HOW TO AUDIT CONTINGENCY AND BUSINESS CONTINUITY PLANS AND ASSESS VULNERABILITIES FROM NEW TERRORISM, INFRASTRUCTURE AND CYBER ATTACK THREATS - CS-11 - 2 DAY SEMINAR

Attend this timely seminar and ensure that your organization’s protection, contingency, and business continuity plans address the new global threats of terrorism, cyber, bio terrorism and infrastructure attacks and other major new threats.

------------------------------------------------------------------------------------------------------------------------------------------------

BACKGROUND

Business contingency planning and business continuity saw a modicum of impetus with the anticipated problems of the Year 2000 but were soon forgotten. The recent events of September 11 have awakened us all to the dire need to ensure that enterprise security and protection programs can handle the new global threats of terrorism, cyber terrorism and infrastructure attacks that can deeply impact organizations.

Management, audit and security professionals in government and the private sector are fearful that current contingency and business continuity plans are not adequate to cope with the new global terrorism and cyber terrorism and infrastructure attack threats.  The Office of Homeland Security has recently issued a directive for government organizations to ensure that their emergency preparedness and contingency plans are adequate to protect people, assets and business continuity.

The recent September 11 events have given new impetus to the need to conduct independent audits of the prevailing contingency and business continuity plans in government and business organizations of all types to uncover deficiencies and recommend improvements to contingency plans.

SEMINAR SCOPE AND OBJECTIVES

This timely and unique seminar provides you practical approaches and methodologies to audit contingency and business continuity plans, including guidelines to prepare effective audit programs with emphasis on the new global threats. 

        The seminar focuses on these key major aspects of contingency plan auditing:

1.        How to audit the “Process” by which contingency and business continuity plans were developed or are being developed

2.        How to audit the adequacy of the “structure and contents” of a plan with a view to determining deficiencies.

3.        Provide approaches and methodologies to use in preparing an effective “audit plan” to assess the adequacy of the contingency plans.

4.        Discuss weaknesses and deficiencies likely to be encountered in auditing contingency plans that fail to consider the new global terrorism and infrastructure attack threats

Workshop sessions are scheduled to enable participants to apply the knowledge provided and assist participants in preparing an audit plan.

YOU WILL LEARN

 

    Background, approaches, methodologies and audit guidelines to plan and conduct effective independent audits of Contingency and Business Continuity Plans that will save you person-years of development effort.

    How to effectively audit contingency plans to determine if they respond to the contemporaneous threats and uncover deficiencies

    How to offer constructive recommendations for improving existing plans and correct their deficiencies.

 

WHO NEEDS TO ATTEND

 

   Executives that bear responsibility for enterprise protection and continuity

   Inspectors from OIG Offices and examiners in government circles   

   Internal, external, and Information technology auditors in all types of profit and non-profit organizations

   Information security officers and corporate contingency plan coordinators who oversee the adequacy of corporate and divisional plans or review the adequacy of contingency plans prepared by user groups

   Chief Information Officers (CIOs), business managers, risk management professionals, user line managers and personnel who must develop their own contingency plans or who must review the adequacy of contingency plans of organizations that provide services in support of their operations

   Contingency planners and quality assurance professionals and anyone with responsibility for ensuring that business continuity plans a) exist and b) are adequate and current.      

COURSE CONTENT

 

1.        BACKGROUND

a.     The pressing need to audit your organization’s contingency and business continuity provisions to reflect the latest global and technology threats and recent mandates to ensure emergency preparedness and business continuity plans are in place

b.        Present deficiencies in conventional contingency plans and failure to address the business’ mission statement and business objectives.

c.        Definition of key terms

2.        SCOPE AND OBJECTIVES OF A ROBUST AUDIT PROGRAM FOR CONTINGENCY PLANNING

a.     Auditing the “Process” by which a contingency and business continuity plan is developed

b.     Auditing the “overall structure” of a contingency and business continuity plan that considers the broad strategies of: anticipation, avoidance, preemption, emergency preparedness and people and asset protection, crisis period management, fast response, interim business resumption and full recovery of the business to full normalcy.

c.     Auditing the “contents” of contingency planning and business continuity plans including detailed components of sound plan documentation

3.        AUDITING THE CONTINGENCY PLANNING PROCESS AND ITS CYCLE

a.        Auditing the full protection life cycle and contingency plan development cycle

b.        Auditing the provisions for prevention and protection before any disaster and their relationship to the contingency and business continuity recovery cycle

c.        Determining whether the existing plans reflect the full avoidance and contingency and recovery cycle

4.         PLAN STRUCTURE AND MAJOR COMPONENTS

a.     Components before a disaster and after-the-fact provisions in the contingency and business continuity sections

b.     Assessing the plan structure and its major components

5.        AUDITING HOW CRITICAL BUSINESS PROCESSES AND SUPPORT INFRASTRUCTURE WERE DETERMINED FOR INCLUSION IN THE PLAN

a.        Evaluating the determination of critical processes for contingency protection (Macro risk analysis)

b.        Review of the risk assessment process and detailed risk and impact analysis that was used by plan developers (micro risk analysis)

c.        How were the Major “sources” of threats identified that represent “single sources of failure” and “directly controllable” vs. non-controllable main sources of threats

d.        What types of vulnerable areas (or single points of failure) were identified and considered in the plan for both conventional and for terrorism and infrastructure attacks

