further action: Review all earlier versions.

Interim Recovery Strategy Developed
  Rating 5. Mutual Agreement with our strategic partner.

Interim Agreements in place for recovery of key resources, sources, and services
  Rating 5. Mutual Agreement.
  Further action: Review agreements (Not enough careful planning and design. Agreements show weaknesses if the disaster lasts for longer than 2 or 3 days).

Interim Recovery Teams created
  Rating 5. Yes. The team has evolved since it was initially established.

PP.2: BC Program Management Document (section rating 4.43)

BC Program management document exist
  Rating 6. We have a project plan in place.
  Further action: Check the project plan details (Project plan is well structured but a complete program document is missing; project plan is part of BC plan).
  Recommendation: Create a BC program document which is separate from the BC plan.

A need statement prepared (Why is the program needed and what are the drivers?)
  Rating 7. We have a statement that indicates the main drivers: external contract requirements and SOX compliance, and it also includes the company's strategic objectives.
  Further action: Review the statements. Ask if they have researched industry specific requirements (No.)
  Recommendation: Research industry specific BC requirements.

Program objectives are well defined, aligned and approved
  Rating 4. Defined in BC plan document.
  Further action: Plan objectives are defined in general terms. Suggest inclusion of specific objectives.

Program Scope are defined and approved
  Rating 6. Defined in BC plan document.
  Further action: Plan scope are defined. Suggest including what is not in scope as well.

Program assumptions are stated explicitly
  Rating 0. Defined in BC plan document.
  Further action: No written program assumptions.
  Recommendation: State all key assumptions in program document.

Program deliverables are identified
  Rating 8. Defined in the project plan.

Program risks are analyzed and mitigation actions identified
  Rating 0. Defined in BC plan document.
  Further action: Investigate further (No evidence of program risks in BC Plan document).
  Recommendation: Assess program risks and mitigation steps.

PP.3: Program Structure (section rating 4.7; 3 (high risk factor))

Program divided into logical phases
  Rating 8. Project Plan has logical phases.
  Further action: Risk and BIA are combined as one phase (not a major concern at this time since it has been completed).

Phases are divided into activities
  Rating 7. Yes.

Activities are assigned due dates, start and end times, and dependencies
  Rating 7. Yes.

A BC Steering Committee exists
  Rating 4. Not currently. But CIO is presenting a case to top management for such a committee next month.
  Recommendation: Establishment of a SC must become a high priority. It will help to resolve a number of current obstacles and issues.

A BC program team structure is defined with reporting hierarchy
  Rating 7. Yes.
  Further action: Assess team structure. Three types of teams: Emergency management, Emergency response, and Business unit teams. Emergency management team includes President/CEO, COO, CFO, etc.

Team structure includes top management, program sponsor, BC coordinator, consultants, etc.
  Rating 7. Yes.

Team roles and responsibilities are well defined
  Rating 2. At a high level only. Team members' tasks are not assigned.
  Recommendation: Define tasks for team members.

Personnel assigned to the team structure with well defined responsibilities
  Rating 2. No. Personnel are assigned to teams but not with well defined responsibilities.
  Recommendation: Define responsibilities for team members.

Alternates to team members are assigned
  Rating 2. No.
  Recommendation: Assign alternates to team members.

Are there any BC team members working on a part-time capacity
  Rating 1. Yes. BC coordinator is part-time. There are two assistants to BC coordinator working part-time on BC project. Business unit representatives also work on a part-time and as-needed basis.
  Further action: Find out what those part-time staff are responsible for and how critical those responsibilities are. This is a high risk factor.

PP.4: Approval Process (section rating 5.17)

BC Program approval process exist for budget, objective and scope, contract, projects, policy, hiring etc.
  Rating 7. Only through CIO, but once a steering committee concept is approved, program approval process will be defined.

Senior Management and Board level process
  Rating 6. Senior management will be presenting the case for a formal BC program in the next board meeting.

Steering committee level process
  Rating 3. None.

Program sponsor level
  Rating 7. CIO is the program sponsor.

BC program coordinator level
  Rating 7. BC program coordinator requests approval directly to CIO.

Business unit level
  Rating 1. None. They are currently not involved in the approval process.

FR: Functional Requirements Questions
(Columns: Rating; Response and Conclusion; Further Actions; Recommendations)

FR.1: General Assessment

Functional requirements have been assessed
  Partially.

Functional requirements have been documented
  Not in a formal way. We will be presenting general requirements to Steering Committee in the near future.

Functional requirements have been reviewed by senior management
  Not yet.

Functional requirements have been approved

Complete: FR.2

FR.2: Detailed Requirements related to Standards, rules, and regulations (section rating 4.33)

General applicable standards and guidelines have been identified
  Rating 8. Yes. Documents indicate DRII and BS17799.
  Recommendation: Recommend also including NFPA 1600 standards.

Industry guidelines, rules, and regulations identified
  Rating 4. There hasn't been any effort to find out industry specific requirements other than SOX.
  Recommendation: Briefly research industry specific guidelines and make recommendations.

Specific requirements related to standards, rules and regulations assessed and documented
  Rating 1. No. There hasn't been any effort to find out industry specific requirements other than SOX.

FR.2: Risk Management (section rating 3.6)

Formal or Informal risk assessment was conducted and how long ago
  Rating 3. Informal assessments (brainstorming) have been done every year.
  Further action: Review reports.

Risk assessment was comprehensive in scope and aligned with Program scope
  Rating 8. Limited to HQ, data center, office areas only.

A qualified risk expert(s) assisted with the risk assessment
  Rating 2. BC coordinator conducted risk assessment with key staff involvement.
  Recommendation: Recommend obtaining qualified experts' assistance to review and conduct threats and risk assessments.

All potential threats were considered
  Rating 2. As many as we could determine.
  Further action: Review list of threats and company's exposure (Not all threats were considered).

Assessment was based on sound and proven method
  Rating 3. Yes.
  Further action: Review methods used. Quantitative vs. Qualitative approach. Is there a sound basis for calculating threat probabilities (Risk assessment is based on qualitative and informal approach).

