75-20-25
EDP AUDITING
CHANGES THAT COULD
AFFECT THE IS BUSINESS
CONTINUITY PLAN
JoAnn Bozarth and Belden Menkus
INSIDE
Changes that Can Affect Recovery Needs; Changes in Recovery Techniques
INTRODUCTION
At one time, a review of the IS business continuity plan every two years
was recommended. And, for some aspects of the plan, that recommenda-
tion still may be sufficient. But change is occurring so fast these days that
a more frequent, perhaps even a continuing, review is needed to ensure
that, as written, the plan reflects the organization's current information
processing environment.
Changes in the IS environment can occur as a result of changes in tech-
nology, in the nature and mix of an organization's human resources, in
the enterprise's direction, and in the potential threats to its continued op-
erations. These changes can work together to create an IS environment
where the recovery challenge is more complex, yet meeting it is more crit-
ical to business survival. In response to these changed recovery needs, or-
ganizations adopt what has been called "advanced" recovery technology
and techniques to replace, or add to, their traditional recovery methods.
This article discusses some of the various types of changes, particularly
the adoption of new ways of addressing recovery needs, that could affect
the plan's currency and effectiveness.
This article does not address the mechanics of auditing the plan for currency or of keeping the plan in sync with changes as they occur.
PAYOFF IDEA
Changes in the IS operating environment, in the nature and the types of the potential threats to the organization's survival, and in implemented business continuity technologies and techniques are occurring faster than ever. Keeping the written IS business continuity plan current with those changes is crucial to the plan's utility at a time of crisis.
04/00 Auerbach Publications
© 2000 CRC Press LLC
CHANGES THAT CAN AFFECT RECOVERY NEEDS
The types of changes discussed in this article section can affect the relevance of a business impact analysis (BIA) that may have been performed
in the past as a part of the organization's contingency planning. A revised
BIA that reflects the changes that have taken place and identifies and
quantifies their expected impacts on business operations usually reveals
a need for enhanced IS recovery planning.
Changes in IS and End-User Departments
User departments and IS experience change in several areas as they
adopt new computing and telecommunication technological offerings.
Any of these changes that affect the recovery process should be incorpo-
rated into the business resumption plan. Examples of these new offerings
include enterprise resource planning, E-commerce, and data warehous-
ing. Organizations take up these new offerings as a way to solve real
business problems. The trend is to integrate all of the affected applica-
tions and data into single databases and to enter all of the data online,
making the only record of these transactions the electronic data itself.
Moreover, the trend at one time toward distributing systems from IS out
into the user departments is now reversing in some organizations toward
bringing these systems back into IS for safety and control purposes.
Where these changes occur, increasing reliance is placed on IS and the
IS infrastructure.
In IS, some changes might be software changes and equipment config-
uration changes, such as alterations in operating system software functions
and parameters, network software and node definitions, the hardware
configuration, the telecommunication capabilities, and vendor offerings.
In the case of end users, these changes might be the adoption of new,
or the modification of old, information processing applications or disk
operating procedures. Also, key management and staff member respon-
sibilities may change. These and any other revisions that impact the ex-
isting business resumption plan documentation should be incorporated
into the plan. Not to be overlooked in plan currency maintenance are the
changes to the contact lists of conventional voice telephone, cell phone,
fax, and pager numbers, as well as the relevant e-mail addresses.
Changes in the Organization
Organizations may undergo major changes such as mergers or takeovers;
reengineering of the organization's main business, even a refocusing of
various aspects of its business, leading to the establishment of new busi-
ness partnerships; or the actual control of the enterprise passing to a larg-
er organization. (The last change may involve, for example, the control
of a hospital passing to a health management organization, or the control
of the organization passing to an acquiring conglomerate. In these situa-
tions, both IS production and its recovery may have to be synchronized
with those of these other enterprises.) But even incremental changes may
affect the plan's currency and utility. In the case of a major change, the
business continuity plan may need more than updating. Its complete re-
vision may be necessary.
Also, changes in approaches to filling personnel requirements (for example, the switch to the widespread use of temporary workers or telecommuters) may impact recovery efforts and should be allowed for in the
plan. For example, the existing plan provisions for onsite cleanup after a
flood or fire may have to be altered to reflect the realities that have been
imposed by these new approaches.
Other Changes
Individuals assigned to specific tasks and responsibilities under the exist-
ing IS business continuity plan no longer may be employed by the orga-
nization or may have taken positions in the organization that are
inappropriate for their assignment under the plan. Or, they may not be
familiar with changes made to the plan since their last exposure to it.
(This may be true, as well, of the contact people assigned to the organi-
zation by the vendors who will play a role in the recovery effort.) Con-
tractual arrangements with telecommunication and hardware vendors
may have expired and not been renewed. Instead, other vendors may
have been contracted with and their representatives may lack the desired
familiarity with the provisions of the business continuity plan. Possibly,
the key vendors who were expected to be involved in the operations
restoration process cannot be counted on now. They may have gone out
of business, or simply ceased to be a key vendor. The hot-site or similar
alternate operations facility no longer may be large enough or have suf-
ficient capability to fit current IS operational needs.
Any rise in the level of the existing corporate commitment to distrib-
uted computing should be reflected in the plan. As applications become
increasingly interdependent, even low-priority applications can take on
some of the attributes of criticality assigned to those applications that are
most important to the organization's business survival. (This interdepen-
dence may involve a complicated set of differing relations with a chang-
ing mix of suppliers, principal customers, and divergent government
bodies. And, it may include the handling of both complex graphics and
conventional textual materials.)
CHANGES IN RECOVERY TECHNIQUES
Traditional recovery techniques may have informed the initial develop-
ment and the subsequent revisions and reviews of the IS business conti-
nuity plan. The abandonment by the organization of any or all of those
techniques in favor of implementing one or more of the so-called tech-
nologically advanced recovery techniques, since the last plan revision or
review, may call for an extensive overhaul of the plan.
Why Organizations Change to Advanced Techniques
Technologically advanced recovery techniques are considered and
adopted by organizations as senior executives come to realize the serious
impact that unplanned interruption to critical applications can have on
their business activities in a changed environment. A senior executive
may have become concerned because of the disaster-related problems
experienced by a competitor, another organization, or by the impact of
natural disasters or other events on their industry or the geographic area
in which the executive's organization does business. But, usually, the in-
strument that converts concern to a decision to turn to advanced recov-
ery techniques is a revised BIA -- one that identifies and quantifies the
impacts in a changed environment if relying on conventional recovery
methods currently in place.
An organization may select a combination of techniques to create a
customized solution. Also, with limited resources and competing priori-
ties, a phased approach for introducing such a solution may be required.
Which of the numerous advanced recovery options that an organiza-
tion selects depends on the organization's key objectives for recovery as
identified in the revised BIA. In the BIA, management establishes the re-
covery time objective (RTO) and recovery point objective (RPO). (Recov-
ery time refers to the amount of time that elapses from the point when a
business operation was disrupted until that operation is resumed and
current business transactions can be applied. By contrast, recovery point
reflects the age of the last-available data that was captured before the in-
terruption. The closer these points are together, the greater the need for
quick recovery.)
Other Factors that Affect the Selection Process
In addition to the possible impact on RTO/RPO of a given advanced re-
covery solution, other factors may play a role in an organization's selection
of a particular solution. For example, because some of these solutions are
more costly to implement than others, the balance of budget constraints
against the impacts quantified in the BIA often define the selection pro-
cess. Also, a consideration could be that the use of certain advanced re-
covery techniques, in contrast to certain others, may offer a projected
reduction in the time required for completing recovery testing and a po-
tential for carrying out more in-depth testing in the same timeframe.
Another consideration that could influence selection is that an organiza-
tion's preferred telecommunication and business continuity vendors may
not offer all of these solutions, limiting the acceptable available options. In
that case (or if it is known that a vendor's operations could be affected at
the same time that the organization's operations are impacted, such as
when a flood or a tornado or hurricane occurs), the organization may rec-
ognize a need to develop in-house an advanced recovery capability.
Factors related to IS production could bear on the selection of ad-
vanced recovery technology. These deserve a bit more explanation be-
cause of their likely effect on the computing environment.
Factors Related to IS Production. Certain advanced recovery technol-
ogies offer the potential for improvement in several important aspects of
IS production. These include the disk I/O response and throughput, and
the response of the particular application that is affected, the tape write
times, and database update performance. The possibility of improved IS
production performance and a consequent improved return on invest-
ment may sway the selection process outcome to one solution or another.
Another IS production concern is whether a recovery methodology
that is being considered for selection will provide for business continuity
testing that does not disrupt the recovery capability of IS production. This
provision is likely to require that the organization maintain separate cop-
ies of its data for testing purposes and for carrying out the actual recovery
process.
IS production that involves the use of an advanced recovery site will
be influenced in various ways if the telecommunication connection with
that site is lost and then regained. In making a recovery solution selec-
tion, the reconnection effects of that solution may be considered. A main
consideration could be whether the product is able to detect communi-
cation loss. How a product resynchronizes the principal and recovery
sites after the restoration of communications is an important consider-
ation. The state of the data can affect the ability of the organization to re-
cover during this resynchronization, depending on the solution that has
been chosen.
Advanced Recovery Techniques
A variety of technologically advanced recovery techniques are available.
The variety of these offerings can be expected to grow as the business
continuity-related uses of computing technology continue to develop.
Advanced recovery offerings, in general, can be categorized as electronic
vaulting mechanisms or structural mechanisms, as follows.
Electronic Vaulting Mechanisms. Electronic vaulting provides an al-
ternative to the lengthy process of transporting and staging, as well as lo-
cating and having returned by some form of courier arrangement,
particular backup records that are maintained on magnetic tape in a des-
ignated secure recovery location. Electronic vaulting is the process of
routine bulk transmission of data to an appropriate recovery location. It
can take several forms. These include remote transaction journaling, da-
tabase shadowing, and remote mirroring.
Remote Transaction Journaling. This is based on the concurrent interception of the writes to a local database transaction log or journal and the
transmission of this intercepted data offsite in real time. In an ideal setting, this
mechanism provides a recovery point within seconds of the failure.
Database Shadowing. This aggressively combines the maintenance of a
point-in-time copy of a database on disk (essentially, a standby database)
with remote journaling and the regular, scheduled application of the
log/journal updates to the database.
Database shadowing is a flexible option for meeting a time-critical appli-
cation-specific RTO. Database shadowing allows for application updates
to be shadowed as often as may be required to meet the RTO. Applica-
tions requiring shorter RTOs will need more frequent updates to the da-
tabase. Regardless of the recovery time required, here too the recovery
point will occur within seconds of the failure.
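The relationship described above between shadowing frequency, RTO, and RPO can be checked with a small model. This is an added example, not material from the original article; the journal sample is constructed, and the link lag, apply rate, restart overhead, and objectives are assumed figures that an auditor would replace with measured values and the BIA's own RTO/RPO.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class JournalRecord:
    written_at: int   # seconds since start of shift, production clock
    size_bytes: int

def vaulted(journal, failure_at, ship_lag):
    """Journal records that reached the recovery site before the failure."""
    return [r for r in journal if r.written_at + ship_lag <= failure_at]

def recovery_point_age(journal, failure_at, ship_lag):
    """Age in seconds of the newest data held at the recovery site."""
    at_vault = vaulted(journal, failure_at, ship_lag)
    if not at_vault:
        return None  # nothing was vaulted, so there is no recovery point
    return failure_at - max(r.written_at for r in at_vault)

def backlog_bytes(journal, failure_at, ship_lag, apply_interval):
    """Vaulted journal bytes not yet applied to the shadow database."""
    # Assumption: scheduled applies run at exact multiples of apply_interval.
    last_apply = (failure_at // apply_interval) * apply_interval
    return sum(r.size_bytes for r in vaulted(journal, failure_at, ship_lag)
               if r.written_at + ship_lag > last_apply)

def assess(journal, failure_at, ship_lag, apply_interval,
           apply_rate, restart_overhead, rpo, rto):
    """Compare the modelled recovery point and time with the BIA objectives."""
    age = recovery_point_age(journal, failure_at, ship_lag)
    pending = backlog_bytes(journal, failure_at, ship_lag, apply_interval)
    took = restart_overhead + pending / apply_rate  # backlog applied before resuming
    return {"recovery_point_age": age, "recovery_time": took,
            "meets_rpo": age is not None and age <= rpo,
            "meets_rto": took <= rto}

# Constructed sample: one 1 MB journal write every 10 s up to the failure.
JOURNAL = [JournalRecord(t, 1_000_000) for t in range(10, 6901, 10)]
# Assumed figures: 2 s link lag, 500 kB/s apply rate, 300 s restart,
# RPO objective 30 s, RTO objective 600 s.
COMMON = dict(failure_at=6905, ship_lag=2, apply_rate=500_000,
              restart_overhead=300, rpo=30, rto=600)

if __name__ == "__main__":
    for interval in (3600, 600):  # hourly versus ten-minute shadow updates
        print(interval, assess(JOURNAL, apply_interval=interval, **COMMON))
```

In this model the recovery point is the same for both schedules, because it depends only on journal transmission, while the recovery time falls as the shadow is updated more often.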
Remote Mirroring. With remote mirroring, a duplicate copy of an orga-
nization's data can be maintained at a remote location. This permits a
drastic improvement in recovery point and recovery time for the protect-
ed data. The two methods of remote mirroring are host-based software
and controller-based software. Controller-based mirroring offers the abil-
ity to support enterprise storage recovery with a single product. Because
IS personnel are managing a single product in this scenario, it is likely to
require fewer resources, resulting in savings that offset some of the costs.
Host-based mirroring allows the recovery point to be managed to an
absolutely consistent timestamp across all of the data protected in a defined group that needs to be consistent.
All of these forms of electronic vaulting can be carried out either on a
routine, or a specifically scheduled, basis. Electronic vaulting is suitable,
in particular, to be maintained through a form of virtual private network
(VPN) arrangement. Data can be moved through such an arrangement to
the electronic vault at different logical levels -- such as by tape volume,
by disk volume, or by individual file, as defined by the requirements of
the information processing application that must be recovered -- but all
provide for continuous maintenance of a remote copy of discrete data at
a specific point in time.
Structural Mechanisms. Electronic vaulting may be complemented by
using some combination of a standby operating system, a hot network
node, system replication, and system fail-over.
Standby Operating System. This refers to maintaining a remote copy of
the operating system on disk that is connected directly to the recovery
processor. Doing this ensures that systems being protected can be hard-
ware attached and restarted immediately at the recovery site at time of
test or the occurrence of a disaster.
Hot Network Node. A hot network production node is one that is always
ready to operate. A hot network node can be located in the same loca-
tion as the recovery capability. Because the hot network node is always
in use and is monitored continually, the potential for its failure is mini-
mized. Such an arrangement promises to alleviate the complexity and
time-consuming difficulty of establishing network communications at the
time of disaster by prestaging the restoration configuration, which elimi-
nates or reduces error and excess recovery time impact. By this means,
access to systems and data by those who need them is maintained, which
is the basic requirement of an effective rapid recovery of those systems
and data.
System Replication and System Fail-over. System replication provides a
continuous operating environment by endlessly duplicating systems, da-
ta, and networks at a remote location. System fail-over functionality is the
ability for the backup system to take over immediately from the produc-
tion system at the moment of disruption. The addition of system fail-over
functionality addresses both the RTO and the RPO constraints.
An IS Auditing Concept
The effectiveness of these advanced technology business continuity
methods rests on the determined application of a concept that will be fa-
miliar to the IS auditor: consistent control of the techniques and the data
that are used in them. Special attention should be given to means for
keeping the selected and implemented technology in sync with the basic
systems and for keeping the data current. Obsolete data should be
purged from these recovery solutions promptly to avoid possible confu-
sion or error in the recovery process.
CONCLUSION
The traditional two-year cycle of reviewing and revising the IS business
continuity plan may not be adequate to ensure that the plan's contents
reflect changes that affect recovery needs and recovery methods. This ar-
ticle discussed first a sampling of some of the changes that can affect re-
covery needs. It then discussed changes in recovery methods, beginning
with some of the issues associated with selecting advanced technology
recovery solutions and going on with a brief description of some of the
advanced business continuity techniques that are available to address the
changes in recovery needs.
JoAnn Bozarth is a principal in Menkus Associates. Previously, she contributed "Questions to Answer in Assessing
Business Resumption Preparedness" and "Getting More From Audit Resources When Developing and Evaluating
IS Disaster Recovery Plans" to EDP Auditing.
Belden Menkus, CISA, CSP, CCP, CRM, is the consulting editor of the Auerbach Information Management Service
on EDP Auditing and the editor of EDPACS. He is a principal in Menkus Associates, consultants in information
systems auditing, security, and quality, of Manchester, Tennessee.