Page 577 - ITGC_Audit Guides

Assessment Objective: Testing and Plan Maintenance
Maturity Evaluation (process maturity levels, listed from most to least mature)

Optimizing
  Characteristics of Capability:
    BC testing is unannounced. Simulations are developed using probable risks that were identified in a risk assessment. Tests are primarily measured by an expected recovery. Entire departments work at an alternate site for a defined period of time using backup systems and resources. Third-party business partners and vendors participate in testing. Updates to the plan are automatically integrated through a maintenance process.
  Method of Achievement:
    Team members become thoroughly trained, and their response is merely a reaction. Minimal planning is performed in preparation for tests, and the planning that is performed is done secretly by a few individuals. Response and recovery team members have minimal reliance on plan documentation aside from some technical procedures or contact lists that are up-to-date. Automated tools are employed to maintain plans and keep them current and reflective of the business operations.

Managed
  Characteristics of Capability:
    Full BC testing, for business and IT, is regularly performed. Simulations are developed using probable risks that were identified in a risk assessment. Tests are measured by the rate of recovery of critical components or functions such as connectivity, application usage, or transaction processing. Plans are maintained off site and updates are made at the conclusion of testing. Internal auditing observes the exercise and ensures plans are updated.
  Method of Achievement:
    Test planning encompasses CM, business resumption, and IT disaster recovery. Team members are cross-trained on all relevant procedures. There is little reliance on plan documentation, although procedural and contact list inaccuracies should be addressed in a timely manner. Internal auditing monitors test planning, execution, and action items resulting from the test. Plan updates should be the responsibility of the process owners, with oversight from internal auditing.

Defined
  Characteristics of Capability:
    BC and IT disaster recovery tests are sometimes performed together, but the focus is typically on component recovery. Continuity procedures are discussed using facilitated sessions to identify planning gaps. Tests are primarily measured using an expected timeframe for recovery and overall effectiveness. Entire departments work at an alternate site for a defined period of time, using backup systems. Lessons learned are documented, and plan updates are made on a scheduled basis.
  Method of Achievement:
    Business and IT personnel conduct regularly scheduled BC tests, designed to address business process and IT asset recovery. Users test connectivity and access to applications. The planning process for these tests is extensive and involves internal and external personnel as facilitators and/or monitors. Internal auditing participates in testing exercises and monitors the process for updating plans based on test results. Plan updates are the responsibility of the process owner, with central coordination.

Repeatable
  Characteristics of Capability:
    Testing is focused on IT disaster recovery and may involve end user validation of the recovered environment and/or the test results. In some organizations, management engages in scenario-driven, tabletop exercises of its CM capabilities. IT disaster recovery tests are focused on component recovery. Internal auditing reviews continuity procedures, if this function exists. Plan updates are made on a scheduled basis.
  Method of Achievement:
    IT personnel conduct regularly scheduled IT disaster recovery and component recovery tests. The planning process for these tests is extensive and should involve internal and external personnel as facilitators and/or monitors. Internal auditing participates in testing exercises and monitors the process for updating plans based on test results. One individual is responsible for plan updates.

Initial
  Characteristics of Capability:
    IT component testing takes place internally within the IT department, with limited knowledge of management and no participation from the user community. A formal testing schedule is not established, and test results are rarely documented. Testing does not result in amendments or improvements to response/recovery procedural documentation. Plans may not be well maintained or up-to-date because the BCM process is new.
  Method of Achievement:
    BC planning successes, normally limited to IT, are present where extraordinary individual efforts are the foundation. Training, where present, is limited to ER (first aid, evacuation, etc.) and IT component recovery activities. Plan updates are the responsibility of the process owners and do not follow a standard, monitored process.


