5. Domain 2 – Governance and Management of IT.pdf

Full Transcript

IT Auditing 1
Corporate Governance:
 Corporate Governance is the system by which business corporations are directed
and controlled.

 It is a set of responsibilities and practices used by organizations management to
provide strategic direction, thereby ensure:
- goals are achievable
- risks are properly addressed and,
- organizational resources are properly utilized

2
 Governance consist of
- framework,
- principles,
- structure,
- processes and
- practices

to set direction and monitor compliance and performance aligned with the overall
purpose and objectives of an enterprise.

3
 IT Governance is the responsibility of the board of directors and executive
management.

 It is an integral part of enterprise governance

 Consists of the leadership, organizational structures and processes that ensures
that the organization’s IT sustains and extends the organization’s strategies and
objectives.

IT governance provides a structure for aligning IT strategy with
business strategy.
4
Implementation the GEIT framework addresses the following:

1. IT resource management

2. Performance management

3. Compliance management

5
Some of the GEIT frameworks are:

1. COBIT 5
2. ISO/IEC 27001
3. ITIL – Information technology infrastructure library
4. ISM3 – The information security management maturity model
5. ISO/IEC 3800:2008 corporate governance of IT
6. ISO/IEC 20000

6
The goals of IT governance are to ensure that:
 IT investments generate business value, and
 to mitigate IT risks.

7
Audit role in GEIT

 Audit plays a significant role in the successful implementation of IT governance
within an organization.

 Audit provide leading practice recommendations to senior management.

 Audit helps ensure compliance with GEIT initiatives implemented within an
organization.

8
The following aspects related to EGIT need to be assessed:

 How enterprise governance and EGIT are aligned

 Alignment of the IT function with the organization’s mission, vision, values, objectives and
strategies
 Achievement of performance objectives (e.g., effectiveness and efficiency) established by the
business and the IT function
 Legal, environmental, information quality, fiduciary, security and privacy requirements

 The control environment of the organization

 The inherent risk within the IS environment

 IT investment/expenditure

9
 Two committees:

1. IT Strategy Committee

2. IT Steering Committee

10
11
 IS are crucial in the support, sustainability and growth of enterprise.
 Enterprises faces internal and external threats i.e.

 IS resource abuse
Cybercrime
 Fraud
Errors and omissions

 IS strategic processes are integral components within organization governance
structure to provide reasonable assurance that both exiting and emerging
business goals and objectives will be attained as a critical facilitators for
enhancement of competitive advantage.

12
 Strategic planning from an IS standpoint relates to the long term direction an
enterprise want to take in leveraging IT for improving its business processes.

 IT department management along with IT steering committee plays a key role in
implementation of the plans.

Role of IS auditor:
 Should pay full attention to the importance of IS strategic planning, taking
management control practices into consideration.
 Focus on the importance of strategic planning process or planning framework.
 Should consider how the CIO or senior management are involved in the creation of
the overall business strategy.

13
 Enterprises face challenges of using its limited resources, including people and
money, to achieve its goals and objectives.

 An IS auditor should understand an enterprise’s investment and allocation
practices to determine whether the enterprise positioned to achieve the greatest
value from the investment of its resources.

Financial benefits: impact on the organization’s budget and finances.

Non-financial benefits: impact on operations and mission performance and results
(e.g. improved customer satisfaction, better information).

14
 Decision makers make IT project selection decisions based upon the perceived
value of the investment.

 IT value is determined by the relationship between what the organization will pay
(costs) and what it will receive (benefits).

 The larger the benefit in relation to cost, the greater value of the IT projects.

15
IT-RELATED FRAMEWORKS

The frameworks help organizations address business issues through governance and management of
information and technology.

