Columbus City Schools Office of Internal Audit

Size: px
Start display at page:

Download "Columbus City Schools Office of Internal Audit"

Transcription

1 Information Technology Disaster Recovery Plan Review Report Date: March 24, 2011 Internal Audit Mission Statement To support the overall mission of the Columbus City Schools by providing quality management advisory and business process auditing services to the District. Internal Audit is an extension of management. Through our reviews we assist the Board of Education, Superintendent, Treasurer, and all Columbus City Schools personnel in carrying out their responsibilities.

2 Table of Contents Title Page Executive Summary 3 Results of DR Plan Testing Documentation Review 3 Background 4 Objectives 4 Scope and Methodology 5 Observations and Recommendations 5 Management Responses and Action Plans 7 2

3 Executive Summary On February 8, 2011, The (IA) completed an initial review of the testing documentation provided in support of the Information Technology Department Disaster Recovery Plan (DR Plan), last revised July The IT Operations Manager is responsible for executing DR Plan testing, documenting test results and completing the semi-annual update to the DR Plan, as described in the July 2010 plan. The following report summarizes our observations and the results of our testing documentation review. The report contains several recommendations designed to strengthen the testing procedures and the testing documentation included in the DR Plan. Results of DR Plan Testing Documentation Review The initial review of the July 2010, Information Technology DR Plan testing documentation indicated the testing documentation should be enhanced to support evidence of the execution of an effective, proactive DR Plan testing methodology. The DR Plan testing plan should establish the required minimum testing activity to be accomplished annually. The IT Operations Manager stores the core DR Plan Book, in hard copy and electronic copy, separate from the annual DR Plan testing support documentation. The DR Plan book (hard copy and electronic copy) should be expanded to include a reference to the location(s) where the evidentiary support for annual DRP testing is maintained. The current DR Plan document contains descriptions of IT Operation s reactions to various situations that present during daily operations, such as equipment malfunction and requests for data restorations, etc.. The documentation of successful recovery from the unanticipated event has been a mainstay of the DR Plan testing methodology and support documentation. The DR Plan testing methodology should be enhanced to include an effective forward looking annual testing plan. The plan should include documentation of the results of actual testing scenarios, lessons learned from the testing scenarios and documentation describing subsequent DR Plan changes which will be incorporated into the annual update of the DR Plan Book, hard copy and electronic copy. 3

4 Background Disaster recovery planning is the process, policy, and procedures related to preparing for recovery continuation of technology infrastructure critical to an organization after a natural or human-induced disaster. Business continuity involves planning for keeping all aspects of a business functioning in the midst of disruptive events, disaster recovery, a subset of continuity planning focuses on the IT or technology systems that support business functions. The IT Operations Manager described the evolution of the Information Technology Disaster Recovery Plan for Columbus City Schools. Prior to the development of the District s disaster recovery plan the Information Technology (IT) Department maintained a book of system documentation/restore procedures. In the Information Technology Department identified the mission critical applications and built out the three data centers. The disaster recovery plan was formalized by critical application in accordance with the disaster recovery capabilities of the three generator backed up facilities. The IT Department supports 148 district buildings and over 250 departments. The IT department supports three data centers which house over 200 physical servers, approximately 29,000 traditional computer/thin client work stations, 4,000 laptop computers and over 1,000 unique software applications. Objectives The objectives of the review were the following: Determine District management continues to develop, test and refine the disaster recovery plan to respond to data processing demands and environmental changes within the district. Determine the plan includes documentation describing plan revisions including the sections modified, when modifications were completed, the individual(s) responsible for the modifications and documentation supporting change approval by senior management. Determine the plan includes documentation of the testing cycle and recent test results. Determine that critical personnel have a current copy of the plan and are aware of their roles and responsibilities during a disaster recovery. Determine that the applicable June 30, 2010 Auditor of State management letter recommendations have been addressed and documented in the disaster recovery plan. 4

5 Scope and Methodology The scope of the review is limited to the IT Department and the review of their DR Plan. During the review, IA interviewed the Chief Information Officer (CIO) and IT Operations Manager. IA referenced the Control Objectives for Information and related Technology (COBIT) and other guidance; researched reviews performed on IT DR Plans, and used the internet to research DR Plans & governance. COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues, and business risks. COBIT enables clear policy development and good practice for IT controls throughout organizations. Observations and Recommendations Observation Number 1 - The Information Technology (IT) Department DR Plan is not regularly tested. Disaster Recovery Plan testing should be a multi-step process. The preparation and execution of disaster recovery plan testing involves pre-planning, scenario building, scheduling of personnel and facilities, pre-test reviews, finalization of the actual disaster recovery plan and lastly, making sure all the resources you need are available when testing the plan. Effective disaster recovery plan testing helps to determine the readiness of all systems, people, and processes, helps identify gaps in the DR Plan, and allows IT Operations management to constantly improve the plan to ensure it is a living document. The last formal, pre-planned, IT Department table top exercise was performed in December The lack of scheduling and performing planned testing could lead to the District failing to protect intellectual property or sensitive information and files from loss or significant damage. Recommendation Nos. 1, 2 1. IA recommends IT Operations management perform scheduled testing of the DR Plan, conducted on a regular basis, at least annually. The testing at a minimum should include tabletop exercises. 5

