
[Figure: BC program framework listing the assessment components of each phase: Program Initiation, Program Planning, Functional Requirements, Design and Development, Implementation, Testing, and Maintenance.]

PI: Program Initiation

| Questions | Rating | Response and conclusions | Further Actions | Recommendation |
| --- | --- | --- | --- | --- |
| PI.1: Management Buy In | 6.4 | | | |
| Has the program been initiated formally | 7 | Program was initiated by the IT department | | BC Program needs to be raised to top level and not just owned by IT |
| What is the extent of management's awareness | 8 | CIO and other C-level officers are aware of the program but other than CIO they don't consider it a top priority. | | |
| Is there a Project Sponsor | 6 | CIO is the project sponsor | | |
| What is the seniority and position of Project Sponsor | 7 | CIO is the project sponsor | | |
| Plan exists to raise awareness of management | 4 | Several presentations were presented to management. Some were made on their own requests. They were high level presentations. There is no formal plan to raise awareness. | Find out if there is a steering committee. Steering committee will help in raising top level awareness. | Utilize Steering Committee to raise top level awareness. |

| Questions | Rating | Response and conclusions | Further Actions | Recommendation |
| --- | --- | --- | --- | --- |
| PI.2: Program Evaluation and Approval | 5.33 | | | |
| High level program objectives, requirements and drivers analyzed and documented | 4 | We have some program requirements analyzed as a result of a recent BIA effort and we have recently updated with new requirements for E-commerce application environment. We also have an extensive document on the reasons for establishing a BC program. | Find out if objectives for the program were defined in these documents (not clearly) | Define clear objectives for the program. Objectives should be stated in both general and specific terms. |
| Business case prepared and evaluated | 4 | Yes. An informal business case was prepared. | Was a budget prepared (Yes. We presented our initial budget and provided an estimate of yearly budget to CIO) | |
| Clear Go/No Go decision made and at what level of the management | 8 | Yes. CIO made the Go/No Go decision and presented this decision to senior management. But the board was not involved in this process. | | Board needs to have an active involvement in the overall high level evaluation process. |

| Questions | Rating | Response and conclusions | Further Actions | Recommendation |
| --- | --- | --- | --- | --- |
| PI.3: Program Commitment | 2.86 | | | |
| Full-time qualified program manager assigned | 2 | No. We have a part-time (70%) business continuity coordinator assigned to this task. He is from the corporate planning department and has been involved with Emergency Response Planning in the past. | Find out if the coordinator has business continuity or DRP experience (No.) | Assign full-time BC responsibility to BC coordinator |
| Steering committee established | 6 | A committee structure has been proposed and awaiting approval. (company has the history of establishing SC for high profile critical projects) | This is definitely a strength. | |
| Steering committee members have clear roles and responsibilities defined | 3 | No. | | Define clear roles and responsibilities for Steering Committee. |
| BC Program is part of Strategic objectives and plan | 1 | No. | | Include BC Program as part of Corporate Strategic Objectives |
| BC Program policy exists | 2 | We have a security policy which covers BC from the perspective of availability of critical systems. | | Create a BC policy statement |
| BC Program policy fully communicated | 1 | No. | | Utilize corporate communications to communicate BC policy |
| BC culture is well established | 5 | No. But, IT and Business units have a better BC/DR culture compared to the rest of the company. | | Develop a plan to improve corporate wide BC culture. |

PP: Program Planning

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| PP.1: Interim Temporary BC Plan | 5 | | | |
| Interim BC Plan exists if a long term plan doesn't exist | 5 | Yes. But, it has evolved since it was initially written. | Review all earlier versions. | |
| Interim Recovery Strategy Developed | 5 | Mutual Agreement with our strategic partner. | Review agreements (Not enough careful planning and design. Agreements show weaknesses if disaster lasts for longer than 2 or 3 days) | |
| Interim Agreements in place for recovery of key resources, sources, and services | 5 | Mutual Agreement. | | |
| Interim Recovery Teams created | 5 | Yes. The team has evolved since it was initially established. | | |

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| PP.2: BC Program Management Document | 4.43 | | | |
| BC Program management document exist | 6 | We have a project plan in place. | Check the project plan details (Project plan is well structured but a complete program document is missing; project plan is part of BC plan). | Create a BC program document which is separate from the BC plan |
| A need statement prepared (Why is the program needed and what are the drivers?) | 7 | We have a statement that indicates the main drivers: External contract requirements and SOX compliance and it also includes company's strategic objectives | Review the statements. Ask if they have researched industry specific requirements (No.) | Research industry specific BC requirements. |
| Program objectives are well defined, aligned and approved | 4 | Defined in BC plan document | Plan objectives are defined in general terms. Suggest inclusion of specific objectives. | |
| Program Scope are defined and approved | 6 | Defined in BC plan document | Plan scope are defined. Suggest including what is not in scope as well. | |
| Program assumptions are stated explicitly | 0 | Defined in BC plan document | No written program assumptions | State all key assumptions in program document |
| Program deliverables are identified | 8 | Defined in the project plan | | |
| Program risks are analyzed and mitigation actions identified | 0 | Defined in BC plan document | Investigate further (No evidence of program risks BC Plan document) | Assess program risks and mitigation steps |

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| PP.3: Program Structure | 4.7 | 3 (high risk factor) | | |
| Program divided into logical phases | 8 | Project Plan has logical phases | Risk and BIA are combined as one phase (not a major concern at this time since it has been completed) | |
| Phases are divided into activities | 7 | Yes. | | |
| Activities are assigned due dates, start and end times, and dependencies | 7 | Yes. | | |
| A BC Steering Committee exists | 4 | Not currently. But CIO is presenting a case to top management for such a committee next month. | | Establishment of a SC must become a high priority. It will help to resolve a number of current obstacles and issues |
| A BC program team structure is defined with reporting hierarchy | 7 | Yes. | Assess team structure. Three types of teams: Emergency management, Emergency response, and Business unit teams. | |
| Team structure includes top management, program sponsor, BC coordinator, consultants, etc. | 7 | Yes. | Emergency management team includes President/CEO, COO, CFO, etc. | |
| Team roles and responsibilities are well defined | 2 | At a high level only. Team members' tasks are not assigned | | Define tasks for team members |
| Personnel assigned to the team structure with well defined responsibilities | 2 | No. Personnel are assigned to teams but not with well defined responsibilities | | Define responsibilities for team members |
| Alternates to team members are assigned | 2 | No. | | Assign alternates to team members |
| Are there any BC team members working on a part-time capacity. | 1 | Yes. BC coordinator is part-time. There are two assistants to BC coordinator working part-time on BC project. Business unit representatives also work on a part-time and as-needed basis. | Find out what those part-time staff are responsible for and how critical those responsibilities are. This is a high risk factor. | |

