
Year 2000 Computing Challenge: DEA Has Developed Plans and Established Controls for Business Continuity Planning

Published by the Government Accountability Office on 1999-10-14.


                United States General Accounting Office

GAO             Report to the Special Committee on the
                Year 2000 Technology Problem



October 1999
                YEAR 2000
                COMPUTING
                CHALLENGE

                DEA Has Developed
                Plans and Established
                Controls for Business
                Continuity Planning




GAO/AIMD-00-8
Contents



Letter


Appendixes   Appendix I:   Briefing to the Senate Special Committee on the
                           Year 2000 Technology Problem
             Appendix II:  Objectives, Scope, and Methodology




             Abbreviations

             DEA       Drug Enforcement Administration
             IT        information technology
             BCCP      Business Continuity and Contingency Planning




             Page 1           GAO/AIMD-00-8 DEA’s Year 2000 Business Continuity Planning Efforts
United States General Accounting Office
Accounting and Information Management Division
Washington, D.C. 20548



                                    B-282158




                                    October 14, 1999

                                    The Honorable Robert F. Bennett
                                    Chairman
                                    The Honorable Christopher J. Dodd
                                    Vice Chairman
                                    Senate Special Committee on the Year 2000 Technology Problem
                                    United States Senate

                                    Despite an organization’s best efforts to remediate its mission-critical
                                    systems, core business processes may still be disrupted by Year 2000-
                                    induced failures and errors in internal systems, business partners’ systems,
                                    or public infrastructure systems such as power, water, transportation, and
                                    telecommunications systems. Contingency plans for continuity of business
                                    operations help mitigate the risks and impacts associated with unexpected
                                    internal and uncontrollable external system failures.

                                    At your request, we determined (1) the status of and plans for completing
                                    the Drug Enforcement Administration’s (DEA) contingency planning for
                                    continuity of operations and (2) whether DEA’s contingency planning
                                    efforts satisfy the key processes described in our business continuity and
                                    contingency planning guide.1 On July 21, 1999, we briefed your office on
                                    these matters. This report summarizes and updates the information
                                    presented in the briefing. The briefing slides are presented in appendix I.
                                    Details of our objectives, scope, and methodology are in appendix II. We
                                    performed our work from March through July 1999 in accordance with
                                    generally accepted government auditing standards. We updated the status
                                    of DEA’s development of its business continuity plans through August 1999.




                                    1 Year 2000 Computing Crisis: Business Continuity and Contingency Planning
                                    (GAO/AIMD-10.1.19, August 1998).








Results In Brief

                   DEA has managed its business continuity planning efforts in accordance
                   with the structures and processes recommended by our business
                   continuity and contingency planning guide and it has made progress
                   toward completing Year 2000 business continuity plans. DEA plans to
                   complete development of its business continuity plans by early September
                   1999 and to test them by the end of November 1999. DEA’s development of
                   its plans is about 4 months later than our April 30, 1999, recommended date
                   and its testing milestone is 2 months behind our recommended date of
                   September 30, 1999.2

                   While progress has been made, DEA is nevertheless running late and still
                   has many important tasks to complete, and its plans for completing these
                   tasks leave little time to address any schedule slippage. Therefore, it is
                   important that DEA’s leadership continues to monitor its business
                   continuity planning efforts to ensure that any deviations from plans are
                   identified and that corrective actions are taken immediately to ensure that
                   this very important Year 2000 risk mitigation process is completed on time.

                   DEA officials commented on a draft of the briefing slides and agreed with
                   our findings and conclusions.



Background

                   DEA’s mission is to enforce the controlled substances laws and regulations
                   of the United States, to bring to the criminal and civil justice systems
                   organizations and individuals involved in the growing, manufacture, or
                   distribution of controlled substances, and to recommend and support
                   programs aimed at reducing the availability of illicit controlled substances.
                   For purposes of business continuity planning, DEA has defined six core
                   business processes:

                   • Investigations of regional, national, and international drug cases;
                   • Tracking information on domestically cultivated and manufactured
                     illegal drugs;
                   • Enforcement of the country’s drug laws;
                   • Regulation and control of the distribution of controlled substances;
                   • Management of human resource issues such as payroll, health, staffing,
                     and training; and
                   • Financial management of payroll, bill paying, and ordering of supplies.

                   2 Year 2000 Computing Crisis: Readiness Improving, But Much Work Remains to Avoid
                   Major Disruptions (GAO/T-AIMD-99-50, January 1999).

