TITLE : AUDITING BUSINESS CONTINUITY PLAN
i) Details of Case Study/Project (Problem)
ABC Bank is one of the largest Public Sector Banks in India. Prosys is a leading Information Technology company in India offering quality software products and services in both the domestic and international markets. ABC Bank has signed a strategic IT partnership with Prosys. Accordingly, ABC Bank has licensed Prosys banking software, which includes Banksoft – the Core Banking Solution, eConnect – the Financial Middleware, and eBanker – the Internet Banking Solution. ABC Bank intends to deploy Banksoft across 1500 branches over the next 3 years.
The IT solution to be deployed by ABC Bank envisages setting up a data centre with main servers (Web server, Database server and Application server) and backup servers. The data centre will be replicated at another location with similar hardware and network. The identified branches will be connected to the data centre and the backup data centre through VSAT and leased lines. Each branch will have terminals with Windows QVT/Net for Telnet and I-Link Net/Win as the interface for printing. ABC Bank is planning to offer relationship banking to its customers, through which customers of any of its identified branches can transact at any other branch with a single account. Further, ABC Bank is also planning to offer Internet banking. ABC Bank has 1500 ATMs which are expected to be connected to the main servers, and it intends to add another 3000 ATMs at other locations. Customers of any of the 1500 branches can operate their accounts and transact on-line from anywhere.
The management of the bank has appointed our firm to evaluate the business continuity plan, which should ensure continuity of business services for all delivery channels to customers – at the branches, through the Internet and through ATMs. Management recognises the importance of having an effective business continuity plan and has used best practices as required for implementation of the BCP. The IS Audit involves a review of the business continuity plan covering all areas of critical operations and covering technology deployment across the bank.
Project Report (solution)
About ABC Bank :
ABC Bank is one of the largest Public Sector Banks in India. Like all other public sector banks, all its rules, procedures and policies are governed by the Reserve Bank of India and the Government of India. ABC Bank is planning to offer relationship banking to its customers, through which customers of any of its identified branches can transact at any other branch with a single account. ABC Bank is also planning to offer Internet banking. ABC Bank has 1500 ATMs which are expected to be connected to the main servers, and it intends to add another 3000 ATMs at other locations. Customers of any of the 1500 branches can operate their accounts and transact on-line from anywhere.
The maintenance of the bank's IT infrastructure relies heavily on external vendors such as Prosys, and this reliance is governed by SLAs.
About Prosys
Prosys is a leading Information Technology company in India offering quality software products and services in both the domestic and international markets.
About Audit Firm
BPS and Company is a Chartered Accountancy firm set up in 1992, with 15 partners working at a pan-India level and based in Raipur (Chhattisgarh). We provide a variety of services, for example Auditing, Accounting, Compliance, Risk Assessment, Advisory and Information System related services.
All the members of the firm are DISA qualified, so the firm specialises in information system related services including Business Continuity Audit.
ABC Bank has signed a strategic IT partnership with Prosys. Accordingly, ABC Bank has licensed Prosys banking software, which includes Banksoft – the Core Banking Solution, eConnect – the Financial Middleware, and eBanker – the Internet Banking Solution. ABC Bank intends to deploy Banksoft across 1500 branches over the next 3 years. The IT solution to be deployed by ABC Bank envisages setting up a data centre with main servers (Web server, Database server and Application server) and backup servers. The data centre will be replicated at another location with similar hardware and network. The identified branches will be connected to the data centre and the backup data centre through VSAT and leased lines. Each branch will have terminals with Windows QVT/Net for Telnet and I-Link Net/Win as the interface for printing.
The Information System policy, including the BCP policy, is governed and regulated by the Reserve Bank of India in consultation with the Central Government, as for all other public sector banks. Inspections are performed by the RBI at regular intervals to make sure that the bank follows all requirements and guidelines.
The bank also has a sound internal control system which facilitates regular audits of the separate dimensions of the bank's operations, with corrective actions taken on the basis of the recommendations of those audits.
ABC Bank is a public sector bank operating in diversified areas, so it also has clients in different areas. ABC Bank has 1500 ATMs which are expected to be connected to the main servers and intends to add another 3000 ATMs at different locations, and it aims to offer relationship banking, through which customers of any of its identified branches can transact at any other branch with a single account, as well as Internet banking. It is therefore necessary for the bank to have a single software solution that integrates this diversified portfolio of business, and Prosys provides that solution to the bank.
From the above it is clear that continuity of business is important for the bank's survival; a business continuity plan is therefore necessary. A Business Continuity Plan (BCP) forms part of an organization's overall Business Continuity Management (BCM) plan, which is the "preparedness of an organization": the policies, standards and procedures that ensure continuity, resumption and recovery of critical business processes at an agreed level, limit the impact of a disaster on people, processes and infrastructure (including IT), and minimize the operational, financial, legal, reputational and other material consequences arising from such a disaster.
A Business Continuity Plan audit provides assurance that the organisation has a proper BCM plan in operation and that it is being maintained and monitored effectively. Any weaknesses in the business continuity plan are identified and corrective actions are taken accordingly; the audit thus helps to maintain the effectiveness of the BCP.
The latest inspection by the RBI has made observations on the need for the bank to have an IS Audit of the bank's IT infrastructure primarily focusing on the adequacy of the BCP. The internal audit department of the bank, in its recent audit of the data centre, has commented on the need to obtain an independent IS Audit to confirm that the BCP of the bank is comprehensive and meets all requirements. The maintenance of the bank's IT infrastructure relies heavily on external vendors, which is governed by SLAs. Senior management has decided to have an independent IS Audit using the RBI checklist and other best practices. The RBI, in its Guidance Note on "Management of Operational Risk", has stressed the need to establish disaster recovery and BCP for technology related risks as part of the ORM framework. The RBI, in its circular on "Operational Risk Management: Business Continuity Planning", clearly states that the responsibility for effective BCP rests with the Board of Directors and top management, and has listed a set of minimum requirements for effective BCM by banks. The circular also requires banks to disclose information relating to major failures of critical systems, the customer segments/services impacted by those failures, and the steps taken to avoid such failures in future. The RBI, in its guidelines on "Outsourcing of Financial Services by Banks" in 2005, has mandated banks to ensure that the service provider has a BCP and that it is regularly tested and maintained. The RBI has made conscious efforts on an on-going basis to encourage banks to have an effective BCP in place and has reiterated this through several circulars. Predominantly, the message from these circulars in relation to BCP is as follows:
1) Boards of directors are required to approve a BCP policy, allocate sufficient resources and provide clear guidance and direction in this regard to top management.
2) Banks may provide for a comprehensive BCP rather than having only disaster recovery arrangements.
3) Banks should focus on keeping the 'Disaster Recovery' site current and on testing it comprehensively.
As we have seen, Indian banks have had a mandate to develop, implement and maintain a BCP for many years. The sheer nature of banking business requires a robust plan to provide resilience and to deal effectively with disasters that impact the continuity of its business. However, the emphasis, more often than not, has been on the Information Technology Disaster Recovery Plan (DRP) and not so much on people and processes. Additionally, the terms DRP and BCP are used interchangeably, stressing only the recovery of data and critical applications. The overall understanding of BCP therefore generally revolves around technology recovery, and the most important component, the human factor, is more often than not missed out. The BCP shall ensure:
1) The adequacy and appropriateness of its Business Continuity strategy.
2) Assessing the impact on the Bank’s Business Continuity Plan of additions or changes to existing business functions, Bank’s procedures, equipment, and facilities requirements.
3) Considering all factors and deciding upon declaring a “crisis”.
4) Maintaining and/or monitoring offsite office space sufficient for critical functions and to meet the facility recovery time frames.
5) Communicating changes in the “Organization IT Disaster Recovery Plan” plan that would affect groups/departments to those groups/departments in a timely manner so they can make any necessary changes in their plan.
6) Business Continuity Strategy is to recover critical business functions at the alternate site location.
7) IT Disaster Recovery Plan strategy should be there to assist in re-establishing connectivity to the departments and to establish remote communications to any alternate business site location.
8) Recovery Procedures: the specific activities and tasks that are to be carried out in the recovery process.
9) Review of the BCP methodology used for preparation of the plan.
10) Budgetary issues.
Terms and Scope of assignment
• It is expected to evaluate the processes of developing and maintaining documented, communicated, and tested plans for continuity of business operations and IS processing in the event of a disruption.
• To assess the ability of the organization to continue all critical operations during a contingency and to recover from a disaster within the defined critical recovery time period.
• To identify residual risks which are not identified and provide recommendations to mitigate them.
• To identify the plan of action for each type of expected contingency and its adequacy in meeting contingency requirements.
Identifying areas being reviewed
Banks should consider looking at BCP methodologies and standards – BS 25999 by BSI – which follow the "Plan-Do-Check-Act" principle.
Proposed scope of work
The Auditor will lead and assist the Bank BC/DR team in creating the following deliverables while targeting a project conclusion date of July 2016:
Knowledge Transfer : The Auditor will provide documentation at each stage of the project including,
where applicable, specific instructions or plans so that Bank can manage BC/DR planning on an ongoing
Risk Analysis : In conjunction with Bank staff, the Auditor will evaluate identified threats to the Bank, such as natural, man-made and technology-based threats, including the likelihood of occurrence and vulnerability to each threat, and the prioritization of the list of threats to the organization. This deliverable is critical to build and support a business case for implementation of the BC/DR plan.
Business Impact Analysis (BIA) : The Auditor will review the catalog of the Bank's business processes, created using objective metrics to measure the criticality of each process, in order to comment on and identify critical and non-critical processes. The Auditor shall comment on the Maximum Tolerable Downtime (MTD) established in the BIA and assign a recovery time objective (RTO) and recovery point objective (RPO) to each business process.
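As an added illustration of the BIA review described above (example code written for this page, not part of the report nor of any ABC Bank or Prosys tooling): a small Python model of a process catalog scored with weighted impact metrics, the checks an auditor would apply to the MTD, RTO and RPO assignments, and the resulting recovery priority. The metric weights, the 1-5 rating scale, the criticality threshold and the sample processes are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Weights for the objective impact metrics used to score criticality.
# These weights and the 1-5 rating scale are assumptions for this example,
# not figures from the report.
WEIGHTS = {"financial": 0.40, "regulatory": 0.35, "customer": 0.25}
CRITICAL_THRESHOLD = 3.0  # weighted score at or above which a process is "critical"


@dataclass
class BusinessProcess:
    name: str
    financial: int               # impact ratings, 1 (negligible) .. 5 (severe)
    regulatory: int
    customer: int
    mtd_hours: float             # Maximum Tolerable Downtime from the BIA
    rto_hours: Optional[float]   # assigned Recovery Time Objective (None = not assigned)
    rpo_hours: Optional[float]   # assigned Recovery Point Objective (None = not assigned)


def criticality_score(p: BusinessProcess) -> float:
    """Weighted impact score on the 1-5 scale."""
    return (WEIGHTS["financial"] * p.financial
            + WEIGHTS["regulatory"] * p.regulatory
            + WEIGHTS["customer"] * p.customer)


def is_critical(p: BusinessProcess) -> bool:
    return criticality_score(p) >= CRITICAL_THRESHOLD


def audit_findings(catalog: List[BusinessProcess]) -> List[str]:
    """Checks an auditor would apply to the BIA output:
    - every critical process must have an RTO and RPO assigned;
    - the assigned RTO must not exceed the MTD, otherwise the recovery
      target itself breaches the tolerable outage.
    """
    findings = []
    for p in catalog:
        if not is_critical(p):
            continue
        if p.rto_hours is None or p.rpo_hours is None:
            findings.append(f"{p.name}: critical process without an assigned RTO/RPO")
            continue
        if p.rto_hours > p.mtd_hours:
            findings.append(f"{p.name}: RTO {p.rto_hours}h exceeds MTD {p.mtd_hours}h")
    return findings


def recovery_order(catalog: List[BusinessProcess]) -> List[str]:
    """Critical processes in the order they should be recovered: shortest RTO
    first, ties broken by higher criticality; processes with no RTO go last."""
    critical = [p for p in catalog if is_critical(p)]
    critical.sort(key=lambda p: (p.rto_hours is None, p.rto_hours or 0.0,
                                 -criticality_score(p)))
    return [p.name for p in critical]


# Constructed sample catalog (illustrative values, not the bank's BIA).
SAMPLE_CATALOG = [
    BusinessProcess("Core banking transaction posting", 5, 5, 5,
                    mtd_hours=4, rto_hours=2, rpo_hours=0.25),
    BusinessProcess("ATM switch", 4, 3, 5,
                    mtd_hours=2, rto_hours=4, rpo_hours=0.5),
    BusinessProcess("Internet banking", 3, 3, 4,
                    mtd_hours=8, rto_hours=None, rpo_hours=None),
    BusinessProcess("Internal newsletter", 1, 1, 1,
                    mtd_hours=168, rto_hours=72, rpo_hours=24),
]

if __name__ == "__main__":
    for finding in audit_findings(SAMPLE_CATALOG):
        print("FINDING:", finding)
    print("Recovery order:", recovery_order(SAMPLE_CATALOG))
```

On the sample catalog the two findings an auditor would raise are the ATM switch, whose assigned RTO is longer than its MTD, and Internet banking, which scores as critical but has no recovery targets at all; the newsletter process scores below the threshold and is left out of the recovery order.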
DR Plan Review : The Auditor will review the Bank IT Department's existing DR plan and future enhancement/improvement plans for the data center infrastructure and provide feedback.
Solution Design : The Auditor shall comment on, and where required participate in designing, a BC/DR solution that will meet the objective requirements established in the analysis phase. The solution will include considerations such as:
• Communications plan
• Location of secondary work sites
• Telecommunication architecture
• Data replication methodology between primary and secondary sites
• Integration with management tools for maintenance of the plan
Implementation Plan : The outcome of these efforts will be a specific implementation plan including budgetary figures. This will encompass the obligations of the Bank for BC/DR planning and preparedness.
Testing and Acceptance Plan : In conjunction with Bank staff, the Auditor will provide a comprehensive testing and acceptance plan. Acceptance of the BC/DR solution shall be based on successful execution of the entire BC/DR test plan, not merely a subset of activities. Some of the areas to be covered are shown below:
Infrastructure and Technological Failures
• Data corruption including viruses
• LAN/WAN/Intranet/Internet failure
• Internal flood (sprinklers, pipes)
• Voice network failure
• Theft of equipment
• Theft of data/information
• Failure of key service providers (telephone, Internet, banking etc.)
Major Natural and Regional Disasters
• Hurricane or severe flooding
• Volcanic eruption or landslide
• Civil disturbance or terrorism
Logistic arrangements required
As per the requirements, the following logistic arrangements were made available by ABC Bank for the assurance work:
• A Laptop configured with a secure Internet connection.
• Physical Access into the ABC Bank office using temporary passes/cards.
• Temporary logical access to the system for understanding critical aspects of the BCP related to the information system.
• The service level agreement was provided by the bank so as to understand the nature and the terms and conditions of the arrangement with Prosys.
• Policy related to Business continuity plan & Disaster recovery plan was made available by DLF.
• Employees training records were also given for review.
Methodology and Strategy adopted for execution of assignment
Following is the methodology, strategy and approach adopted for the execution of the assignment:
• Schedule: Period of audit and its expected duration
• Scoped Systems: Identified IT resources that are in the scope based on the risk assessment process
• System Overview: Details of System Environment based on the risk assessment process
• Audit Details: Details of risks and controls identified, based on the risk assessment process
• Nature and Extent of Tests: Controls testing for effectiveness of design and implementation of controls; substantive testing for operating effectiveness of the controls implemented
• Method of Internal Audit: Brief audit approach and methodology
• Team and Roles and Responsibilities: Identified skills and names of IS Auditors including their roles and
• Points of Contact: Contact names of Auditee department
• Co-ordination: Names of the project lead and higher official for escalation of issues
• Information : Report details of past audits on the subject
Audit of Critical Components of Business Continuity Management Framework
| S.No. | Area | Requirement |
|---|---|---|
| 1 | BCP Methodology | Banks should consider various BCP methodologies and standards, such as BS 25999, as inputs for their BCP framework. |
| 2 | Key factors to be considered for BCP design | The following factors should be considered while designing the BCP: probability of unplanned events, including natural or man-made disasters, earthquakes, fire, hurricanes or bio-chemical disaster; security threats; increasing infrastructure and application interdependencies; regulatory and compliance requirements, which are growing increasingly complex; failure of key third-party arrangements; globalization and the challenges of operating in multiple countries. |
| 3 | Testing a BCP | Banks must regularly test the BCP to ensure that it is up to date and effective. Testing of the BCP should include all aspects and constituents of a bank, i.e. people, processes and resources (including technology). Banks should consider having unplanned BCP drills and should involve their Internal Auditors (including IS Auditors) to audit the effectiveness of the BCP. Various other techniques shall be used for testing the effectiveness of the BCP. |
| 4 | Maintenance and re-assessment of plans | BCPs should be maintained by annual reviews and updates to ensure their continued effectiveness. Changes should follow the bank's formal change management process in place for its policy or procedure documents. A copy of the BCP, approved by the Board, should be forwarded for perusal to the RBI on an annual basis. |
| 5 | Procedural aspects of BCP | Banks should also consider the need to put in place the necessary backup sites for their critical payment systems which interact with the systems at the data centres of the Reserve Bank. |
| 6 | Infrastructural aspects of BCP | Banks should consider paying special attention to the availability of basic amenities such as electricity, water and a first-aid box in all offices. |
| 7 | Human aspects of BCP | Banks must consider training more than one member of staff for specific critical jobs; they must consider cross-training employees for critical functions and documenting operating procedures. |
| 8 | Technology aspects of BCP | Applications and services in the banking system are highly mission-critical in nature and therefore require high availability and fault tolerance to be considered while designing and implementing the solution. |
Management Practices and Activities
- Define the business continuity policy, objectives and scope: Define business continuity policy and scope aligned with organization and stakeholder objectives.
• Identify internal and outsourced business processes and service activities that are critical to the organization operations or necessary to meet legal and/or contractual obligations.
• Identify key stakeholders and roles and responsibilities for defining and agreeing on continuity policy and scope.
• Define and document the agreed-on minimum policy objectives and scope for business continuity and embed the need for continuity planning in the organization culture.
• Identify essential supporting business processes and related IT Services.
- Maintain a continuity strategy: Evaluate business continuity management options and choose a cost-effective and viable continuity strategy that will ensure organization recovery and continuity in the face of a disaster or other major incident or disruption.
• Identify potential scenarios likely to give rise to events that could cause significant disruptive incidents.
• Conduct a business impact analysis to evaluate the impact over time of a disruption to critical business functions and the effect that a disruption would have on them.
• Establish the minimum time required to recover a business process and supporting IT based on an acceptable length of interruption and maximum tolerable outage.
• Assess the likelihood of threats that could cause loss of business continuity and identify measures that will reduce the likelihood and impact through improved prevention and increased resilience.
• Analyze continuity requirements to identify the possible strategic business and technical options.
• Determine the conditions and owners of key decisions that will cause the continuity plans to be invoked.
• Identify resource requirements and costs for each strategic technical option and make strategic recommendations.
• Obtain executive business approval for selected strategic options.
- Develop and implement a business continuity response: Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information in readiness for use in an incident, to enable the organization to continue its critical activities.
• Define the incident response actions and communications to be taken in the event of disruption. Define related roles and responsibilities, including accountability for policy and implementation.
• Develop and maintain operational BCPs containing the procedures to be followed to enable continued operation of critical business processes and/or temporary processing arrangements, including links to plans of outsourced service providers.
• Ensure that key suppliers and outsource partners have effective continuity plans in place. Obtain audited evidence as required.
• Define the conditions and recovery procedures that would enable resumption of business processing, including updating and reconciliation of information databases to preserve information integrity.
• Define and document the resources required to support the continuity and recovery procedures, considering people, facilities and IT infrastructure.
• Define and document the information backup requirements required to support the plans, including plans and paper documents as well as data files, and consider the need for security and off-site storage.
• Determine required skills for individuals involved in executing the plan and procedures.
• Distribute the plans and supporting documentation securely to appropriately authorized interested parties and make sure they are accessible under all disaster scenarios.
- Exercise, test and review the BCP: Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated.
• Define objectives for exercising and testing the business, technical, logistical, administrative, procedural and operational systems of the plan to verify completeness of the BCP in meeting business risk.
• Define and agree on with stakeholders exercises that are realistic, validate continuity procedures, and include roles and responsibilities and data retention arrangements that cause minimum disruption to business processes.
• Assign roles and responsibilities for performing continuity plan exercises and tests.
• Schedule exercises and test activities as defined in the continuity plan.
• Conduct a post-exercise debriefing and analysis to consider what was achieved.
• Develop recommendations for improving the current continuity plan based on the results of the review.
- Review, maintain and improve the continuity plan: Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy and effectiveness. Manage changes to the plan in accordance with the change control process to ensure that the continuity plan is kept up to date and continually reflects actual business requirements.
• Review the continuity plan and capability on a regular basis against any assumptions made and current business operational and strategic objectives.
• Consider whether a revised business impact assessment may be required, depending on the nature of the change.
• Recommend and communicate changes in policy, plans, procedures, infrastructure, and roles and responsibilities for management approval and processing via the change management process.
• Review the continuity plan on a regular basis to consider the impact of new or major changes to: organization, business processes, outsourcing arrangements, technologies, infrastructure, operating systems and application systems.
- Conduct continuity plan training: Provide all concerned internal and external parties with regular training sessions regarding the procedures and their roles and responsibilities in case of disruption.
• Define and maintain training requirements and plans for those performing continuity planning, impact assessments, risk assessments, media communication and incident response. Ensure that the training plans consider frequency of training and training delivery mechanisms.
• Develop competencies based on practical training including participation in exercises and tests.
• Monitor skills and competencies based on the exercise and test results.
- Manage backup arrangements: Maintain availability of business critical information.
• Backup systems, applications, data and documentation according to a defined schedule, considering:
• Frequency (monthly, weekly, daily, etc.)
• Mode of backup (e.g., disk mirroring for real-time backups vs. DVD-ROM for long-term retention)
• Type of backup (e.g., full vs. incremental)
• Type of media
• Ensure that systems, applications, data and documentation maintained or processed by third parties are adequately backed up or otherwise secured. Consider requiring return of backups from third parties. Consider escrow or deposit arrangements.
• Define requirements for on-site and off-site storage of backup data that meet the business requirements. Consider the accessibility required to back up data.
• Roll out BCP awareness and training.
• Periodically test and refresh archived and backup data.
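The backup-arrangement items above (schedule, backup type, off-site storage and periodic restore testing) can be evidenced from backup job logs. The following is an added Python example, not from the report or from any product named in it, that parses a constructed backup log and checks each system against an assumed backup policy: the age of the last good backup against the RPO, the age of the last full backup against the full-backup interval, whether an off-site copy exists, whether the most recent job failed, and whether a restore test has been run within the required period. The log format, system names, policy values and reference date are all constructed for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed backup-job log (not from the report). One job per line:
#   timestamp  system  job_type(full|incremental|restore_test)  status  [offsite=yes|no]
SAMPLE_LOG = """\
2016-01-10T09:00:00 core_db restore_test success
2016-03-13T02:00:00 core_db full success offsite=yes
2016-03-14T02:00:00 core_db incremental success offsite=yes
2016-03-15T02:00:00 core_db incremental success offsite=yes
2016-03-16T02:00:00 core_db incremental failed offsite=no
2016-03-06T03:00:00 ebanker_app full success offsite=no
2016-03-15T03:00:00 ebanker_app incremental success offsite=no
"""

# Assumed backup policy per system (illustrative, not the bank's actual policy).
POLICY = {
    "core_db":     {"rpo_hours": 24, "full_interval_days": 7, "restore_test_days": 90},
    "ebanker_app": {"rpo_hours": 48, "full_interval_days": 7, "restore_test_days": 90},
}

# Constructed "as of" date for the audit check.
AS_OF = datetime(2016, 3, 16, 8, 0, 0)


def parse_log(text: str) -> List[dict]:
    """Turn the log lines into dicts with a parsed timestamp and an offsite flag."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ts, system, job, status = parts[:4]
        offsite = "offsite=yes" in parts[4:]
        entries.append({"ts": datetime.fromisoformat(ts), "system": system,
                        "job": job, "status": status, "offsite": offsite})
    return entries


def check_backups(entries: List[dict], policy: Dict[str, dict],
                  now: datetime) -> Dict[str, List[str]]:
    """Return, per system, the list of policy breaches visible in the log."""
    findings: Dict[str, List[str]] = {}
    for system, rule in policy.items():
        runs = sorted((e for e in entries if e["system"] == system), key=lambda e: e["ts"])
        issues: List[str] = []
        backups = [e for e in runs if e["job"] in ("full", "incremental")]
        good = [e for e in backups if e["status"] == "success"]

        # RPO: only a successful backup counts as a recovery point.
        if not good:
            issues.append("no successful backup on record")
        else:
            age_h = (now - good[-1]["ts"]).total_seconds() / 3600
            if age_h > rule["rpo_hours"]:
                issues.append(f"RPO breached: last good backup is {age_h:.0f}h old "
                              f"(limit {rule['rpo_hours']}h)")

        # Full-backup cadence: incrementals are only useful on top of a recent full.
        fulls = [e for e in good if e["job"] == "full"]
        if not fulls or now - fulls[-1]["ts"] > timedelta(days=rule["full_interval_days"]):
            issues.append(f"no successful full backup within {rule['full_interval_days']} days")

        # A failed latest job is worth surfacing even if an older backup still meets RPO.
        if backups and backups[-1]["status"] != "success":
            issues.append("most recent backup job failed")

        # Off-site storage requirement.
        if not any(e["offsite"] for e in good):
            issues.append("no successful backup has an off-site copy")

        # Periodic restore test ("test and refresh archived and backup data").
        tests = [e for e in runs if e["job"] == "restore_test" and e["status"] == "success"]
        if not tests or now - tests[-1]["ts"] > timedelta(days=rule["restore_test_days"]):
            issues.append(f"no successful restore test within {rule['restore_test_days']} days")

        findings[system] = issues
    return findings


def run_check() -> Dict[str, List[str]]:
    return check_backups(parse_log(SAMPLE_LOG), POLICY, AS_OF)


if __name__ == "__main__":
    for system, issues in run_check().items():
        print(system, "->", issues or ["compliant"])
```

Against the constructed log, core_db fails on two points (its last good backup is 30 hours old against a 24-hour RPO, and its latest job failed), while ebanker_app fails on three (stale full backup, no off-site copy, no restore test on record). The same loop can be pointed at a real job log export once the parsing function is adapted to the backup tool's own format.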
- Conduct post-resumption review : Assess the adequacy of the BCP following the successful resumption of business processes and services after a disruption.
• Assess adherence to the documented BCP.
• Determine the effectiveness of the plan, continuity capabilities, roles and responsibilities, skills and competencies, resilience to the incident, technical infrastructure, and organisational structures and relationships.
• Identify weaknesses or omissions in the plan and capabilities and make recommendations for improvement.
• Obtain management approval for any changes to the plan and apply via the organisation change control process.
Business Continuity Policy
Audit objective: To assess whether there is an effective business continuity policy in the organization.
Audit Issue 1: Does the organization have a contingency plan and policy for business continuity?
Criteria: Organizational policy on business continuity containing roles and responsibilities, scope, resource allocation criteria/principles, training requirements, maintenance schedule, testing schedule, backup plans etc., approval levels and related parties.
Alternative: The organization has a published contingency plan and policy in place which comprehensively covers all areas of contingency operations and clearly identifies training requirements and testing schedules.
Documents to review:
• Business Continuity Policy Document
• IT Policy Document
• Approval process for adoption of business policy objectives
• Correspondence and minutes of meetings related to business continuity
Audit procedures:
• Document review to assess that the policy is consistent with the organization's overall IT policies.
• Document review to assess that the policy addresses the requirements of business continuity by defining the organisation's contingency objectives, organizational framework and responsibilities for contingency planning.
• Review documents or interview personnel to determine how often the policy is updated when conditions change.
• Review the policy to determine who approved it and when it was last distributed.
• Interview a sample of business users to assess whether the policy has been sufficiently communicated within the organization.
List of documents required to understand the system and comment on the BCP
a) Brief background of the organization
b) Organizational chart of the entity with detail of reporting responsibility including for BCP
c) Personnel policy
d) Regulations and laws that affect the organization
e) Network and application architecture, including client-server architecture
f) Organizational structure of the IT Department with job description
g) IT Departments responsibility with reference to specific application
h) Detail of hardware & software
i) Database detail
j) Data flow diagram, data Dictionary, Table Listing
k) Detail of Interfaces with other system
l) System Manual, User Manual & Operation Manual
m) Performance analysis report
n) List of users with permission
o) Test Data & Test Result
p) Security Setup for the System
q) Access matrix
r) Previous Audit report
s) Internal Audit report
t) User feedback about the system
u) Methodology adopted for preparing BCP
v) SLA with vendor
w) Recovery Priorities for Critical Business Functions
x) Alternate Site Recovery Resource Requirements, General & Technical
y) Emergency Operations Center (EOC) Locations
z) Severity Impact Assessments Matrix
References
1. ISA Information System Audit 2.0, Module VII "Business Continuity Plan", Committee on Information Technology (CIT) of the Indian Institute of Chartered Accountants (ICAI)
2. Basel Committee Publication No. 96: Sound Practices for the Management and Supervision of Operational Risk, February 2003
3. Basel Committee on Banking Supervision – International Convergence of Capital Measurement and Capital Standards: A Revised Framework, June 2004
4. Basel Committee on Banking Supervision (The Joint Forum) – High-level principles for business continuity, August 2006
5. RBI circular Ref. DBS.CO.ITC.BC. 10/31.09.001/97-98 on "Risks and Control in Computer and Telecommunication Systems", February 4, 1998
6. RBI Information Systems Audit Policy for the banking and financial sector, October 2001
7. RBI Guidance Note on Management of Operational Risk, October 2005
8. RBI circular Ref. RBI/2004-05/420 DBS.CO.IS Audit. No. 19/31.02.03/2004-05 on "Operational Risk Management: Business Continuity Planning"
9. RBI – Mid-Term Review of Annual Policy Statement for the Year 2007-08
|S.No.||Check Points / Particulars|
|Policy and Procedures|
|1||Is business continuity plan documented and implemented?|
|2||Whether the scope and objectives of a BCP are clearly defined in the policy document? (Scope to cover all critical activities of business. Objectives should clearly spell out outcomes of the BCP)|
|3||Whether there exist any exceptions to the scope of BCP i.e. in terms of location or any specific area, and whether the management has justifications for exclusion of the same.|
|4||What is the time limit for such exclusion and what is the current strategy of covering such exclusions|
|5||Are the policy and procedure documents approved by the Top Management? (Verify sign off on policy and procedure documents and budget allocations made by the management for a BCP)|
|6||Does the business continuity plan ensure the resumption of IS operations during major information system failures? (Verify that the IS disaster recovery plan is in line with strategies, goals and objectives of corporate business continuity plan).|
|7||Are users involved in the preparation of business continuity plan? (Managerial, operational, administrative and technical experts should be involved in the preparation of the BCP and DRP).|
|8||Do the policy and procedure documents include the following?
List of critical information assets.
List of vendors and their service level agreements.
Current and future business operations.
Identification of potential threats and vulnerabilities.
Business impact analysis.
Involvement of technical and operational experts in preparing the BCP and disaster recovery plans.
Recovery procedures to minimize losses and interruptions to business operations.
Disaster recovery teams.
Training and test drills.
Compliance with statutory and regulatory requirements.|
|9||Are the BCP policy and procedures circulated to all concerned? (Verify the availability and circulation of the BCP and DRP to all concerned, including onsite and offsite copies.)|
|10||Is the business continuity plan reviewed and updated regularly? (Verify the minutes of meetings at which the policy and procedures were reviewed, and the amendments made to the documents in response to changes in the business environment.)|
|RISK ASSESSMENT|
|1||Has management identified potential threats and vulnerabilities to business operations? (Verify the business environment study report and the risk assessment report.)|
|2||Has management evaluated the risks? (Verify management's review of the probability of occurrence of each threat or vulnerability.)|
|3||Has the organization selected an appropriate method for risk evaluation?|
|4||Has the organization assessed its internal controls? (Verify the internal controls that mitigate each risk.)|
|5||Has the organization taken an appropriate decision on each identified risk? (Verify the decision made for each risk: accepted, reduced, avoided or transferred.)|
|6||Is the risk assessment carried out at regular intervals? (Verify the review frequency.)|
|BUSINESS IMPACT ANALYSIS|
|1||Does the organization carry out a business impact analysis (BIA) for its business operations?|
|2||Has the organization identified a BIA team?|
|3||Have the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) been defined by management?|
|4||Has the Service Delivery Objective (SDO) been defined on the basis of the RTO and RPO?|
|5||Has the organization quantified the business impact? (The impact of a risk on business operations can be measured as financial loss, loss of goodwill, etc.)|
|6||Is the business impact analysis repeated at regular intervals?|
|DEVELOPMENT AND IMPLEMENTATION OF BCP AND DRP|
|1||Has the organization prioritized the recovery of interrupted business operations? (Prioritization is based on the RTO and RPO of each activity.)|
|2||Has the organization identified the various BCP and DRP teams? (Verify that the employees concerned have been identified, informed and trained to act in the event of a disaster.)|
|3||Are the responsibilities of each team documented? (Verify the roles and responsibilities assigned to employees for the actions to be taken in the event of an incident or disaster.)|
|4||Do the BCP document(s) include the following?
Scope and objectives.
Roles and responsibilities of the BCP and DRP teams.
Evacuation and stay-in procedures.
Human resource and welfare procedures.
Procedures for resumption of business activities.
Legal and statutory requirements.
Backup and restore procedures.
Offsite operating procedures.|
|5||Are up-to-date copies of the BCP documents stored offsite?|
|6||Does the offsite facility meet adequate security requirements? (Verify the logical access, physical access and environmental controls at the offsite facility.)|
|7||Does the BCP include training for employees? (Verify the evidence of training given.)|
|8||Does the organization have adequate media and document backup and restoration procedures? (Verify the backup and restoration schedules adopted by the organization.)|
|9||Are logs of backup and restoration maintained and reviewed? (Verify the logs and their review by a person independent of the backup operator.)|
|10||Does the media library have adequate access control? (Verify the physical and logical access controls over the media library.)|
|11||Are the BCP and DRP communicated to all concerned? (Verify the availability and circulation of the BCP and DRP to all concerned, including onsite and offsite copies.)|
|MAINTENANCE OF BCP AND DRP|
|1||Is the business continuity plan tested at regular intervals?|
|2||Has the organization reviewed the gap analysis of the test results? (The review process should compare the test results with the planned results.)|
|3||How has the organization decided to close the gaps identified, and what time limit has been set for doing so?|
|4||Does the organization have a testing plan? (Verify a copy of the test plan and its updates.)|
|5||Are test drills conducted at appropriate intervals?|
|6||Does the organization document and analyse the test results? (Verify copies of the test results and the analysis report.)|
|7||Has the organization prepared action points to rectify the problems found in testing? (Verify the corrective action plan for all problems encountered during the test drill.)|
|8||Does the organization retest the action points? (Verify the evidence of retesting.)|
|9||Does the organization review the BCP and DRP at regular intervals?|
FINDINGS AND RECOMMENDATIONS
|S.No.||Observation||Recommendation|
|1||Inadequate IT security policy implementation: During the audit it was observed that an information security policy had been formulated, but it read like a promotional document for a network solution rather than an internal document of the Bank. It was kept on the Bank's web site, access to which was restricted to the System Administrator only, and no other means of disseminating it to the operational level had been adopted. As a result of this inadequate dissemination, most branch staff were unaware of the policy.||There should be proper access control over the information system, and the policy documents should be prepared, made available at each site and implemented properly, with periodic testing. The policy documents should be made available at every level of management that needs them.|
|2||Inadequate security at the Data Center: The Bank's IT operations are managed from the Data Center at Delhi, which coordinates more than 360 branches and acts as the backup site for 230 ATMs of the Bank, and therefore requires high standards of security and maintenance. The audit of the Data Center, however, revealed the following security lapses:
Security cameras were inadequate and had not been placed as per the approved design. There was no monitoring through CCTV, and even the installed cameras were not working properly.
The heavy-duty fire-fighting equipment procured for the Data Center had been neither tested nor commissioned, and the fire alarm system was not being maintained.
The Data Center was fitted with water sprinklers for fire extinguishing, which are detrimental to computers, data and other equipment.
The UPS installed at the Data Center had never been tested; any output failure of the UPS would cause failure of the network devices and shut down all critical business services.||Physical access control: Even in the most sophisticated, web-enabled computerised environment, certain control tasks cannot be performed remotely, and a strict physical access control regime prevents a number of major problems. Such an access control regime should be in place for the following assets:
Servers, backup servers and central routing equipment
Data backup machines and hardware
Printers and other output media
Magnetic media storage
For sensitive computer equipment, fire can be devastating. It must be ensured that the best available fire prevention coverage is provided for computer installations. In typical offices, 90% of fires are due to short circuits, so special precautions in this regard, such as testing of electrical equipment at regular intervals, are a must.|
|3||Inadequate network security: The proposed use of the network in the Bank will expose its LAN to outsiders, making it imperative to secure the network against unauthorized intrusion in order to protect the information system assets critical to the smooth operation and competitive well-being of the Bank. The audit, however, observed the following security deficiencies in the network: the LAN of the Bank is to be connected to the Internet through gateways, yet at the Technology & Information Systems department there is no provision for a firewall or an Intrusion Detection System (IDS) to isolate the internal network from the external network or to detect unauthorized intrusion. The Bank has not put in place any Intrusion Prevention System or enterprise security solution while opening up new services such as e-banking to its customers. Despite the fact that most of the branches and ATMs are going to be on the network, the Bank had not conducted any penetration testing through an independent agency.||There should be proper documentation of the network architecture and of data maintenance. Firewalls and an Intrusion Detection System (IDS) at the gateways can provide protection against unauthorized intrusion and secure the smooth functioning of the entity.|
|4||Backup controls: Any RDBMS/ERP system requires a proper backup and restoration strategy which ensures that the periodicity of transaction data and master data backups is clearly specified, that backups are stored both on-site and off-site, and that the usability of backups is verified regularly. The audit observed that backup policies and procedures had been adopted by the Bank and disseminated to the branches by means of a circular. In the branches inspected, although the backup procedure had been circulated and adopted, the associated procedures for documentation, safe custody and testing of backups were not being implemented uniformly.||For data security and for the BCP to be workable, the Bank should properly circulate the backup methodology and review its implementation. The Bank should conduct employee awareness sessions on the use of the technology adopted and on the consequences of not following the procedure.|
|5||Testing of the plan through drills||Systematic drills should be conducted in which only a restricted set of identified personnel are aware of the drill, and not the floor or business staff. In such cases banks should deploy a "Lookout Team" at the location to study and assimilate the responses and needs of the different teams. Based on the outcome of this study, banks should revise their BCP to suit the ground requirements.|
|6||Unplanned Data Center location: It was observed during the audit that the Bank had not conducted any technical feasibility study of its space requirements and location before setting up its Data Center at Gurgaon. A Data Center equipped with small-capacity servers may delay the Bank's adoption of the core banking system, and a Data Center at ground level may not be an appropriate site.||Site layout and location: The best preventive action on the part of any security-conscious organization is to ensure that sensitive installations and assets are located in safe, secure and controlled locations. Good siting of computerised operations takes care of many subsequent concerns, and at very minimal cost. The basic tenets for location and layout are:
Do not locate computer installations in basements or on the topmost floor of the building.
Do not locate them where through-access to other work areas has to be given.
Within the department, the more secure areas such as server rooms should be placed at the rear.
It should be possible to enforce a good access control regime.
Ensure that fire-proofing is intrinsic to the furniture standards.
Use quality, tested material for the infrastructure.
UPS units and generators are fire-prone and should not be part of this setup; locate them as far away as possible.
Install fire detection and instant fire-fighting equipment.|
|7||Recovery aspects of the plan: Business continuity planning should include the recovery, resumption and maintenance of all aspects of the business, not just recovery of the technology components.|
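Two of the checklist items above (prioritising recovery by RTO and RPO; independent review of backup and restoration logs) and finding 4 (backup usability not verified uniformly) lend themselves to a mechanical check. The following script is an added illustration, not part of the audit report or of any Prosys or ABC Bank tooling. The process names, RTO/RPO figures, the log line format ("time event process status") and the quarterly restore-test control are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CriticalProcess:
    """One business process from the BIA with its recovery objectives."""
    name: str
    rto_hours: float  # Recovery Time Objective: longest tolerable outage
    rpo_hours: float  # Recovery Point Objective: largest tolerable data loss


# Hypothetical BIA output; figures are assumptions, not the Bank's.
PROCESSES = [
    CriticalProcess("core-banking-db", rto_hours=2, rpo_hours=0.25),
    CriticalProcess("atm-switch", rto_hours=1, rpo_hours=0.5),
    CriticalProcess("internet-banking", rto_hours=4, rpo_hours=1),
    CriticalProcess("branch-reporting", rto_hours=24, rpo_hours=24),
]

# Constructed backup/restore log in an assumed "<ISO time> <event> <process> <status>" format.
BACKUP_LOG = """\
2008-03-09T00:10:00 BACKUP internet-banking OK
2008-03-10T00:00:00 BACKUP branch-reporting FAILED
2008-03-10T00:05:00 BACKUP core-banking-db OK
2008-03-10T00:20:00 BACKUP atm-switch OK
2008-03-10T00:30:00 RESTORE_TEST core-banking-db OK
2008-03-10T00:50:00 BACKUP core-banking-db OK
"""

# Constructed point in time at which the auditor reviews the log.
AUDIT_TIME = datetime.fromisoformat("2008-03-10T01:00:00")

# Assumed control: every backup set must be restore-tested at least quarterly.
RESTORE_TEST_MAX_AGE = timedelta(days=90)


def recovery_order(processes):
    """Recovery priority: shortest RTO first, ties broken by the tighter RPO."""
    return [p.name for p in sorted(processes, key=lambda p: (p.rto_hours, p.rpo_hours))]


def parse_log(text):
    """Parse the assumed log format into (timestamp, event, process, status) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, process, status = line.split()
        entries.append((datetime.fromisoformat(ts), event, process, status))
    return entries


def backup_findings(processes, entries, now):
    """Return {process: [exceptions]} an auditor would raise from the backup log.

    Exceptions raised: no successful backup at all; latest successful backup
    older than the RPO; failed runs in the period; no recent restore test.
    """
    findings = {}
    for p in processes:
        issues = []
        ok_backups = [ts for ts, ev, name, st in entries
                      if name == p.name and ev == "BACKUP" and st == "OK"]
        failed = sum(1 for ts, ev, name, st in entries
                     if name == p.name and ev == "BACKUP" and st != "OK")
        restore_tests = [ts for ts, ev, name, st in entries
                         if name == p.name and ev == "RESTORE_TEST" and st == "OK"]
        if not ok_backups:
            issues.append("no successful backup on record")
        else:
            age = now - max(ok_backups)
            if age > timedelta(hours=p.rpo_hours):
                issues.append(f"latest successful backup is {age} old, exceeds RPO of {p.rpo_hours}h")
        if failed:
            issues.append(f"{failed} failed backup run(s) in the period")
        if not restore_tests or now - max(restore_tests) > RESTORE_TEST_MAX_AGE:
            issues.append("no restore test within the last 90 days; backup usability unverified")
        findings[p.name] = issues
    return findings


if __name__ == "__main__":
    print("Recovery order:", recovery_order(PROCESSES))
    for name, issues in backup_findings(PROCESSES, parse_log(BACKUP_LOG), AUDIT_TIME).items():
        print(name, "->", issues or ["no exceptions"])
```

Run against the constructed log, only core-banking-db is clean: its last backup is within the 15-minute RPO and it has a recent restore test. The other three processes each produce exceptions of the kind finding 4 describes (stale or failed backups, and backups whose usability has never been demonstrated).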
The importance of a good BCP cannot be emphasized enough. The following points should be taken into account while implementing a BCP:
• BCP is a 'process', not a 'project': BCP does not stop at insurance or at documentation of a plan on paper. Ongoing updating and pre-defined business continuity teams are some of the elements of a BCP process.
• Holistic approach: BCP extends beyond the information technology realm and should cover people, processes and infrastructure.
• Focus: The plan should focus on critical business processes and their dependencies.
• BCP governance: Commitment, control and guidance from management, clearly documented roles and responsibilities and a formal governance process ensure that the BCP is updated regularly.
• Resilience: The recovery procedure should not compromise the control environment at the recovery site.
• Involvement of business partners: All critical business partners should be considered at the time of plan preparation, including testing.
• Media management: It is important to maintain the corporate image during a disaster. A media management strategy enables the organization to respond to media coverage proactively.
Given the increasing threats from terrorism and natural catastrophes, and the ever-growing dependence on banks in every sphere of life, implementation of a BCP by Indian banks is no longer a matter of choice.
To sum up, the implementation of IT in the functioning of ABC Bank shows mixed results. There are undoubtedly benefits from computerization, but we found a visible lack of adequate planning in some areas of BCP implementation. The Bank's security policy has not been widely disseminated, which has resulted in the absence of physical security measures and in poor backup controls. The network security of the Bank is inadequate, putting the entire information system at risk. The audit team wishes to acknowledge the excellent exchange of views and support received throughout this audit.