Top management reviewed the threats and risks
  Rating 3. CIO and senior business unit managers only.

Company's appetite for risk identified and approved
  Rating 4. Not formally.

Both regional and local threats were considered
  Rating 3. Local threats mostly but some regional.

Existing risk controls were considered
  Rating 5. Yes.

Management concurs with Risk Assessment findings
  Rating 3. CIO and senior business unit managers have reviewed the findings but have not provided feedback on concurrence.

FR.3: BIA (section rating 8.67)
  Further action: Review BIA findings.

A formal BIA was conducted
  Rating 9. Yes.
Scope of the BIA is consistent with program scope
  Rating 9. Yes.
Representatives from all areas of business within scope participated in the BIA
  Rating 9. Yes.
Critical business processes have been identified
  Rating 9. Yes.
Financial losses analyzed
  Rating 9. Yes.
Operational Impacts analyzed
  Rating 9. Yes.
Worst case assumptions were used
  Rating 9. Yes.
Maximum Tolerable Downtime identified
  Rating 9. Yes.
RTO identified
  Rating 9. Yes.
RPO identified
  Rating 9. Yes.
How long ago was it completed
  Rating 9. 3 months ago.
Critical Systems and Applications identified
  Rating 9. Yes.
Qualified experts conducted BIA
  Rating 9. Yes.
Key concerns and issues captured and addressed
  Rating 4. Yes.
Management is aware of and concurs with BIA results
  Rating 9. Yes.

FR.4: Offsite Data Storage (section rating 5.5)

Offsite storage requirements analyzed thoroughly
  Rating 6. Partially through the BIA.

When were requirements last analyzed
  Rating 9. We now have different RPO.

Scope of storage requirements are consistent with program scope
  Rating 8. We backup both critical and non-critical applications and data.

Data backup requirements are known for all critical applications and systems
  Rating 7. IT department has a list of backup data requirements.
  Further action: Find out which backup vendor they use. Assess vendor's service reliability. (Storage Mountain).

Gaps in backup frequency is analyzed
  Rating 9. Yes.

Backup frequency established for all critical data
  Rating 9. Yes, through BIA.

Backup media type requirements are known
  Rating 4. Right now it is all on tapes.
  Further action: Find out if anyone uses media other than tape.
  Recommendation: Some users still use CD to store data on their PC. We didn't see this on the list of data backup requirements from IT.

Safe handling and storage requirements documented
  Rating 2. No.
  Recommendation: Assess safe handling and storage requirements.

Data integrity testing requirements are known
  Rating 1. No.
  Recommendation: Assess data integrity test requirements.

Data classification and security requirements are documented
  Rating 1. No.
  Further action: Check to see if there is any sensitive data (Client's credit card information is stored along with their address information).
  Recommendation: Assess data classification and security requirements.

Storage media retention period documented
  Rating 1. No. But we recycle the tapes from time to time.

Backup Tool/software requirements are known
  Rating 9. We currently use IBM's Tivoli Storage Manager.

FR.5: Work Area (section rating 6)

Requirements for alternate work area are analyzed and documented (space, personnel, equipment, facilities, etc.)
  Rating 8. Our Canadian site may be sufficient as a work area until we get the more permanent work site with SunGard.
  Further action: They have work area requirements in terms of number of workstations needed.

Requirements are aligned with BIA findings in terms of critical business units and applications
  Rating 8. Workstation requirements are aligned with critical applications.

Space requirements are known
  Rating 1. No.
  Recommendation: Work out the detailed work area space requirements.

Support personnel are known
  Yes. We know the key staff from the business areas needed in the recovery.

Workstation requirements are known
  Rating 9. Yes.

Network connectivity requirements are known
  Rating 9. Yes.

Non-IT resource requirements are known (faxes, copiers, etc.)
  Rating 1. No. We will rely on whatever is available at the Canadian site.
  Recommendation: Work out the Non-IT work area requirements for long term recovery strategy.

FR.6: Crisis Management Center (CMC) (section rating 2.3)

Requirements for CMC are analyzed and documented (space, personnel, equipment, facilities, etc.)
  Rating 2. Emergency Operations Center (EOC) already exists as part of Emergency Response Plan.
  Further action: Verify if BC plan is very closely integrated with the EOC. (EOC team has not yet assessed the specific BC response requirements. There is an assumption that the current design of the EOC will be sufficient to include BC response activities.)
  Recommendation: Assess BC related CMT requirements and determine if the current EOC design is sufficient.

Requirements for crisis management center are analyzed and documented (space, equipment, facilities, etc.)
  Rating 2. We expect to use EOC.

Workstation requirements
  Rating 4. We will need a workstation for each member of CM Team.
  Further action: Find out if the planning tool is included in this requirement (Not yet, since they have not purchased the tool).

Connectivity requirements
  Rating 2. No.

Non-IT resource requirements
  Rating 2. No.

FR.7: Personnel (section rating 1.8)

Are detailed requirements for personnel covered
  No.

Contractors required
  Rating 5. No.
  Further action: Find out if they have contractors (IT department has several contractors that support critical applications).
  Recommendation: Include BC related support requirements in contractor agreements.

Contract agreement includes support during recovery period
  Rating 1. No. But we assume that they will help us out.

Temporary help required
  Rating 1. Only if full-time staff are not available.
  Recommendation: Identify specific temporary staff requirements to help with recovery effort.

Detailed skill requirement for recovery staff
  Rating 1. No.
  Recommendation: Identify detail skill requirements for key recovery staff.

Pay requirements
  Rating 1. We have started talking with HR on salary requirements during a disaster recovery time. HR wants to talk to Senior Management first on this issue.
  Recommendation: Develop pay requirements for recovery staff during a disaster.

Union rules and policies are part of the requirements
  Rating 1. Company is unionized but they have not been involved in BC effort.
  Recommendation: Work with workers' union to evaluate impact of rules and regulations on BC team and staff in general.

Government labor laws are accounted for in the requirements
  Rating 1. No.
  Recommendation: Work with HR to evaluate labor laws and their impact on recovery team and their recovery assistance.

