Business Continuity Management
Field Report from an Audit Point of View
ISACA Swiss Chapter - After Hour Seminar – 28 August 2006 - Urs Voigt - Group Internal Audit
GENERALLY ACCESSIBLE
2 ISACA After Hour Seminar – 28 August 06 - Business Continuity Management - Urs Voigt, Group Internal Audit-IT
Table of Contents
SECTION 1  Introduction
SECTION 2  Approach
SECTION 3  Framework
SECTION 4  Report and Follow-Up
SECTION 5  Summary
SECTION 6  Supplementary Information
SECTION 1
UBS
Global Group, 50 countries, ~70'000 employees, distributed IT infrastructure
Three Business Groups / Corporate Center
Business Continuity Management for every Business Group
Group Internal Audit organisation with ~ 300 employees
Interfaces
Interfaces of Group Internal Audit (diagram): Regulators (EBK, FED, FSA, ...), External Audit, Staff members, Board of Directors, Chairman's Office / Audit Committee, Auditee, Group Executive Board, Corporate Center / Business Groups
Goals for the Presentation
Audit Scope
– UBS Global WM&BB, Switzerland
– Important business areas and processes
– Top business applications and IT infrastructure services
Presentation Objectives
– Field report of the BCM framework from an audit perspective
– Status of Business Continuity Management
– Point to critical areas for BCM
Possible Definition for BCM
"Business Continuity Management is a holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities."
SECTION 2
Approach
Approach not risk based
Does not focus on core business processes
Impact not always quantified
Disaster scenarios in detail not defined
The Chinese Disaster Prediction
UBS Approach
Address important external requirements such as:
– Regulators (e.g. EBK, FED [1])
– Financial service providers (e.g. SNB)
– Clients
Address important internal requirements such as:
– Group Risk Policy
– BCM strategy
  o Identify critical business processes (applications)
  o Governance and reporting model
  o Macro Risk Assessment
– Standards, Guidelines (e.g. COBIT, ISO17799, ISF, COSO)
– Sponsor (e.g. business)
[1] Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, April 2003
Threats
Changes to systems and processes
Disruption of services or facilities
Misuse of infrastructure
Loss of facilities (e.g. earthquake)
Loss of staff (e.g. fire, pandemic)
Human errors
Third party failure
BCM Workflow Process
Strategic
1. Commitment from sponsors (senior management)
2. Risk Policy
3. Strategy
Tactic & Operations
4. Implementation Plan
5. Test Concept
6. Measurement and Review
SECTION 3
Framework
Elements of the BCM framework (diagram): Regulatory Requirements, Governance Model, BCM Group Risk Policy, BCM Strategy, Standards & Guidelines, Business Impact Analysis, Test Strategy, First Cut Risk Analysis, Crisis Mgmt., Terms of Reference, BCM Concept, Test Plan, Working Group, Backup & Recovery, SLA, Document Mgmt., Awareness Initiative, IT Infra. Services, Business Apps., Risk Register, Training Program
The Basis
Regulatory Requirements: Are the basis for industry-specific requirements in the countries (e.g. FED (US), FSA (UK), MAS (Singapore))
BCM Group Risk Policy: Provides guidance on certain aspects of sound BCM that must be applied
BCM Strategy: Aims to ensure full compliance with the regulatory requirements and the group operational risk policy
Terms of Reference: The ToR specify the time scale, data loss and functional requirements for appropriate disaster mitigation
The Basis (cont.)
First Cut Risk Analysis: The FCRA investigates the impact (risk) on the business process of unavailability of key staff and critical IT applications (e.g. financial losses, reputation risk).
Business Impact Analysis: The BIA analyses the critical business processes and their continuity requirements (e.g. identification of key personnel and their recovery location).
Governance Model: Establish Departmental Recovery Plans defining recovery strategy, staff recovery, recovery location information and dependencies. Summary contact information and an activity check list complement the DRP.
Standards & Guidelines: Define the requirements and provide guidance (e.g. test standards, risk policy).
Example_1
Risk ranking (example)
Critical Business Processes (examples): HR, Logistics, Account Opening, Payments & Cash, Securities, Credit Monitoring
Criticality of Business Processes and Targets for Business Resumption (Terms of Reference):
  Subsidiary       – Within 72 Hours
  Mission Critical – Within 24 Hours
  Systemic         – Transparent; within 3 Hours
Example_1 (cont.)
Assessment for disaster tolerance of business applications (Terms of Reference):
– Redundancy, Separation, Capacity
Example_2
Business Impact Analysis:
– Critical business applications
– Key people and 3 / 24 / 72 hour team
– Backup IT environment at the alternate site
Example_3
Governance Model (diagram); bodies shown: Group Steering Committee, BCM Steering Committee, BCM Working Group, Risk Control Committee, Business Group (BG), Business Areas, IT Operations, Risk Management, Risk Control
Testing in Production
Test framework
– Dimensions: Time, place, frequency, budget
– Elements: Test types, objectives, business units
– Relationship: Test organisation, tasks, documentation, actions
Example (Test Plan):
Test Type: Front to Back (F2B); end-to-end process test with all units involved in the test procedure
Use: • Highly critical processes / infrastructure • After big moves, reorganizations
Frequency: • Annually for very critical processes • 2-3 year intervals. In case of IT fail-over exercises, Front to Back tests (F2B) have to be negotiated
Responsibility: Business or IT
Parties Involved: Business Units, Security Risk Mgmt., IT
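As an added example (not from the presentation and not UBS code), the following Python script applies the resumption targets of Example_1 (Subsidiary 72 h, Mission Critical 24 h, Systemic 3 h) together with the F2B frequency rule from the test plan above (annually for very critical processes, 2-3 year intervals otherwise) to a constructed BIA register, and reports the findings an auditor would raise: processes never tested front to back, tests that are overdue, and tests whose measured recovery time missed the target. The tier-to-interval mapping, the 3-hour reading of "Transparent", the sample processes, the reference date and all function names are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Business resumption targets from the deck's Example_1, in hours.
# Assumption: the "Transparent" target for Systemic processes is treated as
# a 3-hour ceiling, i.e. the stricter of the two bullets on that row.
RESUMPTION_TARGET_HOURS: Dict[str, int] = {
    "Systemic": 3,
    "Mission Critical": 24,
    "Subsidiary": 72,
}

# Assumed test-interval rule derived from the F2B row of the test plan:
# annually for the most critical tier, at most every three years otherwise.
MAX_TEST_INTERVAL_DAYS: Dict[str, int] = {
    "Systemic": 365,
    "Mission Critical": 3 * 365,
    "Subsidiary": 3 * 365,
}


@dataclass
class ProcessRecord:
    """One row of a constructed BIA register (hypothetical structure)."""
    name: str
    criticality: str
    last_f2b_test: Optional[date]             # None = never tested front to back
    achieved_recovery_hours: Optional[float]  # measured in that test, if any


def resumption_target(criticality: str) -> int:
    """Return the business-resumption target (recovery time in hours) for a tier."""
    try:
        return RESUMPTION_TARGET_HOURS[criticality]
    except KeyError:
        raise ValueError(f"unknown criticality tier: {criticality!r}") from None


def assess_process(rec: ProcessRecord, as_of: date) -> List[str]:
    """Return audit findings for one process; an empty list means no issue."""
    findings: List[str] = []
    target = resumption_target(rec.criticality)
    max_days = MAX_TEST_INTERVAL_DAYS[rec.criticality]

    # Finding 1: test coverage and frequency against the assumed interval rule.
    if rec.last_f2b_test is None:
        findings.append("never tested front to back")
    else:
        age = (as_of - rec.last_f2b_test).days
        if age > max_days:
            findings.append(f"test overdue: last F2B test {age} days ago, limit {max_days}")

    # Finding 2: measured recovery time against the Terms-of-Reference target.
    if rec.achieved_recovery_hours is None:
        findings.append("no measured recovery time on record")
    elif rec.achieved_recovery_hours > target:
        findings.append(f"recovery {rec.achieved_recovery_hours}h exceeds target {target}h")
    return findings


def audit_register(records: List[ProcessRecord], as_of: date) -> Dict[str, List[str]]:
    """Assess every process in the register and map its name to its findings."""
    return {rec.name: assess_process(rec, as_of) for rec in records}


# Constructed sample register; tier assignments are illustrative, not UBS data.
SAMPLE_REGISTER: List[ProcessRecord] = [
    ProcessRecord("Payments & Cash", "Systemic", date(2006, 3, 1), 2.5),
    ProcessRecord("Securities", "Mission Critical", date(2003, 1, 10), 20.0),
    ProcessRecord("Account Opening", "Mission Critical", None, None),
    ProcessRecord("HR", "Subsidiary", date(2005, 6, 1), 96.0),
]
AS_OF = date(2006, 8, 28)  # the seminar date, used as the audit reference date


def run_sample_audit() -> Dict[str, List[str]]:
    """Run the audit over the constructed register as of the reference date."""
    return audit_register(SAMPLE_REGISTER, AS_OF)


if __name__ == "__main__":
    for name, findings in run_sample_audit().items():
        status = "; ".join(findings) if findings else "OK"
        print(f"{name:16} {status}")
```

Each finding maps directly onto a line of the audit report shown in Section 4 (issue description and risk), and the reference date makes the overdue check reproducible, which is the evidence the follow-up phase needs.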
Testing (cont.)
Test Case 1 (Infrastructure Test), diagram: Data Center, Apps., Business Location; Primary Site and Alternate Site
Testing (cont.)
Test Case 2 (Business Test), diagram: Data Center, Apps., Business Location; Primary Site and Alternate Site
SECTION 4
Reporting and Follow-up Process
Process
Report:
– Executive summary
– Issue description, risk
– Audit recommendation
– Management comment (action, responsibility, deadline)
Chairman's Office, Group Executive Board, Line/Functional Management
Process phases (each with its key deliverable):
Planning: • Risk Identification → Assessment
Fieldwork: • Control Measures → Test Pgm.
Reporting: • Findings → Report
Follow-Up: • Monitor Action → Evidence
SECTION 5
Summary, Q & A
Summary
Governance: Management commitment
Strategy: High complexity due to the dependency between business processes, business organisation, culture and IT
Risk Management: High expectations from the regulators, the industry and the clients
Testing: Maintenance and test arrangements
SECTION 6
Supplementary Information
Useful Links
EBK: http://www.ebk.admin.ch/d/
BSI: http://www.bsi.de
ISF: http://www.securityforum.org/html/frameset.htm
SNB: http://www.snb.ch/d/index3.html
R/D: http://recovery-disaster.info/?gclid=CLrs2pbi1IMCFSVaEAodnVLH5A
MI5: http://www.mi5.gov.uk/output/Page267.html
Business Continuity World: http://www.business-continuity-world.com/
ISO 17799: http://www.17799central.com/
Infosyssec: http://www.infosyssec.net/infosyssec/security/buscon1.htm
ISACA: http://www.isaca.org/template.cfm?section=home
COSO: http://www.coso.org/
ITIL: http://www.itil.org/
BCF: http://www.continuitysoftware.com/TheBCForum/
NIST: http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/chapter11.html#84
BCM Institute: http://www.thebci.org/