                        To carry out its responsibilities, DEA depends extensively on information
                        technology (IT) systems. For example, DEA uses the Narcotics and
                        Dangerous Drugs Information System, which includes information on
                        people, businesses, vessels, and selected airfields of interest to support its
                        investigation process. In addition, DEA uses the Automation of Reports and
                        Consolidated Orders System to track the sales and purchases of illegal
                        drugs between manufacturers, distributors, and the retail sector (e.g.,
                        practitioners, hospitals, and pharmacies).

                        DEA has been working to address the Year 2000 problem with its critical IT
                        systems. Under the leadership of its Year 2000 executive, DEA identified
                        38 mission-critical IT systems. DEA reported that all its mission-critical IT
                        systems were Year 2000 compliant as of March 1999.



DEA Has Limited Time Remaining to Complete Important Business Continuity Planning Tasks

                        To ensure that agencies have sufficient time to develop, test, and finalize
                        business continuity plans, we recommended that agencies develop their
                        business continuity plans by April 30, 1999, and test them by September 30,
                        1999. This allows sufficient time for agencies to evaluate whether
                        individual contingency plans are capable of providing the level of support
                        needed to their core business processes and whether the plan can be
                        implemented within a specified period of time.

                        DEA has made progress towards developing and testing its business
                        continuity plans; however, its efforts are running late and its schedule and
                        milestones leave limited time to complete many important tasks. DEA
                        plans to complete the development of its business continuity plans by early
                        September 1999 and to test them by the end of November 1999, which is
                        4 months and 2 months later, respectively, than we recommended.

                        In March 1999, DEA’s Year 2000 Program Office briefed the headquarters
                        and field divisions on DEA’s Year 2000 business continuity and contingency
                        planning strategy and milestones for preparing draft business continuity
                        plans, reviewing and revising the plans, and testing the plans. As of July
                        1999, DEA had met most of the milestones identified in its strategy. For
                        example, DEA’s field and headquarters divisions began submitting draft
                        plans in May, and in June, the Business Continuity and Contingency
                        Planning (BCCP) Task Force began reviewing the draft plans to identify
                        needed improvements and best practices. In addition, contractors, system
                        owners, and users have begun validating and testing system-level
                        contingency plans and the Year 2000 Program Office is currently
                        developing plans and schedules for the agencywide rehearsal of the
                        business continuity plans.

                              While DEA has made progress towards developing and testing its business
                              continuity plans, it still has many important testing activities to complete in
                              about 4 months before the century date change. For example, as of
                              July 1999, DEA had not validated its business continuity strategy; defined,
                              documented, and reviewed test plans; prepared test schedules and test
                              scenarios; validated the functional capability of each contingency plan;
                              rehearsed business resumption teams to ensure that each team member is
                              familiar with procedures, roles, and responsibilities; and updated business
                              continuity plans based upon lessons learned and retested them, if
                              necessary. Such a challenging list of tasks, with only about 4 months
                              remaining, leaves DEA limited time for addressing problems that could
                              arise, such as schedule slippage or delayed delivery of resources needed
                              to implement contingencies.



DEA Has Satisfied or Has Plans to Satisfy Most Key Processes For Business Continuity Planning

                              Our business continuity and contingency planning guide provides a four-phased
                              structured approach for business continuity planning: initiation,
                              business impact analysis, contingency planning, and testing. Each phase
                              includes several key processes to be completed within that phase. DEA has
                              satisfied or has plans to satisfy most of these key processes.

DEA Has Satisfied the Key Processes in the Initiation Phase

                              According to our contingency planning guide, effective initiation of a
                              business continuity planning effort includes, among other things,
                              (1) establishing a business continuity project work group that reports to
                              executive management and includes representatives from major business
                              units, (2) developing and documenting a high-level business continuity
                              planning strategy that includes project structure, metrics and reporting
                              requirements, and cost and schedule estimates, (3) defining core business
                              processes and the supporting mission-critical systems, and
                              (4) implementing quality assurance reviews to verify that the business
                              continuity plans satisfy information requirements.

                              DEA has implemented all of the initiation phase key processes. For
                              example, DEA’s Year 2000 Program Office (1) established a BCCP task
                              force, which reports to senior management and consists of division and
                              contractor representatives, to help develop guidance and review
                             contingency plans; (2) documented and communicated the business
                             continuity planning project structure and reporting requirements
                             throughout the agency through management memoranda and briefings,
                             developed reporting metrics to support executive management’s reporting
                             requirements, and developed initial cost and schedule estimates for the
                             business continuity planning activities; (3) defined its six core business
                             processes and identified the mission-critical systems that support each of
                             them; and (4) tasked the BCCP task force and its supporting contractors to
                             review the divisions’ plans for adherence to DEA’s guidance and
                             consistency, and to ensure that the plans address appropriate core business
                             processes.