 Examples of EGIT frameworks include the following:

1. COBIT, developed by ISACA to support EGIT which ensure that IT is aligned with business IT
enables the business and maximizes benefits, IT resources are used responsibly, and IT risk is
managed appropriately.
2. ISO/IEC 27000 series is a set of best practices that provides guidance to organizations
implementing and maintaining information security programs. ISO/IEC 27001 has become a well-
known standard in the industry.
3. The Information Technology Infrastructure Library (ITIL®) was developed by the UK Office of
Government Commerce (OGC), in partnership with the IT Service Management Forum, and is a
detailed framework with hands-on information regarding how to achieve successful operational service
management of IT. It also includes business value delivery.
4. The Open Information Security Management Maturity Model (OISM3) is a process-based ISM
maturity model for security.
5. ISO 3100:2018: Risk management—Guidelines provides guidelines on and a common approach
to risk management for organizations. 16
2.5 IT STANDARDS, POLICIES AND PROCEDURES

STANDARDS
 A standard is a mandatory requirement, code of practice or specification approved by a
recognized external standards organization.
 Professional standards refer to standards issued by professional organizations, such as
ISACA, with related guidelines and techniques that assist the professional in implementing and
complying with other standards.

POLICIES
 Policies are the high-level statements of management intent, expectations and direction.

 Well developed high-level policies in a mature organization can remain fairly static for extended
periods.
 Management should review all policies periodically. Ideally, these documents should specify a
review date, which the IS auditor should check for currency.
 Policies need to be updated to reflect new technology, changes in environment (e.g., regulatory
compliance requirements), and significant changes in business processes in exploiting IT for
efficiency and effectiveness in productivity or competitive gains.
17
 IS auditors should understand that policies are a part of the audit scope and test the policies for
compliance.

 IS controls should flow from the enterprise’s policies and IS auditors should use policies as a
benchmark for evaluating compliance.

 However, if policies exist that hinder the achievement of business objectives, these policies
must be identified and reported for improvement.

 The IS auditor should also consider the extent to which the policies apply to third parties or
outsourcers, the extent to which third parties or outsourcers comply with the policies, and
whether the policies of the third parties or outsourcers are in conflict with the enterprise’s
policies.

18
Information security policies:
 Communicate a coherent security standard to users, management and technical
staff

 Must balance the level of control with the level of productivity

 Provide management the direction and support for information security in
accordance with business requirements, relevant laws and regulations

19
Information security policies Document:

 Definition of information security
 Statement of management intent
 Framework for setting control objectives
 Brief explanation of security policies
 Definition of responsibilities
 References to documentation

20
Information Policy Groups:

 High level information security policy

 Data classification policy

 Acceptable usage policy

 End user computing policy

 Access control policies

21
Examples of Policies:

 High‐level Information Security Policy

 Data Classification Policy

 Acceptable Usage Policy

 End User Computing Policy

 Access Control Policies

22
Review of the IS Security policy document

 Information security policies should be reviewed at planned intervals or when
significant changes occur to ensure its continuing suitability, adequacy and
effectiveness

 Should have an owner who has approved management responsibility for the
development, review and evaluation of the security policy

 Review should include assessing opportunities for improvement to the organization’s
information security policy

 There should be defined management review procedures, including schedule or
period for review.

23
 Policy must be approved by senior management.
 Therefore, input to management and out of management is important.

The input to the management review should include:

 Feedback from interested parties
 Results of independent reviews
 Status of preventive and corrective actions
 Results of previous management reviews
 Process performance and information security policy compliance

24
The output from management review should include any decision related to:

 Improvement in the alignment of information security with business objectives.

 Improvement of the organization’s approach to managing information security and
its processes.

 Improvement of control objectives and control.

 Improvement in the allocation of resources and/or responsibilities.

25
How to Audit Policies: IS Auditor need to assess the following.

 Basis on which the policy has been defined

 Appropriateness of the policies

 Content of the policy

 Exception to the policy

 Policy approval process

26
 Policy implementation process

 Effectiveness of implementation of policies

 Awareness and training

 Periodic review and update process

27
 Procedures are detailed documented, defined steps for achieving policy
objectives.

 Must be derived from the parent policy

 Must implement the spirit (intent) of the policy statement

 Must be written in a clear and concise manner

28
 Guidelines for executing procedures are also the responsibility of operations.

 Guidelines should contain information that will be helpful in executing the procedures.

