Exercises

4.1 Business Impact and Risk

Estimated time: 10 minutes

For this exercise, you need to walk through the profile and then answer the following questions.

Kerney, Cleveland, and Glass Law Firm

Driving concern: This law firm, located in the Washington, D.C., area, has serviced a who’s who of individuals inside and outside the Beltway. The firm recently suffered a major network outage after a key server failed, and it was determined that the backup media was corrupt. Management has existing business continuity plans but could not contact the person in charge of cloud backups during this late-night problem. They are now worried that the plans are not adequate.

Overview: The firm has two offices: one in the D.C. area and the other on the West Coast. The firm handles many confidential documents, often of high monetary value. The firm is always looking for ways to free up the partners from administrative tasks so that they can have more billable hours. Partners access their data from wireless LANs and remotely through a corporate VPN.

The two offices are connected by a T1 leased line. Each office has a connection to the Internet. The West Coast office connects to the Internet through the D.C. office. The wireless network supports Windows servers in the D.C. office. Partners also carry laptop computers that contain many confidential documents needed at client sites. The law firm has a bring-your-own-device (BYOD) policy and allows users to connect almost any device to the network. No encryption is used, and there is no insurance to protect against downtime or disruptions.

  1. Which of the following items would you consider a priority if you were asked to audit the law firm’s business continuity plan?

    • Verify that the business continuity plan provides for the recovery of all systems? Yes/No

    • Require that you or another auditor is present during a test of the business continuity plan? Yes/No

    • Verify that the notification directory is being maintained and is current? Yes/No

    • Verify that the IS department is responsible for declaring a disaster if such a situation occurred? Yes/No

    • Suggest that the law firm increase its recovery time objective? Yes/No

    • Determine the most critical finding?

  2. Examine the list from Question 1 and compare your answers with the following:

    • Verify that the business continuity plan provides for the recovery of all systems? Yes/No (Typically, only 50% of information is critical.)

    • Require that you or another auditor is present during a test of the business continuity plan? Yes/No (The auditor should be present to make sure the test meets required targets.)

    • Verify that the notification directory is being maintained and is current? Yes/No (Without a notification system, there is no easy way to contact employees or for them to check in case of disaster.)

    • Verify that the IS department is responsible for declaring a disaster if such a situation occurred? Yes/No (Senior management should designate someone for that task.)

    • Suggest that the law firm increase its recovery time objective? Yes/No (This would increase recovery time, not decrease it.)

    • Determine the most critical finding? Lack of insurance/Loss of data (The most vital asset for an organization is its data.)