6 2. IA recommends IT Operations management generate and retain supporting documentation as evidence of completion of the test objectives, the individuals involved, test results, lessons learned, and any procedural changes to be incorporated into the DR plan, so the plan evolves over time. Observation Number 2 - Lack of Consistent Reviews and Updates of the Disaster Recovery Plan. The current DR Plan, Administration Section 4.0, states: The Disaster Recovery Plan and Emergency Operation Manual will be reviewed by Information Technology personnel in June and December of each year. The review will be initiated by the IT Operations Manager and will consider hardware and operating system changes, application software changes, staffing changes and organizational changes. All modification documentation will be submitted to the IT Operations Manager. The DR Plan has been revised and updated twice, once in January 2009 and again in July Lack of a system to test and ensure controls are in place to properly update the disaster recovery plan could lead to outdated information being contained in the plan. Recommendation Nos. 3, 4, 5, & 6 3. IA recommends IT Operations management review and update the DR Plan at least annually. 4. IA recommends IT Operations management develop a mechanism to identify sections changed with date, and what was revised and/or changed during the review cycle. 5. IA recommends IT Operations management ensure that all individuals identified as required to have DR Plan have the most up-to-date copy. 6. IA recommends IT Operations management conduct an annual meeting with key personnel who would be involved in the disaster recovery, to ensure they know their roles and responsibilities during an event of a disaster. February 8, 2011 Status Update Received from IT Operations The IT Operations Manager revealed a significant effort is underway to update the July 2010 version of the DR Plan. The end of February 2011 is the target completion date for the latest DR Plan revision. Also stated was the intent to eliminate semi-annual DR Plan updates, replacing them with a single, annual DR Plan update to be scheduled for the month of February each year. The months of March and May of each year are to be dedicated for testing and documenting the results of DR Plan testing scenarios. 6

7 The IT Operations Manager indicated the electronic and hard copy versions of the DR Plan will be switched out during the first week of March The updated hard copies of the DR Plan will be provided to individuals identified in DR Plan Section 4.1. A 90 Day Review will be performed. Management Responses and Action Plans Recommendation No. 1 Annually we will be doing a tape restore test in March of each year and will be doing a walk through test of one of the critical system in May of each year. This is outlined in the DR Plan revised February 2011 in the Introduction, Section 5.2 Testing schedule, on page 11. Target Implementation date: March 2011 for the tape restore test and May 2011 for the walk through of the critical system. Recommendation No. 2 Ultimately the IT Operations Manager is responsible for ensuring the tests are completed and documented. The IT technical and applications teams will conduct the tests. Individuals will change depending on the system tested and the names of those involved will be noted in the test documentation. Target Implementation date: March 2011 for the tape restore test and May 2011 for the walk through of the critical system. Recommendation No. 3 The plan was updated in February of 2011 and will be done annually in February going forward. If there is a significant change to any of the recovery plans within the year, the plan will be updated accordingly. 7

8 Ultimately the IT Operations Manager is responsible for insuring the plan updated are completed and documented. The IT technical and applications teams will make the necessary changes. Individuals will change depending on the system documented. The names of those involved will be noted in the documentation. Target Implementation date: Annually in February Recommendation No. 4 For the update done in February 2011, the changes are noted in an excel spreadsheet. The spreadsheet includes section updated, the lead for the changes and the team members who made the changes. Going forward the change tracker will be turned on when the changes are made. Target Implementation date: Annually in February. Recommendation No. 5 & 6 For the individuals that are receiving a paper copy, the copies are delivered and signed for by the recipient once the old copy is turned over and the recipient understands their role in the plan. For those who have access to the electronic copy, a meeting is held to let the team members know the updates are complete, where the file is located. Once they have verified their access and understand their role in the plan, they sign a document confirming this. Target Implementation date: The first week of March annually. 8

OFFICE OF AUDITS & ADVISORY SERVICES IT DISASTER RECOVERY AUDIT FINAL REPORT

OFFICE OF AUDITS & ADVISORY SERVICES IT DISASTER RECOVERY AUDIT FINAL REPORT County of San Diego Auditor and Controller OFFICE OF AUDITS & ADVISORY SERVICES IT DISASTER RECOVERY AUDIT FINAL REPORT Chief of Audits: Juan R. Perez Audit Manager: Lynne Prizzia, CISA, CRISC Senior Auditor:

More information

Project Background and Summary

Project Background and Summary To: LASERS Audit Committee; Cindy Rougeou, Executive Director Cc: Maris LeBlanc, Deputy Director; Lance Armstrong, IT Director; Dan Bowden, IT Deputy Director From: Ryan Babin, Audit Director; Blake Lee,

More information

The PNC Financial Services Group, Inc. Business Continuity Program

The PNC Financial Services Group, Inc. Business Continuity Program The PNC Financial Services Group, Inc. Business Continuity Program 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis (BIA) Page

More information

Audit of IMS Disaster Recovery Plan

Audit of IMS Disaster Recovery Plan Audit of IMS Disaster Recovery Plan Internal Audit 378-1-615 April 29, 2009 TABLE OF CONTENTS EXECUTIVE SUMMARY...II 1.0 INTRODUCTION...5 2.0 AUDIT OBJECTIVES AND SCOPE...7 3.0 AUDIT APPROACH AND METHODOLOGY...7

More information

Disaster Recovery and Business Continuity Plan

Disaster Recovery and Business Continuity Plan Disaster Recovery and Business Continuity Plan Table of Contents 1. Introduction... 3 2. Objectives... 3 3. Risks... 3 4. Steps of Disaster Recovery Plan formulation... 3 5. Audit Procedure.... 5 Appendix

More information

hi Information Technologies Change Management Standard

hi Information Technologies Change Management Standard hi Information Technologies Change Management Standard Classification Service Delivery Standard # SVD-002 Approval Authority Chief Information Officer Implementation Authority Director, Service Delivery

More information

MANAGEMENT AUDIT REPORT DISASTER RECOVERY PLAN DEPARTMENT OF FINANCE AND ADMINISTRATIVE SERVICES INFORMATION TECHNOLOGY SERVICES DIVISION

MANAGEMENT AUDIT REPORT DISASTER RECOVERY PLAN DEPARTMENT OF FINANCE AND ADMINISTRATIVE SERVICES INFORMATION TECHNOLOGY SERVICES DIVISION MANAGEMENT AUDIT REPORT OF DISASTER RECOVERY PLAN DEPARTMENT OF FINANCE AND ADMINISTRATIVE SERVICES INFORMATION TECHNOLOGY SERVICES DIVISION REPORT NO. 13-101 City of Albuquerque Office of Internal Audit

More information

Internal Audit Report on. IT Security Access. January 2010. 2010 January - English - Information Technology - Security Access - FINAL.