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| PP.4: Approval Process | 5.17 | | | |
| BC Program approval process exist for budget, objective and scope, contract, projects, policy, hiring etc. | 7 | Only through CIO but once a steering committee concept is approved, program approval process will be defined. | | |
| Senior Management and Board level process | 6 | Senior management will be presenting the case for a formal BC program in the next board meeting. | | |
| Steering committee level process | 3 | None | | |
| Program sponsor level | 7 | CIO is the program sponsor. | | |
| BC program coordinator level | 7 | BC program coordinator requests approval directly to CIO. | | |
| Business unit level | 1 | None. They are currently not involved in the approval process | | |

FR: Functional Requirements

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| FR.1: General Assessment | | | | |
| Functional requirements have been assessed | | Partially. Complete: FR.2 | | |
| Functional requirements have been documented | | Not in a formal way. | | |
| Functional requirements have been reviewed by senior management | | We will be presenting general requirements to Steering Committee in the near future. | | |
| Functional requirements have been approved | | Not yet. | | |

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| FR.2: Detailed Requirements related to Standards, rules, and regulations | 4.3333 | | | |
| General applicable standards and guidelines have been identified | 8 | Yes. Documents indicate DRII and BS17799 standards | | Recommend also including NFPA 1600 |
| Industry guidelines, rules, and regulations identified | 4 | There hasn't been any effort to find out industry specific requirements other than SOX | Briefly research industry specific guidelines and make recommendations | |
| Specific requirements related to standards, rules and regulations assessed and documented | 1 | No. There hasn't been any effort to find out industry specific requirements other than SOX | | |

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| FR.2: Risk Management | 3.6 | | | |
| Formal or Informal risk assessment was conducted and how long ago. | 3 | Informal assessments (brain storming) have been done every year. | | |
| Risk assessment was comprehensive in scope and aligned with Program scope | 8 | Limited to HQ, data center, office areas only. | Review reports | |
| A qualified risk expert(s) assisted with the risk assessment | 2 | BC coordinator conducted risk assessment with key staff involvement. | | Recommend obtaining qualified experts assistance to review and conduct threats and risk assessments. |
| All potential threats were considered | 2 | As many as we could determine. | Review list of threats and company's exposure (Not all threats were considered). | |
| Assessment was based on sound and proven method | 3 | Yes. | Review methods used. Quantitative vs. Qualitative approach. Are there sound basis for calculating threat probabilities (Risk assessment is based on qualitative and informal approach) | |
| Top management reviewed the threats and risks | 3 | CIO and senior business unit managers only. | | |
| Company's appetite for risk identified and approved | 4 | Not formally | | |
| Both regional and local threats were considered | 3 | Local threats mostly but some regional. | | |
| Existing risk controls were considered | 5 | Yes. | | |
| Management concurs with Risk Assessment findings | 3 | CIO and senior business unit managers have reviewed the findings but have not provided feedback on concurrence. | | |

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| FR.3: BIA | 8.6667 | | | |
| A formal BIA was conducted | 9 | Yes. | Review BIA findings | |
| Scope of the BIA is consistent with program scope | 9 | Yes. | | |
| Representatives from all areas of business within scope participated in the BIA | 9 | Yes. | | |
| Critical business processes have been identified | 9 | Yes. | | |
| Financial losses analyzed | 9 | Yes. | | |
| Operational Impacts analyzed | 9 | Yes. | | |
| Worst case assumptions were used | 9 | Yes. | | |
| Maximum Tolerable Downtime identified | 9 | Yes. | | |
| RTO identified | 9 | Yes. | | |
| RPO identified | 9 | Yes. | | |
| How long ago was it completed | 9 | 3 months ago | | |
| Critical Systems and Applications identified | 9 | Yes. | | |
| Qualified experts conducted BIA | 9 | Yes. | | |
| Key concerns and issues captured and addressed | 4 | Yes. | | |
| Management is aware of and concurs with BIA results | 9 | Yes. | | |

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| FR.4: Offsite Data Storage | 5.5 | | | |
| Offsite storage requirements analyzed thoroughly | 6 | Partially through the BIA | | |
| When were requirements last analyzed | 7 | IT department has a list of backup data requirements | | |
| Scope of storage requirements are consistent with program scope | 8 | We backup both critical and non-critical applications and data. | Find out which backup vendor they use. Assess vendor's service reliability. (Storage Mountain). | |
| Data backup requirements are known for all critical applications and systems | 9 | We now have different RPO | | |
| Gaps in backup frequency is analyzed | 9 | Yes. | | |
| Backup frequency established for all critical data | 9 | Yes, through BIA | | |
| Backup media type requirements are known | 4 | Right now it is all on tapes. | Find out if any one uses media other than tape. Some users still use CD to store data on their PC. We didn't see this on the list of data backup requirements from IT. | Recommendation: |
| Safe handling and storage requirements documented | 2 | No. | | Assess safe handling and storage requirements |
| Data integrity testing requirements are known | 1 | No. | | Assess data integrity test requirements |
| Data classification and security requirements are documented | 1 | No. | Check to see if there is any sensitive data (Client's credit card information is stored along with their address information) | Assess data classification and security requirements |
| Storage media retention period documented | 1 | No. But we recycle the tapes from time to time. | | |
| Backup Tool/software requirements are known | 9 | We currently use IBM's Tivoli Storage Manager. | | |

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| FR.5: Work Area | 6 | | | |
| Requirements for alternate work area are analyzed and documented (space, personnel, equipment, facilities, etc.) | 8 | Our Canadian site may be sufficient as a work area until we get the more permanent work site with SunGard | They have work area requirements in terms of number of workstations needed. | |
| Requirements are aligned with BIA findings in terms of critical business units and applications | 8 | Work station requirements are aligned with critical applications. | | |
| Space requirements are known | 1 | No | | Work out the detailed work area space requirements |
| Support personnel are known | | Yes. We know the key staff from the business areas needed in the recovery. | | |
| Workstation requirements are known | 9 | Yes | | |
| Network connectivity requirements are known | 9 | Yes | | |
| Non-IT resource requirements are known (faxes, copiers, etc.) | 1 | No. We will rely on whatever is available at the Canadian site | | Work out the Non-IT work area requirements for long term recovery strategy. |