DEA Has Satisfied or Plans to Satisfy All Business Impact Analysis Key Processes

                             The objective of the business impact analysis phase is to determine the
                             effect of mission-critical information systems’ failures on the viability and
                             effectiveness of agencies’ core business processes. According to our guide,
                             effective business impact analysis includes, among other things,
                             (1) defining and documenting Year 2000 failure scenarios, (2) performing
                             risk and impact analyses of each core business process, and (3) defining
                             the minimum acceptable level of output and services for each core
                             business process.

                             DEA has fully satisfied, partially satisfied, or has plans to satisfy all
                             business impact analysis key processes. For example, DEA’s Year 2000
                             Program Office (1) defined general failure scenarios, such as infrastructure
                             outages or system failures, and directed the headquarters and field
                             divisions to ensure that failure scenarios are defined in their business
                             continuity plans and (2) assigned risks and assessed the impact of internal
                             and external system failures on each core business process and instructed
                             the field and headquarters divisions to perform risk and impact analyses for
                             the core business processes that they support. In addition, during the
                             business continuity plan review and revision process, DEA Year 2000
                             program officials plan to ensure that the divisions define the minimum
                             acceptable levels of service for each core business process. According to
                             these officials, the criteria for establishing the minimal acceptable levels
                             are those which will not compromise the safety and security of DEA
                             resources.








DEA Has Fully or Partially Satisfied Most Contingency Planning Key Processes

                             The purpose of the contingency planning phase is to integrate and act on
                             the business impact analysis results. According to our contingency
                             planning guide, effective contingency planning includes, among other
                             things, (1) defining and documenting triggers for activating contingency
                             plans for each core business process, (2) developing and documenting a
                             “zero day”3 strategy and procedures, (3) establishing a business resumption
                             team for each core business process that is responsible for managing and
                             implementing the contingency plans, and (4) assessing the costs and
                             benefits of identified alternatives and selecting the best contingency
                             strategy for each core business process.

                             DEA has fully or partially satisfied all but one contingency planning key
                             process. For example, DEA (1) defined triggers for activating contingency
                             plans in case of IT and infrastructure failures, such as loss of system
                             services, communications services, and emergency services, and
                             (2) developed a “zero day” strategy that includes participation by all sites
                             during the Year 2000 transition weekend (December 30, 1999, through
                             January 2, 2000). Further, DEA plans to establish and train Year 2000
                             business response teams within its existing “command center” support
                             structure to ensure that Year 2000 contingency plans can be successfully
                             executed if necessary.

                             However, DEA has not assessed the costs and benefits of identified
                             contingency alternatives and its guidance does not instruct the
                             headquarters and field divisions to complete cost/benefit analyses during
                             the development of their business continuity plans. DEA’s Year 2000
                             program officials stated that, during the review of the divisions’ draft plans,
                             they would consider the cost effectiveness of alternative contingency
                             strategies.


                             3 A “zero day” strategy includes procedures for minimizing the risk associated with potential
                             Year 2000-induced failures for the period between December 30, 1999, and January 3, 2000.
                             This strategy may include an agencywide shutdown of all information systems on
                             December 31, 1999, and a phased power-up on January 1, 2000. The shutdown may extend to
                             infrastructure systems, including local area networks, elevators, and building management
                             systems.

DEA Plans to Satisfy All Testing Key Processes

                             The objective of the testing phase is to verify that, when implemented,
                             contingency plans provide the required levels of business performance.
                             According to our continuity planning guide, effective testing includes,
                             among other things, (1) validating the business continuity strategy through
                             reviews, rehearsals, or quality assurance audits, (2) establishing test teams
                             responsible for preparing and executing the contingency plan test and
                             acquiring contingency resources, and (3) updating the business continuity
                             plans based upon lessons learned and retesting if necessary.

                  DEA plans to satisfy all the key processes for the testing phase. For
                  example, DEA’s draft Business Continuity and Contingency Plan and
                  master test plan include plans to (1) conduct “talk-throughs,” “walk-throughs,”
                  and simulations, with participation by system owners, business
                  owners, and users, to ensure that the system-level contingency plans
                  support DEA’s core business processes and to rehearse the divisions’
                  business continuity plans, (2) establish business response teams and
                  command centers at headquarters and throughout the headquarters and
                  field divisions that are responsible for executing the tests, and (3) update
                  its division- and agency-level business continuity plans based upon lessons
                  learned and to retest them, if necessary.



