
ISACA

The recognized global leaders in IT governance, control and assurance

2008 CISA Review Course

Chapter 6
Business Continuity and Disaster Recovery

Chapter Outline

6.1 Introduction
6.2 Business Continuity / Disaster Recovery Planning
6.3 Auditing Business Continuity (DRP + COOP + BRP)

6.1.1 Course Objectives

Review outline of Chapter 6
Discuss Task and Knowledge statements
Discuss specific topics within the chapter
Case studies
Sample questions

Exam Relevance
Ensure that the CISA candidate understands and can provide assurance that in the
event of a disruption the business continuity and disaster recovery processes
will ensure the timely resumption of IT services while minimizing the business
impact.
The content area in this chapter will represent approximately 14% of the CISA
examination (approximately 28 questions).

6.1.2 Chapter 6 Task Statements
T6.1 Evaluate the adequacy of backup and restore provisions to ensure the
availability of information required to resume processing.
T6.2 Evaluate the organization's disaster recovery plan to ensure that it
enables the recovery of IT processing capabilities in the event of a disaster.
T6.3 Evaluate the organization's business continuity plan to ensure its ability
to continue essential business operations during the period of an IT disruption.

6.3.1 Chapter 6 Knowledge Statements
KS6.1 Knowledge of data backup, storage, maintenance, retention and restoration
processes, and practices
KS6.2 Knowledge of regulatory, legal, contractual and insurance issues related
to business continuity and disaster recovery
KS6.3 Knowledge of business impact analysis (BIA)
KS6.4 Knowledge of the development and maintenance of the business continuity
and disaster recovery plans

6.3.1 Chapter 6 Knowledge Statements (continued)
KS6.5 Knowledge of business continuity and disaster recovery testing approaches
and methods
KS6.6 Knowledge of human resources management practices as related to business
continuity and disaster recovery (e.g., evacuation planning, response teams)
KS6.7 Knowledge of processes used to invoke the business continuity and disaster
recovery plans
KS6.8 Knowledge of types of alternate processing sites and methods used to
monitor the contractual agreements (e.g., hot sites, warm sites, cold sites)

6.2 Business Continuity/Disaster Recovery Planning
Business continuity planning (BCP) is a process
designed to reduce the organization's business risk
A BCP is much more than just a plan for the
information systems

6.2 Business Continuity/Disaster


Recovery Planning (continued)
Corporate risks could cause an organization to
suffer:
Inability to maintain critical customer services
Damage to market share, reputation or brand
Failure to protect the company assets including intellectual
properties and personnel
Business control failure
Failure to meet legal or regulatory requirements

Practice Question
6-1 During an audit of a large bank, the IS auditor observes that no
formal risk assessment exercise has been carried out for the
various business applications to arrive at their relative importance
and recovery time requirements. The risk to which the bank is
exposed is that the:
A. business continuity plan may not have been calibrated to the relative risk
that disruption of each application poses to the organization.
B. business continuity plan may not include all relevant applications and,
therefore, may lack completeness in terms of its coverage.
C. business impact of a disaster may not have been accurately understood
by the management.
D. business continuity plan may lack an effective ownership by the business
owners of such applications.

Practice Question
6-2 Which of the following is necessary to have
FIRST in the development of a business
continuity plan?
A. Risk-based classification of systems
B. Inventory of all assets
C. Complete documentation of all disasters
D. Availability of hardware and software

Practice Question
6-3 An IS auditor should be involved in:
A. observing tests of the disaster recovery plan.
B. developing the disaster recovery plan.
C. maintaining the disaster recovery plan.
D. reviewing the disaster recovery requirements of
supplier contracts.

