Introduction
Until recently, corporations had been obliged to protect the interests of shareholders, but not necessarily other stakeholders. Stakeholders of an organization include not just the shareholders, but employees, customers, business partners, and even those living in the neighborhood of or society affected by the activities of the organization.
In light of corporate scandals (Enron, WorldCom), large-scale disasters (9/11, the December 2004 tsunami, hurricanes Katrina and Rita), and the high availability requirements of eCommerce, stakeholder interest in corporate governance is increasing, particularly where business continuity and availability are concerned. Corporate governance is the umbrella term for the measures and systems by which an organization is controlled and managed in order to protect its stakeholders.
In recent years, corporate governance has taken on increased significance in the U.S. as more and more legislation, regulations, and external standards require organizations to provide proof of control measures to external auditors and assessors. Compliance with these laws, regulations, and standards is a key concern of business continuity planning/disaster recovery (BCP/DR) personnel.
Organizations not only must have disaster recovery plans, but full business continuity plans to ensure that key parts of the organization—not just the IT systems, but also the personnel, functions, and processes—can continue operating in the event of an emergency.
Business continuity plans and disaster recovery plans include the following information:
- Who is responsible for which aspects of the business continuity procedures and plans
- How disasters will be avoided and mitigated
- Which risks have been identified
- How various scenarios will be handled
- How people will be evacuated and to where
- How medical emergencies will be handled
- Alternate site locations and how they will be used
- Communications/notification procedures
- How the business continuity plan will be tested, updated, reviewed, and approved
Many BCP/DR personnel are aware of these requirements, but are not sure how to demonstrate compliance. This article explains how compliance can be ensured, measured, and maintained.
Legislation, Directives, and Standards
The Sarbanes-Oxley Act of 2002, drawn up in response to corporate scandals such as Enron and WorldCom/MCI, made many of these concerns more acute in the U.S. (Equivalent legislation is gradually coming into effect in many European countries.) Section 404 of the Act requires management to assess and report on the effectiveness of internal controls over financial reporting, and the external auditor to attest to that assessment. Because most organizations keep their financial records in IT systems, the general IT controls over those systems, including backup, recovery, and availability, fall within that assessment. Many organizations cannot operate for long if those systems are unavailable, so business continuity and disaster recovery measures must be effective and must be regularly audited in order to comply with the Act.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was passed in the U.S. to allow customers to switch between health insurance providers as smoothly as possible without unavailability, total loss, or loss of integrity of their health data. Its Security Rule requires covered entities to have a contingency plan, which must include a data backup plan, a disaster recovery plan, an emergency mode operation plan, testing and revision procedures, and an analysis of which applications and data are critical. Organizations dealing with data on which patient safety depends must keep that data available during an emergency in order to be HIPAA-compliant. The contingency plan is in addition to the other safeguards required to protect the integrity and availability of electronic protected health information.
The following list describes several other U.S. acts that require affected organizations to have a business continuity plan/disaster recovery plan in place:
- The Gramm-Leach-Bliley Act (GLBA) affects financial institutions and their storage of personal financial data. Its Safeguards Rule requires such data to be protected against unauthorized access and against threats to its security and integrity, which includes keeping it secure and recoverable in the event of a disaster.
- The Federal Information Security Management Act (FISMA) affects the information systems of federal agencies and of contractors operating systems on their behalf, and requires contingency planning as one of the mandated security controls.
- The Occupational Safety and Health Act (OSH Act) requires organizations to have emergency action plans, including evacuation procedures, for the safety of their employees.
- The California Security Breach Notification Act (SB 1386) requires organizations to notify affected individuals when unencrypted personal information (social security numbers, driver's license numbers, credit card details) is disclosed to an unauthorized person; notification procedures therefore belong in the incident response part of the plan.
In the UK, the Civil Contingencies Act 2004, whose duties on local responders came into force in 2005, requires that government and local authority agencies carry out proper business continuity management. It's hoped that this requirement will have a knock-on effect in the business community that, alongside existing data protection legislation, tougher standards requirements, directives from various industry organizations, and so on, will remove the need for formal legislation similar to Sarbanes-Oxley.
In addition to legislation, many organizations are required to abide by standards and directives governing aspects of their business, and these often require business continuity plans. Here are some examples:
- The National Association of Security Dealers (NASD) rules 3510 and 3520 require that all members have a BCP in place and provide emergency contact information.
- FDA regulations (such as 21 CFR Part 11, on electronic records and electronic signatures) require that electronic records be protected so that they remain accurate and readily retrievable throughout their retention period, which in practice means reliable backup and recovery for the systems that hold them.
- SEC regulations (for example, the record-keeping rules in 17 CFR 240) require that records of electronic securities transactions be retained, preserved in non-rewritable form, and readily retrievable, so the systems holding them must survive outages and disasters.
- Basel II treats business disruption and system failures as operational risk. Banks are expected to maintain accurate historical transaction and loss data and to have business continuity and contingency plans so that critical components of their distributed financial systems remain available.
- Office of Management and Budget (OMB) Circulars (for instance, A-130, dated November 2000) require disaster recovery plans to be in place.
- ISO 17799 (the code of practice for IT security management) compliance requires business continuity and disaster recovery plans to be in place.
- COBIT audits require a BCP to be in place and to be effective in order to meet compliance requirements.
- Business continuity and disaster recovery plans are a key component of any ISACA audit.
- Many organizations are voluntarily adhering to IT Infrastructure Library (ITIL), a set of best practices in IT service management. ITIL has strong guidelines for the business continuity planning process and documentation.
The gist of these laws, regulations, and standards in terms of business continuity and disaster recovery is the same in all cases: The organization must ensure that critical data and systems remain available, even in a crisis, and penalties are imposed if they are not. However, compliance is a moving target, with requirements increasing constantly, so the BCP process must itself change as the requirements change.
How To Ensure Compliance
Despite the plethora of statutes, directives, and standards that require business continuity and disaster recovery planning, compliance with all of them can be assured by following a few uniform rules.
Various compliance frameworks can be used to assess BCP measures—ISO, COBIT, COSO, etc.—but key aspects are similar:
- COSO requires data center operation controls and transaction management controls in order to ensure data integrity and availability.
- ISO 17799 has a section entitled Business Continuity Management that requires a business continuity plan to be tested, maintained, and reassessed.
- ISACA's COBIT requires uninterruptible power supplies under its Manage Facilities section.
- NIST requires contingency and continuity plans and management.
As a general rule, in order to test BCP/DR compliance within an organization, a team of qualified, knowledgeable internal auditors should be created, reporting to a different member of the board than the BCP team reports to. This team of internal auditors should test to ensure that the BCP plan and process meet the compliance requirements discussed in the following sections.
Ongoing Process
Business continuity should be an ongoing process, concerned with the development of strategies, policies, and plans that will provide protection of existing modes of operating within the organization, or will provide alternative means of carrying out that organization's business in the event of disruption that might otherwise result in loss to the organization.
This aspect can be tested by the internal auditors by asking the BCP team for the following:
- Proof of regular meetings: minutes, agendas, notes, presentation slides, etc.
- Regular scenario test runs: test plans, test results, and so on
- Evidence of recent change management (such as logs showing ongoing changes) and reviews to the BCP plan (for example, version history of the BCP plan and associated documents)
Risk Assessment
The business continuity process (which should be repeated at least annually) should commence with a business impact analysis (BIA) and a risk assessment. The BIA identifies the key business processes and the systems they depend on, both manual and IT-based, and sets recovery objectives for each: how quickly it must be recovered (the recovery time objective, RTO) and how much data loss is tolerable (the recovery point objective, RPO). The risk assessment identifies the continuity-related threats to which the organization might be vulnerable and how likely they are.
Although some legislation, directives, and standards may apply more fully to some aspects of the organization than others—for instance, Sarbanes-Oxley seemingly applies more to financial aspects than to other areas of the organization—it's recommended that the BIA be carried out across the whole enterprise, including taking into account reliance upon external systems such as vendor-maintained systems, business partner–shared systems, and so on. This part of the risk assessment is intended to determine which areas of the business provide the most serious risk.
For example, the following kinds of risks should be considered as part of the BIA:
- Are key systems backed up often enough, and can they be restored quickly enough, that the availability of data meets the specific business, legislative, and standards requirements? For example, the PCI DSS requires merchants handling card data to maintain an incident response plan that includes business recovery and continuity procedures; HIPAA's contingency plan standard requires an emergency mode operation plan so that critical patient data stays available during an emergency.
- Are key systems' availability ensured using uninterruptible power supplies (UPS), failover/hot-standby facilities, or other contingency measures?
- Is the organization able to operate effectively without key personnel? Is it clear who is the "second in command" in each department? Are there at least two members of staff who know how to carry out each key job?
- Is the organization able to operate effectively without key systems (not just IT systems—telecommunications systems, manual systems, etc.)? Are contingency manual processes in place in case key systems fail?
- Is the organization able to operate effectively without key locations? Are contingency locations available in which business can temporarily be carried out if a site/location is unavailable?
- Are all important prevention mechanisms in place to avoid or reduce the effects of system failures or damage caused by floods, fires, terrorist attacks, and so forth? Particularly, this area should take into account firewalls, intrusion prevention/detection mechanisms, auditing/logging, sprinkler systems, closed-circuit TV cameras, security staff, physical security mechanisms (passcodes, keycards, receptionists, keys and locks, security fences, building design, and so on).
The risk assessment area of business continuity planning can be tested by internal auditors by obtaining a copy of the risk assessment/business impact assessment documentation, and ensuring that it covers all the required systems, locations, and personnel.
Regular Reviews and Gap Analysis
All disaster recovery plans and business continuity plans should be reviewed in light of the BIA, kept up to date, and regularly tested/reviewed thoroughly.
This review process and gap analysis, the responsibility of the BCP team, should include the following:
- Security assessment carried out by an independent assessor (CISSP certified auditor or independent security consultancy)
- BCP scenario testing, such as a simulation of a terrorist bomb attack on the organization's headquarters, or simulation of a virus attack bringing down the network
- Regular reviews of the plan and process by the BCP team to identify any changes that should be made in light of changes to legislation; changes to the way in which business is carried out (for example, a merger that adds a new business location to the plan or discontinues a business relationship with a partner, removing a location from the plan); or just in the light of new experiences or information (for example, many organizations have reviewed their BCP and DR plans in the light of 9/11, hurricane Katrina, etc.)
Part of the review process should include checks to ensure that the backup plan for each key system is really being implemented correctly:
- Backup personnel can produce the backup tapes for these key systems when requested.
- Data-restoration requirements can be met.
- Firewalls, intrusion detection/prevention systems, authentication systems (login, passwords, etc.), and logging/auditing systems are operating effectively and logs are being reviewed and acted upon on a regular basis.
- Appropriate physical security measures are in place and are effective; for example, security personnel are patrolling key areas regularly, visitors are always accompanied, security fences are in place, closed-circuit TV cameras are in place and are being watched, security passes are required to access key areas of buildings.
- Procedures and policies are in place to prevent data integrity or availability being compromised; for example, checks and controls ensure data integrity, and separation of duties ensures that no single person can seriously affect data integrity and/or availability.
This review process can be tested by internal auditors in the following ways:
- Obtaining copies of the reports of any external auditors, consultants, or security assessors.
- Obtaining copies of any minutes/agendas of meetings reviewing the BCP plan and process.
- Reviewing documentation of testing scenarios (test plans, test results, etc.).
- Requesting proof that any issues/problems identified were acted upon and resolved. Proofs can include logs, change request documentation, printouts of software or hardware configurations, etc.
- Specifying dates for which the backup team should provide the backup media for all the key systems, and verifying that the backups are restored correctly and completely within the data-restoration timeframes set in the BIA.
Call Lists
It should be clear who should be called in different scenarios, and their contact details should be widely available to all who need them.
The internal audit team can test this requirement by requesting a copy of the latest call list and calling the people on the list to ensure that the telephone numbers are up to date and that the people listed know what to do in various scenarios. It's useful to keep a copy of the call list, and a log of the results of calling the numbers, for use by the external auditors, who will later use this evidence to ensure compliance.
Publication of the BCP Plan and Process
The BCP plan should not only exist; it should be published, reviewed regularly, and republished to all the key players in the process. It should be clear who is responsible for the plan, which members of staff support the BCP process, and what their responsibilities are. The BCP plan must include the following information:
- Data backup plan for each key system
- Emergency response plan indicating the chain of command and contact info in emergency scenarios
- Contingency plan indicating backup locations, systems, and personnel to be employed in the event of key locations, systems, and/or personnel being unavailable
The internal auditors should ensure that the various versions of the BCP plan exist, and should obtain proof that new versions are published to key personnel (for example, obtain the email sending the latest version out to all staff, or obtain a distribution list to which copies were sent).
The internal audit team should ensure that the latest version of documentation is accurate and up to date by interviewing the key individuals to ensure that they understand their revised responsibilities and how to respond to various scenarios, by checking that changes incorporated are understood by key staff, and by verifying that documents affected by these changes are updated accordingly.
The internal auditors should also check that the backup locations, systems, and personnel are available when required; this can be ensured by carrying out surprise visits to the locations with very little notice, asking for access to the backup systems, and interviewing personnel at key points in time to ensure that they're ready to take over if needed.
Awareness of the BCP Plan and Process
The entire organization must be aware of what the business continuity process is and how it relates to each individual.
This requirement can be tested by the internal audit team by submitting questionnaires to or interviewing individuals at different levels in the organization and asking them what they would do in various scenarios. The number of individuals to question should be determined in consultation with external auditors.
Training
All staff within the organization should receive some training about their roles in the event of emergency scenarios. Some of this training will consist of scenario testing, in which a situation is simulated and staff are expected to respond as they would in the real situation; for example, simulation of a terrorist bomb attack on the headquarters building, fire drills, etc. Other training will simply be awareness training, ensuring that staff understand the need for a business continuity plan, know which phone numbers to call in the event of an emergency or relocation, are clear on what they're supposed to do in case of an emergency, and so on.
This requirement can be tested by obtaining schedules of training courses, seminars, and so forth as well as a list of attendees of each, and then carrying out awareness interviews and questionnaires with those attendees to ensure that the training is effective.
Scenario Testing
The BCP should be tested regularly in a number of different ways. Typically, large-scale scenario tests (simulation of a terrorist bomb attack, plane crashing into the building) will occur annually, and will involve a great deal of planning; personnel involvement (including personnel outside of the organization, such as emergency responders, business partners, and community groups); and reviews to ensure that the testing was effective and to determine lessons learned.
Such scenario testing will require test plans to be drawn up, indicating what is expected of personnel involved in the testing, and allowing personnel to record whether or not they were able to carry out tasks or what unexpected problems they encountered.
Small-scale tests can occur on an ongoing basis and can consist of any number of the following types of tests:
- Spot checks on systems ensure that when a system is taken down, it can be restored quickly and correctly as detailed in the appropriate procedures documentation. Restores should be made to an isolated test environment, never over the production copy, and the restored data should be verified against a known-good reference rather than merely observed to "come up." Restoration times are recorded and compared against the recovery objectives for that system; if they are not met, issues are noted.
- Spot checks on staff ensure that when key personnel are removed from the office, the remaining staff can work effectively without them. When the key personnel return, a postmortem is carried out to find out how well/badly the rest of the staff coped and what needs to change to help them manage more effectively in the future.
- Alternate site tests ensure that business can be transferred to an alternate site effectively if the main site is unavailable. In this case, selected key staff can be called with no notice and told to act as though the main site has just become unavailable. Their reaction to the scenario is monitored to ensure that the alternate site is brought up effectively, or to note any problems or issues that were not foreseen within the BCP plan.
- Planned walkthroughs of plans and procedures are designed to identify issues and problems with those plans and procedures, feeding back into the change management process. These types of walkthroughs often precede all the other types of tests and are often invaluable in reducing the amount of time wasted during the other types of tests. Key personnel get together and go step by step through plans and procedures, trying to anticipate problems and issues that may be encountered during scenario testing/other types of testing or during real incidents.
After all these types of testing, the BCP plan, procedures, and/or process should be altered in light of lessons learned, problems and issues encountered, and so on under the change management process.
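The backup checks in the review process above and the system spot checks under scenario testing both come down to the same exercise: restore a backup into an isolated location, verify that what came back matches what was backed up, and compare the elapsed time and the age of the backup against the RTO and RPO for that system. The following script is an added example, not part of the original article; it builds a small sample backup archive (constructed data standing in for a key system's files, with a SHA-256 manifest) and then runs that check. The recovery objectives, file names, and manifest format are assumptions for the illustration, not any standard's format.

```python
"""Restore-test harness (added example, not from the original article).

Builds a sample backup (constructed data), restores it into a throwaway
directory rather than over production, verifies every file against a
SHA-256 manifest, times the restore, and reports whether the assumed RTO
(restore time) and RPO (backup age) for the system were met.
"""
import hashlib
import io
import json
import os
import tarfile
import tempfile
import time
from datetime import datetime, timedelta, timezone

# Constructed sample data standing in for a key system's files (assumption).
SAMPLE_FILES = {
    "etc/app.conf": b"listen=443\n",
    "data/ledger.db": b"\x00" * 4096,
}


def sha256_of(path):
    """SHA-256 of a file on disk, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_backup(files, taken_at, corrupt=None):
    """Build an in-memory tar.gz of `files` plus a JSON manifest of their
    SHA-256 digests and the backup timestamp. If `corrupt` names a file, one
    byte of that file is flipped after hashing to simulate a bad backup."""
    buf = io.BytesIO()
    manifest = {"taken_at": taken_at.isoformat(), "files": {}}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            manifest["files"][name] = hashlib.sha256(data).hexdigest()
            if name == corrupt:
                data = data[:-1] + bytes([data[-1] ^ 0xFF])
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        mdata = json.dumps(manifest).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(mdata)
        tar.addfile(info, io.BytesIO(mdata))
    return buf.getvalue()


def restore_and_verify(archive, rto, rpo, now=None):
    """Restore `archive` into a fresh temporary directory, check each file
    against the manifest, and judge the result against `rto` and `rpo`."""
    now = now or datetime.now(timezone.utc)
    start = time.monotonic()
    mismatched = []
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            members = {m.name: m for m in tar.getmembers() if m.isfile()}
            manifest = json.loads(tar.extractfile(members["MANIFEST.json"]).read())
            for name, expected in manifest["files"].items():
                norm = os.path.normpath(name)
                # Refuse entries that would escape the restore directory.
                if norm.startswith("..") or os.path.isabs(norm):
                    mismatched.append(name)
                    continue
                member = members.get(name)
                if member is None:  # listed in manifest but absent from tape
                    mismatched.append(name)
                    continue
                out = os.path.join(dest, norm)
                os.makedirs(os.path.dirname(out), exist_ok=True)
                with open(out, "wb") as f:
                    f.write(tar.extractfile(member).read())
                if sha256_of(out) != expected:
                    mismatched.append(name)
    elapsed = time.monotonic() - start
    age = now - datetime.fromisoformat(manifest["taken_at"])
    result = {
        "files_checked": len(manifest["files"]),
        "mismatched": mismatched,
        "restore_seconds": elapsed,
        "rto_met": elapsed <= rto.total_seconds(),
        "backup_age_hours": age.total_seconds() / 3600,
        "rpo_met": age <= rpo,
    }
    result["compliant"] = not mismatched and result["rto_met"] and result["rpo_met"]
    return result


def demo(tamper=False, stale=False):
    """Run the check on the sample backup. Assumed objectives: RTO 1 hour,
    RPO 24 hours. `tamper` corrupts one file; `stale` ages the backup."""
    taken = datetime(2024, 3, 1, 2, 0, tzinfo=timezone.utc)
    now = taken + (timedelta(days=3) if stale else timedelta(hours=4))
    archive = build_backup(SAMPLE_FILES, taken,
                           corrupt="data/ledger.db" if tamper else None)
    return restore_and_verify(archive, rto=timedelta(hours=1),
                              rpo=timedelta(hours=24), now=now)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report returned by restore_and_verify is the kind of record the internal auditors should file for each spot check: which backup was restored, how long it took against the RTO, how old it was against the RPO, and whether the content matched. A restore that "comes up" but fails the manifest check is a failed test, and the manifest should be produced at backup time and stored separately from the backup it describes, so that a corrupted or substituted tape cannot vouch for itself.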
Ultimate Responsibility
One person must ultimately be responsible for the business continuity process, and that person must have the backing of the board in developing and maintaining it. In a company of any size, this person should have ready access to a team of representatives from all parts of the organization, each empowered to provide requirements and testing for their own area.
This aspect can be tested by reviewing the BCP documentation to identify the person who is ultimately responsible, and then interviewing that person as well as the chief executives of the organization (CEO, CIO, board members), to ensure that the person with ultimate responsibility for the BCP is fully empowered by the board.
Full Documentation
Up-to-date documentation is key to the business continuity process, and should include auditable lists of emergency contact personnel, their roles, and their contact information. Procedures should be clearly defined, and it should be clear under which scenarios those procedures would be invoked.
Testing of the documentation and procedures should be carefully planned, documented, and carried out. Any problems with existing documentation and procedures found during testing should be input to a change management process, ensuring that changes to existing procedures and documents are reviewed and approved before a new version of the business continuity plan is released to all concerned.
The results of testing will usually be audited by external auditors or assessors to ensure that the plans are adequate and will work in the event of emergencies. It is important that testing be carried out regularly and cover the most likely scenarios as well as those scenarios that would cost the organization most dearly should they occur.
External Auditors
External auditors/assessors are essential to assess compliance with legislation/standards, in most cases on an annual basis. For Sarbanes-Oxley the attestation must come from a registered public accounting firm; in all cases the external auditors must be independent of management.
External auditors and assessors will assess the business continuity process to ensure the following:
- The BCP is thorough in its assessment of risks.
- The BCP is an ongoing, repeatable, thorough process.
- Everyone involved in business continuity responses is aware of their role and procedures they're expected to follow.
- The process is tested regularly.
All documentation gathered during compliance testing within the organization by the internal auditors should be kept and filed carefully for the external auditors to use later in their assessment of compliance.
Summary
While a business continuity plan is subject to many different legislative and business requirements, those requirements share a common core. If the principles above are adhered to when developing and maintaining a BCP, it will satisfy that core, and the procedures and people will be in place, ready to meet requirements as they grow.
