The ability to recover time-critical processes, supporting systems, and other resources is important to every organization. To succeed, an enterprise must establish a method to rank processes, applications, systems, networks, facilities, etc., and to recover them in a timely manner.
Rating Scale: 1 = Yes, 2 = Being Implemented, 3 = In Development, 4 = No
Factors | Rating/Value (1 2 3 4) | Prelim Score | Action Item Comments | Final Score
A. Business Impact Analysis (BIA) | | | |
1. A business impact analysis (BIA) has been conducted for all business processes, applications, systems, networks, and facilities. | 1 2 3 4 | | |
2. Continuity planning includes identification of all time-critical data, programs, documentation, and supporting resources required in performance of essential tasks during the recovery period. | 1 2 3 4 | | |
3. The BIA is reviewed and updated regularly with attention to new technologies, migration of applications to alternative platforms, business process and organizational changes, etc. | 1 2 3 4 | | |
4. Critical time frames have been identified for all support resources (i.e., applications, systems, networks, facilities, business units, etc.). | 1 2 3 4 | | |
5. Executive management has reviewed and approved the prioritized list of time-critical recovery requirements. | 1 2 3 4 | | |
274 Information Security Policies, Procedures, and Standards
B. Enterprise Continuity and Crisis Management Plans | | | |
1. An enterprise continuity and crisis management planning infrastructure coordinator has been named, and a mission statement identifying scope and responsibilities has been formalized. | 1 2 3 4 | | |
2. Worst-case scenario continuity plans (both IT and business operations) and a crisis management infrastructure designed for timely recovery of operations within prescribed time frames have been implemented, tested, and are maintained. | 1 2 3 4 | | |
3. Emergency response procedures that detail actions in emergency situations (i.e., fire, bomb threat, flood, electrical outages, hacker and virus incidents, etc.) are formalized and strategically located throughout the facility and at off-site locations, and appropriate employee training and awareness programs are in place. | 1 2 3 4 | | |
4. The remote recovery facilities (i.e., IT, business operations, emergency operations centers, etc.) are located in a geographical location unlikely to be affected by the same disruption as the primary facilities. | 1 2 3 4 | | |
5. Contracts for outsourced activities have been amended to include service providers' responsibilities for continuity planning. | 1 2 3 4 | | |
6. Continuity and crisis management plans are in place to ensure that adequate supplies of time-critical inventories (i.e., hardware, software, communications, facilities, people, working space, documentation, data, transportation, etc.) are in place. | 1 2 3 4 | | |
7. Lead times for IT and business operations communication lines and equipment, specialized devices, power hookups, construction, firewalls, computer configurations, and LAN implementation have been factored into the continuity plans. | 1 2 3 4 | | |
8. At least one copy of each of the continuity plans is stored at the backup site and is updated regularly. | 1 2 3 4 | | |
9. Automatic restart and recovery procedures are in place to restore IT data files in the event of a processing failure. | 1 2 3 4 | | |
10. Contingency arrangements are in place for hardware, software, communications, facilities, business operations, and supporting staffing. | 1 2 3 4 | | |
C. Testing, Maintenance, and Awareness | | | |
1. Continuity and crisis management plan recovery activities and tasks are defined, with appropriate responsibilities assigned to members of the recovery team infrastructure for each plan. | 1 2 3 4 | | |
2. Training sessions are conducted for all relevant personnel on backup, recovery, crisis management, and contingency operating procedures. | 1 2 3 4 | | |
3. Continuity and crisis management plan recovery team members have an active role in creating and reviewing control reliability and recovery provisions for relevant processes, applications, systems, networks, etc. | 1 2 3 4 | | |
4. Appropriate recovery team representatives participate in continuity and crisis management tests. | 1 2 3 4 | | |
D. Other Issues | | | |
1. Provisions are in place to maintain the security of business operations and IT processing functions in the event of an emergency. | 1 2 3 4 | | |
2. Insurance coverage for losses incurred as a result of a disaster to the enterprise is in place. | 1 2 3 4 | | |
Business Impact Analysis, Continuity Planning Processes
Total Score (sum of the 21 item ratings):
Interpreting the total score: Use this table of Risk Assessment questionnaire score ranges to assess resolution urgency and related actions.
If the Score Is … | And … | The Assessment Rate Is … | Actions Might Include …
21 to 36 | Most activities have been implemented; most employees are aware of the program | Superior | Continuity and crisis management plans are in place and have been tested; employees are trained in continuity and crisis management plan roles; BIAs are reviewed annually; continuity and crisis management plan coordinator(s) have been identified
37 to 52 | Many activities have been implemented; many employees are aware of the program and its objectives | Solid | Continuity and crisis management plans are written; employees are aware of their roles in the continuity and crisis management plans; management supports and has budgeted for the continuity and crisis management planning business process
53 to 67 | Some activities are under development; most management endorses information protection objectives | Fair | A continuity and crisis management plans task force has been formed; assessment of time-critical processes, systems, applications, networks, etc. has begun; time-critical resources are being identified; backups are stored off site
68 to 84 | Policies, standards, and procedures are missing or not implemented; management and employees are unaware of the need for a program | Poor | Audit has identified a weakness in the continuity and crisis management planning process; management is aware of its responsibility