 Hello and welcome to the session in which we'll keep working with the business resiliency plan and specifically we're going to be focusing on the system availability controls. In the prior session we looked at the first component of the business resiliency plan which is the OCP organization continuity planning. Now real quick what is business resiliency? Business resiliency is how fast can you come back from a disaster, from an outage, either keep working or come back from zero and start your business again, get back online. It has four components. The first one is organization continuity planning. Basically you have a plan to come back. The second one is system availability control. So in this session we will focus on the system availability controls. What are the system availability controls? Well before a disaster occur, before a hacker attacks us, before we have some sort of a cyber attack, what type of controls do we have as a company? So the system availability controls is composed of four components. We're gonna break it down into four components. We should have physical controls. We should have IT controls. We should have redundancies and we should back up the files. So those are the controls that's gonna help us either prevent or in case something happen minimize this effect. Now since I have a list of those four components of availability controls, I am going to discuss each one separately starting with physical controls. Before we proceed any further, I have a public announcement about my company farhatlectures.com. Farhat accounting lectures is a supplemental educational tool that's gonna help you with your CPA exam preparation as well as your accounting courses. My CPA material is aligned with your CPA review course such as Becker, Roger, Wiley, Gleam, Miles. My accounting courses are aligned with your accounting courses broken down by chapter and topics. My resources consist of lectures, multiple choice questions, true-false questions as well as exercises. Go ahead start your free trial today. What is physical controls? Well physical controls are measured implemented to secure the physical assets. Simply put you are protecting your building, your equipment, your resources, your computers. How do you do that? Well for one thing you create barriers between those assets and the outside world where barriers could include walls, fences, doors, secure doors, bollards to protect the critical system and infrastructure from physical threats such as theft, vandalism, and terrorist attack. That's a great but also you want to limit control to these buildings. How do you limit control? Well through key cards, biometric scanners, and other security measures. So not everyone can access those buildings. Only people that need to access those building with the appropriate authority to do so. Why? Because you want to limit access to the critical system. So you could have those critical system and infrastructure inside a building and if anyone can access the building how good is that? Three, you have to have environmental controls. Why? Because servers, computers, they need an optimal temperature to function. So maintaining an appropriate environmental condition could be temperature, humidity, and air quality to ensure the optimal function of those systems. This is part of your what? Part of the making sure the system don't go down. Part of your business resiliency so your system don't go down because of too cold or too hot or the air quality is not good. Also what could help is a fire suppression system. Those are all examples of physical control. Installing such system will do what? Protect the critical system from fire damage. So as soon as the fire will happen, the sprinkler should help put the fire out and you should have fire extinguisher on hand for the people who are there to help put the fire out as soon as possible. Again, those are kind of a preventive measures, preventive measures. Those are physical control. That's great. You also need part of your control is IT infrastructure controls. What is that? Well, those are measures to ensure the security and availability of your IT infrastructure. What is IT infrastructure? It could include hardware, software, network, data centers. You want to make sure it's available. Those systems are available to the smooth operation of the business. If they're not, you're in trouble. So how do you protect your IT infrastructure? One is you authenticate the users. Not everyone can go in, right? You limit the access but also the access through IT, through password, you can do that. You can protect your asset. Requiring users to authenticate themselves using username and password or other multi-factor authentication. For example, you put your password, then you receive a message to your cell phone. So although you know the password, you need to have your cell phone. You could also use biometrics and smart cards to make sure this individual is exactly this individual. So notice user authentication is very similar to limiting access. But how do you limit access? You limit access through technology. Also, you will use a role-based access control to do what? To limit people from accessing the network, restricting access to the system by doing what? Only the people that are required or there is a need for them to access the information. They access the information, restricting access to the system, network and application based on the user's role within the organization and their level of authorization. So you have no business to access the network, no business to access the data center. You cannot access it, whether that remotely or physically. Actually, we talked about physically but also remotely, you cannot access it. Password policies, implement them, password policies that require users to create strong password. Again, this is related to number one, user authentication. Change them on a regular basis