Conclusions

                  DEA is developing Year 2000 contingency plans for continuity of business
                  operations and has established effective management controls for ensuring
                  that this very important Year 2000 risk mitigation task is completed on time.
                  However, DEA is behind our recommended schedule, has many important
                  planning steps yet to complete, and has very little time to address any
                  slippage in its schedule. As a result, it is important that DEA’s leadership
                  continue to closely monitor business continuity planning efforts to ensure
                  that any deviations from plans are identified and that corrective actions are
                  taken immediately. While management structures and processes cannot
                  guarantee that DEA will not experience Year 2000-induced system failures
                  and business impacts, if the agency implements its plans and follows its
                  policies and procedures to ensure that remaining business continuity tasks
                  are completed, it should effectively reduce the severity of these impacts.



Agency Comments

                  We provided the attached briefing to DEA officials, including the senior
                  DEA Year 2000 official, on July 20, 1999, who agreed with our findings and
                  conclusions and provided some updated status information. We
                  incorporated DEA’s comments into the briefing where appropriate before
                  briefing your office on July 21, 1999.








We are sending copies of this report to the Honorable Jacob J. Lew,
Director, Office of Management and Budget; the Honorable Janet Reno,
Attorney General; and the Honorable Thomas A. Constantine,
Administrator, U.S. Drug Enforcement Administration. Copies will be made
available to others upon request.

If you have any questions regarding this report, please contact me or
Deborah Davis, Assistant Director, at (202) 512-6240 or by e-mail at
hiter.aimd@gao.gov or davisd.aimd@gao.gov. Key contributors to this
assignment were Tonia Brown and Teresa Tucker.




Randolph C. Hite
Associate Director, Governmentwide
and Defense Information Systems




Appendix I

Briefing to the Senate Special Committee on the Year 2000 Technology Problem




                    Accounting and Information
                    Management Division
                 Briefing to Senate Special Committee
                  on Year 2000 Technology Problem
                    DEA Has Established Effective
                    Year 2000 Business Continuity
                          Planning Controls

                              July 21, 1999






    Overview


    •   Objectives, Scope, and Methodology
    •   Results in Brief
    •   Background
    •   Detailed Results
    •   Conclusions








    Objectives, Scope and
    Methodology
    The Committee asked us to determine

    • the status of and plans for completing DEA’s
      contingency planning for continuity of business
      operations and

    • whether DEA’s contingency planning efforts
      satisfy the key processes in GAO’s contingency
      planning guide.*


    * Year 2000 Computing Crisis: Business Continuity and
      Contingency Planning (GAO/AIMD-10.1.19, August 1998).




          Objectives, Scope and
          Methodology (cont’d)

          GAO Contingency Planning Guide

          Initiation                 • Establish continuity work group and develop high-level
                                       planning strategy and related guidance and
                                       procedures. (8 key processes)

          Business Impact Analysis   • Assess risk and impact of system failures on core
                                       business processes and define minimum
                                       acceptable levels of output. (5 key processes)

          Contingency Planning       • Develop contingency plans and implementation
                                       modes, assign resumption teams, and define
                                       implementation triggers. (5 key processes)

          Testing                    • Develop contingency test plans, execute tests, and
                                       validate business continuity strategy. (8 key
                                       processes)




      Objectives, Scope and
      Methodology (cont’d)
    • Reviewed business continuity plans and schedules;
      discussed their implementation with DEA Year 2000,
      operational division, and contractor officials; obtained
      and reviewed documentation to corroborate officials’
      statements; and compared plans and progress to
      GAO advocated milestones.

    • Analyzed management structures and controls
      (organization, policies, guidance, standards) in place
      and compared these to the key processes in GAO’s
      contingency planning guide.






      Objectives, Scope and
      Methodology (cont’d)
    • We performed our work from March 1999 through
      June 1999 in accordance with generally accepted
      government auditing standards.








    Results In Brief


    • Objective 1: DEA has made progress in its
      business continuity planning, but has a limited
      amount of time left to complete important tasks.

    • Objective 2: DEA has satisfied or has plans to
      satisfy many GAO contingency planning key
      processes.








    Background

    • The DEA’s mission is to

      • enforce the controlled substances laws and
        regulations of the United States;
      • bring to the criminal and civil justice systems
        organizations and individuals involved in the
        growing, manufacture, or distribution of
        controlled substances;
      • recommend and support programs aimed at
        reducing the availability of illicit controlled
        substances.






