SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT IT IT Backup, Recovery and Disaster Recovery Planning

Size: px
Start display at page:

Download "SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT IT 11-02. IT Backup, Recovery and Disaster Recovery Planning"

Transcription

1 SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT IT IT Backup, Recovery and Disaster Recovery Planning Executive Summary Introduction As part of the 2011/12 Audit Plan and following discussions with the IT Services Manager, a computer audit was undertaken to review South Lakeland District Council s and Eden District Council s IT back-up and recovery arrangements and disaster recovery planning. Effective data back-up is essential to enable the Councils to recover business information in the event of a system failure or disk crash, and to ensure that all important information can be restored without disruption in a timely way. IT Disaster Plans provide for a structured and timely recovery of services in the event of an IT disaster and supports the Councils overall business continuity plans. They can reduce disruption to an acceptable level, should a significant IT incident occur. Audit Objectives The objective of the audit was to provide reasonable assurance that effective back-up and recovery procedures in place and to confirm that, suitable plans have been developed relating to IT Disaster Recovery Planning, which will minimise data loss and contain disruption to Council business to an acceptable level. The work involved discussions with management and key staff at both sites responsible for back-up and recovery operations and for development, implementation and operation of the disaster recovery strategy, together with a review of procedures and associated logs and observation of the back-up process. The objectives of the audit were discussed and agreed in advance with Ben Wright, IT Services Manager. Details of the audit methodology are provided in Appendix 1. Audit Conclusion Substantial Assurance Key Points Substantial Assurance No major issues identified. Five important issues. Three minor issues. As a result of the audit we have concluded that while there is a basically sound system of control, there are weaknesses, which may put some of the system objectives at risk. This review covers two related areas, Data Backup and Recovery, and Disaster Recovery Planning. These are listed separately as detailed below. Regarding the Backup and Recovery arrangements, the existing backup regime appears to be technically sound, providing a solid basis for the recovery of data when this becomes necessary. Internal Audit have however, raised one important recommendation, which relates to updating and publishing the strategy to user management. In addition we have also raised two minor issues, which cover: Page 1

2 updating procedure documentation, and; introducing checks on media age and quality. In relation to Disaster Recovery Planning, it is considered that although basic plans are in place, some updating and further development is required. As a result four important recommendations have been raised, which relate to: completion of the existing Disaster Recovery Plans; ensuring regular review and testing of the Plans; identifying alternative facilities for IT staff, and including loss of data communications within the Disaster Recovery Plans. There is also one minor issue, which concerns further analysis of key technical risks. We have received a constructive management response from Ben Wright, IT Services Manager, accepting each of our recommendations. It should be noted that the majority of responses relate to the formulation of a Managed Backup Contract through an external provider; if this does not proceed a different course of action would be required. Acknowledgement Internal Audit would like to thank IT staff at both Councils for their co-operation and assistance during the review. Page 2

3 Recommendation 1 Responsibility: IT Services Manager Priority: 2 Management should ensure that the current backup strategy is updated to cover both sites, and issued to user management. The document should specify the backup frequencies, and include information regarding the generations being retained. It is important that there is a documented back-up strategy in place. This should provide a simple, clear description of the approach to back-up and recovery of systems and data, and include information on the retention of data. The Strategy should be published to user management so that there is clear understanding and agreement regarding the cover provided. The current strategy appears technically sound but is not fully documented for both South Lakeland and Eden. Reference to data retention is covered within the Service Level Agreement for both sites, but there is insufficient detail to assume user agreement is fully understood and acknowledged. A managed backup and disaster recovery contract is being finalised for both Councils. Once in place the backup and recovery documentation can be updated. Accepted Implementation Deadline: March 2013 Page 3

4 Recommendation 2 Responsibility: IT Services Manager Priority: 3 The Council should ensure that backup and recovery procedure documentation is updated as soon as practical. It is important that there are clearly documented procedures for each back-up and recovery operation. Complete and up-to-date procedures ensure that the correct and consistent back-up processes are followed and support skill sharing; currently being adopted to enable continuity of service in the absence of key staff. In the past these areas have been well documented but following the recent system/software changes, updates have not yet been applied to the SLDC documentation. A managed backup and disaster recovery contract is being finalised for both Councils. Once in place the backup and recovery documentation can be updated. It should be noted that as part of the contract, the backup solution for both Councils will be implemented, maintained and supported by an external company. Documentation will be provided as part of the contract. Accepted Implementation Deadline: March 2013 Page 4

5 Recommendation 3 Responsibility: IT Services Manager Priority: 3 The Council should ensure suitable life cycle and error thresholds for backup media are agreed and that arrangements are put in place to monitor these. Good practice requires that suitable policies and monitoring arrangements are in place regarding media life-cycles in order to ensure the integrity of stored data. In practice it is likely that high numbers of errors would become apparent resulting in the withdrawal of a faulty tape; however there are currently no formal monitoring arrangements at either Council to ensure the effective management of backup media, including suitable lifecycle arrangements. Dealing with Media Errors has been built into the contract for the provision of the managed backup service. It will be the responsibility of the solution provider. Accepted Implementation Deadline: December 2012 Page 5

