HOW TO AUDIT YOUR BUSINESS CONTINGENCY AND CONTINUITY PLAN TO ENSURE IT ADDRESSES SEPTEMBER 11 AND OTHER NEW GLOBAL THREATS
- APPROACHES AND METHODOLOGY -
CP-11
NEW BOOK
Javier F. Kuong and CPR-I Consulting Group
The September 11 attacks and the wave of new cyber and infrastructure attacks strongly suggest that your enterprise protection and business continuity plans need to be overhauled. The new terrorism, cyber terrorism and infrastructure attacks that can deeply impact organizations have substantially made your plans obsolete.
The business of protecting the enterprise against an increasing number of modern threats and attacks in a global environment has become a high-priority item for executives, and it becomes a Board of Directors issue when your enterprise's survival is at stake.
Executive management needs the valuable input that a review or assessment of the existing protection program provides. In the words of an executive from EMC Corporation at a recent post-September 11 New York City Conference, "The future champion of security will be the CEO". Very recently, Bill Gates also announced that security is the top priority in his organization in view of the September 11 events and recent security flaws with some of his company's products, which may be vulnerable to cyber attacks. Executives and auditors now realize that enterprise protection must rise from a tactical issue to a full strategic consideration in terms of both enterprise survival and competitiveness.
Management needs to initiate a review of the existing enterprise protection program that considers more than just mundane (and probably well established) information technology services protection. If the assessment is conducted by auditors or independent consultants, they have a unique opportunity to add value and improve the chances that their organization or client organization is better prepared for any eventuality and potential terrorist attack that could inflict irreparable and serious loss.
The value proposition is quite simple indeed. Before you embark on any potentially major and costly upgrade effort, you must know the status of your enterprise protection program. You must know the seriousness of the vulnerabilities that are present, if for no other reason than to be able to decide what direction any improvement or upgrade program should take. These can be disclosed by an audit, which can point the way to what the organization must do to minimize enterprise exposure from the new cadre of global threats.
Not to know the present situation is tantamount to taking a trip without a reliable compass and a road map. Improving the existing plan on an as-we-go basis is analogous to navigating your vehicle a mile at a time without having any clear idea of the trip's destination, the magnitude of the trip, and the distance that must be traveled. Knowing the present state of affairs in enterprise protection will put you in a far better position to make informed decisions on potentially needed changes to bring about cost-effective enhancements to protect your enterprise.
WHO CAN BENEFIT FROM THIS BOOK
· Executives and CEOs responsible for enterprise protection and continuity
· Contingency planners and quality assurance professionals and anyone with responsibility for ensuring that business continuity plans a) exist and b) are adequate and current
· Internal, external, and information technology auditors in profit and non-profit organizations
· Inspectors from OIG Offices and examiners in government circles
· Chief Information Officers (CIOs), business managers, risk management professionals, user line managers and personnel who must develop their own contingency plans or who must review the adequacy of contingency plans of organizations that provide services in support of their operations
· Information security officers and corporate contingency plan coordinators who oversee the adequacy of corporate and divisional plans or review the adequacy of contingency plans prepared by user groups
Contents
Preface
1. September 11 and a Landscape of New Global Threats Require New Contingency and Business Continuity Protection Provisions
1.1 The September 11 Events and New Global Threats Place
1.2 Terrorism, Cyber Terrorism, Infrastructure Attacks, Third-Party Dependencies, Critical Infrastructure, and Collateral Loss
1.3 Key Lessons From the Recent Terrorist Attacks and Their Implications
1.4 Your Present Protection, Contingency and Business
1.5 Dire Need to Audit Your Present Contingency and Business Continuity Plans to Determine Their Vulnerabilities and as
1.6 The Value Proposition and Benefits of an Audit
1.7 Management's Fiduciary Responsibility to Ensure that
2. What Is at Stake and Should Be Reviewed
2.1 The World of Contingency Planning Has Changed As a
2.2 Controllable vs. Non-Controllable Threats
2.3 Other Audit Considerations
2.4 Key Questions to Ask
3. Audit Approach and Methodology
3.1 Chapter Objectives
3.2 Scope and Approaches to Reviewing Contingency Planning
3.3 Auditing the Process of Business Continuity Development
3.4 Auditing the Contents of the Contingency Plan
3.5 Verifying or Testing Whether the Product or Program Works
3.6 A Pictorial View of the Audit Approach and Panorama
3.7 Identifying the Main Vulnerabilities and Classes of Threats
3.8 Audit Matrices to Conduct the Audit and Document Audit
3.9 An Illustration of a Specific Audit Matrix to Meet an Audit
3.9 Extending the Audit Matrix to Include Analysis, Interpretation
4. Preparing an Audit Plan for Post-September 11 issues COMPREHENSIVE REVIEW CHECKLIST
4.1 The Need for an Audit Plan to Define and Execute the Audit
4.2 Illustration of a Plan of Action to Prepare and Execute the Audit
4.3 Review Checklists and Questionnaires to Assist You in the Conduct of the Audit
4.4 A Compendium of Audit Checklists for Contingency Planning and Business Continuity Issues
4.5 Auditing Concentration of Critical Business Processes/Activities And Vital Human Resources
4.6 A List of Other Weaknesses Revealed by the September Terrorist Attacks
4.7 Other Lessons Learned
5. WHAT TO EXPECT AND WHAT ACTIONS SHOULD ENSUE FROM THE AUDIT?
5.1 What Management Should Expect from the Assessment of
5.2 The Key Products and Deliverables of an Audit
5.3 The Auditor's Role After the Audit Report and
5.4 A Well-prepared Audit and Its Deliverables Should Provide
5.5 Interpreting the Conclusions and Recommendations from the
5.6 An Illustration of Interpreting Audit Findings as a Basis for
5.7 Major Action Steps by Management Following the Audit
5.8 Conclusion
APPENDIX
A. Literature References
B. Glossary of Terms
C. Index
PRICE: $125 PER COPY PLUS $10 POSTAGE AND HANDLING
ISBN 0-940706-60-1 Ring bound 150 pages 8 ½ x 11 format
Note: Two related new seminars are available:
CS-11 How to Audit Contingency and Business Continuity Plans for New Terrorism and Infrastructure Attacks.
CS-12 September 11 - Contingency Planning Provisions You Should Include to Upgrade Your Contingency Plan