Jump to content

Disaster recovery and continuity

Add links
From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 24.19.63.216 (talk) at 21:06, 5 June 2005. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

This article is being considered for deletion in accordance with Wikipedia's deletion policy.
Please vote on and discuss the matter. See this article's entry on the Votes for Deletion page.

You are welcome to edit this article, but please do not blank, merge, or move this article, nor remove this notice, while the discussion is in progress. For more information, read the Guide to Votes for Deletion.

You must add a |reason= parameter to this Cleanup template – replace it with {{Cleanup|reason=<Fill reason here>}}, or remove the Cleanup template.


AUDITING DISASTER RECOVERY AND BUSINESS CONTINUITY'


Disaster Recovery and Business Continuity refers to an organization’s ability to recover from a disaster and/or unexpected event and resume and continue operations. Organizations should have a plan in place (Usually referred to as a Disaster Recovery Plan, or Business Continuity Plan) that outlines how this will be accomplished. When conducting an audit of the plan the following factors should be considered:

Are the steps in the plan put in writing and is it continually updated?

To be effective the plan must be in writing, must be understandable and must be accessible to those who need it. Because of constant changes that occur in the modern business environment a plan should be updated frequently to deal with new and existing threats as they become known. The auditor needs to determine if procedures stated in the plan to achieve these ends are actually used in practice. This can be accomplished through direct observation of procedures, examination of the plan, inquiries of personnel, and the testing of processes for reasonableness and validity.

Whether a hot site/cold site has been selected.

A hot or cold site is a location that an organization can move to after a disaster if the current facility is unusable. The difference between the two is that a hot site is fully equipped to resume operations while a cold site does not have that capability. There is also what is referred to as a “warm site” which has the capability to resume some, but not all operations. The decision a company makes when determining what type of site to establish depends on a cost/benefit analysis and the needs of the individual organization. The plan should also spell out how relocation to a new facility is to be conducted. A company should have occasional tests and conduct run thru-s to verify the viability and effectiveness of the plan and to determine any deficiencies and how they can be dealt with. An audit of this should primarily look into the probability that operations of the organization can be sustained at the level that is assumed in the plan, as well as the ability of the entity to actually establish operations at the site. The auditor should examine and test the procedures involved, conduct outside research relating to disaster recovery to determine reasonable standards relating to implementation, and tour, examine, and research the outside facility.

The ability to recover data and systems.

The continual backing up of data and systems can help minimize the severity of this threat (Discussed in more detail in the next section). Even so, the plan should also include information on how best to recover any data that has not been copied. Controls and protections need to be in place to ensure that data is not damaged, altered, or destroyed during this process. Information Technology experts and procedures need to be identified that can accomplish this endeavor. Vendor manuals can also assist in determining how best to proceed.

Processes for continual and frequent backing up of systems, utilities, application files and data.

The auditor should determine if these processes are effective and are actually being implemented by personnel. This can be accomplished through direct observation of the processes, analyzing and researching the equipment used, conducting computer assisted audit techniques and tests, and confirming the backup, recovery, and procedure ability and history of the entity through examination of paper and paperless records.

Tests and drills of disaster procedures.

Practice drills should be conducted periodically to determine how effective the plan is and to determine what changes may be necessary. The auditor’s primary concern here is verifying that these drills are being conducted properly and that problems uncovered during these drills are addressed and procedures designed to deal with these potential deficiencies are implemented and tested to determine their effectiveness.

Data and systems backups should be stored off site.

The auditor can verify this through paper and paperless documentation and actual physical observation. Testing of the backups and procedures should be done to confirm data integrity and effective processes. The security of the storage site also needs to be confirmed.

Disaster recovery chairperson and committee appointed.

The entity needs to appoint individuals responsible for designing and implementing the plan when needed. Generally this consists of a team headed by a project manager, with a deputy manager who has the capability to take over the responsibilities if needed. The qualities needed for this position vary depending on the organization, but generally include good leadership abilities, strong knowledge of company business and management processes, experience and knowledge in Information Technology and Security, and good project management skills. Other members of the team need to have a clear understanding and ability to perform the needed procedures. An auditor needs to examine and assess the project and deputy project manager’s training, experience, and abilities as well as to analyze the capabilities of the team members to complete assigned tasks and that more than one individual is trained and capable of doing a particular function. Tests and inquiries of personnel can help achieve this objective.

Emergency telephone numbers need to be listed where they are clearly visible and accessible.