 Guidelines can be useful in many other circumstances as well, but they are considered here in
the context of information security governance.

29
The process of identifying vulnerabilities and threats to the information resources
used by an organization in achieving business objectives and deciding what
countermeasures (controls) to take in reducing risk to an acceptable level.

2.8.1 Developing a Risk Management Program:

 Establish the purpose of the risk management program

 Assign responsibility for the risk management plan

30
 Identification and classification of information resources or assets that need
protection

 Assess threats and vulnerabilities and the likelihood of their occurrence

 Once the elements of risk have been established they are combined to form an
overall view of risk

31
COBIT 5 provides a risk management process, APO12 managing risks, which
includes:

1. Collect Data
2. Analyze Risk
3. Maintain a Risk Profile
4. Articulate Risk
5. Define a Risk Management Action Portfolio
6. Respond to Risk

32
 To ensure that an enterprise manages its risk consistently and appropriately, an organization
should identify and establish a repeatable process to manage its IT risk.
 Basic steps in the risk management is a 5 step process.

33
Step 1: Asset Identification

Examples of typical assets associated with information and IT include:

 Information and data
 Hardware
 Software
 Services
 Documents
 Personnel

34
Step 2: Evaluation of Threats and Vulnerabilities to Assets
Common classes of threats are:
 Errors
 Malicious damage/attack
 Fraud
 Theft
 Equipment/software failure

Examples of vulnerabilities are:
 Lack of user knowledge
 Lack of secure functionality
 Inadequate user awareness/ education (poor choice of passwords)
 Untested technology
 Transmission of unprotected communication

35
Step 2: Evaluation of Threats and Vulnerabilities to Assets (conti)

Typical human threat actors are:
 Novices (Script Kiddies)
 Hacktivists
 Cyber Criminals
 Terrorists
 Nation states
 Riot / Civil unrest

Typical environmental threats are:
 Floods
 Lightning
 Earthquakes

36
Step 3: Evaluation of the impact
The result of a threat agent exploiting a vulnerability is called an impact.

Examples of impact (loss) are:
 Direct loss of money
 Breach of legislation
 Loss of reputation
 Endangering of staff or customers
 Loss of business opportunities
 Interruption of business activity

37
Step 4: Calculation of risk

 After establishment of risk, they are combined to form an overall view of risk.

 A common method of combining the elements is to calculate for each threat =
(probability of occurrence) X (Magnitude of impact)

38
Step 5: Evaluation of and response of risk

 After risk identification,
- existing controls have been evaluated, or
- design new controls,
to reduce the vulnerabilities to an acceptable level of risk

 These controls are called countermeasures or safeguards, which include:
- actions
- devices
- procedures
- techniques

39
Three methods are there for Risk Analysis:

1. Qualitative Analysis Method
2. Semi-quantitative Analysis Method
3. Quantitative Analysis Method (during BIA)

Management and IS auditors should keep in mind certain considerations:
 Risk management should be applied to IT functions throughout the company

 Senior management responsibility

40
 Information Technology Management Practices reflect the implementation of
policies and procedures developed for various IS‐related management activities.

 The role of IT within organization is spread out to all departments i.e. finance,
marketing, sales, production and HR.

 IS auditor must understand and appreciate the extent to which a well-managed IT
department is crucial to achieving the organization’s objectives.

41
 Management activities to review the policy/ procedure formulations and their
effectiveness within the IT department include:
- HR management
- Sourcing management
- IT change management
- Financial management
- Quality management
- Information security management
- Performance optimization

42
An organization’s hiring practices are important to ensure that the most effective and
efficient staff is chosen ad that the company is in compliance with legal recruitment
requirements.

