Minimizing business risk with disaster recovery audits

Having a disaster recovery plan in place is a key step toward making sure your business can recover data and continue operations in the event of a disaster. Auditing the plan ensures that it addresses people, process and technology issues and relevant controls. Business continuity expert Paul F. Kirvan, FBCI, CBCP, CISSP, discusses disaster recovery auditing in this Q&A. His answers are also available as an mp.

What is a disaster recovery audit?

Let's begin by quickly reviewing IT audits, since a disaster recovery (DR) audit may be an area addressed in the IT audit process. An IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, procedures, operations and governance. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

IT audits focus on determining risks that are relevant to information assets, and in assessing controls so as to reduce or mitigate these risks. By implementing controls, the impact of risks can be minimized, but controls, no matter how comprehensive, cannot completely eliminate all risks.

The key to successful disaster recovery is to have a plan (such as an emergency plan, technology recovery plan, business continuity plan) well before disaster ever strikes.
Auditing the plan ensures that it addresses people, process and technology issues and relevant controls so that the plan is likely to work as anticipated, especially when faced with a real emergency.

What factors should be considered as a part of a disaster recovery audit?

The following are items that should be addressed in a disaster recovery audit:

- Disaster recovery policies, mission statement
- Written disaster recovery plan with continual updating
- Designated hot site or cold site
- Ability to recover data and systems
- Processes for frequent backup of systems and data
- Tests and drills of disaster procedures
- Data and system backups stored offsite
- Appointed disaster recovery committee and chairperson
- Visibly listed emergency telephone numbers
- Insurance
- Procedures allowing effective communication
- Updated and validated system and operational documentation
- Emergency procedures
- Backup of key personnel positions
- Hardware and software vendor lists
- Both manual and automated procedures in place
- Contractual agreements with external agencies/companies, such as service-level agreements (SLAs)

How can a company benefit from performing a disaster recovery audit?
Audit results can identify areas of the disaster recovery program that are incomplete, lack suitable procedures, lack suitable documentation, are untested, and not up to date. Satisfying the audit findings will ensure that the disaster recovery program, and its various components (including plans), are up to date, appropriate for their anticipated function, and capable of fulfilling the organization's business objectives. The organization will thus be better prepared to respond to unplanned incidents, and should be able to mitigate the severity and long-term impact of the incident.

What are the major challenges people face when performing a disaster recovery audit?

The most important challenge is to have senior management support for the audit (this includes facilitating access to key staff as well as funding); otherwise, recommended actions from the audit may not be implemented, putting the organization at continued risk. Additional challenges include securing interviews and follow-up meetings with key staff, obtaining the information required by the audit, ensuring that the information is the most current available, and ensuring that the BC/DR program addresses the most critical technology and business-related issues.

Assuming there are no internal staff qualified or experienced with conducting disaster recovery audits, experienced third-party organizations can be considered. The staff should have appropriate professional credentials, including the Certified Information Systems Auditor (CISA) and relevant BC/DR credentials, such as those available from the Business Continuity Institute (BCI) and DRI International. Lack of experience and/or proper credentials should generate red flags when considering a third-party auditing firm. Large . Dozens of small- to medium-sized independent consulting firms that specialize in BC/DR provide excellent value for money, assuming they have the experience and credentials.
Using an inexperienced or unqualified firm could result in useless or irrelevant recommendations, or ignorance of critical operational issues that need to be addressed. Result: The organization is unable to validate and improve its BC/DR capabilities, thus putting the firm at continued risk.

It's also a good idea to use IT disaster standards in the audit process. The best examples include National Institute of Standards and Technology (NIST) Special Publication 8. ISO/IEC 24762; and British Standard BS 2. Simply following the standards provides an excellent template for conducting an audit.

A number of hard copy and software-based audit tools are available to simplify the audit process. They can be obtained through various sources, such as Rothstein Associates and of course SearchDisasterRecovery.

Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 2. He is also secretary of the Business Continuity Institute USA Chapter.