Audit and Assurance


IT Disaster Recovery Plan and BCP

  • 1.  IT Disaster Recovery Plan and BCP

    Posted 06 Sep, 2019 03:32
    Hello,
    Who is supposed to own or steer the IT DR plan and the organization's BCP?
    Thank you

    ------------------------------
    Getrude Kimani
    Senior Information System Auditor
    ------------------------------


  • 2.  RE: IT Disaster Recovery Plan and BCP

    Posted 06 Sep, 2019 18:36
    Business executives.  For practical reasons, you may form a committee of business functions and IT heads, each owning elements relevant to their units.

    The chair depends on the organization - in my experience, it's usually the SVP/CFO chairing it, for the obvious reason that this role has the widest appreciation of the business and understands the concept of risk management and controls.

    ------------------------------
    Marino Mata
    Auditor
    ------------------------------



  • 3.  RE: IT Disaster Recovery Plan and BCP

    Online Forum Topic Leader
    Posted 08 Sep, 2019 17:40
    Hello Gertrude,

    IT DR is linked to the organization's Business Continuity Management System. The accountability lies with the Board of Directors and the CEO. They may delegate the BC to the BC Manager and the IT DR to the IT Manager/CIO. He or she has to closely co-ordinate with the BC Manager to meet the business RTOs and RPOs.
    This is the international best practice.
    Cheers!
    Nalin

    ------------------------------
    Nalin Wijetilleke MBA, CISA, CGEIT, AFBCI, PMP, CMC
    2019 Online Forum Topic Leader
    Managing Director, ContinuityNZ Ltd.
    ------------------------------



  • 4.  RE: IT Disaster Recovery Plan and BCP

    Posted 09 Sep, 2019 02:48
    Hi
    I agree, the IT DR is linked to the BCM and the accountability lies with the Board of Directors. BCM should be the most important piece of the purpose and strategy of any organization. As such, it is owned by a Senior Manager of the organization. Business should not have RTOs nor RPOs.
    From an IT DR perspective, there are RTOs and RPOs. While operated by the IT Organization, the IT DR should be owned by the owner of BCM.
    Business has MTD or MTO (Maximum Tolerable Downtime or Outage), and MTD is the outcome of the Business Impact Analysis (BIA).
    MTD = RTO + WRT
    The WRT is the Work Recovery Time, which is the necessary time to recover from the data loss. As there is a loss of data from the last consistent back-up to the disaster, these data or some equivalent information should be reconstructed before resuming normal operations.
    The picture below provides a view of all these elements of BCM.


    ------------------------------
    Mamane IBRAHIM
    PMP, CISA, CRISC, CISSP, CCSP, GPEN, ISO 27k Lead Auditor
    Audit Director, Information Security & Privacy
    ------------------------------



  • 5.  RE: IT Disaster Recovery Plan and BCP

    Online Forum Topic Leader
    Posted 10 Sep, 2019 03:32
    Hello Mamane,

    Thanks for your input. With regard to your statement to say that 'business should not have RTOs nor RPOs', I disagree. In fact, that is the crux of the Analysis to arrive at designing 'fit-for-purpose' strategies for response and recovery, and Business Continuity Plans are developed accordingly. (Reference: ISO 22301:2012 Business Continuity Management System Standards AND The Business Continuity Institute Good Practice Guidelines (GPG) 2018, GPG Lite 2018 Edition: https://www.thebci.org/resource/gpg-lite-2018-edition.html )

    Cheers!

    Nalin


    ------------------------------
    Nalin Wijetilleke MBA, CISA, CGEIT, FBCI, PMP, CMC
    2019 Online Forum Topic Leader
    Managing Director, ContinuityNZ Ltd.
    ------------------------------



  • 6.  RE: IT Disaster Recovery Plan and BCP

    Posted 10 Sep, 2019 07:17
    Hello Nalin
    The MTD is defined during the Business Impact Analysis, and from there all the different concepts are added. The Business will not say: "I want RTO=4hrs and RPO=8hrs"! They are more able to say: "I can't accept an outage of more than 6hrs" or whatever.
    IT Operations will translate that into RTO and RPO. My point is that usually the WRT is not factored in, and you can end up having an application recovered without business personnel being able to resume normal operations.
    BCM wise, a disaster may have many causes and still the Business-defined MTD remains. That's why the Senior Business Executives should focus on MTD (which, by the way, factors in the RPO & RTO!).
    Cheers!
    Mamane

    ------------------------------
    Mamane IBRAHIM
    PMP, CISA, CRISC, CISSP, CCSP, GPEN, ISO 27k Lead Auditor
    Audit Director, Information Security & Privacy
    ------------------------------
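An added example, not code from any post in this thread: it applies the relation MTD = RTO + WRT from post 4 to a set of DR designs and flags the case post 6 describes, an application restored within its RTO while the business still cannot resume within its MTD because the WRT was never counted. The process names and hour figures are constructed sample values (the "payments" row reuses the 4 h / 8 h / 6 h figures quoted in post 6).

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class DrDesign:
    process: str
    mtd_hours: float  # Maximum Tolerable Downtime, set by the business in the BIA
    rto_hours: float  # Recovery Time Objective, IT's time to restore the system
    rpo_hours: float  # Recovery Point Objective, age of the last consistent backup
    wrt_hours: float  # Work Recovery Time, time to re-create data lost since that backup


MEETS = "meets MTD"
FAILS_RTO = "fails: RTO alone exceeds MTD"
FAILS_WRT = "fails: RTO fits but RTO + WRT exceeds MTD"


def classify(d: DrDesign) -> str:
    """Apply MTD = RTO + WRT: the outage the business experiences ends when the
    lost work has been re-entered, not when IT has restored the system."""
    if d.rto_hours > d.mtd_hours:
        return FAILS_RTO
    if d.rto_hours + d.wrt_hours > d.mtd_hours:
        return FAILS_WRT
    return MEETS


def hidden_failures(designs: List[DrDesign]) -> List[str]:
    """Processes that pass an RTO-only review but breach the business MTD."""
    return [d.process for d in designs if classify(d) == FAILS_WRT]


# Constructed sample values (not from the thread). rpo_hours is carried for the
# report: the longer the gap to the last backup, the more work feeds the WRT.
SAMPLE = [
    DrDesign("payments", mtd_hours=6, rto_hours=4, rpo_hours=8, wrt_hours=3),
    DrDesign("payroll", mtd_hours=24, rto_hours=8, rpo_hours=24, wrt_hours=6),
    DrDesign("reporting", mtd_hours=4, rto_hours=8, rpo_hours=4, wrt_hours=1),
]

if __name__ == "__main__":
    for d in SAMPLE:
        total = d.rto_hours + d.wrt_hours
        print(f"{d.process:10s} RTO+WRT={total:>4} h  MTD={d.mtd_hours:>3} h  -> {classify(d)}")
    print("would pass an RTO-only review but breach MTD:", hidden_failures(SAMPLE))
```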



  • 7.  RE: IT Disaster Recovery Plan and BCP

    Online Forum Topic Leader
    Posted 10 Sep, 2019 17:09
    Hello Mamane,

    I agree with you 100% that MTD or MTPD is determined during the BIA. It is the first time measurement that has to be set for a product, process or activity, before determining the RTO. I may state the ISO definition: 'MTPD - the time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable.' Thereafter, the RTO and RPO (if relevant) are determined collectively and consensus obtained. This is a MUST. Those values are then discussed with the IT management and finalised, after making adjustments if necessary.
    As mentioned, this is the global best practice, adopted by ISO as well as BCI & DRII. As an implementer, reviewer, and auditor over the past two decades, I adhere to this approach and have had no issues at all.

    Cheers!

    Nalin

    ------------------------------
    Nalin Wijetilleke MBA, CISA, CGEIT, FBCI, PMP, CMC
    2019 Online Forum Topic Leader
    Managing Director, ContinuityNZ Ltd.
    ------------------------------



  • 8.  RE: IT Disaster Recovery Plan and BCP

    Posted 11 Sep, 2019 09:49
    Good morning dear:

    I will respond to all who gave their opinion, and I respect their points of view:

    In my experience as an External IT Auditor currently of 10 Banks, through an International Audit Firm I can see that:

    The IT DR is an important part of the BCP. Senior management is responsible for the BCP being effective and generally delegates to a Continuity Committee that is made up of the Continuity Manager, VP of Operations, IT VP, Information Security Manager, Risk Manager, Internal Audit (as guest or seer). All together harmoniously develop the BCP. But IT DR is developed in more detail by the IT Area, as is obvious.

    During the development of the BCP, the BIA (Business Impact Analysis) and Risk Analysis must be developed. The BIA determines the critical processes, the technological infrastructure that supports it, the RPO, the RTO and the other variables that all of you mentioned, etc. This determines the recovery strategy, replication to an Alternate Site or Backup Copies.

    At any given time, it is the Continuity Committee who verifies that the IT DR is effective and efficient and that the RPO and RTO are complied with, by means of recovery tests for planned disasters.

    There is much to say about these plans, but I have tried to summarize what I have seen in practice and what has given good results.

    Best regards,

    Platinum Member ISACA

    Director of CISA Certifications

    ISACA Santo Domingo Chapter



    ------------------------------
    Wilson Andia Cuiza
    Audit Director of Information Technology
    ------------------------------