INTERNAL AUDIT 2008/09 INFORMATION TECHNOLOGY (BUSINESS CONTINUITY)

Transcription

1 2008/09

2 SUMMARY Location Subject Business Sponsor Staff engaged Coleg Gwent Information Technology (Business Continuity) Lynda Roberts Sue Harris Head of Internal Audit Gaynor Rains Manager David Bratt Assistant Manager Date of visit December 2008 Fieldwork completed 18 December 2008 Draft report issued 14 January 2009 Management responses received 16 February Final report issued 27 February 2009 This report is supplied on the understanding that it is solely for the use of the persons to whom it is addressed and for the purposes set out herein. No person other than the addressees may rely on it for any purposes whatsoever. Baker Tilly UK Audit LLP accepts no responsibility to any other party to whom it may be shown or into whose hands it may come. PRIVATE AND CONFIDENTIAL

3 CONTENTS 1. Executive Summary 1 2. Findings and Recommendations 3 3. Action Plan 8 PRIVATE AND CONFIDENTIAL

4 1. EXECUTIVE SUMMARY 1.1 Background and Scope A review of the College s Information Technology, Business Continuity arrangements was undertaken as part of the Internal Audit plan for 2008/ Audit Objectives To review and test the Information Technology Business Continuity arrangements to provide assurance to management that the following control objectives are achieved: An appropriate and approved disaster recovery /business continuity plan is in place. The plan has been distributed appropriately and is available to all key staff. The plan has been tested and found to be appropriate for the College s needs. 1.3 Summary of findings Our review identified that the College has a detailed draft Business Continuity Plan, which currently has not been approved by the Corporation. Once this has been approved we recommend that the College carry out a test of the plan to ensure that it is appropriate and meets the needs of the College. Our review of the draft Business Continuity Plan and the IT Disaster Recovery plan found that each covers the key areas required. Our review also focused on the back up procedures which are in place within the College to assess whether they appeared appropriate and whether they are being followed in practice. Procedures were found to be operating effectively. The control objectives identified for this review have been considered by management. Our review has highlighted two control weaknesses which require attention. A complete summary of the work undertaken is included within section 2 of this report. PRIVATE AND CONFIDENTIAL 1

5 The recommendations made can be summarised as follows: Number recommendations Total: 1.4 Value for Money Risk High Medium Low The Business Continuity arrangements at the College cannot currently be assessed as effective as the Business Continuity Plan has not yet been implemented or tested. Recommendations have been made accordingly. 1.5 Statement of Assurance by Internal Audit on Information Technology, Business Continuity arrangements In our opinion, which is based upon the audit evidence obtained: The internal controls in the system are adequate to ensure that activities and procedures are operating to achieve the College s objectives for the system with one exception noted; Testing has shown the majority of the controls to be operating in practice; There are risks to the performance of the system; and Recommendations have been made to improve the controls in place. Based on this assessment, in our opinion, the controls in place over the system provide satisfactory assurance that risks material to the achievement of the College s objectives are adequately and effectively managed. PRIVATE AND CONFIDENTIAL 2

6 2. FINDINGS AND RECOMMENDATIONS 2.1 An appropriate and approved disaster recovery /business continuity plan is in place. Control Testing / Results / Implications Control operating effectively? The College has an effective and approved Business Continuity Plan in place. The College has produced a Business Continuity Plan in association with external consultants, this was initially drafted in 2007 and completed in September However, the Business Continuity Plan has not yet been presented to Corporation for approval. We were informed that the College had delayed presenting the Business Continuity Plan to Corporation as amendments may be required as a result of the potential reorganisation of the College in Yes Recommendation / Categorisation As the College does not have an approved Business Continuity Plan in place we recommend that the draft plan is presented to Corporation and tested as soon as possible and circulated to all relevant staff. The plan can be appropriately amended if the restructuring takes place. Medium A previous version of a Business Continuity Plan does not exist. Our review of the draft Business Continuity Plan concluded that it covers the key aspects required. However, without formal testing it is difficult to assess if the plan is effective. The plan contains detailed procedures in relation to Business Continuity. These include: Emergency Response Section Crisis Management Section Business Recovery Section including a break down per campus PRIVATE AND CONFIDENTIAL 3

