PART 5 – CISA Domain 2 – Governance and Management of IT

PART 5 – CISA Domain 2 – Governance and Management of IT

What is the classification of systems and their criticality analysis?
What are the components of Business Continuity Planning (BCP)?
What is Plan testing?

13. Classification of systems and criticality analysis:

Critical – These functions cannot be performed unless they are replaced by identical capabilities
Vital – These functions can be performed manually, but only for a brief period of time (usually five days or less)
Sensitive – These functions can be performed manually, at a tolerable cost and for an extended period of time. While they can be performed manually, it usually is a difficult process and requires additional staff to perform.
Non-sensitive – These functions may be interrupted for an extended period of time, at little or no cost to the company, and require little or no catching up when restored.

*Points to remember:* The first resource to be protected when designing continuity plan provisions and processes – Human Resource/ People The first step in business continuity life cycle is – BCP scope, followed by Risk assessment The insurance that covers loss incurred from dishonest or fraudulent acts by employees – Fidelity coverage

14. Components of Business Continuity Planning (BCP)

Business Continuity Planning (BCP) – Provides procedures for sustaining mission/business operations while recovering from a significant disruption
Continuity of Operations Plan (COOP) – Provides procedures and guidance to sustain an organization’s MEFs (Mission Essential Functions) at an alternate site for up to 30 days;
Business resumption plan – Provides procedures for relocating information systems operations to an alternate location.
Continuity of support plan / IT contingency plan
Crisis communications plan
Incident response plan
Transportation plan
Occupant emergency plan (OEP)
Evacuation and emergency relocation plan

*Points to remember:* The authority to make a disaster declaration is Business Continuity Coordinator or backup personnel identified in the succession plan The primary responsibility for establishing organization-wide contingency plans lies with the Board of Directors.

15.Plan Testing:

Should be scheduled during a time that will minimize disruptions to normal operations
Key recovery team members be involved in the test process and allotted the necessary time to put their full effort into it
Should address all critical components and simulate actual primetime processing conditions, even if the test is conducted in off hours.
Plan Execution: Pre-test, Test, Post-Test

Types of tests:

- - Desk-based evaluation/paper test – A paper walk-through of the plan, involving major players in the plan’s execution who reason out what might happen in a particular type of service disruption.
  - Preparedness test – Usually a localized version of a full test, wherein actual resources are expended in the simulation of a system crash
  - Full operational test—This is one step away from an actual service disruption. The organization should have tested the plan well on paper and locally before endeavoring to completely shut down operations.

Part 1, Part 2, Part 3, Part 4, Part 5

AUTHOR
Aswini Srinath ()
Writer And Editor

“ I am a qualified Chartered Accountant based out of Chennai, with 8+ years of experience in various roles in finance domain including CA Practice, financial reporting and auditing. I have always been keen to challenge myself by exploring potential capabilities outside of my core competency. Picked up Information Security as one such thing. Cleared CISA with 2nd Rank in ISACA Chennai Chapter in 2019. Since then, i have been sharing my learning and experience to a small group of avid followers, helping them prepare for their CISA exams. This article is also one such attempt, where I summarize the key areas in each domain based on the importance and weightage from an exam point of view. “