6 Recommendation 4 Responsibility: IT Services Manager Priority: 2 The Council should agree a target date for completion of the outstanding items in the Disaster Recovery Plans (as marked within the documents). In addition, the future approval process for these Plans should be clarified and formalised. While an IT disaster, by definition, is likely to seriously impact upon Council activities, an IT Disaster Plan can minimise disruption to services. Even a relatively basic and brief document with a well-structured plan for restoration of systems may considerably reduce business interruptions and minimise any delays to recovery. Such documents are in place at both sites but although well advanced, are not fully complete, with some items marked as to be completed or under development. The existing Plans have previously been agreed by senior management but it is assumed that future plans will be approved by the joint service board; however this point should be clarified. It is agreed that the Disaster Recovery Documents need to be updated along with the implementation of the new managed backup contract. Accepted Implementation Deadline: March 2013 Page 6

7 Recommendation 5 Responsibility: IT Services Manager Priority: 2 Management should ensure that arrangements are made for regular reviews of the Disaster Recovery Plans to be undertaken and also that appropriate testing of the Plans is carried out at agreed intervals. It is important that there is a process for reviewing, and if necessary updating the IT Disaster Recovery Plans on a regular basis, so that they remain relevant and continue to support business recovery. Also, in order to be useful, it is important that the IT Disaster Recovery Plan has been proven to be clear and effective by regular, documented testing. A variety of tests can be appropriate against the whole or part of the Plans, real or desk based. Plans at both sites, South Lakeland and Eden, have been regularly reviewed in the past, but the SLDC document has not been updated since September There has been testing of recovery and of the Plans in the past but not for some time, the current versions of the Plans have not been tested; however it should be noted that live or actual recovery of data has occurred through the normal course of business. Previous testing of the Plan and recovery has been undertaken, including the use of third party providers. The Disaster Recovery Plans will be reviewed Quarterly by IT services. Recovering systems and associated testing is built into the Managed Backup and Disaster Recovery contract and will be tested annually. Accepted Implementation Deadline: March 2013 Page 7

8 Recommendation 6 Responsibility: IT Services Manager Priority: 2 It is recommended that possible alternative facilities and accommodation for IT support staff should be identified and assessed; and included in the Disaster Recovery Plans. In the event that the Disaster Recovery Plan needs to be invoked, it is essential that alternative IT site arrangements have been agreed, which will fully accommodate the required staffing and equipment. At both sites, the Plan refers to the use of off-site hosted computer facilities provided by a third party, but does not appear to take any account of the possible need for an alternative location and facilities for IT staff. It is agreed a review is required and the Disaster Recovery Documents will be updated to reflect the outcome. Accepted Implementation Deadline: March 2013 Page 8

9 Recommendation 7 Responsibility: IT Services Manager Priority: 2 Management should review and assess the loss of the various communication links; and consider alternative remedies for inclusion within the Disaster Recovery Plans. It is important that consideration has been given to the timely replacement of support facilities, including communications. For both sites, the documentation contains references to telephone systems and data communications support but their loss does not appear to be considered or explanations provided relating to how such issues could be addressed. Many key systems will not function without data communications, particularly the connection to the internet, which would prevent the third party Disaster Recovery contract from being used. A review of network links is taking place as part of our risk assessment process. Provision of an internet connection is built into the Disaster Recovery contract. Disaster Recovery for the telephone systems will be reviewed as part of the implementation of Microsoft Lync into both Councils. Accepted Implementation Deadline: July 2013 Page 9

10 Recommendation 8 Responsibility: IT Services Manager Priority: 3 The IT Services Manager should arrange for the key technical risks to be given more detailed consideration and for possible remedies to be identified and listed within the appropriate documentation. It is important that the main risks relating to possible IT Disaster incidents have been identified, documented and addressed within the IT Disaster Recovery Plans. For both sites, there is a list of general risks (fire, flood, power, telecommunications and hardware) but there is no detailed analysis of risks and related impact, nor are any possible remedies identified. Although the documentation appears to be too general, top level contacts for each of these facilities are included (internal and external). As part of reviewing the Disaster Recovery Documentation we will add more detail covering the areas suggested. Accepted Implementation Deadline: March 2013 Page 10

11 AUDIT FRAMEWORK APPENDIX 1 Coverage The review covered the following areas, which were agreed as part of the preliminary planning stage: - Data Backup and Storage - Data Recovery - Disaster Recovery Planning - Business Continuity Arrangements (relating to IT) - Disaster Recovery Plan Testing Methodology A system based audit approach has been used for this audit, involving the following key procedures: - determine specific management objectives for each area under review; - identify the risk applicable to each area; - evaluate controls against each of the key risks; - test key controls to establish whether they are operating as prescribed; and - report findings, with practical recommendations for improvement where appropriate. Performance Auditor: Mick McKinnell The fieldwork was performed: May - June 2012 Page 11

12 CLASSIFICATIONS APPENDIX 2 Assurance Level Unqualified Substantial Restricted None Evaluation There is an adequate system of controls designed to achieve the system objectives. While there is a reasonable system of control, there are weaknesses, which may put the system objectives at risk. Significant weaknesses have been identified in the system of control, which put the system objectives at risk. Control is weak, causing the system to be vulnerable to error abuse. Testing The controls appear to be consistently applied. Evidence was identified to suggest that the level of non-compliance with controls may put some of the system objectives at risk. The level of non-compliance identified places the system objectives at risk. Significant non-compliance with controls was identified leaving the system vulnerable to error and abuse. Audit Recommendations and Follow-up Priority 1 Priority 2 Priority 3 Recommendation Major issues that we consider need to be brought to the attention of senior management Important issues which should be addressed by management in their areas of responsibility Minor issues which provide scope for operational improvement Follow Up Follow-up will be performed at specific dates agreed with senior management. Follow-up of the recommendations will be performed by the end of the next audit year Follow-up performed by the end of the next audit year. Page 12

SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT ACCOUNTING SYSTEM AND GENERAL LEDGER

SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT ACCOUNTING SYSTEM AND GENERAL LEDGER SOUTH LAKELAND DISTRICT COUNCIL 12-08 INTERNAL AUDIT FINAL REPORT ACCOUNTING SYSTEM AND GENERAL LEDGER Executive Summary Introduction The Council s Integra financial information and accounting system is

More information

Joint Audit Report for South Lakeland District Council. & Eden District Council

Joint Audit Report for South Lakeland District Council. & Eden District Council Joint Audit Report for South Lakeland District Council & Eden District Council Audit of IT Data Backup and Recovery Arrangements Audit of Development Management 22nd May 2015 11 th June 2015 0 Page 0 Audit

More information

SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT PAYROLL

SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT PAYROLL SOUTH LAKELAND DISTRICT COUNCIL 11-12 INTERNAL AUDIT FINAL REPORT PAYROLL Executive Summary Introduction The Council s Payroll is processed and administered by the Human Resources Section, using Trent

More information

IT Disaster Recovery and Business Resumption Planning Standards

IT Disaster Recovery and Business Resumption Planning Standards Information Technology Disaster Recovery and Business IT Disaster Recovery and Business Adopted by the Information Services Board (ISB) on May 28, 1992 Policy No: Also see: 500-P1, 502-G1 Supersedes No:

More information

Hong Kong Baptist University

Hong Kong Baptist University Hong Kong Baptist University Disaster Recovery Standard FOR INTERNAL USE ONLY Date of Issue: JULY 2012 Revision History Version Author Date Revision 1.0 Information Security Subcommittee (ISSC) July 2012

More information

Dacorum Borough Council Final Internal Audit Report. IT Business Continuity and Disaster Recovery

Dacorum Borough Council Final Internal Audit Report. IT Business Continuity and Disaster Recovery Dacorum Borough Council Final Internal Audit Report IT Business Continuity and Disaster Recovery Distribution list: Chris Gordon Group Manager Performance, Policy and Projects John Worts ICT Team Leader

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

FINAL. Internal Audit Report. Data Centre Operations and Security

FINAL. Internal Audit Report. Data Centre Operations and Security FINAL Internal Audit Report Data Centre Operations and Security Document Details: Reference: Report nos from monitoring spreadsheet/2013.14 Senior Manager, Internal Audit & Assurance: ext. 6567 Engagement

More information

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department

More information

Disaster Recovery Planning

Disaster Recovery Planning Disaster Recovery Planning This is a brief guide, with a suggested table of contents, to help you get started with putting together your Disaster Recovery Plan (DRP) Pensar can assist you in completing

More information

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA 1 Chapter-4: Business Continuity Planning and Disaster Recovery Planning PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA Learning Objectives 2 To understand the concept of Business Continuity Management To understand

More information

Does it state the management commitment and set out the organizational approach to managing information security?

Does it state the management commitment and set out the organizational approach to managing information security? Risk Assessment Check List Information Security Policy 1. Information security policy document Does an Information security policy exist, which is approved by the management, published and communicated

More information

Business Continuity Planning and Disaster Recovery Planning

Business Continuity Planning and Disaster Recovery Planning 4 Business Continuity Planning and Disaster Recovery Planning Basic Concepts 1. Business Continuity Management: Business Continuity means maintaining the uninterrupted availability of all key business

More information

Success or Failure? Your Keys to Business Continuity Planning. An Ingenuity Whitepaper

Success or Failure? Your Keys to Business Continuity Planning. An Ingenuity Whitepaper Success or Failure? Your Keys to Business Continuity Planning An Ingenuity Whitepaper May 2006 Overview With the level of uncertainty in our world regarding events that can disrupt the operation of an

More information

San Francisco Chapter. Information Systems Operations

San Francisco Chapter. Information Systems Operations Information Systems Operations Overview Operations as a part of General Computer Controls Key Areas of focus within Information Systems Operations Key operational risks Controls generally associated with

More information

IT Assurance - Business Continuity and Disaster Recovery

IT Assurance - Business Continuity and Disaster Recovery Audit Summary Report October 2006 PAPER D IT Assurance - Business Continuity and Disaster Recovery Audit 2006/2007 Paper D - 1 External audit is an essential element in the process of accountability for

More information

DISASTER RECOVERY AND CONTINGENCY PLANNING CHECKLIST FOR ICT SYSTEMS

DISASTER RECOVERY AND CONTINGENCY PLANNING CHECKLIST FOR ICT SYSTEMS Appendix L DISASTER RECOVERY AND CONTINGENCY PLANNING CHECKLIST FOR ICT SYSTEMS I. GETTING READY A. Obtain written commitment from top management of support for contingency planning objectives. B. Assemble

More information

AUDIT GUIDELINES FOR SCHOOL DISASTER RECOVERY PLANNING

AUDIT GUIDELINES FOR SCHOOL DISASTER RECOVERY PLANNING AUDIT GUIDELINES FOR SCHOOL DISASTER RECOVERY PLANNING Introduction It has become increasingly common for schools to place a great deal of reliance upon PC s and computer systems to manage and operate

More information

Appendix 6c. Final Internal Audit Report Disaster Recovery Planning. June 2007. Report 6c Page 1 of 15