Travel requirements are known
  Rating 8. Yes. Team members are expected to travel to Canadian site and each is given a checklist.

Do you have BC team insurance coverage
  Rating 0. No.
  Recommendation: Evaluate insurance requirements for BC team.

FR.8: Critical Records (section rating 5.5)

Critical records recovery is part of BC program
  Rating 4. It is the responsibility of business units.
  Further action: It seems like the IT recovery has been the biggest focus so far. Check to see if critical record is part of BC Project Plan (It is not covered). But business unit recovery assessment shows that some units do have a critical record recovery program.
  Recommendation: Critical record should not be the responsibility of business units alone; assign someone with central responsibility for coordinating critical record continuity.

Critical records inventory exists
  Rating 4. Business units maintain their own records inventory. Critical paper records are stored with laptops at Iron Mountain.
  Further action: Are there electronic records that are critical (yes, but they are not backed up).
  Recommendation: Assess electronic record recovery requirements.

Records are categorized (vital, important, useful, etc.)
  Rating 7. Yes.

Inventory includes title of record, ownership, content type, users, etc.
  Rating 7. Yes.

Record retention period determined
  Rating 5. No. It is mostly paper based.

Inventory includes information on backup frequency
  Rating 6. It is all done weekly.

Inventory includes media storage type and capacity
  Rating 5. Yes.

Requirements for document scanning assessed
  Rating 0. No. We don't have any document management system.

Requirements for Document Management System analyzed
  Rating 0. No. We don't have any document management system other than Iron Mountain Connect.
  Recommendation: Suggest investigating document management system tool.

Requirement for local storage assessed
  Rating 0. No.

Requirement for remote storage assessed
  Rating 6. Yes.

Security requirements are documented
  Rating 7. Yes.

Safe handling procedures are documented
  Rating 7. Yes.

FR.9: SLA and Contract Requirements (section rating 7.4)

SLAs and contracts identified
  Rating 9. SLA with data communication services and voice services. There is also a pending SLA with our key client. We also have contracts in place with our data backup vendor. A contract is also in place for quick-ship of a server.

Points of contacts are documented
  Rating 9. Yes.

Internal procurement procedures are well structured and controlled
  Rating 9. Yes. We follow internal contract guidelines.
  Further action: Review the guidelines.

General requirements and obligations analyzed

Quality of service and performance requirements are documented
  Rating 9. Yes.

Worst case non-compliance scenarios and impacts assessed
  Rating 1. No. It is not part of our internal guideline.
  Recommendation: Include clauses (penalties) in SLA and contracts for worst-case non-compliance scenario.

FR.10: External Coordination (section rating 4.75)

All external coordination requirements analyzed
  Rating 6. Through ERP only.
  Further action: Review ERP for external coordination and find out if it includes BC coordination (Not very tight integration of BC and ERP).
  Recommendation: Develop a closer integration of BC with ERP. Include a member of ERP in BC and vice versa.

First responders and local authorities

Coordination requirements documented for Suppliers
  Not in scope.

Coordination requirements documented for Distributors
  Not in scope.

Coordination requirements documented for Labor unions
  Rating 0. No.
  Further action: Review labour union rules and contracts.
  Recommendation: Include Labour union representative in BC team.

Coordination requirements documented for Service providers
  Rating 9. Yes. We already have SLA for WAN, Internet, Voice services.
  Further action: Review SLA to see coordination points. Check point of contacts, SLA review dates, meetings, etc.

Coordination requirements documented for Clients and Customers
  Rating 6. It is part of ERP.
  Further action: Review ERP for external coordination and find out if it includes BC coordination.

Coordination requirements documented for Landlords and building management
  Rating 1. We only have one building in the area leased, but we have not coordinated with the landlord.
  Further action: ERP does not include landlord coordination.
  Recommendation: Recommend establishing disaster coordination with landlords and building management.

Coordination requirements documented for Insurance company
  Rating 3. Insurance documents are attached to our Interim BC plan.
  Further action: Review insurance documents.
  Recommendation: Recommend communication and coordination with insurance agents and adjustors.

Coordination requirements documented for Recovery vendors
  Rating 8. Mutual agreement includes coordination information, and we also have coordination information with SunGard.

Coordination requirements documented for Data backup vendors
  Rating 5. So far there hasn't been any major problem with coordination with the backup vendor. We have a yearly contract in place. We deal with issues as they arise.
  Recommendation: Recommend better coordination with data backup vendor.

FR.11: Training and Awareness (section rating 6.5)

Training and awareness is part of BC Program
  Rating 8. Our BC coordinator and her assistants have been to BC conferences and training courses. BC coordinator has documented the need for training and awareness.

Personnel requiring training identified
  Rating 6. BC team members only.
  Recommendation: Assess requirements for personnel outside of BC teams.

Experience levels assessed
  Rating 6. No. Focus of training is primarily on BC team members.

Training needs documented
  Rating 6. Yes. Only for BC team members.

FR.12: Salvage & Restoration (section rating 0)

All critical resources for salvage and restoration identified
  Rating 0. Critical documents are the responsibilities of business units.

Physical areas and buildings for salvage and restorations assessed
  Rating 0. Facilities is responsible for this.

Salvage and restoration scenarios for critical resources and areas assessed
  Rating 0. No.
  Recommendation: Recommend evaluating and documenting salvage and restoration requirements.

FR.13: Insurance Requirements (section rating 3.5)

Disaster insurance exists and who is responsible for its purchase internally
  Rating 3. We have a standard disaster clause in our insurance policy; Finance is responsible for it.
  Recommendation: Review insurance policy for comprehensive disaster coverage.

Insurance purchase process is integrated with BC program
  Rating 0. No.
  Recommendation: Integrate insurance purchase process with BC program.

Insurance requirements to report and claim a disaster are known
  Rating 0. No.
  Recommendation: Determine insurance claim process.

Secondary sites insurance requirements
  Rating 7. Covered by the recovery vendor.

FR.14: BC Tools (section rating 5)

BC tools and software requirements are known
  Rating 5. Yes. We need a tool that is web based and allows business unit plans and integration of IT and ERP. Easy to maintain and learn. Security is also important.
  Recommendation: Assess document/record management system tool requirements.