6.2.1 Business Continuity/Disaster Recovery Planning
IS processing is of strategic importance:
Critical component of overall BCP
Most key business processes depend on the
availability of key systems and infrastructure
components

6.2.2 Disasters and Other Disruptive Events
Disasters are disruptions that cause critical
information resources to be inoperative for a
period of time.
Good BCP will take into account impacts on IS
processing facilities

6.2.3 BCP Process
Phases of the business continuity planning process
Creation of a business continuity and disaster recovery policy
Business impact analysis
Classification of operations and criticality analysis
Development of a business continuity plan and disaster recovery procedures
Training and awareness program
Testing and implementation of plan
Monitoring

6.2.5 BCP Incident Management Process
All types of incidents should be categorized:
Negligible
Minor
Major
Crisis

6.2.6 Business Impact Analysis
Critical step in developing the business continuity plan
Three main questions to consider during BIA phase:
1. What are the different business processes?
2. What are the critical information resources related to an
organization's critical business processes?
3. What is the critical recovery time period for information
resources in which business processing must be resumed
before significant or unacceptable losses are suffered?

6.2.6 Business Impact Analysis (continued)
What is the system's risk ranking?
Critical
Vital
Sensitive
Nonsensitive

Practice Question
6-4 The window of time for recovery of information
processing capabilities is based on the:
A. criticality of the processes affected
B. quality of the data to be processed
C. nature of the disaster
D. applications that are mainframe-based

6.3.7 Recovery Point Objective / Recovery Time Objective
Recovery Point Objective (RPO)
Based on acceptable data loss
Indicates earliest point in time in which it is acceptable
to recover the data

Recovery Time Objective (RTO)
Based on acceptable downtime
Indicates earliest point in time at which the business
operations must resume after a disaster

6.3.7 Recovery Point Objective / Recovery Time Objective (continued)
Additional parameters important in defining
recovery strategies:
Interruption window
Service delivery objective (SDO)
Maximum tolerable outages

Practice Question
6-5 When preparing a business continuity plan,
which of the following must be known to
establish a recovery point objective (RPO)?
A. The acceptable data loss in case of disruption of
operations
B. The acceptable downtime in case of disruption of
operations
C. Types of offsite backup facilities available
D. Types of IT platforms supporting critical business
functions

Practice Question
6-6 When preparing a business continuity plan,
which of the following must be known to
establish a recovery point objective (RPO)?
A. The acceptable data loss in case of disruption of
operations
B. The acceptable downtime in case of disruption of
operations
C. Types of offsite backup facilities available
D. Type of IT platforms supporting critical business
functions

6.2.8 Recovery Strategies
A recovery strategy is a combination of
preventive, detective and corrective measures.
The selection of a recovery strategy would
depend upon:
The criticality of the business process and the applications
supporting the processes
Cost
Time required to recover
Security

6.2.8 Recovery Strategies (continued)
Recovery strategies based on the risk level
identified for recovery would include developing:
Hot sites
Warm sites
Cold sites
Duplicate information processing facilities
Mobile sites
Reciprocal arrangements with other organizations

6.2.9 Recovery Alternatives
Types of offsite backup facilities
Hot sites - Fully equipped facility
Warm sites - Partially equipped but lacking
processing power
Cold sites - Basic environment
Duplicate (redundant) information processing facility
Mobile sites
Reciprocal agreement
Contract with hot, warm or cold site
Procuring alternative hardware facilities

6.1.9 Recovery Alternatives (continued)
Provisions for use of third-party sites should cover:
Configurations
Disaster
Speed of availability
Subscribers per site and area
Preference
Insurance
Audit
Reliability

6.1.9 Recovery Alternatives (continued)
Procuring alternative hardware facilities
Vendor or third-party
Off-the-shelf
Credit agreement or emergency credit cards

Practice Question
6-7 An IS auditor discovers that an organization's business
continuity plan provides for an alternate processing site that
will accommodate 50 percent of the primary processing
capability. Based on this, which of the following actions
should the IS auditor take?
A. Do nothing, because generally, less than 25 percent of all processing is
critical to an organization's survival and the backup capacity, therefore, is
adequate.
B. Identify applications that could be processed at the alternate site, and
develop manual procedures to back up other processing.
C. Ensure that critical applications have been identified and that the alternate
site could process all such applications.
D. Recommend that the information processing facility arrange for an alternate
processing site with the capacity to handle at least 75 percent of normal
processing.