Appendix 6c. Final Internal Audit Report Disaster Recovery Planning. June 2007. Report 6c Page 1 of 15 Appendix 6c Final Internal Audit Report Disaster Recovery Planning June 2007 Report 6c Page 1 of 15 Contents Page Executive Summary 3 Observations and Recommendations 8 Appendix 1 - Audit Framework 13

More information

Disaster Recovery Plan Documentation for Agencies Instructions

Disaster Recovery Plan Documentation for Agencies Instructions California Office of Information Security Disaster Recovery Plan Documentation for Agencies Instructions () November 2009 SCOPE AND PURPOSE The requirements included in this document are applicable to

More information

Disaster Recovery and Business Continuity Plan

Disaster Recovery and Business Continuity Plan Disaster Recovery and Business Continuity Plan Table of Contents 1. Introduction... 3 2. Objectives... 3 3. Risks... 3 4. Steps of Disaster Recovery Plan formulation... 3 5. Audit Procedure.... 5 Appendix

More information

Business Continuity Management For Small to Medium-Sized Businesses

Business Continuity Management For Small to Medium-Sized Businesses Business Continuity Management For Small to Medium-Sized Businesses Produced by NORMIT and Norfolk County Council Resilience Team For an electronic copy of this document visit www.normit.org Telephone

More information

Audit Report for South Lakeland District Council. People and Places Directorate Neighbourhood Services. Audit of Grounds Maintenance

Audit Report for South Lakeland District Council. People and Places Directorate Neighbourhood Services. Audit of Grounds Maintenance Audit Report for South Lakeland District Council People and Places Directorate Neighbourhood Services Audit of Grounds Maintenance Cumbria Shared Internal Audit Service: Internal Audit Report 7 th November

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center IT Business Continuity Planning No: Effective: OSC-13 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

SUBJECT: REPLACEMENT OF CORPORATE ELECTRONIC DATA STORAGE, BACKUP AND DISASTER RECOVERY SOLUTIONS

SUBJECT: REPLACEMENT OF CORPORATE ELECTRONIC DATA STORAGE, BACKUP AND DISASTER RECOVERY SOLUTIONS REPORT TO CABINET TO BE HELD ON 15 SEPTEMBER 2015 Key Decision No Forward Plan Ref No 23K Corporate Priority The proposals in this report contribute to the delivery of all the Council s priorities Cabinet

More information

Business Continuity Business Impact Analysis arrangements

Business Continuity Business Impact Analysis arrangements Aberdeen City Council Internal Audit Report 2012/2013 for Aberdeen City Council May 2013 Business Continuity Business Impact Analysis arrangements Final Report Contents Section Page 1. Executive Summary

More information

Oadby and Wigston Borough Council. Information and Communications Technology (I.C.T.) Section

Oadby and Wigston Borough Council. Information and Communications Technology (I.C.T.) Section Appendix 1 Oadby and Wigston Borough Council Information and Communications Technology (I.C.T.) Section Information Communication Technology Contingency and Disaster Recovery Plan Version 0.1 10/04/09

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

HUNTINGDONSHIRE DISTRICT COUNCIL. Internal Audit Service: Annual Report. Meeting/Date: Corporate Governance Panel 15 July 2015

HUNTINGDONSHIRE DISTRICT COUNCIL. Internal Audit Service: Annual Report. Meeting/Date: Corporate Governance Panel 15 July 2015 Public Key Decision - No HUNTINGDONSHIRE DISTRICT COUNCIL Title: Internal Audit Service: Annual Report Meeting/Date: Corporate Governance Panel 15 July 2015 Executive Portfolio: Report by: Ward(s) affected:

More information

Balancing and Settlement Code BSC PROCEDURE BSCP537. QUALIFICATION PROCESS FOR SVA PARTIES, SVA PARTY AGENTS AND CVA MOAs

Balancing and Settlement Code BSC PROCEDURE BSCP537. QUALIFICATION PROCESS FOR SVA PARTIES, SVA PARTY AGENTS AND CVA MOAs Balancing and Settlement Code BSC PROCEDURE BSCP537 QUALIFICATION PROCESS FOR SVA PARTIES, SVA PARTY AGENTS AND CVA MOAs APPENDIX 3 GUIDANCE NOTES ON COMPLETING THE SAD Version 2.0 Date: 10 September 2007

More information

Summary of Information Technology General Control Environment Findings for the year ended 30 June 2015

Summary of Information Technology General Control Environment Findings for the year ended 30 June 2015 Summary of Inmation Technology General Control Environment Findings the year ended 30 June 2015 1 Change management Complete Revisiting the Change Management control process documentation and updating

More information

AUDITING A BCP PLAN. Thomas Bronack Auditing a BCP Plan presentation Page: 1

AUDITING A BCP PLAN. Thomas Bronack Auditing a BCP Plan presentation Page: 1 AUDITING A BCP PLAN Thomas Bronack Auditing a BCP Plan presentation Page: 1 What are the Objectives of a Good BCP Plan Protect employees Restore critical business processes or functions to minimize the

More information

Governance and Audit Committee 23 November 2015

Governance and Audit Committee 23 November 2015 Agenda Item 7 Governance and Audit Committee 23 November 2015 Welland Internal Audit Consortium Internal Audit Plan & Performance Update 2015/16 Purpose of report: To provide Members with information on

More information

DRAFT Disaster Recovery Policy Template

DRAFT Disaster Recovery Policy Template DRAFT Disaster Recovery Policy Template NOTE: This is a boiler plate template much information is needed from to finalizeconsider this document pre-draft FOREWARD... 3 Policy Overview...