6.        AUDITING THE ADMINISTRATIVE PREPARATORY PHASE

a.        Determining whether the plan responds to the key business objectives and the mission statement

b.     Determining the orientation of the personnel that developed the plan

c.        Management involvement and support

7.     AUDITING CRISIS MANAGEMENT AND PROVISIONS

a.        Provisions and organization structure for the crisis period 

b.        Emergency Command and Control Center (ECCC) and its provisions

d.        Determining how the auditee is set up for quick response provisions (Evacuation, SWAT teams, etc.)

e.        Existence and adequacy of a solid communications and public relations program

8.        AUDITING USER INTERIM BUSINESS CONTINUITY PROGRAM AND NORMALCY RESTORATION

a.     Auditing provisions to deploy the “interim” recovery of critical functions and emergency business continuity

b.        Auditing alternative backup sites and their functionality, including outsourced provisions and their vulnerabilities to common disasters

c.        Evaluating “workaround” practices when alternative backup provisions are not viable

d.        Provisions for quick restoration of emergency/critical services or delivery of products to critical customers or citizenry

7.        AUDITING THE FULL RECOVERY AND RETURN TO NORMALCY/ RESUMPTION PROVISIONS

a.     Auditing the plan’s provisions for return to full normalcy

b.        Restoration of less critical business processes

c.        Actualizing and synchronizing of business transactions not processed during the contingency period

d.        Existence of procedures for returning to normalcy for internal operations and for customers or citizenry

8.        AUDITING PLAN TESTING AND UPDATING PROVISIONS 

a.        Audit approaches and test techniques.  

b.        Auditor's role in plan testing. 

c.        Techniques (Passive/simulation, checklist and active testing)

10.  APPROACHES AND METHODOLOGY FOR PREPARING AUDIT PLANS TO AUDIT CONTINGENCY PLANNING

        a.      A generalized methodology for preparing audit plans

b.        Audit planning and scoping

c.        Preparing audit review matrices that include specific audit objectives

d.        Audit plan documentation

11.    ORGANIZING AND PRESENTING FINDINGS AND RECOMMENDATIONS FOR IMPROVEMENT

a.     Deficiencies typically encountered in contingency plans

b.        Pointing out lack of provisions to address the new world threats (e.g., terrorism, cyber and bio terrorism, infrastructure attacks, supply chain vulnerabilities, etc.)

c.        Recommending action plans for improving existing plans

Workshop or discussion sessions will be held throughout the seminar.

SEMINAR FEE: $1,250. 10% discount available for groups of three or more.  Inquire for details.

Seminar fee includes tuition, unique class materials and refreshments.

--------------------------------------------------------------------------------------------------------------------------------------------

REGISTRATION FORM

To: Contingency Planning & Recovery Institute - CPRI - 57 Greylock Road - P.O. Box 81151 - Wellesley Hills, MA 02481 - Voice: (781) 235-2895 - Fax: (781) 235-5446 - E-mail: jaykmasp@aol.com - Web site: WWW.MASP.COM

Please register me to attend your:

____Boston, June 16-17, 2003

Seminar: "CS-11, How to Audit Contingency and Business Continuity Plans and Assess Vulnerabilities from New Terrorism and Infrastructure Attack Threats" - Two days.   

Name:____________________________________Title______________________Organization____________________________

 

Dept_______________Address______________________City______________________ST______ZIP_______Tel.____________Fax__________

 

E-mail_______________________

 

Register early. Class size is limited for maximum interaction.

-------------------------------------------------------------------------------------------------------------------------------------------------------

INSTRUCTOR BACKGROUND AND QUALIFICATIONS

 

The seminar leader is Jay Kuong, Executive Director of Contingency Planning & Recovery Institute.  He has over 25 years of worldwide experience in consulting and lecturing in the field of Contingency and Business Continuity and security and control.  He is the author of ten manuals on contingency and business continuity, including the only book on auditing disaster recovery provisions.  He recently authored the only available manual on: Protecting your Enterprise from Terrorism, Cyber terrorism and Infrastructure Attack Threats - A Plan of Action for Survival and Business Continuity in the New Global Environment. He has conducted many audits of business continuity plans and systems.  Kuong was a managing associate at Arthur Young and Information Systems Director in two companies.  He is the chief consultant for Management Advisory Services & Publications.

 

This course can be presented In-house

 

This course can economically be presented in-house for groups of four or more professionals.  Key advantages of in-house courses are:

 

    Significant cost savings compared to attending public seminars;

    Being able to impart concurrent and uniform knowledge to assist in the development of consistent audit plans;

   Focusing on issues that are of direct interest to participants

 

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

Inquire about our low-cost quick 200-vital point audit of your contingency and continuity plans

A related seminar on upgrading your contingency plan to consider post-September 11 issues is available:

CS-12 Contingency and Business Continuity You Should Include in Your Enterprise Protection and Continuity Plan - NEW