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| FR.6: Crisis Management Center (CMC) | 2.3 | | | |
| Requirements for CMC are analyzed and documented (space, personnel, equipment, facilities, etc.) | 2 | Emergency Operations Center (EOC) already exists as part of Emergency Response Plan. | Verify if BC plan is very closely integrated with EOC. (EOC team has not yet assessed the specific BC response requirements. There is an assumption that the current design of the EOC will be sufficient to include BC response activities) | Assess BC related CMT requirements and determine if the current EOC design is sufficient. |
| Requirements for crisis management center are analyzed and documented (space, equipment, facilities, etc.) | 2 | We expect to use EOC. | | |
| Workstation requirements | 4 | We will need a Workstation for each member of CM Team. | Find out if the planning tool is included in this requirement (Not yet, since they have not purchased the tool) | |
| Connectivity requirements | 2 | No. | | |
| Non-IT resource requirements | 2 | No. | | |

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| FR.7: Personnel | 1.8 | | | |
| Are detailed requirements for personnel covered | | No. | | |
| Contractors required | 5 | No. | Find out if they have contractors (IT department has several contractors that support critical applications) | |
| Contract agreement includes support during recovery period. | 1 | No. But we assume that they will help us out. | | Include BC related support requirements in contractor agreements. |
| Temporary help required | 1 | Only if full-time staff are not available. | | Identify specific temporary staff requirements to help with recovery effort |
| Detailed skill requirement for recovery staff | 1 | No. | | Identify detail skill requirements for key recovery staff. |
| Pay requirements | 1 | We have started talking with HR on Salary requirements during a disaster recovery time. HR wants to talk to Senior Management first on this issue. | | Develop pay requirements for recovery staff during a disaster |
| Union rules and policies are part of the requirements | 1 | Company is unionized but they have not been involved in BC effort. | | Work with worker's union to evaluate impact of rules and regulations on BC team and staff in general |
| Government labor laws are accounted for in the requirements | 1 | No. | | Work with HR to evaluate labor laws and their impact on recovery team and their recovery assistance |
| Travel requirements are known | 8 | Yes. Team members are expected to travel to Canadian site and each is given a checklist. | | |
| Do you have BC team insurance coverage | 0 | No. | | Evaluate insurance requirements for BC team. |

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| FR.8: Critical Records | 5.5 | | | |
| Critical records recovery is part of BC program | 4 | It is the responsibility of business units | It seems like the IT recovery has been the biggest focus so far. Check to see if critical record is part of BC Project Plan (It is not covered). But, business unit recovery assessment shows that some units do have a critical record recovery program. | Critical record should not be responsibility of business units alone; Assign some one with central responsibility for coordinating critical record continuity. |
| Critical records inventory exists | 4 | Business units maintain their own records inventory. Critical paper records are stored with laptops to Iron Mountain. | Are there electronic records that are critical (yes, but they are not backed-up). | Assess electronic record recovery requirements. |
| Records are categorized (vital, important, useful, etc.) | 7 | Yes. | | |
| Inventory includes title of record, ownership, content type, users, etc. | 7 | Yes. | | |
| Record retention period determined | 5 | No. It is mostly paper based | | |
| Inventory includes information on backup frequency | 6 | It is all done weekly. | | |
| Inventory includes media storage type and capacity | 5 | Yes. | | |
| Requirements for document scanning assessed | 0 | No. We don't have any document management system. | | |
| Requirements for Document Management System analyzed | 0 | No. We don't have any document management system other than Iron Mountain Connect. | | Suggest investigating document management system tool. |
| Requirement for local storage assessed | 0 | No. | | |
| Requirement for remote storage assessed | 6 | Yes. | | |
| Security requirements are documented | 7 | Yes. | | |
| Safe handling procedures are documented | 7 | Yes. | | |

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| FR.9: SLA and Contract Requirements | 7.4 | | | |
| SLAs and contracts identified | 9 | SLA with data communication services and voice services. There is also a pending SLA with our key client. We also have contracts in place with our data backup vendor. A contract is also in place for quickship of a server. | | |
| Points of contacts are documented | 9 | Yes. | Internal procurement procedures are well structured and controlled. | |
| General requirements and obligations analyzed | 9 | Yes. We follow internal contract guidelines. | Review the guidelines. | |
| Quality of service and performance requirements are documented | 9 | Yes. | | |
| Worst case non-compliance scenarios and impacts assessed | 1 | No. It is not part of our internal guideline. | | Include clauses (penalties) in SLA and contracts for worst-case non compliance scenario. |

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| FR.10: External Coordination | 4.75 | | | |
| All external coordination requirements analyzed | | | | |
| First responders and local authorities | 6 | Through ERP only. | Review ERP for external coordination and find out if it includes BC coordination (Not very tight integration of BC and ERP) | Develop a closer integration of BC with ERP. Include a member of ERP in BC and vice versa. |
| Coordination requirements documented for Suppliers | | Not in scope | | |
| Coordination requirements documented for Distributors | | Not in scope | | |
| Coordination requirements documented for Labor unions | 0 | No. | Review labour union rules and contracts | Recommendation: Include Labour union representative in BC team. |
| Coordination requirements documented for Service providers | 9 | Yes. We already have SLA for WAN, Internet, Voice services. | Review SLA to see coordination points. Check point of contacts, SLA review dates, meetings, etc. | |
| Coordination requirements documented for Clients and Customers | 6 | It is part of ERP. | Review ERP for external coordination and find out if it includes BC coordination | |
| Coordination requirements documented for Landlords and building management | 1 | We only have one building in the area leased, but we have not coordinated with the landlord. | ERP does not include landlord coordination. | Recommend establishing disaster coordination with landlords and building management. |
| Coordination requirements documented for Insurance company | 3 | Insurance documents are attached to our Interim BC plan. | Review insurance documents | Recommend communication and coordination with insurance agents and adjustors. |
| Recovery vendors | 8 | Mutual agreement includes coordination information, but we also have coordination information with SunGard. | | |
| Data backup vendors | 5 | So far there has been any major problem with coordination with the backup vendor. We have a yearly contract in place. We deal with issues as they arise. | | Recommend better coordination with data backup vendor. |

