
The Disaster Center Bookstore

Disaster Center Bookstore-a service of Rothstein Associates

Business Continuity, Disaster Recovery

How to Audit Your BC & Continuity Plan
How to Audit Your Business Contingency & Continuity Plan to Ensure It Covers
September 11 & New Global Threats, by Javier F. Kuong. 2002, 150 pages.
CD636
$130.00
HOW TO AUDIT YOUR BUSINESS CONTINGENCY AND CONTINUITY PLAN TO ENSURE
IT ADDRESSES SEPTEMBER 11 AND OTHER NEW GLOBAL THREATS - APPROACHES AND METHODOLOGY
by Javier F. Kuong and CPR-I Consulting Group

“The September 11 attacks and the wave of new cyber and infrastructure attacks strongly
suggest that your enterprise protection and business continuity plans need to be overhauled.
The new terrorism, cyberterrorism and infrastructure attacks that can deeply impact
organizations have substantially made your plans obsolete.

“The business of protecting the enterprise against an increasing number of modern threats
and attacks in a global environment has become a high priority item for executives as it has
become a Board of Directors issue when your enterprise survival is at stake.

“Executive management needs the valuable input that a review or assessment of the existing
protection program provides. In the words of an executive from EMC Corporation at a recent
post-September 11 New York City Conference, "The future champion of security will be the
CEO". Very recently, Bill Gates also announced that security is the top priority in his
organization in view of the September 11 events and recent security flaws with some of his
company’s products, which may be vulnerable to Cyber attacks. Executives and auditors
now realize that enterprise protection must rise from a tactical issue to a full strategic
consideration in terms of both enterprise survival and competitiveness.

“Management needs to initiate a review of the existing enterprise protection program
considering more than just mundane (and probably well established) information technology
services protection. If the assessment is conducted by auditors or independent consultants,
they have a unique opportunity to provide value added and improve the chances that their
organization or client organization is better prepared for any eventuality and potential terrorist
attack that could inflict irreparable and serious loss.

“The value proposition is quite simple indeed. Before you embark on any potentially major
and costly upgrade effort, you must know the status of your enterprise protection program.
You must know, if for no other reason than being able to decide what is the direction that any
improvement or upgrade program should take, the seriousness of the vulnerabilities that are
present. These can be disclosed by an audit, which can point the way to what the
organization must do to minimize enterprise exposure from the new cadre of global threats.

“Not to know the present situation is tantamount to taking a trip without a reliable compass
and a road map. Improving the existing plan on an as-we-go basis is analogous to
navigating your vehicle a mile at a time without having any clear idea of the trip's destination,
the magnitude of the trip, and the distance that must be traveled. Knowing the state of the
present affairs in enterprise protection will put you in a far better position to make informed
decisions on potential needed changes to bring about cost-effective enhancements to
protect your enterprise.”

- - - - - - - - - - -

WHO CAN BENEFIT FROM THIS BOOK

• Executives and CEOs responsible for enterprise protection and continuity

• Contingency planners and quality assurance professionals and anyone with
responsibility for ensuring that business continuity plans a) exist and b) are adequate and
current

• Internal, external, and information technology auditors in profit and non-profit
organizations

• Inspectors from OIG Offices and examiners in government circles

• Chief Information Officers (CIOs), business managers, risk management
professionals, user line managers and personnel who must develop their own contingency
plans or who must review the adequacy of contingency plans of organizations that provide
services in support of their operations

• Information security officers and corporate contingency plan coordinators who
oversee the adequacy of corporate and divisional plans or review the adequacy of
contingency plans prepared by user groups

- - - - - - - - - - -

CONTENTS

PREFACE

1. SEPTEMBER 11 AND A LANDSCAPE OF NEW GLOBAL THREATS REQUIRE
NEW CONTINGENCY AND BUSINESS CONTINUITY PROTECTION PROVISIONS
1.1 The September 11 Events and New Global Threats Place Your Organization in
Danger
1.2 Terrorism, Cyber Terrorism, Infrastructure Attacks, Third-Party Dependencies,
Critical Infrastructure, and Collateral Loss
1.3 Key Lessons From the Recent Terrorist Attacks and Their Implications
1.4 Your Present Protection, Contingency and Business Continuity Plans Does Not
Address the New Global Threats
1.5 Dire Need to Audit Your Present Contingency and Business Continuity Plans to
Determine Their Vulnerabilities and as a Basis for Upgrading
1.6 The Value Proposition and Benefits of an Audit
1.7 Management’s Fiduciary Responsibility to Ensure that Adequate Enterprise
Protection is in Place

2. WHAT IS AT STAKE AND SHOULD BE REVIEWED
2.1 The World of Contingency Planning Has Changed As a Result of the Recent Adverse
Events In The US
2.2 Controllable vs. Non-Controllable Threats
2.3 Other Audit Considerations
2.4 Key Questions to Ask

3. AUDIT APPROACH AND METHODOLOGY
3.1 Chapter Objectives
3.2 Scope and Approaches to Reviewing Contingency Planning Provisions
3.3 Auditing the Process of Business Continuity Development
3.4 Auditing the Contents of the Contingency Plan
3.5 Verifying or Testing Whether the Product or Program Works as Intended
3.6 A Pictorial View of the Audit Approach and Panorama
3.7 Identifying the Main Vulnerabilities and Classes of Threats that Are Not Addressed in
the Existing Protection Plans - Audit Methodology
3.8 Audit Matrices to Conduct the Audit and Document Audit Findings
3.9 An Illustration of a Specific Audit Matrix to Meet an Audit Objective
3.9 Extending the Audit Matrix to Include Analysis, Interpretation of Findings and
Improvement Recommendations

4. PREPARING AN AUDIT PLAN FOR POST-SEPTEMBER 11 ISSUES –
COMPREHENSIVE REVIEW CHECKLISTS
4.1 The Need for an Audit Plan to Define and Execute the Audit
4.2 Illustration of a Plan of Action to Prepare and Execute the Audit
4.3 Review Checklists and Questionnaires to Assist You in the Conduct of the Audit
4.4 A Compendium of Audit Checklists for Contingency Planning and Business
Continuity Issues
4.5 Auditing Concentration of Critical Business Processes/Activities And Vital Human
Resources
4.6 A List of Other Weaknesses Revealed by the September Terrorist Attacks
4.7 Other Lessons Learned

5. WHAT TO EXPECT AND WHAT ACTIONS SHOULD ENSUE FROM THE AUDIT?
5.1 What Management Should Expect from the Assessment of the Enterprise Protection
and Business Continuity Plan
5.2 The Key Products and Deliverables of an Audit
5.3 The Auditor’s Role After the Audit Report and Recommendations are Issued
5.4 A Well-prepared Audit and Its Deliverables Should Provide a Sound Basis for
Management to Stage or Develop a Plan of Action to Reduce Vulnerabilities and Remaining
Exposures
5.5 Interpreting the Conclusions and Recommendations from the Audit and Converting
Some of the Key Recommendations Into Actions Steps
5.6 An Illustration of Interpreting Audit Findings as a Basis for Taking Actions to Reduce
Vulnerabilities in the Context of Post-September 11 Events and the New Global Threat
Panorama
5.7 Major Action Steps by Management Following the Audit
5.8 Conclusion

APPENDIX
A. Literature References

B. Glossary of Terms

C. Index

- - - - - - - - - - -
2002, 150 pages. Order #DR636
- - - - - - - - - - -

Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104
1-888-ROTHSTEIN
Telephone: 203.740.7444; 888.768.4783
Fax: 203.740.7401
E-Mail: info@rothstein.com