6.2.10 Development of Business Continuity and Disaster Recovery Plans
Factors to consider when developing the plans:
Predisaster readiness
Evacuation procedures
Circumstances under which a disaster should be declared
Identification of plan responsibilities
Identification of contract information
Recovery option explanations
Identification of resources for recovery and continued operation
of the organization
Application of the constitution phase

6.2.11 Organization and Assignment of Responsibilities
The emergency management team coordinates the activities of
all other recovery teams. This team oversees:
Retrieving critical and vital data from offsite storage
Installing and testing systems software and applications at the systems recovery
Identifying, purchasing, and installing hardware at the system recovery site
Operating from the system recovery site
Rerouting network communications traffic
Reestablishing the user/system network
Transporting users to the recovery facility
Reconstructing databases
Supplying necessary office goods, i.e., special forms, check stock, paper
Arranging and paying for employee relocation expenses at the recovery facility
Coordinating systems use and employee work schedules

6.2.12 Other Issues in Plan Development
Management and user involvement is vital to the
success of BCP
Essential to the identification of critical systems, recovery
times and resources
Involvement from support services, business operations
and information processing support

Entire organization needs to be considered for BCP

6.2.13 Components of a Business Continuity Plan
A business continuity plan may consist of more
than one plan document:
Continuity of operations plan (COOP)
Disaster recovery plan (DRP)
Business resumption plan
Continuity of support plan/IT contingency plan
Crisis communications plan
Incident response plan
Transportation plan
Occupant emergency plan (OEP)

6.2.13 Components of a Business Continuity Plan (continued)
Components of the plan:
Key decision-making personnel
Backup of required supplies
Telecommunication networks disaster recovery
methods
Redundant array of inexpensive disks (RAID)
Insurance

Practice Question
6-8 In a business continuity plan, which of the
following notification directories is the MOST
important?
A. Equipment and supply vendors
B. Insurance company agents
C. Contract personnel services
D. A prioritized contact list

Practice Question
6-9 Which of the following components of a
business continuity plan is PRIMARILY the
responsibility of an organization's IS
department?
A. Developing the business continuity plan
B. Selecting and approving the strategy for the business
continuity plan
C. Declaring a disaster
D. Restoring the IS systems and data after a disaster.

6.2.13 Components of a Business Continuity Plan (continued)
Telecommunication networks disaster recovery
methods:
Redundancy
Alternative routing
Diverse routing
Long haul network diversity
Last mile circuit protection
Voice recovery

6.2.13 Components of a Business Continuity Plan (continued)
Redundant array of inexpensive disks (RAID)
Provide performance improvements and fault
tolerant capabilities via hardware or software
solutions.
Provide the potential for cost-effective mirroring
offsite for data back-up.

6.2.13 Components of a Business Continuity Plan (continued)
Insurance
IS equipment and facilities
Media (software) reconstruction
Extra expense
Business interruption
Valuable papers and records
Errors and omissions
Fidelity coverage
Media transportation

6.2.14 Plan Testing
Schedule testing at a time that will
minimize disruptions to normal operations
Test must simulate actual processing
conditions
Test execution:
Documentation of results
Results analysis
Recovery/continuity plan maintenance

Practice Question
6-10 In an audit of a business continuity plan
which of the following findings is of MOST
concern?
A. There is no insurance for the addition of assets during the
year.
B. The business continuity plan manual is not updated on a
regular basis.
C. Testing of the backup of data has not been done regularly.
D. Records for maintenance of the access system have not
been maintained

6.2.15 Backup and Restoration
Offsite library controls
Security and control of offsite facilities
Media and documentation backup
Periodic backup procedures
Frequency of rotation
Types of media and documentation rotated
Record keeping for offsite storage
Business continuity management best
practices