High level descriptions of tool's features and capabilities are identified
  Rating 6. Yes.

Tools have been researched and compared
  Rating 8. We have evaluated four different tools.

Support staff resource requirements have been analyzed
  Rating 1. No.
  Recommendation: Assess requirements for tool admin/support staff.

FR.15: Assembly Location (section rating 2.75)

Assembly location requirements identified
  Rating 4. ERP specifies assembly location.
  Further action: Find out if it was used in the last plan test (Yes. We were not able to get everyone in the assembly location due to fire and safety regulations). Do you have another site in case this assembly site is not available (Yes, EOC).
  Recommendation: Recommend assessing requirements for tertiary assembly location.

Assembly location capacity requirements are known
  Rating 1. No.
  Recommendation: Assess detail assembly site capacity requirements.

Distance location requirements are known
  Rating 5. About 3 miles away from the primary site.

Ability of personnel to travel and meet at Assembly Location analyzed
  Rating 1. Not specifically for BC team members.
  Recommendation: Assess detail travel and accessibility requirements for BC team members.

Recommenda tion Type (Negative, OK, Positive)

DD: Design and Development Questions

Rating

Response and Conclusion

Further Actions

DD.1: General Assessment Designs & Development completed Designs have been documented Designs have been reviewed by senior management Designs have been approved Budget is reviewed and approved DD.2: Risk Controls

3 See Risk Assessment word file for additional assessment.

Risk control design is part of BC Program Control options have been researched and analyzed

5 Yes

Qualified risk expert(s) assisted with the risk control designs Cost of options have been compared Residual risks are known Top management reviewed the risk control options and residual risks Top management selected the best options for implementation Top management has approved the budget for control option implementation

1 No.

3 Yes. We can do a lot more given more time and resources.

2 Only for some threats 1 No. 3 Not the residual risk. 3 For some options 3 For some options

Problems in this stage is due to weaknesses in the previous functional requirement process. Initiate a risk assessment and management project with the help of risk management Not all controlexpert options and full management have been support. researched and analyzed

Find out the reasons (lack of resources and time)

DD.3: IT Systems Recovery Strategy

5.31 Focus on long-term strategy

Appropriate recovery strategies exist for all critical IT systems and applications Alternate site strategies exist

4 Yes. Completed the strategy design stages.

Quick-ship strategies exist

7 Yes for some systems.

Recovery strategies are aligned with RTO values

8 Partially.

Cost versus RTO trade-off analyzed Effort requirements analyzed Control requirements analyzed

5 Partialy.

Reliability requirements analyzed

7 Yes.

3 No. 8 Yes. With the alternate site we have more control over the IT infrastructure. 3 We are counting on the recovery vendor for that.

Strategies aligned with system capacity requirements Strategies aligned with system performance requirements

5 Yes.

Strategies aligned with system configuration requirements

3 There are some configuration compatability issues.

Recovery system and primary systems exact in type, configuration, capacity, etc

5 No. But they are compatible.

Flexibility in upgrading the recovery systems to match primary systems upgrades

4 We don't know. We will include it in the contract agreement with the vendor.

7 Alternate systems have more capacity than our production environment

Email strategy is missing.

DD.4: Alternate IT Recovery Site

6.82 Focus on long-term strategy

Alternate site meets the strategy requirements for IT systems/servers/networks Unlikely to be effected by the same disaster Located outside of local area threats Located outside of regional area threats Alternate travel routes exists Floor plan exists A comprehensive and validated BC Program exists for Alternate Recovery Site

8 Yes.

Secondary power generator/supply exists

9 Yes.

Technical support is available at alternate site Supports connectivity to primary site supports connectivity to work areas

8 Yes.

Sufficient security exists at alternate site

8 Yes. Particularly regional disaster. 8 Yes. 8 Yes 8 Yes. 8 Yes. 7 Yes.

Review their BC program even though they are reputable and reliable Has any body visually inspected the power supply (part of the tour).

7 Yes. 9 Well connected. Work area and IT recovery area are with the same vendor 5 Yes.

Access to recovery area is gauranteed in case of recovery need

4 It is on the first-comefirst serve basis.

Organization has sufficient control over the recovery area and its resources

4 Partial

Meeting areas exist

2 Yes but it will cost more

Basic facilities exist (HVAC, Bathrooms, etc.) Close proximity to Accommodation and Food Services/restaurants, banks, etc.

6 Yes. 7 Yes.

Find out if the servers and systems are shared by other clients of the vendor (yes they are). Find out if there are clauses in the contract that may deny access (yes it does) Find out if there are reasons for having complete control (none)

DD.5: A Tertiary Recovery Site A tertiary recovery site exists with sufficient recovery capabilities and capacities Is it used for backup of data from secondary site Is it used for recovery of all systems at the secondary site

3.16

DD.6: Offsite Data Storage Backup Strategies are aligned with RPO requirements

3.63 3 1 RPO is unknown for Billing System but backups are made daily to Iron Mountain. 5 Tapes

What is the method of data backup Data is replicated to servers at recovery site Data is backed-up through tape media Data is backed-up through Electronic Vaulting

0 No. 0 No. 0 No.

1 No. 5 Yes. 2 No.

Cost versus recovery strategy options analyzed

2 No.

Backup method is reliable and dependable All data required for recovery is backed-up Backup Tools/Software exist and their capabilities are compatable with backup strategies Sufficient backup media capacity exist at the storage facility Strategies exist for remote backup during the recovery period Facilities exist to ship backup data to recovery sites in time to meet RTO requirements Safe handling and storage procedures documented Data integrity testing procedures are documented Data classification and security procedures and guidelines are documented Storage media retention procedures are documented

4 Yes. 7 Yes. 7 Yes.

7 Yes. 1 No. 5 Yes. 4 Mostly. 1 No. 5 Yes. 1 No.

Critical Record Storage Area

Section rating: 4.67

Question | Rating | Response
Internal facilities/areas exist to store critical documents | 2 | They are stored in filing cabinets by the business units themselves.
Internal facilities meet the fire and water protection requirements | 0 | No.
Internal facilities meet the security requirements | 0 | No.
External facilities/areas exist to store critical documents | 7 | Yes. Iron Mountain, only for paper documents.
External facilities meet the heat, humidity, and other climate control requirements | 7 | Yes.
External record storage facility is under the management and control of qualified personnel | 7 | Yes.
External facilities meet the security requirements | 7 | Yes.
External facility can ship the records to work areas/primary site within required timeframe | 7 | Yes.
External facility supports 24x7 operations | 7 | Yes.
Appropriate record management system is reviewed and assessed | 8 | We are using the Iron Mountain Connect™ portal to track and retrieve documents.
Critical record management procedures are developed and are aligned with the requirements | | Yes.

