Page 575 - ITGC_Audit Guides
Assessment Objective: Plan Development and Strategy Implementation
Maturity Evaluation
Process Maturity level, with the Characteristics of Capability and the Method of Achievement at each level:

Optimizing
  Characteristics of Capability: Crisis, disaster recovery, and business resumption plans are integrated in planning and execution. Team membership is cross-functional and cross-regional. Expectations are clearly understood by all stakeholders. Plan maintenance is tightly integrated with organizational change management processes.
  Method of Achievement: Senior executive strategy sessions drive the planning priorities and alignment. Standardized training and awareness programs featuring BCM content are delivered to all planning participants. Plan development responsibilities rest with those closest to the issues, and plans are vetted for content and alignment. Expert independent review is scheduled and drives both tactical and strategic change.

Managed
  Characteristics of Capability: Coordination among CM, business resumption, and IT disaster recovery plans and teams is well defined. Plans are maintained on an as-needed basis, as opposed to a minimal standard (e.g. annually). Plan documentation is reviewed by a central authority, or signed off by senior management. Testing results and day-to-day experiences drive plan improvement. Documentation is appropriately secured and disseminated on an as-needed basis.
  Method of Achievement: A combination of centralized and decentralized planning efforts exists, with all personnel trained regarding their plan documentation roles and responsibilities. Plan updates are driven by organizational and technology change, as well as test/exercise results.

Defined
  Characteristics of Capability: CM (including ER and crisis communications), business resumption, and IT disaster recovery plans are documented and include organizational detail. All plans are updated annually. Although roles and responsibilities are clear, coordination among the plans is poorly defined.
  Method of Achievement: Each plan is assigned an owner who is responsible for its development and maintenance (using an organization template standard as a starting point). The appropriate parties drive content of the plans, and quality control remains with the plan owner. Scheduled maintenance drives plan updates. Internal auditing is seen as a BC planning partner and is part of the continuous improvement process.

Repeatable
  Characteristics of Capability: The focus of the planning effort is IT disaster recovery documentation and ER planning (building evacuation, first aid, etc.). Some CM documentation exists, but its focus is on IT incident response. The primary reason for plan documentation is to avoid audit comments. Plans are often updated in an ad hoc manner.
  Method of Achievement: Plan documentation is driven by internal or third-party audit findings. The technology leadership team is leading the plan documentation effort; therefore little exists outside of IT.

Initial
  Characteristics of Capability: Where plans exist, they are developed in silos, lacking detailed business and technology procedural details. BCM stakeholders do not know their roles and responsibilities or, in some cases, even their involvement in response and recovery execution. Plans are often out of date. Response and recovery relies on memory, and execution is often ad hoc and led by a few key employees.
  Method of Achievement: Produced by a lack of understanding and focus on BCM. Plans often start with publicly available or software-based templates, and little is done to customize the content. Plans often focus on ER and the theory of recovery planning.