PRESENTATION OF THE GUIDELINE
G32 Business Continuity Plan (BCP)
Review from IT Perspective
Peter Grasselli, CISA, CISSP
SLOVENSKI INŠTITUT ZA REVIZIJO
Ljubljana
Contents of the guideline
 1. Background
 2. Brief description of the BCP from the IT perspective
 3. Independence
 4. Competence
 5. Planning
 6. Performing the BCM review from the IT perspective
 7. Reporting
 8. Follow-up
 9. Effective date
NOTICE
Guidelines provide guidance in applying IS auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure.
The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.
ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors. ISACA makes no claim that use of this product will assure a successful outcome.
1. Background
 • S6 Performance of audit work
 • DS 4 Ensure continuous service
 • purpose
   • description of the usual procedure for reviewing the BCP from the IT standpoint
   • identification, documentation, verification and assessment of the controls the organisation has implemented in the area of the BCP process (from the IT perspective)
 • terminology
1.6 Terminology
 • Business continuity plan (BCP): Slovene term načrt neprekinjenega poslovanja (NNP)
 • Business impact analysis (BIA): Slovene term analiza poslovnih posledic (APP)
 • Disaster recovery plan (DRP): Slovene term okrevalni načrt (ON)
[Figure: BCM life cycle. Stages shown: BIA; risk assessment; BCM strategy; BCM programme management; development and implementation of BCM plans; BCM maintenance and testing; building a BCM culture.]
2. Brief description of the BCP from the IT perspective
(presenter's remarks on this section of the guideline: unclear, repetitive)
2.1.2 BCP components include the following:
 • Identification—Identify potential threats and risks of the business.
2.2.1 An essential element of BCP is risk assessment, which involves the task of identifying and analysing the potential vulnerabilities and threats, including the source.
Indicators of process importance:
 • the process is important for the life, health or safety of people
 • the objective of the process is to meet legislative or statutory requirements
 • an interruption of the process would mean a loss of revenue
 • a loss of reputation of the company or of its customers could occur
[Figure: BCM life cycle. Stages shown: BIA; risk assessment; BCM strategy; BCM programme management; crisis management; development and implementation of BCM plans; BCM maintenance and testing; building a BCM culture.]
Description of business continuity management:
 • Blanka Šauperl, Nataša Žabkar: Življenjski cikel upravljanja neprekinjenega poslovanja (The life cycle of business continuity management), Zbornik 12. Med. Konference o revidiranju in kontroli IS, 2004
 • Renato Burazer, Pavle Golob: Načrt neprekinjenega poslovanja – tehnični vidik postavitve in preizkušanja (Business continuity plan: the technical aspect of set-up and testing), Zbornik 12. Med. Konference o …, 2004
 • PAS 56: Guide to business continuity management
 • ITIL: Service delivery, IT Service Continuity Management
3. Independence
4. Competence
 • The necessary knowledge and experience to review the BCP area and the individual components of BCP processes (business continuity management)
 • Able to assess whether the BCP is aligned with the needs of the organisation.
 • Understand the business environment, the organisation's objectives, legal requirements, business objectives, business processes, the information needs of those processes, the strategic importance of IS and the degree of alignment of IS with the organisation's strategy.
5. Planning
Scope and objectives of the review
 • effectiveness
 • efficiency
 • availability
 • compliance
 • confidentiality
 • integrity
 • reliability
5. Planning
Scope and objectives of the review
Take into account the development stage of the BCP in the organisation
[Figure: BCM maturity levels, from highest to lowest:]
 • Optimising: continuous improvement of processes
 • Managed: processes are measured quantitatively
 • Defined: processes are formalised and approved
 • Repeatable: dependent on individuals
 • Initial
6. Performing the BCM review from the IT perspective
6.1. Performance
 • document review
 • at least a basic assessment of risks, including risks in the IT area
[Figure: BCM documentation hierarchy with three levels: BCM programme governance (VODENJE PROGRAMA UNP), business continuity plans (NAČRTI NEPREKINJENEGA POSLOVANJA) and BCM programme execution (IZVAJANJE PROGRAMA UNP). Recoverable document labels: BCM policy, BCM strategy, crisis management plan, business continuity plan, recovery plans (process 1, process 2, …), test plans (process 1, process 2, …), instructions for employees, operator instructions, work instructions.]
6. Performing the BCM review from the IT perspective
6.1. Performance
document review
NOTE: BCP deficiencies and implemented changes
 • incident reports
 • test reports
 • review reports
 • interviews with employees and service technicians
 • inspection of equipment
6. Performing the BCM review from the IT perspective
6.1. Performance
document review
NOTE: BCP deficiencies and implemented changes
testing
 • accuracy and completeness of the BCP
 • training level of the teams
 • coordination between the teams
 • availability and capacity of the backup site
 • condition and quantity of the equipment relocated to the backup site
 • as a rule, the test should be carried out at the time of BCP testing
Review the test plan:
 • assess the work of the staff
 • preparation for testing
 • testing
 • conclusion of testing
 • test report
6. Performing the BCM review from the IT perspective
6.2. Aspects of the review
 • Why does it need to be done?
