
HelpSource

Ganapathi Subramaniam, CISA, CISM, has recently joined Microsoft (India) as chief security officer. Prior to this, he was with Accenture (India), as part of the global information security function. He relocated to India to join Accenture in 2007 from the UK, where he had spent nine years with PricewaterhouseCoopers and Ernst & Young. An avid reader, he is a regular columnist for the Journal, writes for other industry publications and is an international conference speaker.


ISACA JOURNAL VOLUME 2, 2013

We invite you to send your information systems audit, control and security questions to:

HelpSource Q&A
bgansub@yahoo.com or publication@isaca.org

Fax to: +1.847.253.1443

Or mail to:
ISACA Journal
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA

How do you audit the effectiveness of a command centre of a crisis management plan in the context of business continuity planning? You may also elucidate steps to audit a crisis management plan.

A crisis management plan (CMP) is a component of the overall business continuity management (BCM) plan. A command and control centre (CCC), on the other hand, is a subcomponent of the overall CMP.

An effective CMP is something that is well tested and documented.

The steps to audit a CMP, which comprise the setting up of a CCC, are as follows:

• The plan must clearly define what constitutes a crisis because a simple event or an incident may not warrant the assembling of the crisis management team (CMT) and executing the plan. It is pertinent to note that such incidents and events may also require resolution.

• The plan must contain steps that would lead to the assembling of the CMT in the CCC.

• A proper venue must be pre-identified and designated as the crisis management room to handle the crisis.

• The crisis management room or the CCC must be equipped with all kinds of communication devices and equipment.

• The communication links must be redundant links other than the primary links. Imagine a scenario where the crisis is the failure of the primary connectivity links; redundant links are a must.

• The lead of the CCC must have sufficient authority and mandate to make decisions. He/she must be someone who has complete knowledge of the business.

• The roles for individuals comprising the CMT must be clearly identified. In particular, it is essential to identify the leader of the team. There cannot be a debate at the time of crisis as to who is going to lead the effort and take calls or make decisions.

• The CMT will not be able to deliver on its own. It will have dependencies on various other teams. Such connections must be clearly identified and documented. For example, the disaster recovery team (as it is called in the BCM world) is responsible for the recovery of the IT systems and applications. If the IT systems are outsourced and run by one or more third-party vendors, the definition of roles and responsibilities becomes much more important.

• The CMT must interact with the communications team responsible for both internal and external communication. Policies must be in place forbidding employees from talking to external agencies. Employees giving interviews to the press during the crisis may not be helpful to the organisation.

• There must be a notification system in place that can be deployed to assemble the CMT. In BCM parlance, this is called the call tree. It is essential that the call tree structure is well tested. If the telephone numbers prove to be invalid during actual crisis management, it may aggravate the crisis situation.

• The CCC must be located at a reasonable physical distance from the actual location of the crisis. Depending on the nature of the crisis, the CCC can be located at the same primary location from where the business functions. However, it is essential to have more than one location identified in advance. Depending on where the crisis strikes and the nature of the crisis, the CCC location can be chosen from the identified locations.

• Individuals must be identified to interact with external agencies such as press and law enforcement.

The above is an indicative list of how to effectively operate a CCC in the event of a crisis. As always, the list is not exhaustive.

2013 ISACA. All rights reserved. www.isaca.org