DD.7: Alternate Work Area

Section rating: 4.68

Question | Rating | Response
Alternate work areas exist (contracted, company owned, reciprocal?) | 4 | Plan to contract out the work area from SunGard. We will use the Canadian site as an interim solution.
Alternate work area meets the BIA and functional requirements for recovery personnel | 0 | N/A
Acquisition strategy for workstations and servers in work area is consistent with BIA and other business process requirements | 0 | N/A
Floor plan exists | 0 | N/A
Non-IT resource acquisition strategy is in place (faxes, copiers, etc.) | 0 | No.
Site is unlikely to be affected by the same disaster | 7 | Yes.
Located outside of local area threats | 7 | Yes.
Located outside of regional area threats | 7 | Yes.
Alternate travel routes exist | 7 | Yes.
A comprehensive and validated BC program exists for work area | 3 | Don't know
Secondary power generator/supply exists | 8 | Yes.
Technical support is available at alternate work site | 2 | Don't know
Supports connectivity to primary site | 8 | Yes.
Supports connectivity to alternate IT recovery sites | 8 | Yes.
Work area is expandable depending on the need | 2 | Don't know
Sufficient security exists at alternate work site | 8 | Yes.
Contains sufficient floor space for workstations, IT infrastructure and end-users | 2 | Don't know
Designed to support usage 24x7 | 7 | Yes.
Organization has sufficient control over the work area and its resources | 2 | Don't know
Meeting areas exist | 7 | Yes.
Basic facilities exist (HVAC, bathrooms, etc.) | 7 | Yes.
Close proximity to accommodation and food services/restaurants, banks, etc. | 7 | Yes.

Auditor note: Is Iron Mountain Connect set up for laptop access in the event of a disruption? (No)

DD.8: Crisis Management Center (CMC)

Section rating: 7.25

Question | Rating | Response
CMC design meets the requirements for space, personnel, equipment, facilities, etc. | 9 | EOC will be used as CMC. 1st location is a leased site 30 miles away from HQ. Alternate location is a hotel meeting room to be decided at the time of disaster.
Location is easily accessible for the Crisis Management Team (CMT) and is not prone to a single point of failure shared with the primary site | 9 | Yes.
Reliable and dependable | 9 | Yes.
CMC meets the IT requirements (workstations, laptops, printers, etc.) | 3 | Don't know about BC requirements.
CMC meets the non-IT requirements (faxes, copiers, presentation tools, etc.) | 8 | Yes.
CMC meets the voice connectivity requirements | 3 | Don't know about BC requirements.
CMC meets the data connectivity requirements | 3 | Don't know about BC requirements.
Designed to support usage 24x7 | 9 | Yes.
Organization has sufficient control over the work area and its resources | 9 | Yes.
Meeting areas exist | 9 | Yes.
Basic facilities exist (HVAC, bathrooms, etc.) | 8 | Yes.
Close proximity to accommodation and food services/restaurants, banks, etc. | 8 | Yes.

Section rating: 5.98

Auditor note: Evaluate design of assembly location to determine if it meets BC requirements.

Question | Rating | Response
Assembly location meets the functional requirements | 1 | Don't know
Assembly location complies with safety guidelines | 8 | Yes.
Easily accessible, dependable, and expandable | 8 | Yes.
Close proximity to food, accommodation, banks, etc. | 8 | Yes.
Controlled by the organization | 3 | No. MOU with another organization.
Less likely to be affected by the same local disaster | 8 | Likely to be affected by the local or regional disaster; but we have the EOC as an alternate.

DD.10: Data Communication Services

Section rating: 5.83

Auditor note: Review design documents.

Design items assessed:
- Designs for data communication and networking services are complete
- Design takes into account single points of failure concerns and communication redundancy requirements
- Different transmission media are used (wireless, satellite, land lines)
- Network design for alternate recovery site exists with specifications for connectivity, capacity, throughput, reliability, etc.
- Network design for work area exists with specifications for connectivity, capacity, throughput, reliability, etc.
- Network design for data backup site exists with specifications for connectivity, capacity, throughput, reliability, etc.
- Network design for connectivity between primary site, alternate site, data backup site, and work area is complete
- Data transmission security is part of the design

Responses recorded (Rating | Response):
7 | Yes. We have redundant carrier links.
2 | Same medium.
7 | Yes.
8 | Yes. IT has all that worked out.
  | Yes. IT has all that worked out.
4 | It is complete except for the work area, which is planned to be completed in six weeks.
7 | Yes.

Auditor note: Do they go through the same conduit to the building? (Yes)

DD.11: Voice Communication

Section rating: 6.6

Design items assessed:
- Strategies are developed for redundancy of voice communication
- Design takes into account single points of failure
- Design takes into account rerouting of critical phone numbers
- Design includes different communication media (cables, satellite, wireless, etc.)
- Design takes into account bandwidth requirements
- Design takes into account work area requirements
- Design takes into account CMT requirements
- Design takes into account recovery site requirements

Responses recorded (Rating | Response):
9 | Voice service provider has provided multiple voice lines going through redundant exchange routes.
9 | Yes. We have the capability to reroute our 1-800 numbers that customers use.
3 | No. They are all land lines.
  | Yes.
  | Yes.
6 | Yes.
6 | Yes.

DD.12: Work around Procedures

Section rating: 3.86

Auditor note: See business process audit file.