Some of the common controls include:

 Hiring
 Employee handbook
 Promotion policies
 Training
 Scheduling and time reporting
 Employee performance evaluations
 Required vacations
 Termination policies

43
 Organizations can perform all IS functions in house or outsource all functions
across the globe

 Sourcing strategy should consider each IS function and determine which approach
allows the IS function to meet the organization's goals

44
Delivery of IS functions can include:
 Insourced - Fully performed by the organization’s staff


Outsourced - Fully performed by the vendor’s staff

 Hybrid - Performed by a mix of the organization’s and vendor’s staff; can include joint
ventures/supplemental staff IS functions can be performed across the globe, taking
advantage of time zones and arbitraging labor rates, and can include:

Staff will be:
 Onsite - Staff work onsite in the IS department

 Offsite - Also known as near shore, staff work at a remote location in the same
geographical area


Offshore - Staff work at a remote location in a different geographic region
45
Outsourcing practices and strategies

 Contractual agreements under which an organization hands over control of part or
all of the functions of the IS department to an external party

 The IS auditor must be aware of the various forms outsourcing can take as well as
the associated risks

46
Reasons for outsourcing include:

 A desire to focus on core activities

 Pressure on profit margins

 Increasing competition that demands cost savings

 Flexibility with respect to both organization and structure

An IS auditor should determine whether an enterprise considered the advantages,
disadvantages and business risks when developing its outsourcing practices and
strategies.

47
The services provided by a third party can include:
 Data entry

 Design and development of new systems

 Conversion of legacy applications to new platforms. For example, a specialist
company may web-enable the front end of an old application.

 Operating the help desk or the call center

 Operations processing

48
Possible advantages:

 Commercial outsourcing companies likely to devote more time and focus more
efficiently on a given project than in-house staff


Outsourcing vendors likely to have more experience with a wider array of
problems, issues and techniques

49
Possible disadvantages:

 Costs exceeding customer expectations
 Loss of internal IS experience
 Loss of control over IS
 Vendor failure

50
Service Level Agreement (SLA):
 A well balanced SLA is of a great importance for quality purposes and future
cooperation between the concerned parties.

 SLA should serve as an instrument of control.

 SLA stipulate and commit a vendor to a required level of service and support
options.

 SLA are contractual means of helping the It department manage information
resources that are under the control of a vendor.

51
Globalization practices and strategies

 The IS auditor can assist an organization in moving IS functions offsite or offshore
by ensuring that IS management considers the following:
- Legal, regulatory and tax issues
- Continuity of operations
- Personnel
- Telecommunication issues
- Cross‐ border and cross‐ cultural issues

52
Outsourcing and Third Part Audit Report

 IS auditor to have the assurance of controls implemented by a service provider
requires the provider a 3rd party audit report.

 These 3rd party reports cover a wide range of issues related to confidentiality,
integrity and availability of data.

53
 Change management is the discipline that guides how we prepare, equip and
support individuals to successfully adopt change in order to drive organizational
success and outcomes.

 Managing IT changes for the organization.

 Identify and apply technology improvements at the infrastructure and application
level

From auditing point of view, all changes within organization must be approved by
senior management.

54
Quality management is one of the means by which IT department-based processes
are control, measured and improved.

 Software development, maintenance and implementation
 Acquisition of hardware and software
 Day‐to‐day operations
 Service management
 Security
 Human resource management
 General administration

55
 Information security management provides the lead role to ensure that the
organization's information and the information processing resources under its
control are properly protected (Domain 5).

 This would include leading and facilitating the implementation of an organization
wide IT security program which includes the development of
Business Impact Analysis (BIA),
Business Continuity Plan (BCPs) and Disaster Recovery Plans (DRPs)
related to lS department functions in support of the organization's critical
business processes.

56
 Performance is not how well a system works.

 Performance optimization refers to the process of improving the productivity of
information systems to the highest level possible without unnecessary, additional
investment in the IT infrastructure.