      Background (cont’d)

    • DEA’s core business processes are:

      • Investigations of regional, national, and
        international drug cases
      • Tracking information on domestically cultivated
        and manufactured illegal drugs
      • Enforcement of the country’s drug laws
      • Regulation and control of the distribution of
        controlled substances (Diversions)
      • Human Resource issues such as payroll, health,
        staffing, and training
      • Financial management of payroll, paying bills,
        and ordering supplies

     Background (cont’d)

     • To carry out its mission, DEA depends on
       information technology (IT) systems such as:

       • Narcotics and Dangerous Drugs Information
         System which includes information on people,
         businesses, vessels, and selected airfields of
         interest to DEA’s investigative process.

       • Automation of Reports and Consolidated
         Orders System which is used to track the sales
         and purchases of illegal drugs.



     Background (cont’d)

     • DEA’s computer centers in Rockville, MD and
       Dallas, TX support headquarters and
        • 21 domestic field divisions
        • 7 analytical laboratories
        • 77 offices in 56 foreign countries.

     • All DEA locations are linked by both classified and
       non-classified networks.

     • DEA has 38 mission-critical IT systems and
       hundreds of mission-critical non-IT assets,
       including laboratory equipment and telephone and
       building systems.

            Objective 1: Limited Time to
            Complete Important Tasks
            • Year 2000 Program Office provided guidance to
              the divisions in March 1999* and directed them to,
              among other things:

                 •   identify potential failure scenarios
                 •   assign operational priorities
                 •   designate roles and responsibilities
                 •   identify alternative emergency procedures.




     * GAO recommends that agencies initiate business continuity planning during the
     assessment phase.

     Objective 1: Limited Time to
     Complete Important Tasks
     • The Year 2000 Program Office briefed the
       headquarters and field divisions and presented
       Year 2000 BCCP strategy and milestones to the
       Special Agents-in-Charge and executive staff.

     • DEA plans to complete development of business
       continuity plans in late July 1999, which is after the
       April 30, 1999, date recommended by GAO.

     • DEA plans to complete testing of its business
       continuity plans by November 1999, which is after
       the September 30, 1999 date recommended by
       GAO.

     Objective 2: Many GAO Key
     Processes Being Satisfied

      Phase                      Satisfied   Partially satisfied   Plans to satisfy   Not satisfied

      Initiation                     8                0                   0                 0
      Business Impact Analysis       2                2                   1                 0
      Contingency Planning           1                3                   0                 1
      Testing                        0                2                   6                 0
      Total                         11                7                   7                 1

       Objective 2: Many GAO Key
       Processes Being Satisfied (cont’d)
     • Definition of results:
        • Satisfied - key process developed and
          implemented; documentation provided
        • Partially satisfied - some components, but not all,
          of key processes developed and implemented;
          documentation provided
        • Plans to satisfy - key process not yet developed
          or implemented, but may be ongoing and
          guidance directs divisions to develop
        • Not satisfied - key process not developed and not
          addressed in guidance to divisions



             Detailed Results: Initiation Phase

                    GAO Key Processes                                         Results
     1. Establish business continuity work group                         Satisfied
     2. Develop high-level business continuity planning strategy         Satisfied
     3. Identify core business processes                                 Satisfied

     4. Define roles and assign responsibilities                         Satisfied
     5. Develop master schedule and milestones                           Satisfied
     6. Implement a risk management process and establish                Satisfied
         reporting system

     7. Assess existing business continuity, contingency, and            Satisfied
        disaster recovery plans
     8. Implement quality assurance reviews                              Satisfied




          Detailed Results: Initiation Phase
          Key Process 1
     • A business continuity workgroup should be established
       that reports to executive management and includes
       representatives from major business units.

     • DEA established a business continuity and contingency
       planning (BCCP) task force consisting of division
       representatives to help develop guidance and review
       contingency plans for the field divisions, and that
       reports to executive management.

     • Satisfied



         Detailed Results: Initiation Phase
         Key Process 2
     • A high-level business continuity strategy should be
       developed to guide the planning effort. It should
       include project structure, metrics and reporting
       requirements, and cost and schedule estimates.

     • DEA’s Year 2000 Executive documented and
       communicated project structure and reporting
       requirements throughout the agency.

     • The Year 2000 Program Office developed reporting
       metrics and initial cost and schedule estimates.

     • Satisfied

          Detailed Results: Initiation Phase
          Key Process 3
     • Core business processes and the supporting mission-
       critical systems should be defined for each business
       area.

     • DEA defined core business processes and identified
       their supporting mission-critical systems.

