What is the role of an auditor in the implementation of a disaster recovery plan?
Given organizations' increasing dependency on information technology to run their operations, Business continuity planning covers the entire organization, and Disaster recovery focuses on IT. Show
Auditing of documents covering an organization's business continuity and disaster recovery plans provides a third-party validation to stakeholders that the documentation is complete and does not contain material misrepresentations. Lack of completeness can result in overlooking secondary effects, such as when vastly increased work-at-home overloads incoming recovery site telecommunications capacity, and the bi-weekly payroll that was not critical within the first 48 hours is now causing perceived problems in ever recovering, complicated by governmental and possibly union reaction.[1] Overview[edit]Often used together, the terms Business Continuity and Disaster Recovery are very different. Business Continuity refers to the ability of a business to continue critical functions and business processes after the occurrence of a disaster, whereas Disaster Recovery refers specifically to the Information Technology (IT) and data-centric functions of the business, and is a subset of Business Continuity.[2] Metrics[edit]The primary objective is to protect the organization in the event that all or part of its operations and/or computer services are rendered partially or completely unusable. A DR plan illustrating the chronology of the RPO and the RTO with respect to the MI. Minimizing downtime and data loss during disaster recovery is measured in terms of two concepts:
The auditor's role[edit]An auditor examines and assesses
Documentation[edit]To maximize their effectiveness, disaster recovery plans are most effective when updated frequently, and should:
Adequate records need to be retained by the organization. The auditor examines records, billings, and contracts to verify that records are being kept. One such record is a current list of the organization's hardware and software vendors. Such list is made and periodically updated to reflect changing business practice. Copies of it are stored on and off site and are made available or accessible to those who require them. An auditor tests the procedures used to meet this objective and determine their effectiveness. Disaster recovery plan[edit]A disaster recovery plan (DRP) is a documented process or set of procedures to execute an organization's disaster recovery processes and recover and protect a business IT infrastructure in the event of a disaster.[3] It is "a comprehensive statement of consistent actions to be taken before, during and after a disaster".[4] The disaster could be natural, environmental or man-made. Man-made disasters could be intentional (for example, an act of a terrorist) or unintentional (that is, accidental, such as the breakage of a man-made dam or even "fat fingers" - or errant commands entered - on a computer system). Types of plans[edit]Although there is no one-size-fits-all plan,[5] there are three basic strategies:[3][5]
The latter may include securing proper insurance policies, and holding a "lessons learned" brainstorming session.[3][7] Relationship to the Business Continuity Plan[edit]Disaster recovery is a subset of business continuity. Where DRP encompasses the policies, tools and procedures to enable recovery of data following a catastrophic event, business continuity planning (BCP) involves keeping all aspects of a business functioning regardless of potential disruptive events. As such, a business continuity plan is a comprehensive organizational strategy that includes the DRP as well as threat prevention, detection, recovery, and resumption of operations should a data breach or other disaster event occur. Therefore, BCP consists of five component plans:[8]
The first three components (Business Resumption, Occupant Emergency, and Continuity of Operations Plans) do not deal with the IT infrastructure. The Incident Management Plan (IMP) does deal with the IT infrastructure, but since it establishes structure and procedures to address cyber attacks against an organization’s IT systems, it generally does not represent an agent for activating the Disaster Recovery Plan, leaving The Disaster Recovery Plan as the only BCP component of interest to IT.[8] Benefits[edit]Like every insurance plan, there are benefits that can be obtained from proper business continuity planning, including:[4]
Planning and testing methodology[edit]According to Geoffrey H. Wold of the Disaster Recovery Journal, the entire process involved in developing a Disaster Recovery Plan consists of 10 steps:[4]
Initial testing can be plan is done in sections and after normal business hours to minimize disruptions. Subsequent tests occur during normal business hours. Types of tests include: checklist tests, simulation tests, parallel tests, and full interruption tests. Caveats/controversies[edit]Due to high cost, various plans are not without critics. Dell has identified five "common mistakes" organizations often make related to BCP/DR planning:[9]
Decisions and strategies[edit]
Other considerations[edit]Insurance issues[edit]The auditor determines the adequacy of the company's insurance coverage (particularly property and casualty insurance) through a review of the company's insurance policies and other research. Among the items that the auditor needs to verify are: the scope of the policy (including any stated exclusions), that the amount of coverage is sufficient to cover the organization’s needs, and that the policy is current and in force. The auditor also ascertains, through a review of the ratings assigned by independent rating agencies, that the insurance company or companies providing the coverage have the financial viability to cover the losses in the event of a disaster. Effective DR plans take into account the extent of a company's responsibilities to other entities and its ability to fulfill those commitments despite a major disaster. A good DR audit will include a review of existing MOA and contracts to ensure that the organization's legal liability for lack of performance in the event of disaster or any other unusual circumstance is minimized. Agreements pertaining to establishing support and assisting with recovery for the entity are also outlined. Techniques used for evaluating this area include an examination of the reasonableness of the plan, a determination of whether or not the plan takes all factors into account, and a verification of the contracts and agreements reasonableness through documentation and outside research. Communication issues[edit]The auditor must verify that planning ensures that both management and the recovery team have effective communication hardware, contact information for both internal communication and external issues, such as business partners and key customers. Audit techniques include
Emergency procedures[edit]Procedures to sustain staff during a round-the clock disaster recovery effort are included in any good disaster recovery plan. Procedures for the stocking of food and water, capabilities of administering CPR/first aid, and dealing with family emergencies are clearly written and tested. This can generally be accomplished by the company through good training programs and a clear definition of job responsibilities. A review of the readiness capacity of a plan often includes tasks such as inquires of personnel, direct physical observation, and examination of training records and any certifications. Environmental issues[edit]The auditor must review procedures that take into account the possibility of power failures or other situations that are of a non-IT nature.
See also[edit]
References[edit]
How auditor should determine effectiveness of a disaster recovery program?Once the information, or evidence, is obtained, the internal auditor evaluates all of it to determine whether the information systems are adequately protecting assets, maintaining data integrity and operating effectively and efficiently to ensure that the organization achieves its goals and objectives.
How do you audit disaster recovery?A comprehensive audit should consider these 15 factors:. Disaster recovery objectives, mission statement and policies.. How recently you updated your written disaster recovery plan.. Your designated hot and/or cold sites.. The ability to recover data and systems.. Processes for frequent, consistent backup of systems and data.. Who is responsible for disaster recovery plan?Your disaster recovery team is responsible for building your organization's disaster recovery plan, developing the plan's processes and procedures, and implementing the plan in the event of a crisis to ensure data recovery is possible.
What are the roles and responsibilities of auditors in risk management?The main role of internal audit in risk management is assessing and monitoring risks that company faces, and providing recommendations for appropriate risk mitigation controls.
|