Disaster Recovery / Business Continuity Auditing
When conducting an audit of a disaster recovery plan the following
factors should be considered:
- Written disaster recovery plan with continual updating
- Designated hot site or cold site
- Ability to recover data and systems
- Processes for frequent backup of systems and data
- Tests and drills of disaster procedures
- Data and system backups stored offsite
- Appointed disaster recovery committee and chairperson
- Visibly listed emergency telephone numbers
- Insurance
- Procedures allowing effective communication
- Updated system and operation documentation confirmation
- Emergency procedures
- Backup of key personnel positions
- Hardware and software vendor list
- Mission statement
- Both manual and automated procedures in place
- Contractual agreements with external agencies/companies
Written Disaster Recovery Plan with Continual Updating
To be effective the plan must be in writing, must be understandable
and must be accessible to those who need it. Because of constant changes
that occur in the modern business environment, a plan should be updated
frequently to deal with new and existing threats as they become known.
The auditor needs to determine if procedures stated in the plan to
achieve these ends are actually used in practice.
This can be accomplished through:
- Direct observation of procedures
- Examination of the disaster recovery plan
- Inquiries of personnel
- Testing of processes for reasonableness and validity
Designated hot site or cold site
A hot/cold site is a location that an organization can move to after
a disaster if the current facility is unusable. The difference between
the two is that a hot site is fully equipped to resume operations while
a cold site does not have that capability. There is also what is
referred to as a warm site which has the capability to resume some, but
not all operations. The decision a company makes when determining what
type of site to establish depends on a cost-benefit analysis and the
needs of the individual organization. The plan should also spell out how
relocation to a new facility is to be conducted. A company should
periodically test and trial the plan to verify its viability and
effectiveness, to determine whether any deficiencies exist, and to decide
how they are to be dealt with. An audit of a company's Disaster Recovery
Plan should primarily examine the probability that the organization's
operations can be sustained at the level assumed in the plan, as well as
the entity's ability to actually establish operations at the site.
The auditor should:
- Examine and test the procedures involved
- Conduct outside research relating to Disaster recovery
- Determine reasonable standards relating to implementation
- Tour, examine, and research the outside facility
Ability to recover data and systems
The continual backing up of data and systems can help minimize the
severity of threats. Even so, the plan should also include information
on how best to recover any data that has not been copied. Controls and
protections should be in place to ensure that data is not damaged,
altered, or destroyed during this process. Information technology
experts and procedures need to be identified that can accomplish this
endeavor. Vendor manuals can also assist in determining how best to
proceed.
Processes for frequent backup of systems and data
The auditor should determine if these processes are effective and
are actually being implemented by personnel. This can be accomplished
through:
- Direct observation of the processes
- Analyzing and researching the equipment used
- Conducting computer-assisted audit techniques and tests
- Examination of paper and paperless records
Tests and drills of disaster procedures
Practice drills should be conducted periodically to determine how
effective the plan is and to determine what changes may be necessary.
The auditor’s primary concern here is verifying that these drills are
being conducted properly and that problems uncovered during these drills
are addressed and procedures designed to deal with these potential
deficiencies are implemented and tested to determine their
effectiveness.
Data and system backups stored offsite
The auditor can verify this through paper and paperless
documentation and actual physical observation. Testing of the backups
and procedures should be done to confirm data integrity and effective
processes. The security of the storage site also needs to be
confirmed.
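The two preceding sections ask the auditor to confirm that backups are actually taken at the stated frequency and that the offsite copies are intact. As an added illustration (not part of the original article), the following Python script shows the kind of computer-assisted audit test that supports both checks: it recomputes SHA-256 checksums of the archives held at the onsite and offsite stores against the manifest written by the backup job, and it checks the manifest timestamps for gaps larger than the backup interval the plan claims. The archives, manifest, store names and the 25-hour interval are all constructed sample values for this example.

```python
import hashlib
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    """Checksum used to detect altered or corrupted archives."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample archives; real backups would be files, these are stand-in bytes.
ORIGINAL_ARCHIVES = {
    "db-2024-01-01.tar.gz": b"database dump 2024-01-01",
    "db-2024-01-02.tar.gz": b"database dump 2024-01-02",
    "db-2024-01-03.tar.gz": b"database dump 2024-01-03",
}

# Manifest the backup job is assumed to record: name -> (sha256, completion time).
MANIFEST = {
    "db-2024-01-01.tar.gz": (sha256_hex(b"database dump 2024-01-01"),
                             datetime(2024, 1, 1, 2, 0, tzinfo=timezone.utc)),
    "db-2024-01-02.tar.gz": (sha256_hex(b"database dump 2024-01-02"),
                             datetime(2024, 1, 2, 2, 0, tzinfo=timezone.utc)),
    "db-2024-01-03.tar.gz": (sha256_hex(b"database dump 2024-01-03"),
                             datetime(2024, 1, 3, 2, 0, tzinfo=timezone.utc)),
}

# Onsite store matches; the offsite store (constructed) has one corrupted
# archive and one archive that was never shipped offsite.
ONSITE_STORE = dict(ORIGINAL_ARCHIVES)
OFFSITE_STORE = dict(ORIGINAL_ARCHIVES)
OFFSITE_STORE["db-2024-01-02.tar.gz"] = b"database dump 2024-01-02 CORRUPTED"
del OFFSITE_STORE["db-2024-01-03.tar.gz"]

# Assumed plan parameters: daily backups, so a gap over 25 hours is a finding.
MAX_GAP = timedelta(hours=25)
DEMO_NOW = datetime(2024, 1, 3, 12, 0, tzinfo=timezone.utc)


def verify_store(store, manifest):
    """Map each manifest entry to 'ok', 'missing' or 'checksum_mismatch' for one store."""
    results = {}
    for name, (expected_hash, _) in manifest.items():
        data = store.get(name)
        if data is None:
            results[name] = "missing"
        elif sha256_hex(data) != expected_hash:
            results[name] = "checksum_mismatch"
        else:
            results[name] = "ok"
    return results


def check_backup_frequency(manifest, max_gap, now):
    """Return findings for gaps between consecutive backups and for a stale latest backup."""
    times = sorted(ts for _, ts in manifest.values())
    findings = []
    for earlier, later in zip(times, times[1:]):
        if later - earlier > max_gap:
            findings.append(f"gap of {later - earlier} between {earlier.date()} and {later.date()}")
    if now - times[-1] > max_gap:
        findings.append(f"latest backup {times[-1].isoformat()} is older than {max_gap}")
    return findings


def audit_backups(manifest, onsite, offsite, max_gap, now):
    """Combine integrity results for both stores with the frequency check into one report."""
    report = {
        "onsite": verify_store(onsite, manifest),
        "offsite": verify_store(offsite, manifest),
        "frequency": check_backup_frequency(manifest, max_gap, now),
    }
    report["pass"] = (all(v == "ok" for v in report["onsite"].values())
                      and all(v == "ok" for v in report["offsite"].values())
                      and not report["frequency"])
    return report


def run_demo_audit():
    """Run the audit over the constructed sample data."""
    return audit_backups(MANIFEST, ONSITE_STORE, OFFSITE_STORE, MAX_GAP, DEMO_NOW)


def run_stale_check():
    """Same manifest examined two days later, so the latest backup is stale."""
    return check_backup_frequency(MANIFEST, MAX_GAP,
                                  datetime(2024, 1, 5, 2, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    for key, value in run_demo_audit().items():
        print(f"{key}: {value}")
```

In practice the manifest would be produced by the backup job at write time and kept separately from the archives, so that a checksum mismatch points to corruption or alteration in the store rather than in the record; the frequency check only confirms that backups were recorded when the plan says they should be, which the auditor still corroborates by direct observation.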
Appointed disaster recovery committee and chairperson
The entity needs to appoint individuals responsible for designing
and implementing the plan when needed. Generally, this consists of a
team headed by a project manager, with a deputy manager who has the
capability to take over the responsibilities if needed. The qualities
needed for this position vary depending on the organization.
The qualities of the project manager generally include:
- Good leadership abilities
- Strong knowledge of company business
- Strong knowledge of management processes
- Experience and knowledge in Information technology and security
- Good project management skills
Other members of the team need to have a clear understanding of, and the
ability to perform, the needed procedures. An auditor needs to examine
and assess the project and deputy project manager's training,
experience, and abilities, to analyze the capabilities of the team
members to complete their assigned tasks, and to verify that more than
one individual is trained and capable of performing each particular
function. Tests and inquiries of personnel can help achieve this objective.
Visibly listed emergency telephone numbers
The auditor can verify through direct observation that emergency
telephone numbers are listed and easily accessible in the event of a
disaster.
Insurance
The auditor should determine the adequacy of the company's insurance
coverage (particularly property and casualty insurance) through a review
of the company's insurance policies and other research. Among the items
that the auditor needs to verify are: the scope of the policy (including
any stated exclusions), that the amount of coverage is sufficient to
cover the organization’s needs, and that the policy is current and in
force. The auditor should also ascertain, through a review of the
ratings assigned by independent rating agencies, that the insurance
company or companies providing the coverage have the financial viability
to cover the losses in the event of a disaster.
Procedures allowing effective communication
Management and the recovery team should have procedures which allow
for effective communication. This can be accomplished by making sure
that contact information is easily accessible and that drills test
communication capabilities. Procedures should include non-technological
as well as technological methods in case of power or system failures.
Communications between the organization and outside individuals and
organizations also need to be taken into account when designing the
plan. Procedures to test this communication ability generally mirror
those of the organization itself. The auditor should evaluate these
procedures and assumptions to determine if they are reasonable and
likely to be effective.
An auditor evaluation can be accomplished through:
- Testing of procedures
- An inquiry of all employees
- Comparisons to other company plans and industry standards
- Examination of company manuals and other written procedures
Updated system and operation documentation confirmation
Adequate records need to be retained by the organization. The
auditor should physically examine records, billings, and contracts to
verify this. Outside research such as contacting vendors may also be
conducted to determine the reasonableness of management’s
assertions.
Emergency procedures
Procedures for the stocking of food and water, capabilities of
administering CPR/first aid, and dealing with family emergencies should
be clearly written and tested. This can generally be accomplished by the
company through good training programs and a clear definition of job
responsibilities.
The auditor can verify this is accomplished through:
- Inquiries of personnel
- Physical observation
- Examination of training records and any certifications
Backup of key personnel positions
Clearly written policies and specific communication with employees
should be used to substantiate this. There must also be confirmation
that the personnel backups can actually perform the duties assigned to
them in the event of an emergency. Periodic training also supports this.
This training should include updates on changes to existing job positions
and testing to confirm proficiency.
The auditor needs to verify that:
- Policies are being enforced
- Testing is effective
- Training is adequate
Hardware and software vendor list
Copies of this should be periodically updated and stored on and off
site, as well as being accessible by those who require them. An auditor
should test the procedures used to meet this objective and determine
their effectiveness.
Mission statement
This should clearly identify what the purpose and goals of the
Disaster Recovery Plan are. The mission statement can also help the
auditor obtain a better understanding of the organization’s
environment. An auditor should examine this to determine what the
objectives, priorities, and goals of the plan are.
Both manual and automated procedures in place
Procedures in place to accomplish the needed objectives should take
into account the possibility of power failures or other situations where
technology cannot be utilized. The plan should indicate what procedures
are to be used in this situation and should also include information on
storage of flashlights and candles, as well as additional safety
procedures in case of gas leaks, fires or other phenomena. Trial runs
should be conducted to test the procedures' effectiveness and
viability.
The auditor should:
- Examine and test procedures for reasonableness
- Make inquiries of personnel
- Conduct outside research
Contractual agreements with external agencies/companies
The plan needs to take into account the extent of the organization's
responsibilities to other entities, and those entities' ability to meet
their own commitments in the event of a major incident. Are there clauses
in contracts that limit legal liability for lack of performance in the
event of a disaster or any other unusual circumstance? Agreements
pertaining to establishing support and assisting with recovery for the
entity should also be outlined.
The auditor should:
- Examine the reasonableness of the plan
- Determine whether it takes all factors into account
- Verify the contracts and agreements through documentation and outside research
Summary
In conducting the audit, the individual or team should make use of
various other procedures and processes to achieve the objectives of the
audit. These objectives should be clearly stated in the audit plan.