Internal Audit Report on. IT Security Access. January 2010. 2010 January - English - Information Technology - Security Access - FINAL. Internal Audit Report on January 2010 2010 January - English - Information Technology - Security Access - FINAL.doc Contents Background...3 Introduction...3 IT Security Architecture,Diagram 1...4 Terms

More information

Healthcare Technology Audit Basics. Session Objectives

Healthcare Technology Audit Basics. Session Objectives Healthcare Technology Audit Basics Jennifer McGill, CIA, CISA, CGEIT April 20, 2015 Session Objectives Review information technology basic concepts. Use real world examples to identify and understand healthcare

More information

3/17/2015. Healthcare Technology Audit Basics. Session Objectives. Jennifer McGill, CIA, CISA, CGEIT April 20, 2015

3/17/2015. Healthcare Technology Audit Basics. Session Objectives. Jennifer McGill, CIA, CISA, CGEIT April 20, 2015 Healthcare Technology Audit Basics Jennifer McGill, CIA, CISA, CGEIT April 20, 2015 Session Objectives Review information technology basic concepts. Use real world examples to identify and understand healthcare

More information

Department of Information Technology Data Center Disaster Recovery Audit Report Final Report. September 2006

Department of Information Technology Data Center Disaster Recovery Audit Report Final Report. September 2006 Department of Information Technology Data Center Disaster Recovery Audit Report Final Report September 2006 promoting efficient & effective local government Executive Summary Our audit found that a comprehensive

More information

Audit of the Disaster Recovery Plan

Audit of the Disaster Recovery Plan Audit of the Disaster Recovery Plan Report # 11-05 Prepared by Office of Inspector General J. Timothy Beirnes, CPA, Inspector General Kit Robbins, CISA, CISM, CRISC, Lead Information Systems Auditor TABLE

More information

FINAL AUDIT REPORT WITH RECOMENDATIONS Information Technology No. 11-001

FINAL AUDIT REPORT WITH RECOMENDATIONS Information Technology No. 11-001 FINAL AUDIT REPORT WITH RECOMENDATIONS Information Technology No. 11-001 SUBJECT: Review of Emergency Plans DATE: September 24, 2010 for Critical Information Technology Operations and Financial Systems

More information

Business Continuity Management Review

Business Continuity Management Review Office of Internal Audit Business Continuity Management Review November 14, 2014 Internal Audit Team Shannon Henry Chief Audit Officer & Executive Director of Institutional Compliance Stacy Sneed Audit

More information

Subject: Internal Audit of Information Technology Disaster Recovery Plan

Subject: Internal Audit of Information Technology Disaster Recovery Plan RIVERSIDE: AUDIT & ADVISORY SERVICES June 30, 2009 To: Charles Rowley, Associate Vice Chancellor Computing & Communications Subject: Internal Audit of Information Technology Disaster Recovery Plan Ref:

More information

Hong Kong Baptist University

Hong Kong Baptist University Hong Kong Baptist University Disaster Recovery Standard FOR INTERNAL USE ONLY Date of Issue: JULY 2012 Revision History Version Author Date Revision 1.0 Information Security Subcommittee (ISSC) July 2012

More information

Dublin City University

Dublin City University Asset Management Policy Asset Management Policy Contents Purpose... 1 Scope... 1 Physical Assets... 1 Software Assets... 1 Information Assets... 1 Policies and management... 2 Asset Life Cycle... 2 Asset

More information

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Follow-up Audit of Information Technology Services Department. IT Contingency Planning

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Follow-up Audit of Information Technology Services Department. IT Contingency Planning Follow-up Audit of Information Technology Services Department CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR Follow-up Audit of Information Technology Services Department Project No. AU13-F05 October 25,

More information

CRISP Technologies Inc.

CRISP Technologies Inc. Resumption Planning (BCRP ) Consulting with BCRP Methodology and Workflow CRISP Technologies Inc. Table of Contents TABLE OF CONTENTS... 2 1 CONSULTING WITH THE CRISP BCRP METHODOLOGY... 3 2 CRISP TECHNOLOGIES

More information

Developing a Business Continuity Plan... More Than Disaster

Developing a Business Continuity Plan... More Than Disaster Developing a Business Continuity Plan..... More Than Disaster Recovery! April 19, 2010 UHY / MMA Business Survival Series Webinar Focus.... Understanding the components of Business Continuity Planning

More information

Business Continuity Planning 101. +1 610 768-4120 (800) 634-2016 www.strohlsystems.com info@strohlsystems.com

Business Continuity Planning 101. +1 610 768-4120 (800) 634-2016 www.strohlsystems.com info@strohlsystems.com Business Continuity Planning 101 Presentation Overview What is business continuity planning Plan Development Plan Testing Plan Maintenance Future advancements in BCP Question & Answer What is a Disaster?