 Key aspects of effective performance measurement:
1. Clear definition of performance goals
2. Establishment of effective metrics to monitor achievement of goals

57
Performance Optimization Methodologies and Tools:
1. Continuous improvement methodologies, such as PDCA cycle
2. Comprehensive best practices, such as ITIL
3. Framework, such as COBIT

Performance Optimization Tools and Techniques:
1. Six Sigma
2. IT BSC
3. KPIs
4. Business Process Reengineering (BPR)
5. Root Cause Analysis
6. Life-Cycle Cost Benefit Analysis

58
59
 Systems development manager
 Help desk
 End user
 End user support manager
 Data management
 Quality assurance manager
 Vendor and outsourcer management
 Operations manager

60
 Control group
 Media management
 Data entry
 Systems administration
 Security administration
 Quality assurance
 Database administration
 Systems analyst
 Security architect
 Applications development and maintenance
 Infrastructure development and maintenance
 Network management

61
Quality assurance manager— Responsible for negotiating and facilitating quality
activities in all areas of information technology With the increase in outsourcing,
including the use of multiple vendors, dedicated staff may be required to manage
the vendors and outsourcers, including performing the following functions:
 Act as the prime contact for the vendor and outsourcer within the IS function.

 Provide direction to the outsourcer on issues and escalate internally within the
organization and IS function.

 Monitor and report on the service levels to management.

 Review changes to the contract due to new requirements and obtain IS approvals.

62
Dividing or allocating tasks among various individuals making it possible to reduce
the risks of error and fraud.

Control measures to enforce segregation of duties include:
 Transaction authorization
 Custody of assets
 Access to data
 Authorization forms
 User authorization tables

63
Benefits include:

 Safeguarding of assets
 Accurate financial reporting
 Reduced risk of non-compliance

64
65
Compensating controls for lack of segregation of duties include:

 Audit trails
 Reconciliation
 Exception reporting
 Transaction logs
 Supervisory reviews
 Independent reviews

66
While many conditions concern the IS auditor when auditing the IT function, some of the more significant indicators of
potential problems include:

 Excessive costs
 Budget overruns

 Late projects
 High staff turnover

 Inexperienced staff
 Frequent hardware/software errors
 Poor motivation

 Slow computer response time
 Unsupported / unauthorized HW/SW purchases
 Frequent HW/SW upgrades
 A reliance on one or two key personnel

 Lack of adequate training

67
The following documents should be reviewed:

 IT strategies, plans and budgets
 Security policy documentation
 Organization/functional charts
 Job descriptions
 IT Steering committee reports
 System development and program change procedures
 Operations procedures
 Human resource manuals

The various documents reviewed should be further assessed to determine whether:
1. They were created as management authorized and intended
2. They are current and up to date
68
There are various phases to computer hardware, software and IS service
contracts, including:

 Development of contract requirements and service levels
 Contract bidding process
 Contract selection process
 Contract acceptance
 Contract maintenance
 Contract compliance

69
In reviewing a sample of contracts, the IS auditor should evaluate the adequacy of
the following terms and conditions:

 Service levels
 Right to audit or third party audit reporting
 Software escrow
 Penalties for noncompliance
 Adherence to security policies and procedures
 Protection of customer information
 Contract change process
 Contract termination and any associated penalties

70
 Critical services or products are those that must be delivered to ensure survival,
avoid causing injury, and meet legal or other obligations of an organization.

 Business Continuity Planning is a proactive planning process that ensures critical
services or products are delivered during a disruption.

71
A Business Continuity Plan takes into consideration:

 Those critical operations that are necessary to the survival of the organization.

 The personnel, information, equipment, financial allocations, legal counsel and
infrastructure protection supporting them.

72
Why is business continuity planning important

Every organization is at risk from potential disasters, that include:
 Natural disasters such as floods, earthquakes and fire
 Power and energy disruptions
 Communications, transportation, safety and service sector failure
 Cyber attacks and hacker activity.