More information

A recordkeeping update for Queensland public authorities reissued April, 2013

A recordkeeping update for Queensland public authorities reissued April, 2013 Public records brief A recordkeeping update for Queensland public authorities reissued April, 2013 Identifying and managing vital records This Public Records Brief provides advice to public authorities

More information

Massachusetts Institute of Technology. Functional Area Recovery Management Team Plan Development Template

Massachusetts Institute of Technology. Functional Area Recovery Management Team Plan Development Template Massachusetts Institute of Technology Functional Area Recovery Management Team Plan Development Template Public Distribution Version For further information, contact: Jerry Isaacson MIT Information Security

More information

This policy is not designed to use systems backup for the following purposes:

This policy is not designed to use systems backup for the following purposes: Number: AC IT POL 003 Subject: Backup and Restore Policy 1. PURPOSE The backup and restore policy establishes the need and rules for performing periodic system backup to permit timely restoration of Africa

More information

IT Disaster Recovery Plan Template

IT Disaster Recovery Plan Template HOPONE INTERNET CORP IT Disaster Recovery Plan Template Compliments of: Tim Sexton 1/1/2015 An information technology (IT) disaster recovery (DR) plan provides a structured approach for responding to unplanned

More information

IT Disaster Recovery Plan Template. By Paul Kirvan, CISA, CISSP, FBCI, CBCP

<Client Name> IT Disaster Recovery Plan Template. By Paul Kirvan, CISA, CISSP, FBCI, CBCP IT Disaster Recovery Plan Template By Paul Kirvan, CISA, CISSP, FBCI, CBCP Revision History REVISION DATE NAME DESCRIPTION Original 1.0 2 Table of Contents Information Technology Statement

More information

COMMERCIALISM INTEGRITY STEWARDSHIP. Back-up Policy & Guidance

COMMERCIALISM INTEGRITY STEWARDSHIP. Back-up Policy & Guidance Back-up Policy & Guidance Document Control Document Details Author Adrian Last Company Name The Crown Estate Division Name Information Services Document Name Back Up Policy Version Date 10/10/12 Effective

More information

Business continuity strategy

Business continuity strategy Business continuity strategy 2009 2012 Table of contents 1 Why this strategy is needed 3 2 Aim of the strategy 4 3 Our approach to business continuity 4 PROCESS 4 STRUCTURE 5 DOCUMENTATION 6 DISRUPTION

More information

Introduction UNDERSTANDING BUSINESS CONTINUITY MANAGEMENT

Introduction UNDERSTANDING BUSINESS CONTINUITY MANAGEMENT INFORMATION SECURITY: UNDERSTANDING BUSINESS CONTINUITY MANAGEMENT FACTSHEET This factsheet will introduce you to Business Continuity Management (BCM), which is a process developed to counteract systems

More information

Vendor Management. Outsourcing Technology Services

Vendor Management. Outsourcing Technology Services Vendor Management Outsourcing Technology Services Objectives Board and Senior Management Responsibilities Risk Management Program Risk Assessment Service Provider Selection Contracts Ongoing Monitoring

More information

Offsite Disaster Recovery Plan

Offsite Disaster Recovery Plan 1 Offsite Disaster Recovery Plan Offsite Disaster Recovery Plan Presented By: Natan Verkhovsky President Disty Portal Inc. 2 Offsite Disaster Recovery Plan Introduction This document is a comprehensive

More information

ASX CLEAR (FUTURES) OPERATING RULES Guidance Note 10

ASX CLEAR (FUTURES) OPERATING RULES Guidance Note 10 BUSINESS CONTINUITY AND DISASTER RECOVERY The purpose of this Guidance Note The main points it covers To assist participants to understand the disaster recovery and business continuity arrangements they

More information

A Best Practices Point of View from. Data Backup and Disaster Recovery Planning

A Best Practices Point of View from. Data Backup and Disaster Recovery Planning A Best Practices Point of View from Data Backup and Disaster Recovery Planning Security Protect Your Data Expertise Support Patient Privacy Business Continuity Plan and Restore Peace of Mind Backup and

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

University of Nottingham Emergency Procedures and Recovery Policy

University of Nottingham Emergency Procedures and Recovery Policy University of Nottingham Emergency Procedures and Recovery Policy Guidelines for High Hazard Schools and Departments 1. Introduction The University of Nottingham is committed to the identification and

More information

POLICY. 1) Business Continuity Management 2) Disaster Recovery 3) Critical Incident Management 4) Risk Management

POLICY. 1) Business Continuity Management 2) Disaster Recovery 3) Critical Incident Management 4) Risk Management POLICY Policy Title: Management Descriptors: 1) Management 2) Disaster Recovery 3) Critical Incident Management 4) Risk Management Category: Risk Management Intent Organisational Scope Definitions Policy

More information

IT REVIEW OF THE DISASTER RECOVERY ARRANGEMENTS

IT REVIEW OF THE DISASTER RECOVERY ARRANGEMENTS NOTTINGHAM CITY HOMES IT REVIEW OF THE DISASTER RECOVERY ARRANGEMENTS Report issued: February 2011 Audit Plan: The matters raised in this report are only those that came to the attention of the auditor

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Internal Audit Progress Report Performance and Overview Committee (19 th August 2015) Cheshire Fire Authority