The auditor can verify this through direct observation.

Insurance should be obtained to lessen any impact.

The auditor should verify this through documentation and other research. The auditor also needs to verify that the coverage is current, that payout is probable, and the amount of coverage is sufficient to cover the organization’s needs.

The plan should include procedures that enable management and the recovery team to communicate effectively.

To do this contact information should be easily accessible and drills conducted should test communication abilities. Procedures should include non-technological as well as technological in case of power or systems failures. Communications between the organization and outside individuals and organizations also need to be taken into account when designing the plan. Procedures to test this communication ability generally mirror those above. The auditor needs to evaluate these procedures and assumptions to determine if they are reasonable and likely to be effective. This can be accomplished through testing the procedures, inquiring of employees, comparisons to other company’s plans and industry standards, and by examination of company manuals and other written procedures.

Up to date system and operation documentation confirmed.

Adequate records need to be retained by the organization. The auditor should physically examine records, billings, and contracts to verify this. Outside research such as contacting vendors, may also be conducted to determine the reasonableness of management’s assertions.

Procedures for the stocking of food and water, capabilities of administering CPR/first aid, and dealing with family emergencies should be clearly written and tested.

This can generally be accomplished through training, and a clear definition of job responsibilities. The auditor can verify this is accomplished through inquires of personnel, physical observation, and examination of training records and any certifications.

Key personnel positions backed up.

Clear written policies and specific communication with employees should be used to substantiate this. It also needs to be confirmed that backups can actually do the work. Periodic training can also help alleviate this. This training should include updates to existing job positions and testing to confirm proficiency. The auditor needs to verify that policies and testing are being enforced, that their effective, and that the training is adequate.

List made of hardware and software and vendors.

Copies of this should be periodically updated and stored on and off site, as well as being accessible by those who require them. An auditor should test the procedures used to meet this objective and determine their effectiveness.

Mission Statement.

This should clearly identify what the purpose and goals of the plan are. An auditor should examine this to determine what the objectives, priorities, and goals of the plan are. It can also help the auditor obtain a better understanding of the organization’s environment, which is a staple of auditing.

Manual procedures in place as well as automated.

Procedures in place to accomplish the needed objectives should take into account the possibility of power failures or other situations where technology cannot be utilized. The plan should indicate what procedures to be used in this situation and should also include information on storage of flashlights and candles, as well as additional safety procedures in case of gas leaks, fires or other phenomena. Run thru-s should be conducted to test the procedures effectiveness and viability. The auditor should examine and test procedures for reasonableness, inquire of personnel, and conduct outside research.

Contractual agreements with outside agencies or companies.

The plan needs to take into account the extent of its responsibilities to other entities and their ability to make those commitments in lieu of a major event. Are their clauses in contracts that minimize against any legal liability for lack of performance in the event of disaster or any other unusual circumstance? Agreements pertaining to establishing support and assisting with recovery for the entity should also be outlined. The auditor should examine the reasonableness of the plan, whether it takes all factors into account, and verify the contracts and agreements through documentation and outside research.

In conducting the audit the individual or team should make use of various other procedures and processes (Which are too numerous to mention here) to achieve the objectives of the audit. These objectives should be clearly stated in the audit plan (Which is essentially a guideline for performing the audit). More information on this subject can be obtained from a number of sources. These include, but are not limited to:

The American Institute of Certified Public Accountants (AICPA): [1] Information Systems Audit and Control Association (ISACA): [2] Association of Information Technology Professionals (AITP): [3] Institute of Internal Auditors (IIA): [4] International Association for Computer Information Systems (IACIS): [5] Information Systems Security Association (ISSA): [6] International Disaster Recovery Association (IDRA): [7] Business Recovery Managers Association (BRMA): [8]</nowiki>]

References:

Messier jr., W., F. (2003) Auditing & Assurance Services: A Systematic Approach. (3rd ed.) New York: McGraw-Hill/Irwin.

Gallegos, F., Senft, S., Manson, D., Gonzales, C. (2004). Information Technology Control and Audit. (2nd ed.) Boca Raton, Florida: Auerbach Publications.

Business Continuity Planning. (No Date). Business Continuity Planning / Disaster Recovery Planning: An Online Guide: Retrieved June 1, 2005 from the World Wide Web at: [9]

Retrieved from "https://en.wikipedia.org/w/index.php?title=Disaster_recovery_and_continuity&oldid=14759402"