     • Satisfied





         Detailed Results: Initiation Phase
         Key Process 4
     • Roles should be defined and responsibilities
       assigned for leading the planning effort, performing
       analyses, and designing business alternatives.

     • The Year 2000 Program Manager is responsible for
       overseeing and managing the agency-wide efforts,
       including managing risks to the planning effort.
       Special Agents-in-Charge and division heads are
       responsible for developing and implementing
       continuity plans for the field sites and headquarters
       divisions.

     • Satisfied

        Detailed Results: Initiation Phase
        Key Process 5
     • Master schedule, including milestones for the delivery
       of interim and final products, should be established.

     • DEA’s Year 2000 Program Office defined a master
       schedule that includes milestones for draft and final
       contingency plans and testing.

     • Satisfied





          Detailed Results: Initiation Phase
          Key Process 6
     • Organizations should implement a risk management
       process and establish a reporting system that includes
       identifying project risks, developing metrics, and
       establishing reporting requirements.

     • DEA’s Year 2000 Program Manager developed a risk
       mitigation tool and metrics to identify, measure, and
       manage risks.

     • Year 2000 Executive established and communicated
       reporting requirements for BCCP tasks through memos
       to the headquarters and field divisions.

     • Satisfied

        Detailed Results: Initiation Phase
        Key Process 7
     • Organizations should assess existing business
       continuity, contingency, and disaster recovery plans
       for their applicability in addressing the Year 2000
       problem.

     • DEA’s BCCP task force and operational division
       assessed existing contingency and disaster recovery
       plans to address and mitigate Year 2000 risks.

     • Satisfied




       Detailed Results: Initiation Phase
       Key Process 8
     • Quality assurance reviews should be conducted to
       verify that the continuity of operations plans satisfy
       information requirements.

     • Year 2000 Program Office has tasked contractors
       and the BCCP task force to review the divisions’
       plans for adherence to DEA’s guidance,
       consistency, and assurance that the plans address
       appropriate core business processes.

     • Satisfied



         Detailed Results: Business
         Impact Analysis Phase
               GAO Key Processes                                         Results
1. Define and document information requirements,                    Partially satisfied
   methods, and techniques
2. Define and document Year 2000 failure scenarios                  Satisfied
3. Perform risk analysis of each core business process              Partially satisfied
4. Assess and document infrastructure risks                         Satisfied
5. Define the minimum acceptable level of outputs and               Plans to satisfy
   services for each core business process





         Detailed Results: Business Impact
         Analysis Phase Key Process 1
     • Organizations need to define detailed information
       requirements, techniques, and methods for
       constructing a business continuity plan.

     • Year 2000 Program Office defined and documented
       information requirements, methods, and techniques for
       developing business continuity plans in the guidance
       provided to the headquarters and field divisions.

     • DEA’s guidance does not address analysis of costs
       and benefits of business continuity alternatives.

     • Partially satisfied

         Detailed Results: Business Impact
         Analysis Phase Key Process 2
     • Organizations need to define and document Year
       2000 failure scenarios, including the loss of all
       mission-critical information systems, the possibility
       that problems may be encountered earlier than
       expected, and the potential disruption of infrastructure
       services.

     • The Year 2000 Program Office has defined general
       failure scenarios and has directed the headquarters
       and field divisions to ensure that failure scenarios are
       defined in their continuity plans.

     • Satisfied

          Detailed Results: Business Impact
          Analysis Phase Key Process 3
     • Organizations should monitor Year 2000 progress and
       determine the risk and impact of internal and external
       system failures on each core business process.

     • The Year 2000 Program Office assigned risks and
       assessed impacts of internal and external system
       failures on each core business process; DEA prepared
       contingency plans for its 38 mission-critical systems.

     • Field and headquarters divisions have been instructed
       to perform risk and impact analyses for the core
       business processes which they support.

     • Partially satisfied

       Detailed Results: Business Impact
       Analysis Phase Key Process 4
     • Organizations should monitor the Year 2000
       readiness of the public infrastructure, assess the
       risk of service outages, and determine whether
       emergency services may be available to mitigate
       outages.

     • DEA has assessed and documented public
       infrastructure risks and used this information in
       developing contingency procedures in its
       headquarters and field business continuity plans.

     • Satisfied


       Detailed Results: Business Impact
       Analysis Phase Key Process 5
     • To facilitate the selection of adequate contingencies,
       organizations need to define the minimum acceptable
       level of output and services for each core business
       process.

     • DEA’s initial guidance to headquarters and field
       divisions does not include this requirement; however,
       DEA Year 2000 Program Office officials stated that
       they plan to determine minimal acceptable levels of
       output for core business processes during the review
       of the draft business continuity plans.