Internal Audit Progress Report Performance and Overview Committee (19 th August 2015) Cheshire Fire Authority Internal Audit Progress Report (19 th August 2015) Contents 1. Introduction 2. Key Messages for Committee Attention 3. Work in progress Appendix A: Risk Classification and Assurance Levels Appendix B:

More information

Audit summary of Business Continuity Management in Local Government

Audit summary of Business Continuity Management in Local Government V I C T O R I A Victorian Auditor-General Audit summary of Business Continuity Management in Local Government Tabled in Parliament 1 September 2010 Local councils provide a wide range of services. Disruptions

More information

Clovis Municipal School District Information Technology (IT) Disaster Recovery Plan

Clovis Municipal School District Information Technology (IT) Disaster Recovery Plan Clovis Municipal School District Information Technology (IT) Disaster Recovery Plan Revision History REVISION DATE NAME DESCRIPTION Draft 1.0 Eric Wimbish IT Backup Disaster Table of Contents Information

More information

ASX SETTLEMENT OPERATING RULES Guidance Note 10

ASX SETTLEMENT OPERATING RULES Guidance Note 10 BUSINESS CONTINUITY AND DISASTER RECOVERY The purpose of this Guidance Note The main points it covers To assist participants to understand the disaster recovery and business continuity arrangements they

More information

Version: 1.5 2014 Page 1 of 5

Version: 1.5 2014 Page 1 of 5 Version: 1.5 2014 Page 1 of 5 1.0 Overview A backup policy is similar to an insurance policy it provides the last line of defense against data loss and is sometimes the only way to recover from a hardware

More information

IT Service Management

IT Service Management IT Service Management Service Continuity Methods (Disaster Recovery Planning) White Paper Prepared by: Rick Leopoldi May 25, 2002 Copyright 2001. All rights reserved. Duplication of this document or extraction

More information

Checklist For Business Recovery

Checklist For Business Recovery Checklist For Business Recovery Completed By: Name: Company: Room: Street: City, State, Zip: Phone #: Business Recovery Plan for: Business Recovery Plan (BRP)--LEVEL 1 (Executive Awareness/Authority) 1.

More information

Business Continuity and Capacity Building

Business Continuity and Capacity Building Business Continuity and Capacity Building April 10, 2015 Business Continuity and Capacity Building April 10, 2015 1 / 14 Developing Institutional Business Continuity Plans and Implications for Capacity

More information

Business Continuity Policy & Plans

Business Continuity Policy & Plans Agenda Item 8.3a SNCCG Governing Body 11.03.2014 Business Continuity Policy & Plans Ref Number: Version: 1 Status: Pending Approval Author: A Brown Approval body Governing Body Date Approved Date Issued

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

Information Commissioner's Office

Information Commissioner's Office Information Commissioner's Office Ian Falconer Partner T: 0161 953 6480 E: ian.falconer@uk.gt.com Internal Audit 2011-12: Business Continuity Review Last updated 6 February 2012 Will Simpson Senior Manager

More information

Business Continuity Plan

Business Continuity Plan Business Continuity Plan In accordance with FINRA Rule 4370, each FINRA member firm must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant

More information

Public Tertiary Education Sector

Public Tertiary Education Sector Auditor General Report on the Western Australian Public Tertiary Education Sector 1998 Annual Reporting Cycle Report No 5 June 1999 Western Australia A U D I T O R G E N E R A L Western Australia 4th Floor

More information

Information Technology Internal Audit Report

Information Technology Internal Audit Report Information Technology Internal Audit Report Report #2013-03 August 9, 2013 Table of Contents Page Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives... 4 Scope... 5 Testing

More information

IT Infrastructure is Key to Growth. Infrastructure nventory.

IT Infrastructure is Key to Growth. Infrastructure nventory. Introduction. The overall objective of an Information Technology (IT) Assessment is to evaluate whether an enterprise s current IT strategy is tightly coupled to the enterprise plans and challenges. Current

More information

BUSINESS CONTINUITY PLAN

BUSINESS CONTINUITY PLAN Business Logo or Name here BUSINESS CONTINUITY PLAN FOR PERSONAL CARE PROVIDERS TEMPLATE PREPARED BY DEVON COUNTY COUNCIL EMERGENCY PLANNING SERVICE BUSINESS CONTINUITY PLAN LIST OF CONTENTS 1. DISCLAIMER...

More information

LEGISLATIVE AUDIT DIVISION MEMORANDUM

LEGISLATIVE AUDIT DIVISION MEMORANDUM LEGISLATIVE AUDIT DIVISION Scott A. Seacat, Legislative Auditor Tori Hunthausen, Chief Deputy Legislative Auditor Deputy Legislative Auditors: James Gillett Angie Grove MEMORANDUM TO: CC: FROM: DATE: June

More information

Internal Audit Report Disaster Recovery / Business Continuity Planning

Internal Audit Report Disaster Recovery / Business Continuity Planning Audit Committee, 28 November 2013 Internal Audit Report Disaster Recovery / Business Continuity Planning Executive summary and recommendations Introduction As part of the Internal Audit Plan for 2013-14,

More information

Review of Information Technology s Data System Backup and Disaster Recovery Process Page 2 of 10 September 30, 2013

Review of Information Technology s Data System Backup and Disaster Recovery Process Page 2 of 10 September 30, 2013 Page 2 of 10 Scope and Objectives We reviewed the backup and disaster recovery processes utilized by DOH for information applications/systems managed by IT over the last three years. This review included