Creating and maintaining a BCP helps ensure that an institution has the resources
and information needed to deal with these emergencies.

73
Creating a business continuity plan: A BCP typically includes five sections:

1. BCP Governance (Established Controls)
2. Business Impact Analysis (BIA)
3. Plans, measures, and arrangements for business continuity
4. Readiness procedures
5. Quality assurance techniques (exercises, maintenance and auditing)

74
1. Establish control
A BCP contains a governance structure often in the form of a committee that will
ensure senior management commitments and define senior management roles and
responsibilities.

Senior managers or a BCP Committee would normally:

1. approve the governance structure;

2. clarify their roles, and those of participants in the program;

3. oversee the creation of a list of appropriate committees, working groups and
teams to develop and execute the plan;

75
4. provide strategic direction and communicate essential messages;

5. approve the results of the BIA;

6. review the critical services and products that have been identified;

7. approve the continuity plans and arrangement;

8. monitor quality assurance activities; and

9. resolve conflicting interests and priorities.

76
2. Business Impact Analysis (BIA)
 Identify the organization's mandate and critical services or products; rank the
order of priority of services or products for continuous delivery or rapid
recovery; and identify internal and external impacts of disruptions.

BIA Process:
A. Identify the mandate and critical aspects of an organization

 This step determines what goods or services it must be delivered.

 Information can be obtained from the mission statement of the
organization, and legal requirements for delivering specific services and
products.

77
B. Prioritize critical services or products

 Once the critical services or products are identified, they must be
prioritized based on

1. minimum acceptable delivery levels and
2. the maximum period of time the service can be down

before severe damage to the organization results.

 To determine the ranking of critical services, information is required to
determine impact of a disruption to service delivery, loss of revenue,
additional expenses and intangible losses.
78
C. Identify impacts of disruptions

 The impact of a disruption to a critical service or business product determines:

 how long the organization could function without the service or product, and

 how long clients would accept its unavailability.

 It will be necessary to determine the time period that a service or product could
be unavailable before severe impact is felt.

79
D. Identify areas of potential revenue loss

 To determine the loss of revenue, it is necessary to determine:
 which processes and functions that support service or product delivery are
involved with the creation of revenue.

 If these processes and functions are not performed:
 is revenue lost?
 how much?
 If services or goods cannot be provided, would the organization lose revenue?
 how much revenue, and
 for what length of time?

 If clients cannot access certain services or products would they then to go to
another provider, resulting in further loss of revenue?
80
E. Identify additional expenses

 If a business function or process is inoperable, how long would it take before
additional expenses would start to add up?

 How long could the function be unavailable before extra personnel would have to
be hired?

 Would fines or penalties from breaches of legal responsibilities, agreements, or
governmental regulations be an issue, and if so, what are the penalties?

81
F. Identify intangible losses

 Estimates are required to determine the approximate cost of the
 loss of consumer and investor confidence,
 damage to reputation,
 loss of competitiveness,
 reduced market share,
 violation of laws and regulations.

 Loss of image or reputation is especially important for public institutions as they
are often perceived as having higher standards.

82
G. Insurance requirements
 Since few organizations can afford to pay the full costs of a recovery; having
insurance ensures that recovery is fully or partially financed.
 Use the BIA to help decide both what needs insurance coverage, and the
corresponding level of coverage.

H. Ranking
 Once all relevant information has been collected and assembled, rankings for the
critical business services or products can be produced.
 Ranking is based on the potential loss of revenue, time of recovery and severity of
impact a disruption would cause.
 Minimum service levels and maximum allowable downtimes are then determined.

83
I. Identify dependencies
 Identify the internal and external dependencies of critical services or products,
since service delivery relies on those dependencies.

Internal Dependency:
 include employee availability, corporate assets such as equipment, facilities, computer
applications, data, tools, vehicles, and support services such as finance, human resources,
security and information technology support.

