Join Michael Lester for an in-depth discussion in this video, Introduction, part of CISA Cert Prep: 2 Information Technology Governance and Management for IS Auditors.
- [Narrator] Alright, let's talk about business continuity planning and disaster recovery. So, some things you need to ask yourself: is your organization prepared for a disaster? Is the organization impact tolerant? Can it tolerate the impact of some kind of disaster that affects the whole organization? Are the people prepared, and are they trained to handle certain events? Is the business continuity plan documented and approved by management? Is the staff properly trained on the recovery procedures, on what to do when the bad things happen? Get back up and running, keep the business alive.
Is the business continuity plan current and regularly tested? Those are two huge things we'll talk about. And finally, does the business continuity plan ensure the timely resumption of critical business functions? That's the real name of the game, critical business functions. That's what business continuity planning is really all about, keeping the critical business functions of the organization up and running. We'll talk about what those are. So, how do we compare disaster recovery planning to business continuity planning? Well, disaster recovery is really all about how to get back up and running.
Oh darn, the server blew up. How do we get it back online and get it back up and running? That's a disaster recovery conversation. It tends to be very IT focused, and it's really all about getting things back online. It's short-term as compared to the business continuity planning, or the BCP part of this. The business continuity discussions are much more long-term, and they focus on how a business can stay alive, even in a crippled state. It's all about the continuity of the critical business functions of the organization, whatever those functions are.
And it's there to make sure that the business can survive. Now, it's long-term compared to the disaster recovery plan or disaster recovery procedures. So what's the purpose of a business continuity plan? First, ensure the survivability of the business. At the end of the day, we want to keep this organization doing whatever it's doing: making widgets, or offering a service, or, you know, defending the country, whatever the mission of the organization is. We want to provide an immediate and appropriate response to emergency situations. You want to have the reactions you're going to take scripted and ready to go, and you know who's going to do what. You always want to protect human life and safety; that's an important thing to consider, not just for the real world but also on any exam.
Whenever you see something that involves human life, that's typically the answer on the exam somewhere, right? Save the people first, that's rule number one. And there it is, we want to resume the critical business functions. That's one of the main things that we're talking about when we talk about business continuity. It's all about keeping the critical business functions of the organization up and running. Well, we're a widget company, we make widgets, so our four primary functions are: we sell widgets, we have a sales function; we build widgets, we have a production function; we bill for widgets, we have an accounting function; and then maybe we have a shipping function to ship them off to the customers.
Well, those primary functions, those four things, are why we're here. If we stop any one of those, we're out of the widget-making business. That's the idea. Those are the critical business functions. We'll talk about those as we go through this chapter. We want to know how we're going to work with outside vendors or other third parties during the disaster, and we want to reduce the confusion; there's a fog-of-war effect during a crisis. Those are the real main goals of a business continuity plan.
Instructor Michael Lester starts out with a description of IT governance and the role of IT policies, processes, and standards, providing examples of many of the most common types. He reviews three key areas for auditing: risk management, business continuity, and disaster recovery planning. He also explains how an IT department and its auditing team should be organized. At each stage, he explains how the auditor would address these topics in a typical audit environment.
- IT governance
- Policies, processes, and standards
- Risk management
- IT organization
- Business continuity
- Disaster recovery