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| FR.11: Training and Awareness | 6.5 | | | |
| Training and awareness is part of BC Program | 8 | Our BC coordinator and her assistants have been to BC conferences and training courses. BC coordinator has documented the need for training and awareness. | | Assess requirements for personnel outside of BC teams. |
| Personnel requiring training identified | 6 | BC team members only. | | |
| Experience levels assessed | 6 | No. Focus of training is primarily on BC team members. | | |
| Training needs documented | 6 | Yes. Only for BC team members. | | |

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| FR.12: Salvage & Restoration | 0 | | | Recommend evaluating and documenting salvage and restoration requirements. |
| All critical resources for salvage and restoration identified | 0 | Critical documents are the responsibilities of business units | | |
| Physical areas and buildings for salvage and restorations assessed | 0 | Facilities is responsible for this. | | |
| Salvage and restoration scenarios for critical resources and areas assessed | 0 | No. | | |

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| FR.13: Insurance Requirements | 3.5 | | | |
| Disaster insurance exists and who is responsible for its purchase internally. | 3 | We have a standard disaster clause in our insurance policy; Finance is responsible for it. | Review insurance policy for comprehensive disaster coverage. | |
| Insurance purchase process is integrated with BC program | 0 | No. | | Integrate insurance purchase process with BC program. |
| Insurance requirements to report and claim a disaster are known | 0 | No. | | Determine insurance claim process. |
| Secondary sites insurance requirements | 7 | Covered by the recovery vendor | | |

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| FR.14: BC Tools | 5 | | | |
| BC tools and software requirements are known | 5 | Yes. We need a tool that is web based and allows business unit plans and integration of IT and ERP. Easy to maintain and learn. Security is also important. | | Assess document/record management system tool requirements. |
| High level descriptions of tool's features and capabilities are identified | 6 | Yes. | | |
| Tools have been researched and compared | 8 | We have evaluated four different tools. | | |
| Support staff resource requirements have been analyzed | 1 | No. | | Assess requirements for tool admin/support staff |

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| FR.15: Assembly Location | 2.75 | | | |
| Assembly location requirements identified | 4 | ERP specifies assembly location. | | |
| Assembly location capacity requirements are known | 1 | No. | Find out if it was used in the last plan test (Yes. We were not able to get every one in the assembly location due to fire and safety regulations). | Assess detail assembly site capacity requirements |
| Distance location requirements are known | 5 | About 3 miles away from the primary site. | Do you have another site in case this assembly site is not available (Yes, EOC) | Recommend assessing requirements for tertiary assembly location. |
| Ability of personnel to travel and meet at Assembly Location analyzed | 1 | Not specifically for BC team members. | | Assess detail travel and accessibility requirements for BC team members. |

DD: Design and Development

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| DD.1: General Assessment | | | | |
| Designs & Development completed | | | | |
| Designs have been documented | | | | |
| Designs have been reviewed by senior management | | | | |
| Designs have been approved | | | | |
| Budget is reviewed and approved | | | | |

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| DD.2: Risk Controls | 3 | See Risk Assessment word file for additional assessment. | Problems in this stage is due to weaknesses in the previous functional requirement process. Initiate a risk assessment and management project with the help of risk management expert and full management support. | |
| Risk control design is part of BC Program | 5 | Yes | | |
| Control options have been researched and analyzed | 3 | Yes. We can do a lot more given more time and resources. | Not all control options have been researched and analyzed | |
| Qualified risk expert(s) assisted with the risk control designs | 1 | No. | | |
| Cost of options have been compared | 2 | Only for some threats | Find out the reasons (lack of resources and time) | |
| Residual risks are known | 1 | No. | | |
| Top management reviewed the risk control options and residual risks | 3 | Not the residual risk. | | |
| Top management selected the best options for implementation | 3 | For some options | | |
| Top management has approved the budget for control option implementation | 3 | For some options | | |

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| DD.3: IT Systems Recovery Strategy | 5.30769 | Focus on long-term strategy | | Overall design is aligned with the requirements but there are still some gaps and room for improvements. Example: Generic applications such as email is not part of recovery strategy. Drop ship of billing system server; the ability of people to get to recovery site on time. |
| Appropriate recovery strategies exist for all critical IT systems and applications | 4 | Yes. Completed the strategy design stages. | Email strategy is missing. | |
| Alternate site strategies exist | 7 | Yes. | | |
| Quick-ship strategies exist | 7 | Yes for some systems. | | |
| Recovery strategies are aligned with RTO values | 8 | Partially. | | |
| Cost versus RTO trade-off analyzed | 5 | Partially. | | |
| Effort requirements analyzed | 3 | No. | | |
| Control requirements analyzed | 8 | Yes. With the alternate site we have more control over the IT infrastructure. | | |
| Reliability requirements analyzed | 3 | We are counting on the recovery vendor for that. | | Recommend tertiary site |
| Strategies aligned with system capacity requirements | 5 | Yes. | | |
| Strategies aligned with system performance requirements | 7 | Alternate systems have more capacity than our production environment | | |
| Strategies aligned with system configuration requirements | 3 | There are some configuration compatibility issues. | | Recommend testing compatibility issues. |
| Recovery system and primary systems exact in type, configuration, capacity, etc | 5 | No. But they are compatible. | | Recommend testing compatibility issues. |
| Flexibility in upgrading the recovery systems to match primary systems upgrades | 4 | We don't know. We will include it in the contract agreement with the vendor. | | Recommend inclusion in contract for upgrade flexibility in recovery systems. |