More information

Business Continuity Management in Local Government

Business Continuity Management in Local Government Business Continuity Management in Local Government Victorian Auditor-General s Report September 2010 2010-11:6 V I C T O R I A Victorian Auditor-General Business Continuity Management in Local Government

More information

FORM 20A.9 SAMPLE AUDIT PROGRAM FOR TESTING IT CONTROLS. Date(s) Completed. Workpaper Reference

FORM 20A.9 SAMPLE AUDIT PROGRAM FOR TESTING IT CONTROLS. Date(s) Completed. Workpaper Reference FORM 20A.9 SAMPLE AUDIT PROGRAM FOR TESTING IT CONTROLS Workpaper Reference Date(s) Completed Organization and Staffing procedures used to define the organization of the IT Department. 2. Review the organization

More information

Disaster Recovery Plan Review Checklist. A High-Level Internal Planning Tool to Assist State Agencies with Their Disaster Recovery Plans

Disaster Recovery Plan Review Checklist. A High-Level Internal Planning Tool to Assist State Agencies with Their Disaster Recovery Plans Disaster Recovery Plan Review Checklist A High-Level Internal Planning Tool to Assist State Agencies with Their Disaster Recovery Plans November 2008 DISASTER RECOVERY PLAN REVIEW CHECKLIST - FOR INTERNAL

More information

Continuity of Operations Planning. A step by step guide for business

Continuity of Operations Planning. A step by step guide for business What is a COOP? Continuity of Operations Planning A step by step guide for business A Continuity Of Operations Plan (COOP) is a MANAGEMENT APPROVED set of agreed-to preparations and sufficient procedures

More information

GLASGOW LIFE Review of Business Continuity Planning. Final Report

GLASGOW LIFE Review of Business Continuity Planning. Final Report Final Report INTERNAL AUDIT September 2011 Glasgow City Council Internal Audit 1 Table of Contents Section No Section Title 1 Introduction and Background 2 Audit Remit 3 Audit Opinion 4 Conclusions 5 Recommendations

More information

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public]

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public] IBX Business Network Platform Information Security Controls 2015-02- 20 Document Classification [Public] Table of Contents 1. General 2 2. Physical Security 2 3. Network Access Control 2 4. Operating System

More information

Business Continuity Planning

Business Continuity Planning Information Systems Audit and Control Association www.isaca.org Business Continuity Planning AUDIT PROGRAM & INTERNAL CONTROL QUESTIONNAIRE The Information Systems Audit and Control Association With more

More information

CONTINUITY OF OPERATIONS AUDIT PROGRAM EVALUATION AND AUDIT

CONTINUITY OF OPERATIONS AUDIT PROGRAM EVALUATION AND AUDIT CONTINUITY OF OPERATIONS AUDIT PROGRAM EVALUATION AND AUDIT April 16, 2014 INTRODUCTION Purpose The purpose of the audit is to give assurance that the development of the Metropolitan Council s Continuity

More information

2.0 RECOMMENDATIONS Members of the Committee are asked to note the information contained within this report.

2.0 RECOMMENDATIONS Members of the Committee are asked to note the information contained within this report. REPORT TO: SCRUTINY COMMITTEE 25 JUNE 2013 REPORT ON: REPORT BY: INTERNAL AUDIT REPORTS CHIEF INTERNAL AUDITOR REPORT NO: 280-2013 1.0 PURPOSE OF REPORT To submit to Members of the Scrutiny Committee a

More information

PROJECT VS. PROGRAM: THE BUSINESS CONTINUITY MANAGEMENT CHALLENGE

PROJECT VS. PROGRAM: THE BUSINESS CONTINUITY MANAGEMENT CHALLENGE PROJECT VS. PROGRAM: THE BUSINESS CONTINUITY MANAGEMENT CHALLENGE 1998 Kathleen A. Lucey W e now do very well what we set out to do 20 years ago: develop emergency response plans, run tests at alternate

More information

Technology Recovery Plan Instructions

Technology Recovery Plan Instructions State of California California Information Security Office Technology Recovery Plan Instructions SIMM 5325-A (Formerly SIMM 65A) September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF

More information

PART 10 COMPUTER SYSTEMS

PART 10 COMPUTER SYSTEMS PART 10 COMPUTER SYSTEMS 10-1 PART 10 COMPUTER SYSTEMS The following is a general outline of steps to follow when contemplating the purchase of data processing hardware and/or software. The State Board

More information

Walton Centre. Document History Date Version Author Changes 01/10/2004 1.0 A Cobain L Wyatt. Monitoring & Audit

Walton Centre. Document History Date Version Author Changes 01/10/2004 1.0 A Cobain L Wyatt. Monitoring & Audit Page 1 Walton Centre Monitoring & Audit Document History Date Version Author Changes 01/10/2004 1.0 A Cobain L Wyatt Page 2 Table of Contents Section Contents 1 Introduction 2 Responsibilities Within This

More information

Information Security Policy

Information Security Policy You can learn more about the programme by downloading the information in the related documents at the bottom of this page. Information Security Document Information Security Policy 1 Version History Version

More information

Business Continuity Management

Business Continuity Management Business Continuity Management Standard Operating Procedure Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not

More information

SECTION 15 INFORMATION TECHNOLOGY

SECTION 15 INFORMATION TECHNOLOGY SECTION 15 INFORMATION TECHNOLOGY 15.1 Purpose 15.2 Authorization 15.3 Internal Controls 15.4 Computer Resources 15.5 Network/Systems Access 15.6 Disaster Recovery Plan (DRP) 15.1 PURPOSE The Navajo County

