The ability to respond to a natural or man-made threat, ensure continuity of business operations, and protect human resources and assets in the event of a disaster or a business disruption is the primary objective of any business continuity management program.

Hello, and welcome to Information Security Governance, Risk, and Compliance. My name is Salvadore, and today we will learn how to audit a business continuity management program in 10 steps. Let's get started.

Point number one: Check and verify that a business continuity management policy is created and reviewed on a regular basis. Ensure the policy contains the roles and responsibilities, workforce training, a framework for setting business continuity objectives, and organizational risk appetite and tolerance to plan, deliver, and support capabilities in the event of a business disruption.

Point number two: Make sure a business impact analysis is performed. The business impact analysis contains identification of critical products and services with their inherent risks, the likelihood and impact of each risk, countermeasures to prevent, detect, and react to the identified risks, recovery time objectives, and recovery point objectives.

Point number three: Ensure a business continuity strategy is developed to reduce the impact of a disaster, ensure business continuity, and recover from business disruptions within the enterprise risk appetite. Make sure that the strategy includes unavailability of all relevant components, and all activities and processes within the scope, whether on-premise or on cloud.

Point number four: Check and verify that a business continuity plan is created and reviewed on a regular basis. Ensure that the plan consists of the following components: scope of activity, roles and responsibilities, clear lines of communication, recovery procedures, and the basis for BCM invocation. With respect to cyberattacks, ensure there is a skilled incident management technical team to manage the incidents. In case of a pandemic event such as the one the world is going through now, the users need to perform their functions working from home. Ensure endpoint security and network communication are effective to ensure smooth business operations.

Point number five: Check and verify that all the relevant documents, such as backup and restoration guidelines, network and architecture diagrams, alternate workarounds for performing business functions, and incident playbooks, are available instantly to support business continuity and operational resilience. Make sure that all the documents are reviewed for any changes that happened previously.

Point number six: Make sure all business continuity and operational resilience plans are tested at least annually. Check and verify that a tabletop exercise was performed, and the report generated to identify if there were any shortcomings during the call. Make sure that a call tree exercise was performed to ensure communications with all users. Ensure users' contacts are stored and acknowledged, and that all calls and messages were recorded and verified. Check and verify the stress reports to identify that the tests were conducted as per the resilience plan.

Point number seven: In times of crisis, communication among stakeholders and the relevant entities is key to successfully managing business disruption. Make sure that communication lines are identified, and how the communication is sent to the relevant parties, whether it be the press, municipality, or business users. Make sure that a response structure is developed to communicate early warnings and communications to the stakeholders.

Point number eight: Business data is a key component to recover from a disaster or a crisis situation. Make sure that a secure backup data process is followed for storing data in times of crisis. Check sample backup and restoration evidence.

Point number nine: To recover from a natural disaster, like flooding or earthquakes, and other man-made disasters like fire, ensure that systems and network devices are housed in environmentally safe data centers, and that redundancy is always maintained. Ensure alternate sites, like hot, warm, or cold sites, are designed according to business requirements and tested for effectiveness.

And finally, point number ten: Check and verify that a DR, or disaster recovery, activity is tested. Ensure that network switching happens automatically to secondary sites, and servers and applications run without any issues.

Thank you for watching the video. Do provide your feedback and subscribe to the channel for upcoming videos. Thank you.