     • Plans to satisfy

          Detailed Results: Contingency
          Planning Phase

                 GAO Key Processes                                          Results
 1. Assess the cost and benefits of identified alternatives            Not satisfied
    and select the best contingency strategy for each core
    business process
 2. Identify and document contingency plans and                        Partially satisfied
    implementation modes
 3. Define and document triggers for activating plans                  Partially satisfied
 4. Establish a business resumption team for each core                 Partially satisfied
    business process
 5. Develop and document “zero day” strategy and                       Satisfied
    procedures





          Detailed Results: Contingency
          Planning Phase Key Process 1
     • Organizations need to assess the cost and benefits of
       identified alternatives and select the best contingency
       strategy for each core business process.

     • Guidance does not instruct the headquarters and field
       divisions to complete this process; however, DEA Year
       2000 Program Office officials stated that they plan to
       assess the costs and benefits of alternative strategies
       during the review of the draft plans.

     • Not satisfied




         Detailed Results: Contingency
         Planning Phase Key Process 2
     • Organizations need to identify and document
       contingency plans and implementation modes.

     • DEA is developing draft business continuity plans and
       defining implementation modes for both field and
       headquarters divisions’ core business processes.

     • Partially satisfied





          Detailed Results: Contingency
          Planning Phase Key Process 3
     • Organizations need to define and document triggers for
       activating contingency plans for each core business
       process.

     • The Year 2000 Program Office has defined triggers for
       activating contingency plans in case of IT and
       infrastructure systems failures.

     • DEA’s headquarters and field divisions are defining
       triggers for activating contingency plans in their site-
       specific continuity plans.

     • Partially satisfied

         Detailed Results: Contingency
         Planning Phase Key Process 4
     • Organizations need to designate responsible individuals
       to ensure that the plans are executed if necessary.

     • DEA has developed procedures for supporting
       continuity of operations based upon its existing
       “command center” support structure centralized at
       headquarters.

     • DEA is establishing and training Year 2000 business
       response teams at each site to ensure that plans can
       be successfully executed if necessary.

     • Partially satisfied

      Detailed Results: Contingency
      Planning Phase Key Process 5
     • Organizations should develop a risk reduction
       strategy and procedures for the period between
       December 30, 1999, and January 3, 2000.

     • DEA has developed a “zero day” strategy that
       includes participation by all sites for the weekend of
       December 31, 1999.

     • Satisfied





           Detailed Results: Testing Phase


                    GAO Key Processes                                           Results
     1. Validate business continuity strategy                             Plans to satisfy
     2. Develop and document contingency test plans                       Plans to satisfy
     3. Establish test teams and acquire contingency                      Partially satisfied
        resources
     4. Prepare for and execute tests                                     Partially satisfied
     5. Validate the capability of contingency plans                      Plans to satisfy
     6. Rehearse business resumption teams                                Plans to satisfy
     7. Update the business continuity plan based upon                    Plans to satisfy
        lessons learned and re-test if necessary
     8. Update disaster recovery plans and procedures                     Plans to satisfy



       Detailed Results: Testing Phase
       Key Process 1
     • Agencies should validate business continuity
       strategies through reviews, rehearsals, or quality
       assurance audits.

     • DEA is conducting “talk-throughs”, “walk-throughs”,
       and simulations to ensure that the systems
       contingency plans support core business processes.

     • DEA plans to rehearse the divisions’ business
       continuity plans.

     • Plans to satisfy


       Detailed Results: Testing Phase
       Key Process 2
     • Agencies should define, document, and review
       contingency test plans.

     • DEA plans to define and document test plans for the
       headquarters and field divisions’ contingency plans.

     • DEA has allocated time in the schedule for testing
       business continuity plans and plans to develop test
       scenarios for both levels.

     • Plans to satisfy



       Detailed Results: Testing Phase
       Key Process 3
     • Agencies should establish test teams and acquire
       contingency resources.

     • DEA is establishing business response teams and
       command centers at headquarters and throughout
       the headquarters and field divisions which are
       responsible for executing the tests.

     • DEA has requested funds from OMB to ensure that
       resources needed to carry out contingency plans are
       provided.

     • Partially satisfied

       Detailed Results: Testing Phase
       Key Process 4
     • Agencies should prepare for and execute tests.

     • DEA has assigned responsibility to Year 2000
       Program Office representatives to develop test
       plans, schedules, and scenarios and to execute the
       tests.

     • DEA has plans to train teams to prepare for and
       execute tests.

