Page 182 - Courses

Exploring Corrective Controls

TOPIC 3: CONTINUITY PROGRAM

Overview

To develop a plan, an organization must first perform an operational resiliency risk assessment to
determine the impact of various possible events. Once completed, the organization can develop the
risk mitigation strategies. For instance, for the loss of a primary data center, a risk mitigation
strategy might include switching to an alternative data center location, temporarily using a cloud-
based service, or directing a critical process to a third-party offsite location.

Once the plan is complete, management should ensure that all employees are aware of the plan's
existence, the location of the plan, and the role each employee performs in the plan.

The implementation process consists of many components that we will discuss in this unit.

Continuity Program Steps

Management Commitment to Business Continuity Management Program
   1.  Build a business case.
   2.  Understand the value.
   3.  Establish a BCM program.

Conduct an Operational Resiliency Risk Assessment and Mitigation
   1.  Define disruptive (credible) events.
   2.  Assess the impact of disruptive events.
   3.  Develop risk mitigation strategies.

Conduct a Business Impact Analysis (BIA)
   1.  Identify business processes.
   2.  Determine which business processes are critical.
   3.  For each process, identify other parties and physical resources required for recovery.
   4.  Define recovery time objective (RTO), recovery point objective (RPO), maximum tolerable
       outage (MTO), and allowable interruption window (AIW) for each process.

Define Business Continuity and Recovery Strategies
   1.  Define staffing alternatives needed for recovery.
   2.  Define alternative sourcing of critical functions.
   3.  Define alternative offices needed for recovery.
   4.  Plan to transition back to normal operations.

Establish Disaster Recovery
   1.  Understand business recovery requirements.
   2.  Prioritize order of restoration.
   3.  Select recovery solutions and recovery sites.
   4.  Develop restoration procedures.

Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.