PART 5 – CISA Domain 2 – Governance and Management of IT
- What is the classification of systems and their criticality analysis?
- What are the components of Business Continuity Planning (BCP)?
- What is Plan testing?
13. Classification of systems and criticality analysis:
- Critical – These functions cannot be performed unless they are replaced by identical capabilities.
- Vital – These functions can be performed manually, but only for a brief period of time (usually five days or less).
- Sensitive – These functions can be performed manually, at a tolerable cost and for an extended period of time. Although they can be performed manually, doing so is usually a difficult process that requires additional staff.
- Non-sensitive – These functions may be interrupted for an extended period of time, at little or no cost to the company, and require little or no catching up when restored.
Points to remember:
- The first resource to be protected when designing continuity plan provisions and processes – Human resources / people
- The first step in the business continuity life cycle is BCP scope, followed by risk assessment
- The insurance that covers losses incurred from dishonest or fraudulent acts by employees – Fidelity coverage
14. Components of Business Continuity Planning (BCP):
- Business Continuity Planning (BCP) – Provides procedures for sustaining mission/business operations while recovering from a significant disruption
- Continuity of Operations Plan (COOP) – Provides procedures and guidance to sustain an organization’s MEFs (Mission Essential Functions) at an alternate site for up to 30 days.
- Business resumption plan – Provides procedures for relocating information systems operations to an alternate location.
- Continuity of support plan / IT contingency plan
- Crisis communications plan
- Incident response plan
- Transportation plan
- Occupant emergency plan (OEP)
- Evacuation and emergency relocation plan
Points to remember:
- The authority to make a disaster declaration lies with the Business Continuity Coordinator or the backup personnel identified in the succession plan
- The primary responsibility for establishing organization-wide contingency plans lies with the Board of Directors.
15. Plan testing:
- Tests should be scheduled at a time that will minimize disruption to normal operations
- Key recovery team members should be involved in the test process and allotted the necessary time to put their full effort into it
- Tests should address all critical components and simulate actual prime-time processing conditions, even if the test is conducted in off-hours
- Test execution phases: Pre-test, Test, Post-test
Types of tests:
- Desk-based evaluation/paper test – A paper walk-through of the plan, involving major players in the plan’s execution who reason out what might happen in a particular type of service disruption.
- Preparedness test – Usually a localized version of a full test, wherein actual resources are expended in the simulation of a system crash.
- Full operational test – This is one step away from an actual service disruption. The organization should have tested the plan well on paper and locally before endeavoring to completely shut down operations.