Following requests from participants in the information security group ( http://groups.google.com/group/Seguridad-de-la-informacion ), I think it is worth detailing a methodology for testing and auditing a business continuity plan, which in my view must be examined from four perspectives: Strategy, Process, Technology and People.
It is worth noting that the BS 25999 standard gives a very good reference for the audit points of a continuity plan, but there is always more to add at the functional level.
This is what I consider relevant in an audit of business continuity plans; let's see what you think.
- Validation of BCP processes and continuity strategies against the business value chain and the information assets that support it
- Validation of the resources needed to implement the continuity processes
- Verification of the approval process with the company's Organization and Methods office, as well as identification of possible gaps if there have been updates to the infrastructure that supports the processes
- Validation of continuity strategies and processes with third-party service providers
- Verification of vulnerabilities and residual risks, or the level of exposure to risks of loss or alteration of information, caused by deficiencies in the supporting infrastructure (ideally, consider logical attacks against the supporting infrastructure)
- Review of the plan's stakeholders, their knowledge of the continuity plan's service level agreement (SLA), and the existence of tools for measuring the SLA
- Assessment of knowledge: a written assessment of how well the BCP processes have been internalized, interviews with the holders of assigned roles about their knowledge of the activities they carry out, and finally an evaluation through threat simulation exercises
- Verification of the knowledge transfer and training processes for the staff involved in continuity and recovery
- Verification of the results and adjustments of a threat simulation aimed at a specific area of the IT department and/or functional areas of the company
  - Assessment of compliance with the designed procedures
  - Evaluation of effectiveness in restoring business operations
- Verification of the results of a threat simulation whose reach covers all IT departments and functional areas of the company
  - Assessment of compliance with the designed procedures
  - Evaluation of effectiveness in restoring business operations
- Assessment of the infrastructure required for the contingency operation
  - Assessment of the operability of critical systems from the location of the contingency infrastructure
- Coverage and scope of the contingency and of the BCP test plan, as well as measurement of its level of effectiveness
  - Definition of the scope of the test plan
  - Definition of the stages of the test plan
  - Identification of the personnel required to execute the tests
- Scope and results of the implementation of the change management process
- Verification of the communications plan
  - Results of the execution of communication workshops
- Results and adjustments of the awareness and training plan
  - Content associated with training workshops on technical aspects of the BCP
  - Awareness content related to the importance of the continuity plan for the business
- Verification of the processes for updating and ongoing maintenance of the BCP (roles, responsibilities, controls and records)
- Verification of service performance level metrics for external and internal clients; validate the alignment of the indicators with the SLAs and the business strategy, as well as their interrelationship
I welcome your comments so we can see how to improve this, or at least define something a little more detailed. Greetings.