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| DD.4: Alternate IT Recovery Site | 6.82353 | Focus on long-term strategy | | |
| Alternate site meets the strategy requirements for IT systems/servers/networks | 8 | Yes. | | |
| Unlikely to be affected by the same disaster | 8 | Yes. Particularly regional disaster. | | |
| Located outside of local area threats | 8 | Yes. | | |
| Located outside of regional area threats | 8 | Yes | | |
| Alternate travel routes exists | 8 | Yes. | | |
| Floor plan exists | 8 | Yes. | | |
| A comprehensive and validated BC Program exists for Alternate Recovery Site | 7 | Yes. | Review their BC program even though they are reputable and reliable | |
| Secondary power generator/supply exists | 9 | Yes. | Has any body visually inspected the power supply (part of the tour). | |
| Technical support is available at alternate site | 8 | Yes. | | |
| Supports connectivity to primary site | 7 | Yes. | | |
| Supports connectivity to work areas | 9 | Well connected. Work area and IT recovery area are with the same vendor | | |
| Sufficient security exists at alternate site | 5 | Yes. | Find out if the servers and systems are shared by other clients of the vendor (yes they are). | Recommend: Involving IT security department in the secure design; suggest development of security policy and procedures before, during, and after disaster situations. |
| Access to recovery area is guaranteed in case of recovery need | 4 | It is on the first-come-first serve basis. | Find out if there are clauses in the contract that may deny access (yes it does) | Recommend: creating a tertiary recovery site |
| Organization has sufficient control over the recovery area and its resources | 4 | Partial | Find out if there are reasons for having complete control (none) | |
| Meeting areas exist | 2 | Yes but it will cost more | | |
| Basic facilities exist (HVAC, Bathrooms, etc.) | 6 | Yes. | | |
| Close proximity to Accommodation and Food Services/restaurants, banks, etc. | 7 | Yes. | | |

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| DD.5: A Tertiary Recovery Site | 0 | | | We recommend a use of a tertiary recovery site. |
| A tertiary recovery site exists with sufficient recovery capabilities and capacities | 0 | No. | | |
| Is it used for backup of data from secondary site | 0 | No. | | |
| Is it used for recovery of all systems at the secondary site | 0 | No. | | |

| Questions | Rating | Response and Conclusion | Further Actions | Recommendations |
| --- | --- | --- | --- | --- |
| DD.6: Offsite Data Storage | | | | |
| Backup Strategies are aligned with RPO requirements | | | | |
| What is the method of data backup | | | | |
| Data is replicated to servers at recovery site | | | | |
| Data is backed-up through tape media | | | | |
| Data is backed-up through Electronic Vaulting | | | | |
| Cost versus recovery strategy options analyzed | | | | |
| Backup method is reliable and dependable | | | | |
| All data required for recovery is backed-up | | | | |
| Backup Tools/Software exist and their capabilities are compatible with backup strategies | | | | |
| Sufficient backup media capacity exist at the storage facility | | | | |
| Strategies exist for remote backup during the recovery period | | | | |
| Facilities exist to ship backup data to recovery sites in time to meet RTO requirements | | | | |
| Safe handling and storage procedures documented | | | | |
| Data integrity testing procedures are documented | | | | |
| Data classification and security procedures and guidelines are documented | | | | |
| Storage media retention procedures are documented | | | | |
| Cost and budget for the above are estimated | | | | |

DD.7: Critical Record 4.66783
Storage Area
Internal facilities/areas 2 They are stored in filing Implement an internal
exist to store critical cabinets by business critical document/record
documents units themselves management group and
facility in addition to a
remote storage site.
Internal facilities meet the 0 No.
fire and water protection
requirements
Internal facilities meet the 0 No.
security requirements
External facilities/areas 7 Yes. Iron Mountain
exist to store critical only for paper
documents documents.
External facilities meet the 7 Yes
heat, humidity, and other
climate control
requirements
External record storage 7 Yes.
facility is under the
management and control of
qualified personnel
External facilities meet the 7 Yes.
security requirements
External facility can ship 7 Yes.
the records to work
areas/primary site within
required time-frame.
External facility supports 7 Yes.
24x7 operations
Appropriate record 8 We are using Iron Is Iron Mountain
management system is Mountain Connect™ Connect setup for
reviewed and assessed portal to track and Laptop access in
retrieve documents. the event of a
disruption (No)
Critical record Yes.
management procedures
are developed and are
aligned with the
requirements

DD.8: Alternate Work 4.68182 Expedite design and
Area development of long
term alternate work area


Alternate work areas exist 4 Plan to contract out
(contracted, company the work area from
owned, reciprocal ?) SunGard. We will use
Canadian site as an
interim solution

Alternate work area meets 0 N/A
the BIA and functional
requirements for recovery
personnel
Acquisition strategy for 0 N/A
workstation and servers in
work area is consistent
with BIA and other
business process
requirements
Floor plan exists 0 N/A

Non-IT resource 0 No.
acquisition strategy is in
place (faxes, copiers, etc.)

Site is unlikely to be 7 Yes.
affected by the same
disaster
Located outside of local 7 Yes.
area threats
Located outside of regional 7 Yes.
area threats

Alternate travel routes 7 Yes.
exist
A comprehensive and 3 Don't know
validated BC Program
exists for work area
Secondary power 8 Yes.
generator/supply exists
Technical support is 2 Don't know
available at alternate work
site
Supports connectivity to 8 Yes.
primary site
Supports connectivity to 8 Yes.
alternate IT recovery sites
Work area is expandable 2 Don't know
depending on the need

Sufficient security exists at 8 Yes.
alternate work site
Contains sufficient floor 2 Don't know
space for workstation and
IT infrastructure and end-
users

Designed to support usage 7 Yes.
24x7


Organization has sufficient 2 Don't know
control over the work area
and its resources

Meeting areas exist 7 Yes.

Basic facilities exist 7 Yes.
(HVAC, Bathrooms, etc.)
Close proximity to 7 Yes.
Accommodation and Food
Services/restaurants,
banks, etc.

DD.9: Crisis Management 7.25 Evaluate whether or not
Center (CMC) EOC meets the BC
requirements.
CMC design meets the 9 EOC will be used as
requirements for space, CMC. 1st location is a
personnel, equipment, leased site 30 miles
facilities, etc. away from HQ.
Alternate location is a
hotel meeting room to
be decided at the
time of disaster
Location is easily 9 Yes.
accessible for Crisis
Management Team (CMT)
and it is not prone to single
point of failure with the
primary site.
Reliable and dependable 9 Yes.

CMC meets the IT 3 Don't know about BC
requirements requirements.
(workstations, laptop,
printers, etc.)
CMC meets the Non-IT 8 Yes.
requirements (Faxes,
copiers, presentation tools,
etc.)
CMC meets the voice 3 Don't know about BC
connectivity requirements requirements.

CMC meets the data 3 Don't know about BC
connectivity requirements requirements.
Designed to support usage 9 Yes.
24x7
Organization has sufficient 9 Yes.
control over the work area
and its resources
Meeting areas exist 9 Yes.
Basic facilities exist 8 Yes.
(HVAC, Bathrooms, etc.)