 • How will we do it?
 • Who will do it? Who will maintain it?
 • What needs to be done?
 • When must it be done? When is the disaster over?
 • Which policies, rules and standards will we follow?
6. Performing the BCM review from the IT perspective
6.2. Aspects of the review
6.2.2 Organisational aspects should be reviewed to consider that:
 • The BCP is consistent with the organisational overall mission, strategic goals and operating plans
 • The BCP is routinely updated and considered current
 • The BCP is periodically tested, reviewed and verified for continuing suitability
 • Budget allocation is available for the BCP testing, implementation and maintenance
 • Risk analyses are performed routinely
 • A formal procedure is in place to regularly update the IT and telecom inventory
 • Measures to maintain an appropriate control environment (such as segregation of duties and control access to data and media) are in place in case of a contingency
 • Enablers are identified and the individuals’ roles and responsibilities are adequately defined, published and communicated. Core teams such as: the emergency action team, damage assessment team, emergency management team, …
 • Communication channels are fully documented and publicised within the organisation
 • The interface and its impact between departments/divisions within the organisation is understood
 • Roles and responsibilities of external service providers are identified, documented and communicated
 • Coordination procedures with external service providers and customers are documented and communicated.
 • Management and personnel of the organisation have the required skills to apply the BCP and an appropriate training programme is in place
 • BCP teams have been identified for various BCP tasks, clearly establishing roles and responsibilities and management reporting that defines accountability
 • Compliance with statutory and regulatory requirements is maintained
[Figure: further organisational review points from the guideline, laid out around the slide; the points already listed under 6.2.2 above are repeated in the figure and omitted here. Recoverable text:]
 • There are appropriate incident response plans in place to manage, contain and minimise problems arising from unexpected events, including internal or external events
 • There is a periodic review of risks: changes in the risks and the corresponding effect on the BCP
 • The BIA includes the triggering events and their potential impacts
 • The BIA identifies key recovery time frames of the critical business processes
 • Resources and their recovery have been prioritised and communicated to the recovery teams
 • An appropriate schedule is in place for BCP testing and maintenance (onsite test, simulation, …)
 • The planned IS technology architecture for the BCP is feasible and will result in safe and sound operations if a business interruption impacts key IT processes
 • The BCP is reviewed at periodic intervals to confirm its continuing suitability
 • A methodology to determine activities that constitute each process is in place as part of a key business process analysis
 • Adequate emergency response procedures are in place and tested
 • Top priority is provided for safety of employees, and critical BCP personnel and resources
 • A risk assessment and BIA were performed before the BCP
 • The people involved in the disaster recovery process are clearly identified and their roles and responsibilities are delineated throughout the organisation
 • Alternative communications strategies are identified
 • A BCP life cycle exists and whether it is followed during development, implementation, maintenance and upgrade
 • There is adequate insurance protection
 • Backup human resources are identified and available
 • Evacuation plans are in place and are periodically tested
 • Backup and recovery procedures are part of the BCP
 • Cell, telephone or other such communication call trees have been reviewed, tested and routinely updated
 • Backups are retrievable
 • Appropriate offsite records are maintained
 • An appropriate backup rotation practice is in place
 • Corrective actions are initiated based upon test results
 • Offsite locations (hot, warm or cold sites) are tested for availability and reliability
 • Top management is a serious driving force in implementation of the BCP
 • Confidentiality and integrity of data and information are maintained
 • The BCP is periodically tested and the test results, with their effect to the business in the event of a disaster, are documented
 • Awareness is created across the entire organisation
 • Media liaison strategies are in place, where appropriate
 • Appropriate levels of training are conducted including mock test drills
6. Performing the BCM review from the IT perspective
6.3 Outsourcing of services
 • alignment of the user's and the provider's BCP
 • how the service user has ensured that the service will comply with its BCP
 • whether the contract provides for the possibility of an audit review by the user
 • whether the user is adequately protected in the event of an interruption of the provider's business
 • whether the contract provides for the delivery of services in the event of a disaster
 • ensuring the integrity, confidentiality and availability of data at the provider
 • access controls and security management at the provider
 • the provider reports incidents and the measures taken after them
 • oversight of the network, change management and testing
7. Reporting
 • to the audit committee
 • to management
 • BCP weaknesses:
   • to the business process owner
   • to the person responsible for the BCP in IS
   • significant ones: to management
8. Follow-up
The consequences of weaknesses in the BCP usually cover a wide area and represent a high risk.
The IS auditor should, where appropriate, promptly and sufficiently follow up whether management has taken immediate action.
To adequately ensure the effectiveness of the review, the IS auditor should perform a repeat review and verify whether the recommendations have been implemented and whether the corrective measures introduced are effective.
9. The guideline is to be applied from 1.9.2005 (1 September 2005)
QUESTIONS