External Dependency:
 include suppliers, any external corporate assets such as equipment, facilities, computer
applications, data, tools, vehicles, and any external support services such as facility
management, utilities, communications, transportation, finance institutions, insurance
providers, government services, legal services, and health and safety service.

84
3. Plans for business continuity
 Preparation of detailed response/recovery plans and arrangements to ensure
continuity.
 These plans and arrangements detail the ways and means to ensure critical
services and products are delivered at a minimum service levels within tolerable
down times.
 Continuity plans should be made for each critical service or product.

1. Mitigating threats and risks
2. Analyze current recovery capabilities
3. Create continuity plans
4. Response preparation
5. Alternate facilities
85
4. Readiness procedures

The following can be used to check organization’s readiness:

A. Training
B. Exercise
C. Goal
D. Objectives
E. Scope
F. Communications for Participants
G. Testing and Post-Exercise Evaluation

86
5. Quality assurance techniques

 Review of the BCP should assess the plan's accuracy, relevance and effectiveness.

 It uncover which aspects of a BCP need improvement.

 Continuous appraisal of the BCP is essential to maintaining its effectiveness.

 The appraisal can be performed by an internal review, or by an external audit.

87
Components of BCP
 Continuity of operation plan
 Disaster recovery plan (DRP)
 Business resumption plan

BCP may also include:
 Continuity of support plan / It contingency plan
 Crisis communication plan
 Incident response plan
 Transportation plan
 Occupant emergency plan
 Evacuation and emergent relocation plan
88
What to do when a disruption occurs

Disruptions are handled in three steps:

1. Response
2. Continuation of critical services
3. Recovery and restoration

89
BCP Plan Testing
The BCP test should achieve the following tasks:

 Verify the completeness of BCP
 Evaluate the performance of personnel involved in exercise

 Appraise the training and awareness of employees who are not members of BCP team.

 Evaluate the coordination between BCP team and external vendors and suppliers.

 Measure the ability and capacity of the backup site to perform prescribed processing.

 Assess the vital records retrieval capability.

 Evaluate state and quantity of equipment and suppliers that have been relocated to recovery site.

 Measure the overall performance of operational and IT processing activities related to maintain
the business entity.

90
BCP Test Types

1. Desk-based evaluation/ paper test – A paper walk-through of the plan, involving
major players in the plan’s execution who reason out what might happen in a
particular type of service disruption.

2. Preparedness test - Usually a localized version of a full test, wherein actual
resources are expended in the simulation of a system crash.

3. Full operation test – This one step away from an actual service disruption. The
organization should have tested the plan well on paper and locally before
endeavoring to completely shut down operations.

91
The IS auditor’s task include:
1. Understanding and evaluating business continuity strategy and its connection
to business objectives.

2. Reviewing BIA findings to ensure that they reflect current business priorities
and current controls.

3. Evaluating the BCPs to determine their adequacy and currency, by reviewing
the plans and comparing them to appropriate standards and/or government
regulations including the RTO, RPO, etc. defined by the BIA.

4. Verifying that the BCPs are effective, by reviewing the results from previous
tests performed by IT and end user personnel.

92
The IS auditor’s task include:

5. Evaluating cloud based mechanism.

6. Evaluating offsite storage to ensures its adequacy, by inspecting the facility and
reviewing its contents and security and environmental controls.

7. Verifying the arrangements for transportation backup media to ensure that
they meet the appropriate security requirements.

8. Evaluating the ability of personnel to respond effectively in emergency
situations, by reviewing emergency procedures, employee training and results of
their tests and drill.

93
The IS auditor’s task include:

9. Ensuring that the process of maintaining plan is in place and effective and
covers both periodic and unscheduled revisions.

10. Evaluating whether the business continuity manuals and procedures are written
in a simple and easy to understand manner.

94
When reviewing the developed plan, IS auditors should verify that basic elements of
a well-developed plan are evident.

 Review the Document
 Review the Application Covered by the plan
 Review the Business Continuity Teams
 Plan Testing

95
96