Question | Rating | Response
Work around procedures are documented for all critical business units and processes | 3 | Most have them documented
Each work around procedure clearly specifies its objectives and scope | 3 | Some do and some don't
Each work around procedure clearly specifies conditions for invoking the procedure | 3 | Some do and some don't
Each work around procedure clearly specifies tasks to be performed and resources required, including critical records | | Yes.
Each work around procedure clearly specifies task dependencies | 3 | Some do and some don't
Work around procedures include recovery of lost data | 6 | Yes.

DD.13: Training and Awareness

Section rating: 5.17

Question | Rating | Response
Training and awareness program is designed and developed | |
Training database/site designed and developed | 7 | We have an intranet site for business continuity which provides training documents and general information.
Training methods and services selected | 4 | We plan to have onsite training on a regular basis.
Training schedule prepared | 1 | No.
Awareness plan developed | 9 | We currently have an internal BC monthly newsletter.
Training evaluation process designed and developed | 2 | No.
Training responsibilities assigned | 8 | We are currently talking to the HR training department to take on this task.

DD.14: Salvage and Restoration

Section rating: 0

Response for all items: See comments from functional requirements.

Items assessed:
- All critical resources for salvage and restoration identified
- Physical areas and buildings for salvage and restoration assessed
- Types of damage to critical resources and areas assessed
- Salvage and restoration experts and contractors identified and contacted
- Requirements and cost discussed with salvage and restore contractors
- Contractors are selected

Recommendations

Recommendation type (Negative, OK, Positive)

- Overall design is aligned with the requirements but there are still some gaps and room for improvement. Examples: generic applications such as email are not part of the recovery strategy; drop-ship of the billing system server; the ability of people to get to the recovery site on time.
- Recommend a tertiary site.
- Recommend testing compatibility issues.
- Recommend testing compatibility issues.
- Recommend inclusion in the contract of upgrade flexibility for recovery systems.
- Recommend involving the IT security department in the secure design; suggest development of security policy and procedures for before, during, and after disaster situations. Recommend creating a tertiary recovery site.
- We recommend the use of a tertiary recovery site.
- Implement an internal critical document/record management group and facility in addition to a remote storage site.
- Expedite design and development of the long-term alternate work area.
- Evaluate whether or not the EOC meets the BC requirements.
- Design overall meets the continuity requirements but needs some additional improvements. Review data links for improving redundancy and removing single points of failure.
- Design overall meets the continuity requirements but needs some additional improvements. Provide additional redundancy by combining voice communication media.
- Ensure work around procedures for all critical areas are complete and documented in a consistent format.
- Assign training and awareness responsibility to a staff member. Review the current training and awareness design for additional improvements.
- The design and development for Salvage and Restoration must be based on the functional requirements once they are completed.

PI: Program Implementation Questions

Question | Rating | Response and Conclusion | Further Actions

PI.1: Risk controls (section rating 3)
All risk controls have been implemented | 3 | Some have been implemented, including the secondary power generator. We have plans to continue implementation of risk controls. |
Implementation project plans exist and are approved | | |
Percentage implemented | | 30 percent. |

PI.2: IT Recovery Systems (section rating 6)
Section comment: Most systems are in place and plans are in place to acquire the rest. Email systems recovery capability is not in place.
Alternate IT systems purchased or leased | | Yes |
Quick-ship strategies implemented | | Currently talking to the vendor |
Percentage completed | | |

PI.3: Alternate IT Recovery Site (section rating 8)
Alternate IT recovery site completed | 8 | IT recovery site is in the final stages of completion (SunGard implementation). |
Alternate IT site inspected and approved for use | 8 | Yes. |
Percentage completed | 9 | 90 percent |

PI.4: A Tertiary Recovery Site
Tertiary site completed | | No. |
Tertiary site inspected and approved for use | | No. |
Percentage completed | | N/A |

Recommendation (implementation stage): Problems in this stage are due to weaknesses in the functional requirement process. See recommendations in Design and Development.

PI.5: Offsite Data Storage (section rating 5)
Remote backup site is complete | | Yes. Backup site is currently in use. Backup frequency needs adjustments. |
Data backup process to remote site has started | | Yes. |
Percentage completed | 8 | 90 percent |

PI.6: Critical Record Storage (section rating 2)
Remote record backup site is complete | | Implemented for document records only. It is remote only. There is no internal storage process or system. |
Remote record backup process has started | | Yes. |
Percentage completed | | 50 |

PI.7: Alternate Work Area (section rating 4)
Alternate work areas exist (contracted, company owned, reciprocal?) | 4 | Yes. Currently at the Canadian site but later at SunGard. |
Work area inspected and approved | 3 | Partially. |
Percentage completed | | 50 | Expedite design and development of the long-term alternate work area.

PI.8: Crisis Management Center (CMC) (section rating 7)
CMC exists | 7 | Yes. EOC will be used as CMC. 1st location is a leased site 30 miles away from HQ. Alternate location is a hotel meeting room. |
CMC inspected and approved | | Yes |
Percentage completed | 7 | 100 |

PI.9: Assembly Location (section rating 7)
Assembly sites exist | 7 | Yes. Assembly location is in place. |
Assembly sites inspected and approved | | Yes. |
Percentage completed | 7 | 100 |

PI.10: Data Communication Services (section rating 8)
Data communication and networking services are complete | | Yes |
Connectivity between primary site and alternate IT recovery site is complete | | Yes |
Connectivity between primary site and data backup site is complete | | Yes |
Connectivity between alternate IT site and work area is complete | | Yes |
Connectivity between CMC and alternate IT site is complete | | Yes |
Connectivity between CMC and alternate work area is complete | | Yes |
Percentage complete | 8 | 80 |

PI.11: Voice Communication (section rating 8)
VC infrastructure and services are complete | | Yes. |
Percentage completed | 8 | 80 |

PI.12: Training and Awareness (section rating 2)
Training and awareness program activated | | Not fully. |
Percentage implemented | 2 | 10 percent | Expedite initiation of training and awareness program.