Close proximity to 8 Yes.
Accommodation and Food
Services/restaurants,
banks, etc.

DD.10: Assembly 5.97619 Evaluate design of
Location assembly location
to determine if it
meets BC
requirements.
Assembly location meets 1 Don't know
the functional requirements

Assembly location 8 Yes.
complies with safety
guidelines
Easily accessible, 8 Yes.
dependable, and
expandable
Close proximity to Food, 8 Yes.
Accommodation, banks,
etc.
Controlled by the 3 No. MOU with
organization another organization.
Less likely to be affected 8 Likely to be affected
by the same local disaster by the local or
regional disaster; but
we have the EOC as
an alternate.

DD.11: Data 5.83333
Communication Services
Designs for Data Review design Design overall meets the
Communication and documents continuity requirements
Networking services are but needs some
complete additional improvements
Design takes into account 7 Yes. We have do they go through Review data link for
single points of failure redundant carrier the same conduit improving redundancy
concerns and links to the building and single-point-of-
communication redundancy (yes) failure
requirements
Different transmission 2 Same medium.
medium is used (wireless,
satellite, land lines)
Network design for 7 Yes.
alternate recovery site
exists with specifications
for connectivity, capacity,
throughput, reliability, etc.


Network design for work 8 Yes. IT has all that
area exists with worked out.
specifications for
connectivity, capacity,
throughput, reliability, etc.
Network design for data Yes. IT has all that
backup site exists with worked out.
specifications for
connectivity, capacity,
throughput, reliability, etc.
Network design for 4 It is complete except
connectivity between for work area which
primary site, alternate site, is planned to be
data backup site, and work completed in six weeks.
area is complete.
Data transmission security 7 Yes.
is part of the design.

DD.12: Voice 6.6
Communication
Strategies are developed Design overall meets the
for redundancy of voice continuity requirements
communication but needs some
additional improvements
Design takes into account 9 Voice service provider
single points of failure has provided multiple
voice lines going
through redundant
exchange routes.
Design takes into account 9 Yes. We have the
rerouting of critical phone capability to reroute
numbers our 1-800 numbers
that customers use.
Design includes different 3 No. They are all land Provide additional
communication mediums lines. redundancy by
(cables, satellite, wireless, combining voice
etc.) communication
mediums.
Design takes into account Yes.
bandwidth requirements
Design takes into account Yes.
work area requirements
Design takes into account 6 Yes.
CMT requirements
Design takes into account 6 Yes.
Recovery Site
requirements

DD.13: Work around 3.86111 See business process Ensure work around
Procedures audit file. procedures for all critical
areas are complete and
documented with
consistent format.


Work around procedures 3 Most have them
are documented for all documented
critical business units and
processes
Each work around 3 Some do and some
procedure clearly specifies don't
its objectives and scope
Each work around 3 Some do and some
procedure clearly specifies don't
conditions for invoking the
procedure
Each work around Yes.
procedure clearly specifies
tasks to be performed and
resources required
including critical records.
Each work around 3 Some do and some
procedure clearly specifies don't
task dependencies
Work around procedures 6 Yes.
include recovery of lost
data

DD.14: Training and 5.16667 Assign training and
Awareness awareness responsibility
to a staff member. Review current
training and awareness
design for additional
improvements.
Training and awareness
program is designed and
developed
Training database/site 7 We have an intranet
designed and developed site for business
continuity which
provides training
documents and
general information.
Training methods and 4 We plan to have
services selected onsite training on a
regular basis.
Training schedule prepared 1 No.
Awareness plan developed 9 We currently have an
internal BC monthly
newsletter.
Training evaluation process 2 No.
designed and developed
Training responsibilities 8 We are currently
assigned talking to HR training
department to take on
this task.


DD.15: Salvage and 0 See comments from The design and
Restoration functional development for Salvage
requirements and Restoration must be
based on the functional
requirements once they
are completed.
All critical resources for
salvage and restoration
identified
Physical areas and
buildings for salvage and
restorations assessed
Types of damage to critical
resources and areas
assessed
Salvage and restoration
experts and contractors
identified and contacted
Requirements and cost
discussed with Salvage
and Restore contractors
Contractors are selected

DD.16: Program Budget
Detailed budget established
Percentage of the IT
budget or overall revenue
Detailed budget and
spending established for
individual projects
Detailed budget and
spending established for
hiring staff
Detailed budget and
spending established for
contracts
Detailed budget established
for recovery resources and
services
Detailed budget established
for BC tools
Detailed budget established
for training and
awareness

PP: Program Implementation
Questions Rating Response and Further Recommendations
Conclusion Actions

PI.1: Risk controls Problems in this stage are
due to weaknesses in the
functional requirement
process. See
recommendations in
Design and Development.
All risk controls have been Some have been
implemented implemented
including
secondary power
generator.
Implementation project We have plans to
plans exist and approved continue
implementation of
risk controls.
Percentage Implemented 3 30 percent.

PI.2: IT Recovery 6 Most systems are
Systems in place and the
plans in place to
acquire the rest
Email systems
recovery
capability is not in
place
Alternate IT systems Yes
purchased or leased
Quick-ship strategies Currently talking
implemented to the vendor
Percentage completed 8

PI.3: Alternate IT IT recovery site is
Recovery Site in final stages of
complete
implementation.
Alternate IT recovery site 8 Yes. SunGard
completed
Alternate IT site inspected 8 Yes
and approved for use
Percentage completed 9 90 percent

PI.4: A Tertiary Recovery
Site
Tertiary site completed No.
Tertiary site inspected and No.
approved for use
Percentage completed N/A


PI.5: Offsite Data 5 Backup site is
Storage currently in use.
Backup frequency
needs
adjustments.
Remote backup site is Yes.
complete
Data backup process to Yes.
remote site has started
Percentage completed 8 90 percent

PI.6: Critical Record 2
Storage
Remote record backup Implemented for
site is complete document records
only. It is remote
only. There is
no internal
storage process
or system
Remote record backup Yes.
process has started
Percentage completed 5 50

PI.7: Alternate Work 4 Expedite
Area design and
development
of long term
alternate
work area
Alternate work areas exist 4 Yes. Currently at
(contracted, company the Canadian site
owned, reciprocal ?) but later at
Sungard.
Work area inspected and 3 Partially.
approved
Percentage completed 4 50

