IT Auditing: Using Controls to Protect Information Assets

Since the 2005 hurricane season, disaster recovery planning has received far more attention. The goal of disaster recovery planning is to reconstitute systems efficiently after a disaster such as a hurricane or flood strikes. In this section we touch on auditing disaster recovery plans.

6 Ensure that a disaster recovery plan exists and is comprehensive and that key employees are aware of their roles in the event of a disaster.

If a disaster strikes your only data center and you have no disaster recovery plan, the odds are high that the resulting loss will be large enough to put the organization out of business. Disaster recovery is therefore a serious matter, not a paperwork exercise.

How

Auditing disaster recovery plans can be difficult because of the complexity of successfully recovering data center operations. In auditing disaster recovery plans, the auditor should do the following:

This information can be obtained by reviewing the disaster recovery plan itself and by interviewing the data center facility manager or the disaster recovery planner. Confirm awareness with the key employees named in the plan, not only with its author.

7 Ensure that disaster recovery plans are updated and tested regularly.

Disaster recovery plans should be tested and updated at least annually, and more frequently for organizations that are upgrading or procuring new systems, conducting mergers or acquisitions, or adding new lines of business. A plan that is not kept current or is never exercised leads to slower recovery, and possibly to a failed recovery, when a disaster actually occurs.

How

When auditing disaster recovery plans, the auditor should review the update or version history, which usually appears at the front of the plan. Plans should have been updated within the last year. Likewise, the auditor should review the disaster recovery test documentation to verify that tests are performed at least annually and that the most recent test exercised the current revision of the plan. This evidence usually accompanies the plan in either electronic or paper form.

8 Verify that parts inventories and vendor agreements are accurate and current.

When a disaster occurs, the organization is faced with rebuilding, from scratch, systems that often have been completely destroyed. This requires replacement hardware, software, and backup media. To speed up the process, data centers should keep critical spare parts at an off-site facility and enter into vendor agreements for expedited delivery of replacement equipment in the event of a disaster.

How

The auditor should review both the parts inventory and the vendor agreements to ensure that each is current for the systems actually in use: spares and agreements that cover retired hardware models, or that omit recently installed ones, are of little use. Vendor agreements should accompany the disaster recovery plan and should state delivery times. Parts inventories can be obtained from asset management or from system personnel.
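The evidence reviews in steps 7 and 8 above can be scripted once the plan's version history, test log, system inventory, parts inventory and vendor agreements have been transcribed into structured records. The following is an added example written for this page, not code from the book or from any audit tool; all of the data is constructed, and the field names (`versions`, `tests`, `added`, `expires`, and so on) are assumptions rather than any real product's schema. It flags a plan or test older than a year, a revision that has never been tested, systems added after the last revision, expired vendor agreements, and hardware models with neither an off-site spare nor a current agreement.

```python
from datetime import date, timedelta

MAX_AGE = timedelta(days=365)      # "at least annually"
AS_OF = date(2008, 6, 1)           # fieldwork date (constructed)

# Constructed plan front matter: version history and test log, as an
# auditor would transcribe them from the front of the plan.
PLAN = {
    "versions": [
        {"version": "3.0", "date": date(2007, 1, 15)},
        {"version": "3.1", "date": date(2008, 2, 1)},
    ],
    "tests": [
        {"date": date(2006, 11, 5), "type": "tabletop"},
        {"date": date(2007, 6, 10), "type": "full failover"},
    ],
}

# Constructed system inventory, off-site parts inventory and vendor
# agreements (field names are assumptions, not any tool's schema).
SYSTEMS = [
    {"name": "erp-db01",  "model": "HP DL380 G5", "added": date(2007, 1, 1)},
    {"name": "mail01",    "model": "Dell PE2950", "added": date(2007, 5, 1)},
    {"name": "crm-app02", "model": "Sun T5220",   "added": date(2008, 3, 1)},
]
OFFSITE_PARTS = {"HP DL380 G5": 1, "Dell PE2950": 0}
VENDOR_AGREEMENTS = [
    {"vendor": "HP",   "models": ["HP DL380 G5"], "expires": date(2009, 1, 1), "delivery_hours": 24},
    {"vendor": "Dell", "models": ["Dell PE2950"], "expires": date(2008, 1, 1), "delivery_hours": 48},
]


def last_revision(plan):
    """Date of the newest entry in the plan's version history."""
    return max(v["date"] for v in plan["versions"])


def check_plan_currency(plan, as_of):
    """Step 7: the latest revision and the latest test must each fall within
    MAX_AGE of as_of, and the test must postdate the revision; otherwise the
    plan currently on file has never been exercised."""
    findings = []
    last_rev = last_revision(plan)
    last_test = max((t["date"] for t in plan["tests"]), default=None)
    if as_of - last_rev > MAX_AGE:
        findings.append(f"plan not updated since {last_rev}")
    if last_test is None:
        findings.append("no test evidence on file")
    elif as_of - last_test > MAX_AGE:
        findings.append(f"plan not tested since {last_test}")
    elif last_test < last_rev:
        findings.append(f"revision dated {last_rev} has not been tested (last test {last_test})")
    return findings


def check_untracked_systems(plan, systems):
    """Systems added after the last revision cannot be covered by that revision."""
    last_rev = last_revision(plan)
    return [s["name"] for s in systems if s["added"] > last_rev]


def check_parts_and_vendors(systems, parts, agreements, as_of):
    """Step 8: every hardware model in use needs an off-site spare or a
    vendor agreement that is still in force on as_of."""
    findings = []
    covered = set()
    for a in agreements:
        if a["expires"] > as_of:
            covered.update(a["models"])
        else:
            findings.append(f"{a['vendor']} agreement expired {a['expires']}")
    for s in systems:
        model = s["model"]
        if parts.get(model, 0) == 0 and model not in covered:
            findings.append(f"{s['name']} ({model}): no off-site spare and no current vendor agreement")
    return findings


def run_audit(as_of=AS_OF):
    """Run all three checks and return the exceptions grouped by area."""
    return {
        "plan": check_plan_currency(PLAN, as_of),
        "untracked_systems": check_untracked_systems(PLAN, SYSTEMS),
        "parts_and_vendors": check_parts_and_vendors(SYSTEMS, OFFSITE_PARTS, VENDOR_AGREEMENTS, as_of),
    }


if __name__ == "__main__":
    for area, findings in run_audit().items():
        print(f"{area}: {findings or 'no exceptions'}")
```

With the constructed data the plan itself passes the one-year tests, but the script still raises an exception because revision 3.1 was issued after the last failover test, so the plan on file has never been exercised; the Dell agreement has lapsed, and the new Sun server has neither a spare nor a vendor on contract. Each finding should be traced back to the paper or electronic evidence before it goes into the audit report.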

9 Ensure that emergency operations plans address various disaster scenarios adequately.

Several different types of disaster can strike a data center. The common ones are fire, flood, and other weather-related events. Each type of event calls for different salvage and recovery efforts: the equipment that survives a fire, the access constraints, and the order in which services can be restored all differ from those after a flood. Emergency operations plans should cover every reasonably anticipated scenario. Plans that do not fit the event that actually occurs increase recovery times.

How

The auditor should verify that every reasonably anticipated scenario is covered by the emergency operations plans and that each plan reflects the specific needs of its scenario. This analysis can be performed by interviewing the disaster recovery planners or simply by reviewing the emergency operations plans.
