Managing the ultimate good to bad scenario: Loss of Critical IT Services
The growing digital transformation agenda and rising consumer expectations will continue to place greater pressure on IT services. It is essential that Boards and Senior Management have confidence that the technologies and processes in place are resilient, and that recovery plans will work when they are needed.
Technology resilience remains one of the major challenges facing businesses, yet Boards typically receive very little assurance that management understands the vulnerabilities that exist, the quality of the arrangements in place, and whether testing is effective.
BDO’s Technology Resilience Assurance approach focuses on the four Technology Resilience Assurance Cornerstones:
- Vulnerability Assessment: For every critical service, we will evaluate whether all end-to-end dependencies have been identified, Recovery Time Objectives (RTOs) have been assigned, and all vulnerability scenarios are known (for example, security attack, natural disaster, single points of failure, infrastructure weaknesses, data centre disruption, third-party dependencies, data corruption, reliance on telecoms or digital platforms, people risks and critical IT processes). Using this detailed knowledge of your organisation and IT environment, together with our insights for your sector, we will provide an end-to-end heat map identifying the resilience threats and vulnerabilities specific to your business.
- Resilience Management Assessment: Using the vulnerability assessment, we will conduct an in-depth assessment of the security and resilience plans in place. This phase will focus on the key areas below and we will provide Senior Management with a comprehensive gap analysis and action plan to address any critical priorities.
  - How resilience has been built into the IT infrastructure to minimise the occurrence of key threat scenarios (for example, hardening of the IT architecture against sabotage attacks on IT services, data centre outages, loss of cloud services and single points of failure).
  - How management monitors and predicts emerging performance issues across the IT infrastructure.
  - The quality of the disaster recovery plans and how roles and responsibilities are assigned.
- Testing Assessment: Our methodology focuses on a number of areas to provide feedback on the maturity of your testing approach:
  - Test Plans: Are the test plans adequate, and do they cover all scenarios (for example, data centre disruption, data corruption, loss of connectivity to critical services supported by third parties)?
  - Testing Approach: Assess the quality of the testing regime used to determine whether all elements of the recovery plan have been tested (for example, command and control structure, communication, data/systems recovery, stakeholder engagement).
  - Testing Advice: If required, we can use war room exercises to simulate critical disaster scenarios and show how effective the response plans are in practice.
- Assurance Assessment: Determine whether the assurance provided to the Board and Senior Management is appropriate, informative, robust and timely. It is essential that the management information reported is reliable and this cornerstone will also assess the quality of the data used.