More information

Office of the Auditor General AUDIT OF IT GOVERNANCE. Tabled at Audit Committee March 12, 2015

Office of the Auditor General AUDIT OF IT GOVERNANCE. Tabled at Audit Committee March 12, 2015 Office of the Auditor General AUDIT OF IT GOVERNANCE Tabled at Audit Committee March 12, 2015 This page has intentionally been left blank Table of Contents Executive Summary... 1 Introduction... 1 Background...

More information

Information and Communication Technology. Disaster Recovery Policy

Information and Communication Technology. Disaster Recovery Policy BELA-BELA LOCAL MUNICIPALITY Chris Hani Drive, Bela- Bela, Limpopo. Private Bag x 1609 BELA-BELA 0480 Tel: 014 736 8000 Fax: 014 736 3288 Website: www.belabela.gov.za OFFICE OF THE MUNICIPAL MANAGER Information

More information

EXECUTIVE SUMMARY. We found that back-up activities were reasonably effective to minimize data loss but that improvements were needed in the areas of:

EXECUTIVE SUMMARY. We found that back-up activities were reasonably effective to minimize data loss but that improvements were needed in the areas of: EXECUTIVE SUMMARY The Securities and Exchange Commission (SEC), Office of Inspector General (OIG) sought to determine whether the SEC s current data back-up procedures were reasonably effective in insuring

More information

SECTION 15 INFORMATION TECHNOLOGY

SECTION 15 INFORMATION TECHNOLOGY SECTION 15 INFORMATION TECHNOLOGY 15.1 Purpose 15.2 Authorization 15.3 Internal Controls 15.4 Computer Resources 15.5 Network/Systems Access 15.6 Disaster Recovery Plan (DRP) 15.1 PURPOSE The Navajo County

More information

I. EXECUTIVE SUMMARY. Date: June 30, 2015. Sabina Sitaru, Chief Innovation Officer, Metro Hartford Innovation Services

I. EXECUTIVE SUMMARY. Date: June 30, 2015. Sabina Sitaru, Chief Innovation Officer, Metro Hartford Innovation Services Date: June 30, 2015 To: Sabina Sitaru, Chief Innovation Officer, Metro Hartford Innovation Services From: Craig Trujillo, CPA, Deputy Chief Auditor CST Tele: Office 860-757-9952 Mobile 860-422-3600 City

More information

Final Audit Report. Audit of Data Integrity MCCS Feeder System Interfacing with SAP

Final Audit Report. Audit of Data Integrity MCCS Feeder System Interfacing with SAP Final Audit Report Audit of Data Integrity MCCS Feeder System Interfacing with SAP April 2008 Table of Contents Executive Summary... ii Introduction...........1 Background... 1 Audit Objectives... 1 Scope

More information

Evaluation of the Railroad Retirement Board s Disaster Recovery Plan Report No. 06-08, August 14, 2006 INTRODUCTION

Evaluation of the Railroad Retirement Board s Disaster Recovery Plan Report No. 06-08, August 14, 2006 INTRODUCTION Evaluation of the Railroad Retirement Board s Disaster Recovery Plan Report No. 06-08, August 14, 2006 INTRODUCTION This report presents the results of the Office of Inspector General s evaluation of the

More information

GOVERNANCE AND MANAGEMENT OF CITY COMPUTER SOFTWARE NEEDS IMPROVEMENT. January 7, 2011

GOVERNANCE AND MANAGEMENT OF CITY COMPUTER SOFTWARE NEEDS IMPROVEMENT. January 7, 2011 APPENDIX 1 GOVERNANCE AND MANAGEMENT OF CITY COMPUTER SOFTWARE NEEDS IMPROVEMENT January 7, 2011 Auditor General s Office Jeffrey Griffiths, C.A., C.F.E. Auditor General City of Toronto TABLE OF CONTENTS

More information

Disaster Recovery Plan Test. Audit Report

Disaster Recovery Plan Test. Audit Report ATTACHMENT 4 Disaster Recovery Plan Test Audit Report Internal Audit Report TABLE OF CONTENTS Section Page No. 1.0 MANAGEMENT SUMMARY...2 2.0 INTRODUCTION...2 3.0 OBJECTIVES AND SCOPE...3 4.0 METHODOLOGY...3

More information

Auditor General s Office. Governance and Management of City Computer Software Needs Improvement

Auditor General s Office. Governance and Management of City Computer Software Needs Improvement Auditor General s Office Governance and Management of City Computer Software Needs Improvement Transmittal Report Audit Report Management s Response Jeffrey Griffiths, C.A., C.F.E Auditor General, City

More information

REPORT 2015/112 INTERNAL AUDIT DIVISION

REPORT 2015/112 INTERNAL AUDIT DIVISION INTERNAL AUDIT DIVISION REPORT 2015/112 Audit of information and communication technology hosting services provided by third parties to the Office of the United Nations High Commissioner for Refugees Overall

More information

ACTUALLY TEST YOUR PLAN. Disaster Recovery using Shadow Protect. March Madness Lunch & Learn. www.martinandassoc.com 1 AGENDA

ACTUALLY TEST YOUR PLAN. Disaster Recovery using Shadow Protect. March Madness Lunch & Learn. www.martinandassoc.com 1 AGENDA AGENDA BEYOND BACKUP ENSURING RECOVER-ABILITY Identify and Quantify Exposure Risk Evolution of Recovery Technologies Build a Recover-Ability Solution Joe Gast Martin & Associates Maintenance Testing &

More information

Department of Information Technology Software Change Control Audit - Mainframe Systems Final Report

Department of Information Technology Software Change Control Audit - Mainframe Systems Final Report Department of Information Technology Software Change Control Audit - Mainframe Systems Final Report March 2007 promoting efficient & effective local government Introduction Software change involves modifications

