COBIT is a framework of control objectives for IT governance, providing guidance and best practices that address important aspects of IT management and control. The COBIT framework helps you leverage, as well as organize your IT resources to deliver maximum value by linking business and IT goals. Any organization, irrespective of its size, can benefit from a COBIT framework implementation — provided the execution is full-blown, rather than merely implementing a small set of controls as per your business need.
The COBIT framework helps align business and IT, which is of paramount importance in a disaster recovery (DR) scenario. Here’s a list of deliver and support objectives of a COBIT framework that will help better your DR plan.
Mapping COBIT framework to DR plans
Importance of IT continuity management
Every organization must use a structured method to create a disaster recovery plan framework based on business needs, for resumption and recovery of resources. This will include the organizational structure for management of continuity, DR efforts, alternatives and identification of critical resources. Deliver and support (DS) 4.1 of the COBIT framework addresses the enterprise-wide continuity management element of a DR plan. According to DS4.4 of the COBIT framework, maintenance of the DR plan involves updating it in alignment to business requirements. Mapping the COBIT framework to your DR plan will ensure that recovery restores the organization back to a current point in the business.
The need for Individual continuity plans
A single, large continuity and recovery plan for the organization may become challenging to manage. Instead, a risk-based business assessment will assist you in identification of areas that should have individual recovery plans. According to DS 4.2 of the COBIT framework, you must carry out risk assessment and analysis to ensure that your plan design is based on a framework that will help minimize the impact of a disruption on your business operations. Keep this in mind when mapping the COBIT framework to DR plans.
Significance of resilience, recovery and prioritization
Assessment of business needs, impact of disasters on business and criticality of the business process are together considered for a business impact analysis. DS 4.3 of the COBIT framework will help you carry out a risk- and impact-based analysis to prioritize recovery plans, as well as create a strategy for recovery and resilience.
Using the risk-based analytical approach recommended by DS 4.2 of the COBIT framework, your organization’s disaster recovery plan must make sure that requirements for resilience are addressed, and also specify alternative processing methods for recovery.
Ensure response for different time periods
The COBIT framework through DS 4.3 suggests that the disaster recovery plan will have to be devised appropriately, depending on the time of the day. The response time should differ based on working and non-working hours, as well as consider processing, update and synchronization time.
Focus on regular testing and training
DS 4.5 of the COBIT framework addresses the need for regular testing. This is necessary, as it ensures that recovery procedures will be effective in the event of a disaster, and continuity will be as required.
DS 4.6 of the COBIT framework emphasizes that all stakeholders and users must undergo regular training and participate in drills. The lessons learned from drills will provide inputs for policy and process enhancements to update the DR plan document. This is an important consideration while mapping the COBIT framework to DR plans.
POA post the DR plan preparation
Proper and secure distribution to all authorized parties is vital. DS 4.7 of the COBIT framework states that the DR plans should be easily available to all authorized personnel. It must also be distributed to the security managers.
DS 4.8 of the COBIT framework addresses the importance of business understanding and investment support to the DR plan. Continuity and disaster recovery plans must have the buy-in of business units, which will also have to provide investment in terms of time and money.
Planning for recovery and resumption period
DS4.8 of the COBIT framework provides guidance for activities such as backup recovery and alternative processing during the period of recovery and resumption. The IT team and business owners must be part of decision making processes to determine storage requirements and identify critical assets that should be backed up to offsite locations. DS 4.9 of the COBIT framework provides insights on best practices for storage of all critical media, documentation and required resources.
Regular management assessment of plans
When mapping the COBIT framework to a DR plan, it is essential to perform regular management assessment of DR plans. The COBIT framework in DS 4.10 elaborates on the need for plans to be assessed regularly by all management stakeholders along with the information relating to business and risk assessments to ensure they are current and relevant.
About the author: Dinesh Bareja, CISA, CISM, ITIL, is an information security consultant specializing in strategic and customized IS solutions, MSS, SOCs, PCI, ISMS, ITSM and more. He is currently the vice president for information security at Grid Infocom. Bareja is involved in training, and conducts regular online mentoring sessions, as well as maintains thefaqproject.com for InfoSec certifications. You can connect with him through firstname.lastname@example.org.
(As told to Mitchelle R Jansen.)