to prevent password reuse across the friend system and an application. Also, you should have access logs. What is access logs? Basically, you can go back and always figure out who logged in at what point. So this way we know who's logging in and exactly what are they doing, which is basically part of monitoring and log in access to critical system network and application to do what? To enable auditing. If I want to go back and figure out what happened, do a forensic audit, a forensic investigation of a security incident, I can go back and I can trace who logged in, what time, what did they do, what time they left. So they would leave traces of that. Encryption, implement an encryption technology. What's an encryption technology? Basically, if somebody gets access to the data, they cannot read it. It's not useful for them. So you encrypt the data. You just basically put a password inside the data. To protect the data at rest, it could be at your company or at your data center or while in transit to ensuring that even unauthorized users who gain access, they will not be able to read it. So even if you gain access to it in transit or you are able to access the database, you can't read it because it is encrypted. You need another key and that key also another measure of control that it will not allow you to do so. Network redundancy, implementing a redundant network to ensure if one network fails, the other one goes online and you maintain connectivity. This is part again of redundancy. This could be here. This could be part of the redundancy. Okay, that's why I have it in yellow. Network redundancy could be either or and also utilize anti malware software that's going to look for viruses and other cyber security threat. The third control you should have as part of your system of business resiliency is redundancies. What's redundancies? Having more than one thing of the same thing. So in case something happened to one thing that the other comes in and run the business redundancy and system control availability refer to the practice of having multiple instances of critical systems. So if one system went down, you have another backup or one component went down or one process is not working. Another one will compensate, will keep on going. Okay, redundancy can be implemented in various ways depending on the systems that we have and the level of redundancy required or the level of redundancy that you want to have. Now, bear in mind, if you want to have redundancies, you're going to have to pay money. Redundancies means duplicating, having a duplicate or a backup for anything that could happen. You could have redundancy in the hardware, implementing redundant hardware components such as servers, switches, storage devices to ensure if one fails. Another one is available to take over immediately. Now you could have redundant hardware by having a contract with another company. You don't have to buy them just in case something happened. I pay a fee and they will bring them and we can keep on going real quick. Our servers are up and running. You could have redundant power supplies. That's important. Installing redundant power supplies for critical system to ensure uninterrupted power supplies in the event of a power outage or if there's a power failure of one of the power supplies what you have could have generators, could have a generator that just kicks in or you could have uninterrupted power supply which is UPS batteries that could give you a few hours or 24 hours until you figure things out. But this is part of your redundancy plan, a UPS system. You could have a redundant network. Remember, in the prior session we said redundant network, implement a redundant network to ensure that if one network fails the other one is available to take over and maintain connectivity. I believe redundant network is better under redundancy rather than IT controls. Redundant data center, implement redundant data centers in geographical diverse location to ensure if one data center is affected by a disaster or outage another one is available to take over and maintain operation. Let's assume you operate in a place where it's prone for tornadoes. Well, that's that's you have to do that. Well, that's fine. But you should have another data center or a cold center in another place. For example, if that place is in Florida, you want to have a place in maybe New York or in Los Angeles. If you have one place in Los Angeles, an earthquake could happen, you want to have another place in Arizona or another place in Washington state. So what you do is you geographically diversify your locations. That's another form of redundancy. Backup files. Backup file is also a critical component of a business resiliency because what happened is when the system goes down, you could lose your file. So you want to back them up somewhere. It's a critical data and application that are stored in separate location from the primary system. And the backup is an essential component of any business resiliency plan. Why? Because they're going to help you ensure the availability of the data. And once it's available, once you want to recover it, recover the critical data and application in the event of a disaster, outage or other disruptive event. That's important. Now, where could you have this backup files? Well, you could have it in many places. One, you could have it on premise. Okay. Organization can store backup files on storage devices located on their own premises, like you could have external hard drives or tape drives. Well, this option gives you access to that information, but you could be vulnerable to theft, fire or other disasters. Remember, now what you're doing, you're backing up your files in the same place where you may need them to back up. What happened if you lost them, if they are stored on premise? But that's one option. Another option is to store those, that information in the