More information

Oregon Employment Department: Computer Programs for Unemployment Tax Returns and Claims Need Attention

Oregon Employment Department: Computer Programs for Unemployment Tax Returns and Claims Need Attention Secretary of State Audit Report Jeanne P. Atkins, Secretary of State Gary Blackmer, Director, Audits Division Oregon Employment Department: Computer Programs for Unemployment Tax Returns and Claims Need

More information

NOS for Network Support (903)

NOS for Network Support (903) NOS for Network Support (903) November 2014 V1.1 NOS Reference ESKITP903301 ESKITP903401 ESKITP903501 ESKITP903601 NOS Title Assist with Installation, Implementation and Handover of Network Infrastructure

More information

Disaster Recovery Plan Documentation for Agencies Instructions

Disaster Recovery Plan Documentation for Agencies Instructions California Office of Information Security Disaster Recovery Plan Documentation for Agencies Instructions () November 2009 SCOPE AND PURPOSE The requirements included in this document are applicable to

More information

CISM Certified Information Security Manager

CISM Certified Information Security Manager CISM Certified Information Security Manager Firebrand Custom Designed Courseware Chapter 4 Information Security Incident Management Exam Relevance Ensure that the CISM candidate Establish an effective

More information

DISASTER RECOVERY PLANNING FOR CITY COMPUTER FACILITIES

DISASTER RECOVERY PLANNING FOR CITY COMPUTER FACILITIES APPENDIX 1 DISASTER RECOVERY PLANNING FOR CITY COMPUTER FACILITIES March 2008 Auditor General s Office Jeffrey Griffiths, C.A., C.F.E. Auditor General City of Toronto TABLE OF CONTENTS EXECUTIVE SUMMARY...1

More information

University of Massachusetts Medical School's Data Center Relocation For the period July 1, 2008 through August 31, 2010

University of Massachusetts Medical School's Data Center Relocation For the period July 1, 2008 through August 31, 2010 ` Official Audit Report Issued September 30, 2011 University of Massachusetts Medical School's Data Center Relocation For the period July 1, 2008 through August 31, 2010 State House Room 230 Boston, MA

More information

Overview of how to test a. Business Continuity Plan

Overview of how to test a. Business Continuity Plan Overview of how to test a Business Continuity Plan Prepared by: Thomas Bronack Phone: (718) 591-5553 Email: bronackt@dcag.com BRP/DRP Test Plan Creation and Exercise Page: 1 Table of Contents BCP/DRP Test

More information

PRIVY COUNCIL OFFICE. Audit of Information Technology (IT) Security. Final Report

PRIVY COUNCIL OFFICE. Audit of Information Technology (IT) Security. Final Report An asterisk appears where sensitive information has been removed in accordance with the Access to Information Act and Privacy Act. PRIVY COUNCIL OFFICE Audit of Information Technology (IT) Security Audit

More information

Office of the Superintendent of Financial Institutions. Internal Audit on Corporate Services: Security and Administrative Services

Office of the Superintendent of Financial Institutions. Internal Audit on Corporate Services: Security and Administrative Services Office of the Superintendent of Financial Institutions Internal Audit on Corporate Services: Security and Administrative Services April 2014 Table of Contents 1. Background... 3 2. Audit Objective, Scope

More information

The Business Continuity Maturity Continuum

The Business Continuity Maturity Continuum The Business Continuity Maturity Continuum Nick Benvenuto & Brian Zawada Protiviti Inc. 2004 Protiviti Inc. EOE Agenda Terminology Risk Management Infrastructure Discussion A Proposed Continuity Maturity

More information

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department

More information

Shared Services Update. What is a Shared Service? Governor s Directive 09 02 1/27/2011. FMAC Group January 27, 2011

Shared Services Update. What is a Shared Service? Governor s Directive 09 02 1/27/2011. FMAC Group January 27, 2011 Shared Services Shared Services Update FMAC Group January 27, 2011 What is a Shared Service? Washington State Government defines shared IT services as: The concentration of state and other related IT resources

More information

Stepping Through the Business Continuity Plan Audit

Stepping Through the Business Continuity Plan Audit Stepping Through the Business Continuity Plan Audit Doug Menendez Graybar Electric Company Presentation to MidAmerica Contingency Planning Forum February 16, 2012 Introduction Whether it is from internal

More information

The Weill Cornell Medical College and Graduate School of Medical Sciences. Responsible Department: Information Technologies and Services (ITS)

The Weill Cornell Medical College and Graduate School of Medical Sciences. Responsible Department: Information Technologies and Services (ITS) Information Technology Disaster Recovery Policy Policy Statement This policy defines acceptable methods for disaster recovery planning, preparedness, management and mitigation of IT systems and services

More information

Internal Audit Department NeighborWorks America. Audit Review of the Business Continuity Plan (BCP) Management and Documentation

Internal Audit Department NeighborWorks America. Audit Review of the Business Continuity Plan (BCP) Management and Documentation Department NeighborWorks America Audit Review of the Business Continuity Plan (BCP) and Documentation Project Number: ADMN.BCP.2013 Audit Review of of BCP Table of Contents Project Completion Letter...

More information

Information Security Management Systems. Chief Operating Officer, Director of Strategy and Business Development, Chief Information Security Officer

Information Security Management Systems. Chief Operating Officer, Director of Strategy and Business Development, Chief Information Security Officer Information Security Management Systems Chief Operating Officer, Director of Strategy and Business Development, Chief Information Security Officer atsec information security, 2013 ISO/IEC 27001 and related

More information

DRAFT Disaster Recovery Policy Template

DRAFT Disaster Recovery Policy Template DRAFT Disaster Recovery Policy Template NOTE: This is a boiler plate template much information is needed from to finalizeconsider this document pre-draft FOREWARD... 3 Policy Overview...