7 2.1 An appropriate and approved disaster recovery /business continuity plan is in place. Control Testing / Results / Implications Control operating effectively? An adequate IT Disaster Recovery Plan is in place. We compared the IT Disaster Recovery Plan with best practice guidance and concluded that the key headings were included in line with best practice. Yes Recommendation / Categorisation Not applicable This aspect of the College s Business Continuity Plan has been implemented. PRIVATE AND CONFIDENTIAL 4

8 2.2 The plan has been distributed appropriately and is available to all key staff. Control Testing / Results / Implications Control operating effectively? Recommendation / Categorisation All key members of staff have access to a copy of the College s Business Continuity Plan. At present the College has not implemented the Business Continuity Plan and therefore it is not widely available to members of staff. However, the IT department has provided relevant members of staff with a copy of the Disaster Recovery Contract Call-out Procedure. This lists the relevant information in relation to the ICM contract (who provide the College with disaster recovery on hardware). No As per Copies of the Business Continuity Plan are held offsite. The Business Continuity Plan contains a list of key members of staff who the plan will be distributed to once implemented. The Business Continuity Plan has not yet been implemented. However, a copy of the IT Disaster Recovery Plan is stored in both recovery boxes held at Usk and Pontypool. Yes Not applicable PRIVATE AND CONFIDENTIAL 5

9 2.3 The plan has been tested and found to be appropriate for the College s needs. Control Testing / Results / Implications Control operating effectively? The College has tested both the disaster recovery plan and the business continuity plan and found that they are appropriate to meet the needs of the College. The College has not formally tested either of their plans due to the fact that the plans have not yet been formally approved. If the Business Continuity Plan and Disaster Recovery Plan are not tested there is a risk that potential problems within the plans may remain undetected and therefore the current plan may not be effective in practice. Yes Recommendation / Categorisation We recommend that the Disaster Recovery Plan is formally tested. We recommend that this check is formally documented and an action plan of improvements produced. Medium Discussions with the College found that they have recently had to restore the information on the exchange server following an SAN upgrade. Although there is no supporting documentation the College believe that they only lost two hours of data The College backs up all data and servers on a regular basis. The College also have a contract in place with ICM who would provide the College infrastructure in the event of a disaster. The College has a detailed back up policy in place. The College use a software programme called Backup Express which controls the back up process. Yes None We checked that the back up procedures had been followed during the weekend prior to our visit. We confirmed that the back up process had PRIVATE AND CONFIDENTIAL 6

10 2.3 The plan has been tested and found to be appropriate for the College s needs. Control Testing / Results / Implications Control operating effectively? occurred. However, we noted that the system identified 3 failures on the backup process. The IT department are to investigate these failures to determine the problem. Recommendation / Categorisation As part of the College s back up and disaster recovery procedures the College has produced two recovery boxes, one stored at Usk and the other at Pontypool. These boxes contain copies of the Colleges main software (and licence keys) as well main supplier contacts. The information within the boxes should enable the College to recover the systems in the event of a disaster. Our review of the recovery box held at Usk confirmed that the box contained all the relevant information in accordance with procedures and that the checklist had been completed to show that all information was within the box. PRIVATE AND CONFIDENTIAL 7

11 3. ACTION PLAN Ref Recommendation Category Management Response / Action To Be Taken Implementation Date / Responsibility As the College does not have an approved Business Continuity Plan in place we recommend that the draft plan is presented to Corporation and tested as soon as possible and circulated to all relevant staff. The plan can be appropriately amended if the restructuring takes place. Medium Implementation and testing of the Business Continuity Plan has been postponed until the Sustainability Action Plan has been fully implemented. Once any structural changes resulting for the Sustainability Action Plan have been implemented the Business Continuity Plan will be presented to Corporation for approval and subsequently tested. December 2009 Director of Estates & Facilities We recommend that the Disaster Recovery Plan is formally tested. We recommend that this check is formally documented and an action plan of improvements produced. Medium As above June 2010 Director of Estates & Facilities/Head of IT PRIVATE AND CONFIDENTIAL 8