PI.13: BC Tools (section rating 2)
BC tool is purchased | 2 | No. We are still evaluating tools. | Expedite tool evaluation to begin tool usage and deployment.
Tool training is complete | | |
Plans and information from paper/computer sources have been imported into the tool | | |
Security and access control is in place | | |
BC tool is deployed | | |
A dedicated staff manages and maintains the BC tool | | |
Team members have access to the tool | | |
Percentage complete | | |

PI.14: Salvage and Restoration (section rating 0)
Section comment: Salvage and restoration is not yet included in BCP.
Salvage and restoration contracts are in place | | No. |
Salvage and restoration procedures are documented | | No. |
Percentage complete | 0 | |

PI.15: Personnel (section rating 4)
Are all required personnel hired | 5 | Most have been hired but we are still waiting to hire two more staff reporting to the Coordinator. |
Responsibilities assigned to personnel | 5 | Mostly assigned |
BC team insurance purchased | 0 | No. |
Percentage complete | 4 | |

PI.16: SLA and Contracts (section rating 7)
SLAs have been negotiated and implemented | 6 | The key SLAs are in place |
Contracts have been negotiated and implemented | 6 | Yes. Work area contract is under review. |
Percentage complete | 7 | |

PI.17: BC Plan Document (section rating 3)
Plan document is complete | 3 | 60 |
Plan components (listed below) | | 80 |

Plan components:
Executive Summary; Objective; Scope; Assumptions; Constraints and limitations; Risk Assessment; BIA; Recovery Strategies; Plan Execution phases; BC Team Structure; Contact List; Call Tree; Alternate contacts; Contact Procedures; Disaster Definition; Disaster Declaration Procedures; Service Level Agreements; Insurance policy; Critical resource inventory; Critical Staff; Crisis Communication Plan; Emergency Response Plan; Business unit plans; Disaster Recovery Plan; Recovery site information; Data backup procedures; Data backup site information; Critical record backup procedures; Critical record backup site information; Critical record recovery procedures; Plan execution logistic procedures; Security requirements and procedures; Recovery logistics; Team responsibilities; Salvage and Restoration procedures; IT recovery procedures; Data network recovery procedures; Voice communication recovery procedures; Work area site information; Work area recovery procedures; Critical service recovery procedures; Assembly location procedure; Assembly location information; Crisis management center or EOC information; Plan execution timeline and schedule; Disaster scenarios and recovery procedures; BC Plan change controls; BC plan distribution list; BC plan appendices.

PT: Plan Testing Questions

Question | Rating | Response and Conclusion | Further Actions

PT.1: BC Plan Testing (section rating 3.71)
Test plans exist for testing BC plan | 6 | Interim plans have been tested |
Test objectives cover all essential elements of BC plan | 2 | No. It is missing testing of key business areas |
Types of testing conducted so far | 2 | Table top and some systems testing at hotsite. No testing of notification procedures, EOC location, work areas, etc. |
Types of testing planned for future | 7 | Hot site testing of all systems |
Test scenarios are realistic | 1 | No real scenarios have been tested |
Tests have been completed for all required parts of BC plan | 3 | No. It is missing testing of key business areas |
Tests have been conducted according to test plans | 5 | Yes. |

PT.2: Test Evaluation (section rating 8)
Test results have been evaluated | 8 | Tests have been evaluated well, particularly for hotsite testing. Evaluation included lessons learned. Many issues related to hotsite vendor support and coordination were identified and resolved. |
What criteria were used to evaluate tests | 8 | |
Testing met all of the test objectives | 8 | |
What were the strengths identified by the test | 8 | |
What were the weaknesses identified by the test | 8 | |

PT.3: BC Plan Approval (section rating 4)
Section comment: The long-term plan document is not yet complete.
BC Plan is approved | | |
BC Plan is approved by program sponsor and BC steering committee | | |
BC plan is distributed to all staff and personnel on distribution list | | |

PT.4: BC Plan Document
Which parts of the plan below have been tested? (No responses recorded.)
Objective; Scope; Assumptions; Constraints and limitations; Risk Assessment; BIA; Recovery Strategies; Plan Execution phases; BC Team Structure; Contact List; Call Tree; Alternate contacts; Contact Procedures; Disaster Definition; Disaster Declaration Procedures; Service Level Agreements; Insurance policy; Critical resource inventory; Critical Staff; Crisis Communication Plan; Emergency Response Plan; Business unit plans; Disaster Recovery Plan; Recovery site information; Data backup procedures; Data backup site information; Critical record backup procedures; Critical record backup site information; Critical record recovery procedures; Plan execution logistic procedures; Security requirements and procedures; Recovery logistics; Team responsibilities; Salvage and Restoration procedures; IT recovery procedures; Data network recovery procedures; Voice communication recovery procedures; Work area site information; Work area recovery procedures; Critical service recovery procedures; Assembly location procedure; Assembly location information; Crisis management center or EOC information; Plan execution timeline and schedule; Disaster scenarios and recovery procedures; BC Plan change controls.

Recommendations
- Recommend testing of notification procedures, EOC, and work areas.
- Conduct likely-scenario-based testing. Conduct testing of all key aspects of the BC plan.
- This is one of the strength areas. A good test evaluation process is in place.

PM: Program Management Questions

Question | Rating | Response and Conclusion | Further Actions

PM.1: Primary Site Change Monitoring (section rating 3.14)
Process is in place to monitor changes | 4 | By business units only. | Extend change management beyond IT-related changes.
IT level changes are monitored | 4 | Yes. BC Coordinator monitors all changes by attending all IT change management meetings. |
Business process changes are monitored | 4 | Yes. Through IT change management. |
Critical record changes are monitored | 1 | Not at this time. Business units have people assigned to this task. |
People changes are monitored | 3 | We have been talking to HR to keep us in the loop. |
Critical resource related changes are monitored | 3 | Not at this time. |
Critical services related changes are monitored | 3 | Yes. We plan to go through regular review of service and resource related changes. |