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center IT Business Continuity Planning No: Effective: OSC-13 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

Audit of the Test of Design of Entity-Level Controls

Audit of the Test of Design of Entity-Level Controls Audit of the Test of Design of Entity-Level Controls Canadian Grain Commission Audit & Evaluation Services Final Report March 2012 Canadian Grain Commission 0 Entity Level Controls 2011 Table of Contents

More information

Audit of. District s Information Technology Disaster Recovery Plan

Audit of. District s Information Technology Disaster Recovery Plan Audit of District s Information Technology Disaster Recovery Plan April 11, 2014 Report #2014-03 MISSION STATEMENT The School Board of Palm Beach County is committed to providing a world class education

More information

Dacorum Borough Council Final Internal Audit Report. IT Business Continuity and Disaster Recovery

Dacorum Borough Council Final Internal Audit Report. IT Business Continuity and Disaster Recovery Dacorum Borough Council Final Internal Audit Report IT Business Continuity and Disaster Recovery Distribution list: Chris Gordon Group Manager Performance, Policy and Projects John Worts ICT Team Leader

More information

IT DISASTER RECOVERY CALIFORNIA STATE UNIVERSITY, EAST BAY. Audit Report 10-34 October 13, 2010

IT DISASTER RECOVERY CALIFORNIA STATE UNIVERSITY, EAST BAY. Audit Report 10-34 October 13, 2010 IT DISASTER RECOVERY CALIFORNIA STATE UNIVERSITY, EAST BAY Audit Report 10-34 October 13, 2010 Members, Committee on Audit Henry Mendoza, Chair Raymond W. Holdsworth, Vice Chair Nicole M. Anderson Margaret

More information

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years 2009 2013

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years 2009 2013 State of Minnesota Enterprise Security Strategic Plan Fiscal Years 2009 2013 Jointly Prepared By: Office of Enterprise Technology - Enterprise Security Office Members of the Information Security Council

More information

University of Ulster Policy Cover Sheet

University of Ulster Policy Cover Sheet University of Ulster Policy Cover Sheet Document Title Custodian Approving Committee Information Technology Disaster Recovery and Data Backup Policy 1.2 Deputy Director of Finance and Information Services

More information

COMPUTER OPERATIONS AUDIT

COMPUTER OPERATIONS AUDIT County of San Diego Auditor and Controller OFFICE OF AUDITS & ADVISORY SERVICES COMPUTER OPERATIONS AUDIT FINAL AUDIT REPORT Chief of Audits: James L. Pelletier, CIA, CICA IT Audit Manager: Lynne Prizzia,

More information

COMPUTER OPERATIONS - BACKUP AND RESTORATION

COMPUTER OPERATIONS - BACKUP AND RESTORATION County of San Diego Auditor and Controller OFFICE OF AUDITS & ADVISORY SERVICES COMPUTER OPERATIONS - BACKUP AND RESTORATION FINAL AUDIT REPORT Chief of Audits: Julie Nieminski, CPA, CIA, CFE, CISA, MPA

More information

The PNC Financial Services Group, Inc. Business Continuity Program

The PNC Financial Services Group, Inc. Business Continuity Program The PNC Financial Services Group, Inc. Business Continuity Program subsidiaries) 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis

More information

OFFICE OF AUDITS & ADVISORY SERVICES SUNGARD TREASURY MANAGEMENT SYSTEM CONTRACT COMPLIANCE FINAL AUDIT REPORT

OFFICE OF AUDITS & ADVISORY SERVICES SUNGARD TREASURY MANAGEMENT SYSTEM CONTRACT COMPLIANCE FINAL AUDIT REPORT County of San Diego Auditor and Controller OFFICE OF AUDITS & ADVISORY SERVICES SUNGARD TREASURY MANAGEMENT SYSTEM CONTRACT COMPLIANCE FINAL AUDIT REPORT Chief of Audits: Juan R. Perez Senior Audit Manager:

More information

Report on Hong Kong SME Cloud Adoption and Security Readiness Survey

Report on Hong Kong SME Cloud Adoption and Security Readiness Survey Report on Hong Kong SME Cloud Adoption and Security Readiness Survey Collaborated by Internet Society Hong Kong and Cloud Security Alliance (HK & Macau Chapter) Sponsored by Microsoft Hong Kong Jointly

More information

Report No. D-2008-047 February 5, 2008. Contingency Planning for DoD Mission-Critical Information Systems

Report No. D-2008-047 February 5, 2008. Contingency Planning for DoD Mission-Critical Information Systems Report No. D-2008-047 February 5, 2008 Contingency Planning for DoD Mission-Critical Information Systems Additional Copies To obtain additional copies of this report, visit the Web site of the Department

More information

Business Continuity Plan

Business Continuity Plan Business Continuity Plan October 2007 Agenda Business continuity plan definition Evolution of the business continuity plan Business continuity plan life cycle FFIEC & Business continuity plan Questions

More information

INSPECTION U.S. DEPARTMENT OF THE INTERIOR WEB HOSTING SERVICES

INSPECTION U.S. DEPARTMENT OF THE INTERIOR WEB HOSTING SERVICES INSPECTION U.S. DEPARTMENT OF THE INTERIOR WEB HOSTING SERVICES Report No.: ISD-IS-OCIO-0001-2014 June 2014 OFFICE OF INSPECTOR GENERAL U.S.DEPARTMENT OF THE INTERIOR Memorandum JUN 0 4 2014 To: From:

