Page 562 - ITGC_Audit Guides
GTAG — BCM Requirements
• Reviewing exercise/test results and associated action reports for exceptions (e.g., gaps) requiring remediation.
• Assessing the BCM program and BC recovery capabilities to ensure they have been updated to correct necessary gaps and have been implemented effectively.

5.8 Exercise of the Business Continuity

Exercises, or tests, are generally considered the most effective way to keep a BCM program and BC plans current and executable. Some organizations differentiate the terms exercise and test, but there is no requirement to use these terms in specific circumstances. Regardless of vernacular, the emphasis on plan testing should be to improve the organization’s performance in an actual event. It is important to note that there are many types of exercises, which, when used appropriately, can provide assurance and add value. All major BC standards require some sort of exercise/test regime to be an integral part of the BCM program. Generally, a large-scale exercise of the BCM programs and BC plans should be conducted at least annually. More frequent testing may be required for complicated environments and those with great impact (e.g., loss) to the organization. Several component tests should also be scheduled at regular intervals throughout the year.

Exercise/test requirements should be documented either inside the plan itself or in the entity-level BCM policy. Most of the standards used to govern BCM programs require three basic elements of a testing regime:
• Tests must be held at periodic intervals. The actual period between the events is determined by the BCM Steering Committee and is based on the program goals and objectives.
• Tests should address a variety of threats/scenarios and different elements within the BCM program. It is possible to address these issues in a series of broadly-based annual exercises or through more targeted site or component-level testing.
• There must be some method to track issues and gaps uncovered in the test and track their resolution.

Figure 5. Exercising BCM Program Elements
Survey question: What elements of your BCM program have you exercised at least once in the past year? (Select all that apply.)
Response categories: Departmental business recovery exercise; Site-specific business recovery exercise; Alternate site (work area recovery) exercise; Mock crisis/emergency management exercise; None.
Data labels on the chart: 12.96%, 48.97%, 40.37%, 42.55%, 38.07%.
Source: 2008 Continuity Insights/KPMG Advisory Services Business Continuity Benchmarking Report