CobIT DS04 Continuity Management

The need for providing continuous IT services requires developing, maintaining and testing IT continuity plans, utilising offsite backup storage and providing periodic continuity plan training. An effective continuous service process minimises the probability and impact of a major IT service interruption on key business functions and processes.
DS4.1 IT Continuity Framework

Test the Control Design
• Enquire whether and confirm that an enterprisewide business continuity management process is designed and approved by executive-level management.
• Inspect the current business impact analysis and determine whether continuity planning has resulted in clear positioning of required resources to recover the business
IT Governance Institute, IT Assurance Guide: Using COBIT, Appendix IV (p. 169)
DS4 Ensure Continuous Service (cont.)

DS4.2 IT Continuity Plans

Control Objective:
Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes. The plans should be based on risk understanding of potential business impacts and address requirements for resilience, alternative processing and recovery capability of all critical IT services. They should also cover usage guidelines, roles and responsibilities, procedures, communication processes, and the testing approach.

Value Drivers:
• Continuous service across IT, addressing the requirements for critical IT resources
• Defined and documented guidelines, roles and responsibilities
• Achieved short- and long-range objectives supporting the organisation's objectives

Risk Drivers:
• Failure to recover IT systems and services in a timely manner
• Failure of alternative decision-making processes
• Lack of required recovery resources
• Failed communication to internal and external stakeholders
Test the Control Design
• Confirm that business continuity plans exist for all key business functions and processes.
• Review an appropriate sample of business continuity plans and confirm that each plan:
– Is designed to establish the resilience, alternative processing and recovery capability in line with service commitments and availability targets
– Defines roles and responsibilities
– Includes communication processes
– Defines the minimum acceptable recovery configuration
• Obtain the overall testing strategy for business continuity plans and evidence that tests are being executed with the agreed-upon frequency.
• Review the outcome of testing, and ensure that resulting actions are followed up.
DS4.3 Critical IT Resources

Control Objective:
Focus attention on items specified as most critical in the IT continuity plan to build in resilience and establish priorities in recovery situations. Avoid the distraction of recovering less-critical items and ensure response and recovery in line with prioritised business needs, while ensuring that costs are kept at an acceptable level and complying with regulatory and contractual requirements. Consider resilience, response and recovery requirements for different tiers, e.g., one to four hours, four to 24 hours, more than 24 hours and critical business operational periods.

Value Drivers:
• Cost management for continuity
• Effective management of critical IT resources
• Prioritised recovery management

Risk Drivers:
• Unavailability of critical IT resources
• Increased costs for continuity management
• Prioritisation of services recovery not based on business needs
Test the Control Design
• Obtain a list of business functions with their respective business criticality, and ensure that continuity plans exist for the most critical business functions, supporting processes and resources.
• Review the plans to ensure that they are designed (and tested) to meet business objectives and legal and regulatory requirements.
• Determine how consistency between plans is ensured.
DS4.4 Maintenance of the IT Continuity Plan

Control Objective:
…ensure that the IT continuity plan is kept up to date and continually reflects actual business requirements. Communicate changes in procedures and responsibilities clearly and in a timely manner.

Value Drivers:
• …objectives
• Change control procedures for IT continuity plans
• Familiarity of IT continuity plans for appropriate individuals

Risk Drivers:
• …business needs and technology
• Lack of change control procedures
Test the Control Design
• Enquire whether and confirm that all copies of the IT continuity plan are updated with revisions and are stored on- and offsite.
• Enquire whether and confirm that all critical changes to IT resources are communicated to the continuity manager for update of the IT continuity plan.
• Enquire whether and confirm that changes to the continuity plan are made at intervals appropriate for the triggers and follow accepted change control procedures.
DS4.5 Testing of the IT Continuity Plan

Control Objective:
Test the IT continuity plan on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant. This requires careful preparation, documentation, reporting of test results and, according to the results, implementation of an action plan. Consider the extent of testing recovery of single applications to integrated testing scenarios to end-to-end testing and integrated vendor testing.

Value Drivers:
• Effective recovery of IT systems
• Staff experienced in the recovery processes for IT systems
• Upgraded plans overcoming shortcomings in the restoration of systems

Risk Drivers:
• Shortcomings in recovery plans
• Outdated recovery plans that do not reflect the current architecture
• Inappropriate recovery steps and processes
• Inability to effectively recover should real disaster occur
Test the Control Design
• Enquire whether and confirm that IT continuity tests are scheduled and completed on a regular basis after changes to the IT infrastructure or business and related applications.
• Ensure that new components and updates are included in the schedule.
• Enquire whether and confirm that a detailed test schedule has been created and includes testing details and event chronology to ensure a logical and real sequence of occurring interruptions.
• Enquire whether and confirm that a test task force has been established, and the members are not key personnel defined in the plan and the reporting is appropriate.
• Enquire through interviews with key staff members whether debriefing events occur and, within these events, whether failures are analysed and solutions are developed.
• Enquire through interviews with key staff members whether alternative means are evaluated when testing is not feasible.
• Enquire whether and confirm that success or failure of the test is measured and reported and the consequential change is made to the IT continuity plan.
• Review results and evaluate how the results are reviewed to determine operating effectiveness.
DS4.6 IT Continuity Plan Training

Test the Control Design
• Enquire through interviews with key staff members whether regular training is performed.
• Enquire whether and confirm that training needs and schedules are assessed and updated regularly.
• Review schedules and training material to determine operating effectiveness.
• Enquire through interviews with key staff members whether IT continuity awareness programmes are being performed on all levels.
DS4.7 Distribution of the IT Continuity Plan

Control Objective:
Determine that a defined and managed distribution strategy exists to ensure that plans are properly and securely distributed and available to appropriately authorised interested parties when and where needed. Attention should be paid to making the plans accessible under all disaster scenarios.

Value Drivers:
• Staff experienced in the recovery processes for IT systems
• Staff trained in the recovery processes
• Plans available and accessible to all affected parties

Risk Drivers:
• Confidential information in the plans compromised
• Plans not accessible to all required parties
• Upgrades of the plan not performed in a timely manner due to uncontrolled distribution strategies
Test the Control Design
• Enquire whether and confirm that a distribution list for the IT continuity plan is created, defined and maintained. Review whether the need-to-know principles have been maintained during development of the list.
• Obtain the distribution procedure from management.
• Evaluate the procedure and verify compliance.
• Enquire whether and confirm that all digital and physical copies of the plan are protected in an appropriate manner and that the documents are accessible only by authorised personnel.
DS4.8 IT Services Recovery and Resumption

Control Objective:
…services. This may include activation of backup sites, initiation of alternative processing, customer and stakeholder communication, and resumption task procedures. Ensure that the business understands IT recovery times and the necessary technology investments to support business recovery and resumption needs.

Value Drivers:
• Prioritised recovery of business-critical processes

Risk Drivers:
• Failure to recover business-critical systems and services in a timely manner
Test the Control Design
• Obtain a copy of the incident handling procedure, and ensure that it includes steps for damage assessment as well as formal decision points and thresholds to activate continuity plans.
• Review IT recovery plans, and confirm that they meet business requirements.
DS4.9 Offsite Backup Storage

Control Objective:
Store offsite all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity plans. Determine the content of backup storage in collaboration between business process owners and IT personnel. Management of the offsite storage facility should respond to the data classification policy and the enterprise's media storage practices. IT management should ensure that offsite arrangements are periodically assessed, at least annually, for content, environmental protection and security. Ensure compatibility of hardware and software to restore archived data, and periodically test and refresh archived data.

Value Drivers:
• Availability of backup data in the event of physical destruction of hardware
• Offsite data consistently managed throughout the organisation
• Appropriate protection of offsite storage

Risk Drivers:
• Unavailability of backup data and media due to missing documentation in offsite storage
• Loss of data due to disaster
• Accidental destruction of backup data
• Inability to locate backup tapes when needed
Test the Control Design
• Enquire whether and confirm that data are protected when they are taken offsite, whilst they are in transport and when they are at the storage location.
• Enquire whether and confirm that the backup facilities are not subject to the same risks as the primary site.
• Enquire whether and confirm that regular testing is performed to ensure the quality of the backups and media.
• Review testing procedures to determine operating effectiveness.
• Verify that the backup media contain all information required by the IT continuity plan, e.g., by comparing the contents of the backups and/or the restored systems with the operational systems.
• Enquire whether and confirm that sufficient recovery instructions and labelling exist.
• Enquire whether and confirm that an inventory of backups and media exists, and verify its correctness.
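The two DS4.9 test steps above that ask the assurance professional to compare backup contents with the operational systems and to verify the media inventory can be carried out with a small, repeatable check rather than by eye. The Python below is an added example written for this page; it is not ISACA's or any backup product's code. It assumes a hypothetical continuity plan expressed as a set of required paths, a media inventory recorded as path-to-SHA-256 entries when the offsite media were written, the live operational copies, and the files a restore test brought back. All paths, contents and hashes are constructed sample data.

```python
"""Added example (not part of the COBIT text): an auditor-style check of offsite
backup completeness and integrity, following the DS4.9 test steps of comparing
backup contents with the operational systems and verifying the media inventory.
All paths, contents and hashes below are constructed sample data."""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Content hash used to compare a backed-up item with another copy of it."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: items the (hypothetical) IT continuity plan says must be
# recoverable from offsite media.
PLAN_REQUIRED = {"db/orders.dump", "config/app.yaml", "keys/escrow.kdb"}

# Constructed sample: contents of the operational systems at audit time.
OPERATIONAL = {
    "db/orders.dump": b"orders-v17",
    "config/app.yaml": b"listen: 443\n",
    "keys/escrow.kdb": b"kdb-blob",
    "logs/today.log": b"not required by the plan",
}

# Constructed sample: inventory recorded when the offsite media were produced
# (path -> sha256 of the content that was actually written to the media).
BACKUP_MANIFEST = {
    "db/orders.dump": sha256_hex(b"orders-v16"),   # older than the live copy
    "config/app.yaml": sha256_hex(b"listen: 443\n"),
    # keys/escrow.kdb was never written to the media
}

# Constructed sample: what a restore test brought back from the media.
RESTORED = {
    "db/orders.dump": b"orders-v16",
    "config/app.yaml": b"listen: 444\n",   # altered by media fault or restore step
}


@dataclass
class BackupFindings:
    missing: set = field(default_factory=set)   # required by plan, not on media
    stale: set = field(default_factory=set)     # on media, but differs from live copy
    verified: set = field(default_factory=set)  # on media and matches live copy

    def ok(self) -> bool:
        return not self.missing and not self.stale


def check_completeness(plan_required, operational, manifest) -> BackupFindings:
    """Does the media hold everything the plan requires, as it currently exists?"""
    findings = BackupFindings()
    for path in sorted(plan_required):
        if path not in manifest:
            findings.missing.add(path)
        elif path in operational and sha256_hex(operational[path]) == manifest[path]:
            findings.verified.add(path)
        else:
            findings.stale.add(path)
    return findings


def check_restore(restored, manifest) -> set:
    """Inventory entries the restore test could not reproduce exactly: the path
    came back with different content, or did not come back at all. Either way
    the inventory does not describe what the media can actually deliver."""
    bad = set()
    for path, expected in manifest.items():
        if path not in restored or sha256_hex(restored[path]) != expected:
            bad.add(path)
    return bad


if __name__ == "__main__":
    f = check_completeness(PLAN_REQUIRED, OPERATIONAL, BACKUP_MANIFEST)
    print("missing:", sorted(f.missing), "stale:", sorted(f.stale), "ok:", f.ok())
    print("restore mismatches:", sorted(check_restore(RESTORED, BACKUP_MANIFEST)))
```

The check deliberately reports three distinct findings. A missing item means the backup scope never matched the plan; a stale item means the plan's content is on the media but the backup cycle has fallen behind change control (the DS4.4 concern of critical changes not reaching the continuity manager); a restore mismatch means the inventory is not a correct description of the media. Each points the follow-up at a different control.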
DS4.10 Post-resumption Review

Test the Control Design
• Enquire whether and confirm that the shortcomings of the plan have been highlighted and post-recovery meetings discussing opportunities for improvement are performed.
• Review plans, policies and procedures to determine operating effectiveness.
Take the following steps to test the outcome of the control objectives:
• Determine the management level for establishing the continuity framework to support enterprisewide business processing recovery processes.
• Determine the components defined to address the IT continuity accountabilities and responsibilities for supporting the business strategy in response to a business disruption.
• Assess the IT continuity plans for recovery strategies and required service levels to meet the business processing objectives.
• Determine the effectiveness of the communications plan created to ensure the safety of all affected parties and co-ordination with public authorities.
• Assess the guidelines, roles and responsibilities achieving recovery of short- and long-range business processing requirements.
• Assess whether IT continuity planning training is provided on a periodic basis.

Take the following steps to document the impact of the control weaknesses:
• Assess whether the IT continuity services sufficiently support achieving business processing services to meet short- and long-range organisation objectives.
• Assess the framework to determine whether the planning invokes dependencies on key individuals rather than prioritisation of recovery strategies.
• Assess the impact on business processing in the event IT systems are not recovered in a timely manner without an alternative decision-making process.
• Determine the business impact required if recovery resources are not available and there is no ability to communicate with internal and external stakeholders.
• Enquire of management whether IT disruptions were prolonged as a result of untrained staff members who did not follow IT continuity planning procedures.