More information

The Disaster Recovery Self-Assessment Guide and Validation Model. Jim Kates Cognizant Technology Solutions Jim.Kates@cognizant.com

The Disaster Recovery Self-Assessment Guide and Validation Model. Jim Kates Cognizant Technology Solutions Jim.Kates@cognizant.com The Disaster Recovery Self-Assessment Guide and Validation Model Jim Kates Cognizant Technology Solutions Jim.Kates@cognizant.com How Would You Evaluate Your DRP? (Is it a Disaster Recovery Plan or a Dilbert

More information

Department of Public Utilities Customer Information System (BANNER)

Department of Public Utilities Customer Information System (BANNER) REPORT # 2010-06 AUDIT of the Customer Information System (BANNER) January 2010 TABLE OF CONTENTS Executive Summary..... i Comprehensive List of Recommendations. iii Introduction, Objective, Methodology

More information

Year 2000 Business Continuity and Contingency Planning: Day One Strategy (Report Number TR-AR-00-002)

Year 2000 Business Continuity and Contingency Planning: Day One Strategy (Report Number TR-AR-00-002) December 7, 1999 CLARENCE E. LEWIS, JR. CHIEF OPERATING OFFICER AND EXECUTIVE VICE PRESIDENT SUBJECT: Year 2000 Business Continuity and Contingency Planning: (Report Number ) This audit report presents

More information

By: Tracy Hall. Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level. June 9, 2015

By: Tracy Hall. Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level. June 9, 2015 Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level June 9, 2015 By: Tracy Hall MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company,

More information

Maryland Transportation Authority

Maryland Transportation Authority Audit Report Maryland Transportation Authority March 2014 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND GENERAL ASSEMBLY This report and any related follow-up correspondence

More information

The Commonwealth of Massachusetts

The Commonwealth of Massachusetts A. JOSEPH DeNUCCI AUDITOR The Commonwealth of Massachusetts AUDITOR OF THE COMMONWEALTH ONE ASHBURTON PLACE, ROOM 1819 BOSTON, MASSACHUSETTS 02108 TEL. (617) 727-6200 No. 2008-1308-4T OFFICE OF THE STATE

More information

Del Mar College Job Description. Chief Information Technology Officer FLSA Status: Exempt. Position # 110035 Prepared: October 2006

Del Mar College Job Description. Chief Information Technology Officer FLSA Status: Exempt. Position # 110035 Prepared: October 2006 BRIEF DESCRIPTION: The purpose of this position is to serve as the chief technology officer with leadership and responsibility for the operational and maintenance of the College s information technology

More information

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Disaster Recovery Testing Is Being Adequately Performed, but Problem Reporting and Tracking Can Be Improved May 3, 2012 Reference Number: 2012-20-041 This

More information

SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT IT 11-02. IT Backup, Recovery and Disaster Recovery Planning

SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT IT 11-02. IT Backup, Recovery and Disaster Recovery Planning SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT IT 11-02 IT Backup, Recovery and Disaster Recovery Planning Executive Summary Introduction As part of the 2011/12 Audit Plan and following discussions

More information

Central Bank of India. Business Continuity Management Policy

Central Bank of India. Business Continuity Management Policy Central Bank of India Business Continuity Management Policy DataCenter Version 1.0 February 2012 Table of Contents 1. Purpose... 3 2. Objective... 3 3. Scope... 4 4. Policy Statement... 4 5. Top Management

More information

Audit, Finance and Legislative Committee Mayor Craig Lowe, Chair Mayor-Commissioner Pro Tem Thomas Hawkins, Member

Audit, Finance and Legislative Committee Mayor Craig Lowe, Chair Mayor-Commissioner Pro Tem Thomas Hawkins, Member City of Gainesville Inter-Office Communication April 3, 2012 TO: FROM: SUBJECT: Audit, Finance and Legislative Committee Mayor Craig Lowe, Chair Mayor-Commissioner Pro Tem Thomas Hawkins, Member Brent

More information

Updating Your Skills from Microsoft Exchange Server 2003 or Exchange Server 2007 to Exchange Server 2010 Course 10165; 5 Days, Instructor-led

Updating Your Skills from Microsoft Exchange Server 2003 or Exchange Server 2007 to Exchange Server 2010 Course 10165; 5 Days, Instructor-led Updating Your Skills from Microsoft Exchange Server 2003 or Exchange Server 2007 to Exchange Server 2010 Course 10165; 5 Days, Instructor-led Course Description There are two main reasons for the course.

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

Implementation of ITIL in a Moroccan company: the case of incident management process

Implementation of ITIL in a Moroccan company: the case of incident management process www.ijcsi.org 30 of ITIL in a Moroccan company: the case of incident management process Said Sebaaoui 1, Mohamed Lamrini 2 1 Quality Statistic Computing Laboratory, Faculty of Science Dhar el Mahraz, Fes,

More information

REMOTE INFRASTRUCTURE MANAGEMENT COURSE CURRICULUM

REMOTE INFRASTRUCTURE MANAGEMENT COURSE CURRICULUM On a Mission to Transform Talent REMOTE INFRASTRUCTURE MANAGEMENT COURSE CURRICULUM Table of Contents Module 1: Introduction to Hardware and Networking (Duration: 1.5 Weeks)...1 Module 2: Windows XP Professional

More information

Distribution: Sheryl L. Sculley, City Manager Gloria Hurtado, Assistant City Manager Ben Gorzell, Chief Financial Officer Dr.