PI.8: Crisis Management 7 EOC will be used
Center (CMC) as CMC. 1st
location is a
leased site 30
miles away from
HQ. Alternate
location is a hotel
meeting room to
be
CMC exists Yes
CMC inspected and Yes
approved
Percentage completed 7 100

PI.9: Assembly Location 7 Assembly
location is in
place.
Assembly sites exist Yes


Assembly sites inspected Yes.
and approved
Percentage completed 7 100

PI.10: Data 8
Communication
Services
Data Communication and Yes
Networking services are
complete
Connectivity between Yes
Primary site and alternate
IT recovery site is
complete
Connectivity between Yes
primary site and data
backup site is complete
Connectivity between Yes
alternate IT site and work
area is complete
Connectivity between Yes
CMC and alternate IT site
is complete
Connectivity between Yes
CMC and alternate work
area is complete
Percentage Complete 8 80

PI.11: Voice 8
Communication
VC infrastructure and Yes.
services are complete

Percentage completed 8 80

PI.12: Training and 2 Expedite
Awareness initiation of
training and
awareness
program.
Training and awareness Not fully.
program activated
Percentage implemented 2 10 percent

PI.13: BC Tools 2
BC tool is purchased 2 No. We are still Expedite tool
evaluating tools evaluation to
begin tool
usage and
deployment
Tool training is complete


Plans and information
from paper/computer
sources have been
imported into the tool
Security and access
control is in place
BC tool is deployed
A dedicated staff manages
and maintains the BC tool
Team members have
access to the tool
Percentage Complete

PI.14: Salvage and 0 Salvage and
Restoration restoration is not
yet included in
BCP
Salvage and restoration No.
contracts are in place
Salvage and restoration No.
procedures are
documented
Percentage Complete 0 0

PI.15: Personnel 4
Are all required personnel 5 Most have been
hired hired but we are
still waiting to hire
two more staff
reporting to the
Coordinator.
Responsibilities assigned 5 Mostly assigned
to personnel.
BC team insurance 0 No.
purchased
Percentage Complete 4 60

PI.16: SLA and 7
Contracts
SLA have been negotiated 6 The key SLA are
and implemented in place
Contracts have been 6 Yes. Work area
negotiated and contract is under
implemented review.
Percentage Complete 7 80

PI.17: BC Plan
Document
Plan document is
complete
Executive Summary
Plan components
Objective
Scope
Assumptions
Constraints and limitations
Risk Assessment
BIA
Recovery Strategies
Plan Execution phases
BC Team Structure
Contact List
Call Tree
Alternate contacts
Contact Procedures
Disaster Definition
Disaster Declaration
Procedures
Service Level Agreements
Insurance policy
Critical resource inventory
Critical Staff
Crisis Communication
Plan
Emergency Response
Plan
Business unit plans
Disaster Recovery Plan
Recovery site Information
Data backup procedures
Data backup site
information
Critical record backup
procedures
Critical record backup site
information
Critical record recovery
procedures
Plan execution logistic
procedures
Security requirements and
procedures
Recovery logistics
Team responsibilities
Salvage and Restoration
procedures
IT recovery procedures
Data network recovery
procedures
Voice communication
recovery procedures
Work area site information
Work area recovery
procedures
Critical service recovery
procedures
Assembly location
procedure

Assembly location
information
Crisis management center
or EOC information
Plan execution timeline
and schedule
Disaster scenarios and
recovery procedures
BC Plan change controls
BC plan distribution list
BC plan appendices

PT: Plan Testing
Questions Rating Response and Further Recommendations
Conclusion Actions

PT.1: BC Plan Testing 3.714285714
Test plans exist for testing BC 6 Interim plans have been
plan tested
Test objectives cover all 2 No. It is missing testing
essential elements of BC plan of key business areas
Types of testing conducted so 2 Table top and some No testing Recommend
far systems at hotsite of testing of
notification notification
procedures; procedures; EOC,
EOC and work areas.
location,
Work
areas, etc.
Types of testing planned for 7 Hot site testing of all
future systems
Test scenarios are realistic 1 No real scenarios have Conduct likely
been tested scenario based
testing.
Tests have been completed for 3 No. It is missing testing Conduct testing of
all required parts of BC plan of key business areas all key aspects of
BC plan
Tests have been conducted 5 Yes.
according to test plans

PT.2: Test Evaluation 8 Tests have been This is one of the
evaluated well, strength areas. A
particularly for hotsite good test
testing. Evaluation evaluation process
included lessons learned. is in place.
Many issues related to
hotsite vendor support
and coordination were
identified and resolved.
Test results have been 8
evaluated
What criteria used to evaluate 8
tests
Testing met all of test 8
objectives
What were the strengths 8
identified by the test
What were the weaknesses 8
identified by the test

PT.3: BC Plan Approval 4 The long term plan
document is not yet
complete.
BC Plan is approved
BC Plan is approved by
program sponsor and BC
steering committee
BC plan is distributed to all
staff and personnel on

distribution list

PT.4: BC Plan Document
Which parts of the plan below
have been tested?
Objective
Scope
Assumptions
Constraints and limitations
Risk Assessment
BIA
Recovery Strategies
Plan Execution phases
BC Team Structure
Contact List
Call Tree
Alternate contacts
Contact Procedures
Disaster Definition
Disaster Declaration
Procedures
Service Level Agreements
Insurance policy
Critical resource inventory
Critical Staff
Crisis Communication Plan
Emergency Response Plan
Business unit plans
Disaster Recovery Plan
Recovery site Information
Data backup procedures
Data backup site information
Critical record backup
procedures
Critical record backup site
information
Critical record recovery
procedures
Plan execution logistic
procedures
Security requirements and
procedures
Recovery logistics
Team responsibilities
Salvage and Restoration
procedures
IT recovery procedures
Data network recovery
procedures
Voice communication recovery
procedures
Work area site information
Work area recovery
procedures


Critical service recovery
procedures
Assembly location procedure
Assembly location information
Crisis management center or
EOC information
Plan execution timeline and
schedule
Disaster scenarios and
recovery procedures
BC Plan change controls

PM: Program Management

Questions Rating Response and Further Recommendations
Conclusion Actions

PM.1: Primary Site 3.143 Extend change
Change Monitoring management beyond
IT-related changes.
Process is in place to 4 Yes. BC
monitor changes Coordinator
monitors all
changes by
attending all IT
change
management
meetings.
IT level changes are 4 Yes. Through IT
monitored change
management
Business process 1 Not at this time.
changes are monitored
Critical record changes 4 By business units Business
are monitored only. units have
people
assigned to
this task.
People changes are 3 We have been
monitored talking to HR to
keep us in the
loop.
Critical resource related 3 Not at this time.
changes are monitored
Critical services related 3 Yes. We plan to
changes are monitored go through
regular review of
service and
resource related
changes.