6.2.16 Summary of Business Continuity and Disaster Recovery
Business continuity plan must:
Be based on the long-range IT plan
Comply with the overall business continuity strategy

Process for developing and maintaining the BCP/DRP:
Business impact analysis
Identify and prioritize systems
Choose appropriate strategies
Develop the detailed plan for IS facilities
Develop the detailed BCP
Test the plans
Maintain the plans

6.3 Auditing Business Continuity (DRP + COOP + BRP)
Understand and evaluate business continuity
strategy
Evaluate plans for accuracy and adequacy
Verify plan effectiveness
Evaluate offsite storage
Evaluate ability of IS and user personnel to
respond effectively
Ensure plan maintenance is in place
Evaluate readability of business continuity
manuals and procedures

6.3.1 Reviewing the Business Continuity Plan
IS auditors should verify that basic elements of a
well-developed plan are evident including:
Currency of documents
Effectiveness of documents
Interview personnel for appropriateness and
completeness

6.3.2 Evaluation of Prior Test Results
IS Auditor must review the test results to:
Determine whether corrective actions are in the
plan
Evaluate thoroughness and accuracy
Determine problem trends and resolution of
problems

6.3.3 Evaluation of Offsite Storage
The IS auditor must:
Evaluate presence, synchronization and currency of
media and documentation
Perform a detailed inventory review
Review all documentation
Evaluate availability of facility

6.3.4 Interviewing Key Personnel
Key personnel must have an understanding of
their responsibilities
Current detailed documentation must be kept

6.3.5 Evaluation of Security of Offsite Facility
The IS auditor must:
Evaluate the physical and environmental access
controls
Examine the equipment for current inspection and
calibration tags

6.3.6 Reviewing Alternative Processing Contract
The IS auditor should obtain a copy of the
contract with the vendor
The contract should be reviewed against a
number of guidelines
Contract is clear and understandable
Organization's agreement with the rules

6.3.7 Reviewing Insurance Coverage
Insurance coverage must reflect actual cost of
recovery
Coverage of the following must be reviewed for
adequacy
Media damage
Business interruption
Equipment replacement
Business continuity processing

Case Study Scenario
Organization revising BCP and DRP for headquarters (750 employees)
and 16 branches (each with 20-35 employees and mail and file/print
server)
Current plans not updated in more than 8 years
Organization has grown by 300%
Staff connect via LAN to more than 60 applications, databases and
print servers in the corporate data centre
Staff connect via a frame relay network to the branches
Travelling users connect over the Internet using VPN
All users in the headquarters and branches connect to the Internet
through a firewall and proxy server located in the data centre

Case Study Scenario (continued)
Critical applications have RTO of 35 days
Branch offices are located between 30 and 50 miles from one another,
with none closer to the headquarters' facility than 25 miles
Backup media for the data center are stored at a third-party facility 35
miles away
Backups for servers located at the branch offices are stored at nearby
branch offices using reciprocal agreements between offices

Case Study Scenario (continued)
Current contract with third party hot site
3 year term, with equipment upgrades occurring at renewal time
25 servers
Work area space with PCs for 100 employees
Separate agreement to ship 2 servers and 10 PCs to any
branch declaring a disaster
Hot site provider has multiple sites in case the primary site is
in use by another customer or rendered unavailable by the
disaster

Case Study Questions
1. On the basis of the above information, which of the following should
the IS auditor recommend concerning the hot site?
A. Desktops at the hot site should be increased to 750
B. An additional 35 servers should be added to the hot site contract
C. All backup media should be stored at the hot site to shorten the RTO
D. Desktop and server equipment requirements should be reviewed quarterly

Case Study Questions
2. On the basis of the above information, which of the following
should the IS auditor recommend concerning branch office
recovery?
A. Add each of the branches to the existing hot site contract
B. Ensure branches have sufficient capacity to back each other up
C. Relocate all branch mail and file/print servers to the data center
D. Add additional capacity to the hot site contract equal to the
largest branch