Distribution: Sheryl L. Sculley, City Manager Gloria Hurtado, Assistant City Manager Ben Gorzell, Chief Financial Officer Dr. Distribution: Sheryl L. Sculley, City Manager Gloria Hurtado, Assistant City Manager Ben Gorzell, Chief Financial Officer Dr. Thomas Schlenker, Director, San Antonio Metropolitan Health District Robert

More information

Audit Report. Natural Resources Conservation Service Water and Climate Information System Review of Application Controls Portland, Oregon

Audit Report. Natural Resources Conservation Service Water and Climate Information System Review of Application Controls Portland, Oregon U.S. Department of Agriculture Office of Inspector General Western Region Audit Report Natural Resources Conservation Service Water and Climate Information System Review of Application Controls Portland,

More information

REGIONAL CENTER DISASTER RECOVERY PLAN

REGIONAL CENTER DISASTER RECOVERY PLAN APPENDIX L REGIONAL CENTER DISASTER RECOVERY PLAN I. ADMINISTRATIVE INFORMATION: A. Introduction to Operational Recovery Plan B. Procedures to update and Distribute ORP C. Process to test ORP D. Plans

More information

Risk Considerations for Internal Audit

Risk Considerations for Internal Audit Risk Considerations for Internal Audit Cecile Galvez, Deloitte & Touche LLP Enterprise Risk Services Director Traci Mizoguchi, Deloitte & Touche LLP Enterprise Risk Services Senior Manager February 2013

More information

IT Infrastructure is Key to Growth. Infrastructure nventory.

IT Infrastructure is Key to Growth. Infrastructure nventory. Introduction. The overall objective of an Information Technology (IT) Assessment is to evaluate whether an enterprise s current IT strategy is tightly coupled to the enterprise plans and challenges. Current

More information

SUSD IT Disaster Recovery Plan. Tom Clark, Chief Technology Officer

SUSD IT Disaster Recovery Plan. Tom Clark, Chief Technology Officer SUSD IT Disaster Recovery Plan Tom Clark, Chief Technology Officer Rationale for a Disaster Recovery Plan Need for DRP Identified in the District s Auditor General Report Best practice for IT organizations

More information

CONTINUITY OF OPERATIONS AUDIT PROGRAM EVALUATION AND AUDIT

CONTINUITY OF OPERATIONS AUDIT PROGRAM EVALUATION AND AUDIT CONTINUITY OF OPERATIONS AUDIT PROGRAM EVALUATION AND AUDIT April 16, 2014 INTRODUCTION Purpose The purpose of the audit is to give assurance that the development of the Metropolitan Council s Continuity

More information

Western Intergovernmental Audit Forum

Western Intergovernmental Audit Forum Western Intergovernmental Audit Forum Business Continuity & Disaster Recovery Planning September 12, 2013 Presented by: City of Phoenix City Auditor Department Aaron Cook, Sr Internal Auditor IT Audit

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

SCHEDULE 3.9 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT DISASTER RECOVERY PLAN GUIDELINES

SCHEDULE 3.9 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT DISASTER RECOVERY PLAN GUIDELINES SCHEDULE 3.9 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT Disaster Recovery Plan Guidelines Northrop Grumman will provide a comprehensive disaster recovery plan that incorporates Disaster Recovery Institute

More information

Version 8.0 2014 Copyright Janco Associates, Inc. - http://www.e-janco.com Page 1

Version 8.0 2014 Copyright Janco Associates, Inc. - http://www.e-janco.com Page 1 Version 8.0 2014 Copyright Janco Associates, Inc. - http://www.e-janco.com Page 1 Table of Contents 1 1.0 Plan Introduction... 4 1.1 Mission and Objectives... 5 Compliance... 5 ISO Compliance Process...

More information

A Message from Auditor of State Betty Montgomery INSIDE. The Ohio Auditor of State's. Volume 4, Issue 1 Winter 2007. BEST Practices.

A Message from Auditor of State Betty Montgomery INSIDE. The Ohio Auditor of State's. Volume 4, Issue 1 Winter 2007. BEST Practices. The Ohio Auditor of State's Volume 4, Issue 1 Winter 2007 INSIDE Introduction 2 A Message from Auditor of State Betty Montgomery Disaster Recovery Planning Objectives Involve Elected Officials / Upper

More information

EXECUTIVE SUMMARY...5

EXECUTIVE SUMMARY...5 Table of Contents EXECUTIVE SUMMARY...5 CONTEXT...5 AUDIT OBJECTIVE...5 AUDIT SCOPE...5 AUDIT CONCLUSION...6 KEY OBSERVATIONS AND RECOMMENDATIONS...6 1. INTRODUCTION...9 1.1 BACKGROUND...9 1.2 OBJECTIVES...9

More information

I. What benefits do you hope to achieve by engaging in this project? Ensuring that staff are

I. What benefits do you hope to achieve by engaging in this project? Ensuring that staff are Capstone Project Summary I. What benefits do you hope to achieve by engaging in this project? Ensuring that staff are educated about the emergency procedures and plan in place to address actions during

More information

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy: Executive Summary Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Program (ISP) that is approved by the head of the institution. 1 Governance

More information

Office of Information Technology

Office of Information Technology Office of Information Technology Core Services Resilience Plan Version 6.5.6 March 2010 Page 1 of 13 Table of Contents Overview... 3 Background... 4 OIT Organizational Resilience Program... 4 Data Centers...

More information

IT Risk Assessment Action Plan. South Staffordshire District Council Audit 2010/11

IT Risk Assessment Action Plan. South Staffordshire District Council Audit 2010/11 IT Risk Assessment Action Plan South Staffordshire District Council Audit 2010/11 The Audit Commission is a public corporation set up in 1983 to protect the public purse. The Commission appoints auditors

More information