PM.2: Recovery Site 3 Implement proactive
Change Monitoring process for monitoring
recovery site changes.
Process is in place to 3 We expect
monitor changes at the vendor to notify
recovery sites us of any
changes.
Hardware changes are 3 Yes.
monitored
Software changes are 3 Yes.
monitored
Network changes are 3 Yes.
monitored
Facility changes are 3 Yes.
monitored
Policy changes are 3 Yes.
monitored
Security procedures are 3 Yes.
monitored


PM.3: Contract 7
Management
BC related contracts 7 BC coordinator
management process and procurement
established representative
conduct a
frequent
review/update of
contracts.
Contracts are reviewed 7 Yes.
on a regular basis
Contracts include 7 Yes.
maintenance and
upgrades
Procurement and legal 7 Yes.
departments are involved
in the contract
management

PM.4: Risk Controls 3
Risk assessment occurs 3 No.
periodically
Existing controls are 3 Facilities is
reviewed and inspected responsible for
on a regular basis reviewing
physical controls
such as
secondary power
generator.
Risk experts are involved 3 No.
in risk assessment and
control process
Risk assessment reports 3 No.
are presented to and
reviewed by management

PM.5: BIA 4 We plan to do it
regularly.
BIA is conducted
periodically
Gaps are identified
Results are reported to
and reviewed by
management
Recovery strategy gaps
are evaluated

PM.6: IT Systems 4 We plan to review
Recovery Strategy it regularly.
Recovery strategies are
reviewed regularly
Alternate sites are
inspected for changes
and problems.


Quick-ship strategies are
reviewed regularly

PM.7: BC Plan Testing 4 We plan to do it
regularly
A plan exists for regular
testing of BC Plan
Both minor and major
tests are carried out
regularly
Tests are reviewed and
evaluated
Test results are well
documented and reported
to management
Test issues are resolved
effectively
Backup data integrity
checks are done regularly
Work around procedures
are tested regularly

PM.8: Recovery 4 We will include it
Vendor's BC Plan in our program
Reviews
Recovery vendors' BC
plans are reviewed
regularly
Recovery strategies and
capabilities of vendors
are reviewed regularly
BC audit reports of
vendors are reviewed

PM.9: Training and Currently not in
Awareness maintenance
stage.
Training and awareness
program is monitored,
evaluated and updated

New hire orientation
includes BC information
Program includes learning
resource/database
Program includes
newsletters
Program includes regular
BC informational
meetings
Program includes BC tool
training


PM.10: Management 5
Process
Steering committee is 4 Steering
actively involved in the Committee will be
maintenance phase established in a few
months.
Program sponsor is 8 Yes.
actively involved in the
maintenance phase
BC Management 8 Weekly with the
meetings are held on sponsor and
weekly, monthly, and monthly with
quarterly periods business unit
managers
Reports from the steering 4 Steering
committee are presented Committee will be
to Board and senior established in a few
management months.
Rules and regulations are 1 No.
monitored and reviewed

PM.11: External 3 Improve external
Coordination coordination related to
BC plan
BC plan is coordinated 3 Through ERP. Coordinate with ERP
with external public team to include BC plan's
authorities coordination
requirements.
BC plan is coordinated 1 No. Coordinate BC plan with
with business partners business partners on a
regular basis
BC plan is coordinated 7 Yes.
with recovery vendors
Meetings are held 1 No. Arrange regular meetings
regularly to coordinate BC with external entities to
plan with external entities coordinate BC plan
activities

BC Audits are conducted
periodically
BC Audits include internal
and external auditors
Audit recommendations
are followed through
Audits are done through
expert auditors

PM.12: BC Program 6.25
Reviews


BC program is reviewed 7 We hold monthly
periodically meetings with all
business units to
review relevant
BC program
activities and
sections.
BC plan document is 7 BC coordinator
reviewed frequently and his team
review the plan
biweekly.
Review involves all BC 7 Most team
team members members
depending on
what we are
discussing at the
time.
Results of the reviews are 4 Not yet. But we
presented to steering present it to our
committee and program program sponsor.
sponsor

PM.13: Plan Document 5.4
Maintenance
Stored offsite and onsite 6 One copy is Recommend storing a
always with BC BC document at the hot
coordinator on a site. If possible use web-
memory card. based planning tool.
One copy is with
Iron Mountain.
Easily accessible during a 5 Yes
disaster
Secured 8 Yes. It is
encrypted.
Need-to-know list 3 No. We have a Develop a need-to-know
maintained common distribution list.
distribution list
with access to all
parts of the plan.
Distribution list 5 Yes.
maintained

Program Budget
Questions Rating Response and Further Actions Recommendations
Conclusion

Program Budget 5.333333 BC program needs
a separate budget;
Work out detailed
budget for each
phase, project, and
activities.
Separate annual budget 5 It is part of IT budget
allocated
Business area supporting the 8 Yes. Business Managers
BC Program budget are very supportive.
Source of budget 3 IT BC program needs
a separate budget
and not simply be
part of IT budget.
Detailed budget established for 5 Yes. Does it account
BC tools for a specific and
its cost (We
know the tool we
want and its cost)

Overall budget estimates 5 We do not have a yearly
established budget but last year we
spent $240K
Percentage of BC budget 3 IT budget is about 2%. Obtain more
relative to annual revenue Last year we spent about information.
240 k on BC beyond
people resources. We
were allocated $125K
originally.
Overall budget established for 7 Business units have their
individual projects own budgets for BC
activities.
Overall budget established for 7 We have put the request to
hiring staff hire two more staff for next
year.
Overall budget established for 7 The budget for contracts
contracts will come out of the overall
BC budget.
Overall budget established for 3 Our recovery resource and Find out if this
recovery resources and service budget is mostly budget is outside
services part of the overall IT of the BC budget.
budget. Yes it is outside
of the IT budget.
Last year
approximately
60K was spent
on the recovery
resources and
services.
