Members of the Business Recovery Managers Association (BRMA) and the Information Systems Audit & Control Association (ISACA) met jointly on March 31st at SBC Communications in San Ramon, CA. The meeting focused on auditing business continuity and disaster recovery plans. Each of the four presentations spawned considerable audience feedback and discussion.
FFIEC Guidelines and the business continuity plan
Barry Cardoza, manager of Contingency Planning & Disaster Recovery for Union Bank of California, demonstrated how to use the 12 FFIEC Guidebooks to improve a company's business continuity plan. He distributed two tools. The first is an electronic workbook containing the major business continuity related points from the FFIEC guidebooks, which makes it easier to compare the current status of a business continuity plan against the guidelines. The second is a training aid that generates interest in the topic and tests an individual's knowledge of the BCP-related FFIEC Guidelines. Attendees received both tools on CD, and they are also available in the members-only section of WWW.BRMA.com.
Auditing business continuity plans
Kathleen McGrorty and Neville Morcom of Deloitte and Touche described specific business continuity plan audit techniques. They recommended tailoring the audit to the maturity of the business continuity program and the focus of managerial priorities. They led a discussion on the advantage of predetermining risk levels (high to low risk) for each audit item, and then risk ratings (absent to adequate) that would be used to rate the status of each item.
How IT security and continuous operations are integral to business continuity planning
Dan Lam of San Jose State University gave the group an illuminating view of business continuity planning from an IT audit perspective. He explained that business continuity is only one part of IT continuous operations. Lam said that the IT control criteria missing from Sarbanes-Oxley are 'IT security,' 'IT maintenance,' 'application integrity,' and 'IT availability.' He said, "SOX only looks for controls; it doesn't test them." Controls must be tested before they can be deemed adequate and compliant. He stressed that backup/restore testing and the testing of the business continuity and disaster recovery plans should be carried out by different individuals or departments, so that there is a clear separation of duties and the necessary checks and balances are in place.
Business readiness: what businesses need to know to get ready for a disaster
Wendy Walsh of the Department of Homeland Security explained that the 'Ready Business' program focuses on business emergency preparedness. Details of these programs are on www.ready.gov. She explained that Citizen Corps (www.citizencorps.gov) met the need, after the World Trade Center attacks, to coordinate volunteers. She reminded the group that Community Emergency Response Team (CERT) training is a valuable resource that the department provides at no charge. Her speaking partner, Alfred E. Judd of the Small Business Administration, explained that for the purpose of promoting emergency preparedness the SBA covers non-farm businesses of all sizes, not only small businesses.
The Business Recovery Managers Association (BRMA) is a professional association of corporate and government continuity planners and emergency response managers from the financial, recovery services, manufacturing, healthcare, insurance, education, research, and retail sectors. BRMA meets in various locations around the San Francisco Bay Area on the last Thursday of the month, usually close to BART stations.
Interested business recovery planning professionals may attend as guests. For details and directions see the BRMA Web Site at www.brma.com or call the BRMA Hotline at (925) 355-8660.

Date: 6th April 2005 • Region: N. America • Type: Article • Topic: BC general