     • Partially satisfied



       Detailed Results: Testing Phase
       Key Process 5
     • Agencies should validate the functional capability of
       each contingency plan.

     • DEA is currently validating system contingency plans
       to ensure that the plans support continuity of
       business operations and that resources necessary to
       execute the plans are identified and made available
       to the field.

     • DEA plans to validate business continuity plans to
       ensure that they support business functions.

     • Plans to satisfy

       Detailed Results: Testing Phase
       Key Process 6
     • Agencies should rehearse to ensure that each team
       and team member is familiar with procedures and
       their roles.

     • DEA’s high-level plans include milestones for
       business response teams’ rehearsal activities.

     • Plans to satisfy





       Detailed Results: Testing Phase
       Key Process 7
     • Agencies should update the business continuity plan
       based upon lessons learned and re-test, if necessary.

     • DEA plans to update the continuity plans based
       upon results of test and validation activities.

     • Plans to satisfy





       Detailed Results: Testing Phase
       Key Process 8
     • Agencies should update disaster recovery plans and
       procedures.

     • DEA has updated existing disaster recovery plans to
       consider Year 2000 disruptions.

     • DEA plans to update all plans before the final
       rehearsal of the entire agency BCCPs.

     • Plans to satisfy




       Conclusions
     • DEA is developing Year 2000 contingency plans for
       continuity of operations, and has generally
       established effective management controls for
       ensuring that this very important Year 2000 risk
       mitigation task is completed before January 1, 2000.

     • DEA has many important planning steps yet to
       complete and its milestones for doing so leave very
       little time to address any slippage in its schedule. As
       a result, it is important that DEA’s leadership
       continues to closely monitor business continuity
       planning efforts to ensure that any deviations from
       plans are identified and that corrective actions are
       taken immediately.

Appendix II

Objectives, Scope, and Methodology




              Our objectives were to determine (1) the status of and plans for completing
              DEA’s contingency planning for continuity of operations and (2) whether
              DEA’s contingency planning efforts satisfy the key processes described in
              GAO’s business continuity and contingency planning guide.1

              To accomplish our first objective, we reviewed DEA’s high-level strategy,
              plans, and schedules for developing and testing business continuity plans
              and compared these to our recommended milestones.2 Additionally, we
              reviewed supporting documentation to evaluate the status and progress of
              DEA’s efforts against its plans and schedules. Specifically, we reviewed
              project plans, progress and status reports, and Year 2000 program
              management memoranda. To supplement our analysis, we discussed the
              status of planned and ongoing activities with Year 2000 program officials
              responsible for implementing the management strategy and overseeing the
              divisions’ activities, division chiefs responsible for developing business
              continuity plans, and contractors responsible for reviewing the plans and
              developing validation procedures.

              We accomplished our second objective by identifying DEA’s Year 2000
              program management controls and comparing these to controls (i.e., key
              processes) described in our business continuity and contingency planning
              guide. In addition, we reviewed supporting documentation to verify that the
              management controls were functioning as intended and, using specified
              criteria,3 determined whether each of the key processes was satisfied. To
              do this verification, we reviewed documents describing DEA’s business
              continuity planning strategy, organization charts, documents describing
              business continuity planning activities, risk management matrices,
              contractors’ statements of work, and business continuity planning
              guidance provided to the divisions by the Year 2000 Program Office. We
              then judgmentally selected eight draft business continuity plans for review
              and compared these to the key processes in GAO’s business continuity and
              contingency planning guide. To supplement our analysis, we interviewed
              key Year 2000 program officials, such as the Year 2000 executive and Year
              2000 program manager, division representatives, and support contractor
              representatives.

              We performed our work at DEA’s headquarters in Arlington, Virginia. We
              performed our work from March through July 1999 in accordance with
              generally accepted government auditing standards. We updated the status
              of DEA’s development of its business continuity plans through August 1999.


              1 Year 2000 Computing Crisis: Business Continuity and Contingency Planning
              (GAO/AIMD-10.1.19, August 1998).
              2 Year 2000 Computing Crisis: Readiness Improving, But Much Work Remains to Avoid
              Major Disruptions (GAO/T-AIMD-99-50, January 1999).
              3 “Satisfied” means that the key process was developed and implemented and documentation
              was provided. “Partially satisfied” means that some components, but not all, of the key
              process were developed and implemented, and documentation was provided. “Plans to
              satisfy” means that the key process was not yet developed or implemented but may be
              ongoing and guidance directs the divisions to develop. “Not satisfied” means that the key
              process was not developed and not addressed in guidance to the divisions.




(511141)