cloud. Well, cloud storage services offer secure offsite in contrast to onsite for backup files or something happened on your site, you're not affected. Provide an accessibility from any location within an internet connection. But again, there's always pros and cons. Cloud storage can be an affordable and reliable option, but you will need additional security measure to protect against data breaches. Now you're giving your data to someone else, and now you're relying on their system. So it's good you don't have it on premise, because you don't have to worry about in case of a fire, it's in the cloud. But now you have to worry about security. Three, you could have remote backup services. Remote backup services offer offsite storage and management of backup files. So rather than have those files on your system, you'll put them in a remote backup service and often with advanced security features such as encryption and multi factor authentication. This option provide a redundancy and security, but it can be more expensive than having it on premise, which is you're taking care of it or have it in the cloud option. Again, how important is your backup files to you? And how critical are they to your business? So that's why you want to back up the files, but you want to make sure, where am I backing them up? Am I backing them up on my hard drive and keeping them at the office? What if a fire happened? The purpose of these backup is to protect me when I need to go back online. I can put them on the cloud, but again, I have to worry about security or I can buy a remote backup services that's going to cost me a lot of money, depending on the critical aspect of it. Also, you want to back up your files on regular basis. We have two types of backup. We have full backup and we have a partial backup. What is a full backup? Well, it's a type of a backup that create a complete copy of all the data and application in the system at a given point in time. Simply put, when I go to sleep, I always backup my system, so I don't lose any files. So full backup capture all files, folders and application, including those that have not changed since the last backup. So full backup is you're backing up everything from zero, backing up everything. Well, it's the most comprehensive backup, but it can be time consuming and require a significant storage space. So the full backup is the best. Why? Because you have everything backed up, but it's going to take time. It's going to slow down your system and it's going to require computing power in significant storage space. So this is a full backup. Then we have partial backup. Under partial backup, we're going to have two types of partial backup. Partial backup are backup methods that do not back up the entire system, but instead they focus on specific subset of data and application. There are two types of backup. The first one is called incremental backup. So what is incremental backup? Incremental backup captures only the changes made to the system since the last backup, whether that was a full backup or another incremental backup. Let's assume on Sunday, I backed up my system. I fully backed up my system. So this is a full backup. On Monday, what I would do is I only backup the data that I changed on Monday. So it's an incremental. So when I do the backup on Monday, only backup the data that I perform on Monday. On Tuesday, again, I would only backup the information that I changed on Tuesday. So it's an incremental. So this type of backup requires less storage space and it's faster backup because I'm only backing up the incremental backup. However, restoring data from incremental backup can be more complex because multiple backup must be restored in the correct order. So notice on Wednesday, again, I'm going to have another backup but that backup is only for Wednesday data. So when I have to restore, I have to be careful in restoring this information in order. So that's the problem with incremental backup. Then we have another backup called the differential backup. Differential backup capture all changes made to the system since the last full backup. This backup, this type of backup is faster than a full backup and require less storage than an incremental. So basically, again, if we go back to Sunday, Monday, Tuesday example, so Sunday I did a full backup, Monday I backed up Monday. On Tuesday, I will go ahead back up Sunday, Monday as well as Tuesday. However, restoring data from differential backup can be slower than incremental backup because it requires restoring the full backup and the differential backup. So when it comes to restoring here, you're going to have, it's going to take, it can be slower. Just know the difference between differential backup and a an incremental backup. What are they? What are the pros? What are the cons? Again, what we did here is we looked at the second component of business resiliency, which is you have to have availability of system controls, which is availability of system controls is composed of these four component, I'm sorry, it's composed of these four component, physical control, IT control, redundancy and backup files. In the next session, we would look at the third component of business resiliency, and that's crisis management. So part of your business resiliency, you should have a crisis management plan. What should you do now? Go to far hat lectures, look at MCQs, that's going to help you understand these topics better. Business resiliency is a topic that's covered on the CPA exam. Why? Because it's an important topic in the real world. Companies, they cannot afford to go down and stay down for a long period of time. Therefore, they have to have a business resiliency plan. And part of it, they have to have an OCP system availability controls crisis management, which we'll talk about next. And this disaster recovery, which will be the last topic. Good luck, study hard and stay safe.