PM.2: Recovery Site Change Monitoring (section rating 3)
Process is in place to monitor changes at the recovery sites | 3 | We expect the vendor to notify us of any changes. | Implement a proactive process for monitoring recovery site changes.
Hardware changes are monitored | 3 | Yes. |
Software changes are monitored | 3 | Yes. |
Network changes are monitored | 3 | Yes. |
Facility changes are monitored | 3 | Yes. |
Policy changes are monitored | 3 | Yes. |
Security procedures are monitored | 3 | Yes. |

PM.3: Contract Management (section rating 7)
BC related contracts management process established | 7 | BC coordinator and procurement representative conduct a frequent review/update of contracts. |
Contracts are reviewed on a regular basis | 7 | Yes. |
Contracts include maintenance and upgrades | 7 | Yes. |
Procurement and legal departments are involved in the contract management | 7 | Yes. |

PM.4: Risk Controls (section rating 3)
Risk assessment occurs periodically | 3 | No. |
Existing controls are reviewed and inspected on a regular basis | 3 | Facilities is responsible for reviewing physical controls such as the secondary power generator. |
Risk experts are involved in risk assessment and control process | 3 | No. |
Risk assessment reports are presented to and reviewed by management | 3 | No. |

PM.5: BIA (section rating 4)
BIA is conducted periodically | 4 | We plan to do it regularly. |
Gaps are identified | | |
Results are reported to and reviewed by management | | |
Recovery strategy gaps are evaluated | | |

PM.6: IT Systems Recovery Strategy (section rating 4)
Recovery strategies are reviewed regularly | 4 | We plan to review it regularly. |
Alternate sites are inspected for changes and problems | | |
Quick-ship strategies are reviewed regularly | | |

PM.7: BC Plan Testing (section rating 4)
A plan exists for regular testing of BC Plan | 4 | We plan to do it regularly |
Both minor and major tests are carried out regularly | | |
Tests are reviewed and evaluated | | |
Test results are well documented and reported to management | | |
Test issues are resolved effectively | | |
Backup data integrity checks are done regularly | | |
Work around procedures are tested regularly | | |

PM.8: Recovery Vendor's BC Plan Reviews (section rating 4)
Recovery vendors' BC plans are reviewed regularly | 4 | We will include it in our program |
Recovery strategies and capabilities of vendors are reviewed regularly | | |
BC audit reports of vendors are reviewed | | |

PM.9: Training and Awareness
Section comment: Currently not in maintenance stage.
Training and awareness program is monitored, evaluated and updated | | |
New hire orientation includes BC information | | |
Program includes learning resource/database | | |
Program includes newsletters | | |
Program includes regular BC informational meetings | | |
Program includes BC tool training | | |

PM.10: Management Process (section rating 5)
Steering committee is actively involved in the maintenance phase | 4 | Steering Committee will be established in a few months. |
Program sponsor is actively involved in the maintenance phase | 8 | Yes. |
BC Management meetings are held on weekly, monthly, and quarterly periods | 8 | Weekly with the sponsor and monthly with business unit managers |
Reports from the steering committee are presented to Board and senior management | 4 | Steering Committee will be established in a few months. |
Rules and regulations are monitored and reviewed | 1 | No. |

PM.11: External Coordination (section rating 3)
BC plan is coordinated with external public authorities | 3 | Through ERP. | Improve external coordination related to BC plan. Coordinate with ERP team to include BC plan's coordination requirements.
BC plan is coordinated with business partners | 1 | No. | Coordinate BC plan with business partners on a regular basis.
BC plan is coordinated with recovery vendors | 7 | Yes. |
Meetings are held regularly to coordinate BC plan with external entities | 1 | No. | Arrange regular meetings with external entities to coordinate BC plan activities.
BC Audits are conducted periodically | | |
BC Audits include internal and external auditors | | |
Audit recommendations are followed through | | |
Audits are done through expert auditors | | |

PM.12: BC Program Reviews (section rating 6.25)
BC program is reviewed periodically | 7 | We hold a monthly meeting with all business units to review relevant BC program activities and sections. |
BC plan document is reviewed frequently | 7 | BC coordinator and his team review the plan biweekly. |
Review involves all BC team members | 7 | Most team members, depending on what we are discussing at the time. |
Results of the reviews are presented to steering committee and program sponsor | 4 | Not yet. But we present it to our program sponsor. |

PM.13: Plan Document Maintenance (section rating 5.4)
Stored offsite and onsite | 6 | One copy is always with the BC coordinator on a memory card. One copy is with Iron Mountain. | Recommend storing a BC document at the hot site. If possible use a web-based planning tool.
Easily accessible during a disaster | 5 | Yes |
Secured | 8 | Yes. It is encrypted. |
Need-to-know list maintained | 3 | No. We have a common distribution list with access to all parts of the plan. | Develop a need-to-know distribution list.
Distribution list maintained | 5 | Yes. |

Program Budget

Section rating: 5.33

Question | Rating | Response
Separate annual budget allocated | 5 | It is part of the IT budget
Business area supporting the BC Program budget | 8 | Yes. Business managers are very supportive.
Source of budget | 3 | IT
Detail budget established for BC tools | 5 | Yes. Auditor note: Does it account for a specific tool and its cost? (We know the tool we want and its cost.)
Overall budget estimates established | 5 | We do not have a yearly budget but last year we spent $240K and this year it has increased to $300K.
Percentage of BC budget relative to annual revenue | 3 | IT budget is about $2.5M. Last year we spent about $240K on BC beyond people resources.
Overall budget established for individual projects | 7 | Business units have their own budgets for BC activities.
Overall budget established for hiring staff | 7 | We have put in the request to hire two more staff for next year.
Overall budget established for contracts | 7 | The budget for contracts will come out of the overall BC budget.
Overall budget established for recovery resources and services | 3 | Our recovery resource and service budget is mostly part of the overall BC budget. Auditor note: Find out if this budget is outside the IT budget. Yes, it is outside of the IT budget. Last year approximately $60K was spent on recovery resources and services.

Recommendations
- BC program needs a separate budget and should not simply be part of the IT budget.
- Work out a detailed budget for each phase, project, and activity.
- The budget needs to be between $500K and $800K.
- BC budget needs to be about 20 to 30 percent of the IT budget.