More information

Statement of Guidance

Statement of Guidance Statement of Guidance Business Continuity Management All Licensees 1. Statement of Objectives 1.1. To enhance the resilience of the financial sector and to minimise the potential impact of a major operational

More information

INFORMATION TECHNOLOGY SERVICES IT CHANGE MANAGEMENT POLICY & PROCESS

INFORMATION TECHNOLOGY SERVICES IT CHANGE MANAGEMENT POLICY & PROCESS INFORMATION TECHNOLOGY SERVICES IT CHANGE MANAGEMENT POLICY & PROCESS Revised: 12/5/2011 Table of Contents Overview... 3 Roles and Responsibilities... 4 Management Process Definition... 6 Management Process

More information

Documentation. Disclaimer

Documentation. Disclaimer HOME UTORprotect DOCUMENTATION AMS/ROSI SERVICES CONTACT Documentation Disaster Recovery Planning Disaster Recovery Planning Disclaimer The following project outline is provided solely as a guide. It is

More information

The Complete Disaster Recovery Plan

The Complete Disaster Recovery Plan The Complete Disaster Recovery Plan Larry Mattox, VC3 1 If A Disaster Strikes, Can You? Provide your services: When your citizens need them the most? At the level needed by your citizens? Recover your

More information

What is Business Continuity Planning (BCP) / Disaster Recovery Plan(DRP)?

What is Business Continuity Planning (BCP) / Disaster Recovery Plan(DRP)? Workshop on System Audit of Banks BCP Workshop on System Audit of Banks What is Business Continuity Planning (BCP) / Disaster Recovery Plan(DRP)? - Preparedness of an organisation to ensure continuity,

More information

NORTH YORKSHIRE FIRE AND RESCUE AUTHORITY AUDIT AND PERFORMANCE REVIEW COMMITTEE 25 JUNE 2014 INTERNAL AUDIT PROGRESS REPORT TO 31 MAY 2014

NORTH YORKSHIRE FIRE AND RESCUE AUTHORITY AUDIT AND PERFORMANCE REVIEW COMMITTEE 25 JUNE 2014 INTERNAL AUDIT PROGRESS REPORT TO 31 MAY 2014 ITEM 5 NORTH YORKSHIRE FIRE AND RESCUE AUTHORITY AUDIT AND PERFORMANCE REVIEW COMMITTEE 25 JUNE 2014 INTERNAL AUDIT PROGRESS REPORT TO 31 MAY 2014 Report of the Head of Internal Audit 1.0 PURPOSE OF THE

More information

Advisory Guidelines of the Financial Supervisory Authority. Requirements regarding the arrangement of operational risk management

Advisory Guidelines of the Financial Supervisory Authority. Requirements regarding the arrangement of operational risk management Advisory Guidelines of the Financial Supervisory Authority Requirements regarding the arrangement of operational risk management These Advisory Guidelines have established by resolution no. 63 of the Management

More information

1.1 In consultation with management, to identify against business objectives, issues of self-development and training.

1.1 In consultation with management, to identify against business objectives, issues of self-development and training. London Fire Brigade is run by the London Fire and Emergency Planning Authority Fire Our vision To be a world class fire and rescue service for London, Londoners and visitors. Job Description JOB TITLE

More information

Adlib Hosting - Service Level Agreement

Adlib Hosting - Service Level Agreement Adlib Hosting - Service Level Agreement June 2014 This service level agreement (SLA) applies to the Adlib Hosting services provided by Axiell ALM Netherlands BV, and includes the activities and facilities

More information

OFFICE OF AUDITS & ADVISORY SERVICES IT DISASTER RECOVERY AUDIT FINAL REPORT

OFFICE OF AUDITS & ADVISORY SERVICES IT DISASTER RECOVERY AUDIT FINAL REPORT County of San Diego Auditor and Controller OFFICE OF AUDITS & ADVISORY SERVICES IT DISASTER RECOVERY AUDIT FINAL REPORT Chief of Audits: Juan R. Perez Audit Manager: Lynne Prizzia, CISA, CRISC Senior Auditor:

More information

Auditing in an Automated Environment: Appendix C: Computer Operations

Auditing in an Automated Environment: Appendix C: Computer Operations Agency Prepared By Initials Date Reviewed By Audit Program - Computer Operations W/P Ref Page 1 of 1 Procedures Initials Date Reference/Comments OBJECTIVE - To document the review of the computer operations

More information

Office of the Auditor General

Office of the Auditor General Office of the Auditor General Our Vision A relevant, valued and independent audit office serving the public interest as the House of Assembly s primary source of assurance on government performance. Our

More information

Overview of how to test a. Business Continuity Plan

Overview of how to test a. Business Continuity Plan Overview of how to test a Business Continuity Plan Prepared by: Thomas Bronack Phone: (718) 591-5553 Email: bronackt@dcag.com BRP/DRP Test Plan Creation and Exercise Page: 1 Table of Contents BCP/DRP Test

More information

Tufts Health Plan Corporate Continuity Strategy

Tufts Health Plan Corporate Continuity Strategy Tufts Health Plan Corporate Continuity Strategy July 2015 OVERVIEW The intent of this document is to provide external customers and auditors with a highlevel overview of the Tufts Health Plan Corporate

More information