Comhairle nan Eilean Siar Internal Audit Review DISASTER RECOVERY. Final Report 12/13-20

Transcription

1 Comhairle nan Eilean Siar Internal Audit Review Final Report 12/ th January 2013

2 CONTENTS Page SECTION 1 - EXECUTIVE SUMMARY 1-3 SECTION 2 - DETAILED FINDINGS AND RECOMMENDATIONS 4-9 SECTION 3 - ACTION PLAN 10 APPENDIX A - RESPECTIVE RESPONSIBILITIES OF MANAGEMENT 11 AND INTERNAL AUDIT Date of Visit Dec 2012 Final Report Issued 8 th January 2013 Issued to: Chief Executive Director of Finance & Corporate Resources Head of IT & Customer Services External Audit Malcolm Burr Robert Emmott Angus Macarthur Karen Jones 8 th January 2013

3 1.1 SECTION 1: EXECUTIVE SUMMARY Introduction This report has been prepared following a high level overview of the Disaster Recovery procedures in place in the Comhairle. Disaster Recovery was included as part of the internal audit work plan for 2011/12 and also 2012/13, but due to requests by management we have had to postpone the review on two occasions. This was, mainly due to new works being progressed to replace the system, and it would add no significant value to the area to be audited under such circumstances. Nevertheless, it is important that Internal Audit keep management and members informed of the present position of the disaster recovery procedures in the Comhairle. We intend to re-visit the area in April/May 2013 to confirm how the project is progressing. Disaster Recovery - the process by which you resume business after a disruptive event 8 th January

4 SECTION 1: EXECUTIVE SUMMARY (CONTINUED) 1.2 We have graded our detailed findings and recommendations, based on the likelihood of the identified weakness occurring and the impact on the Comhairle if it should occur, using the following criteria: Grade 1 - Critical High likelihood, High impact (HH) The weakness is almost bound to happen or is already happening (likelihood) and could have a significant impact on the Comhairle s services, reputation, control, financial position, statutory, regulatory or constitutional compliance if not contained Grade 2 - Contingent/Insurable Risk - Low likelihood, High impact (LH) The weakness is unlikely to happen, but would have a significant impact on the Comhairle s services, reputation, control, financial position, statutory, regulatory or constitutional compliance if it did occur Grade 3 - Housekeeping High likelihood, Low impact (HL) The weakness is almost bound to happen or is already happening but is unlikely to have a material impact on the Comhairle s services, reputation, control, financial position, statutory, regulatory or constitutional compliance, and can be contained Grade 4 - Value for Money High likelihood, Value for money impact (HV) The weakness is almost bound to happen or is already happening but if contained would have a positive impact on economy, efficiency and effectiveness in the use of resources Where we have identified isolated exceptions in our sample testing, and we consider that: - They are unlikely to recur; and Would have no significant impact if they should occur, we have classified them as low likelihood and low impact ( LL), discussed them with relevant officers and detailed them in Appendix B to this report. 8 th January

5 SECTION 1: EXECUTIVE SUMMARY (CONTINUED) 1.3 Our recommendations can be summarised and prioritised as follows: Recommendation 2.1 Appropriate disaster recovery procedures be implemented in terms of best practice. Overall grading An SLA/legal agreement be put in place to cover responsibilities, security, data sharing and termination arrangements. Once the system is installed the disaster recovery procedures should be tested to give assurance that the new system in place meets the agreed requirements We would like to thank the Head of IT & Customer Services for the co-operation and goodwill we received during the course of our internal audit fieldwork. For Comhairle Nan Eilean Siar Internal Audit Section Internal Audit Comhairle Nan Eilean Siar Sandwick Road Stornoway Isle of Lewis HS1 2BW 8 th January th January

6 SECTION 2 - DETAILED FINDINGS AND RECOMMENDATIONS 2.1 FINDINGS AND IMPLICATIONS RISK RANKING RECOMMENDATION GRADE MANAGEMENT L I COMMENT Control objective 1:The processes in place at present. At present we have reduced levels of disaster recovery controls in place. The means of safeguarding and protecting corporate data is that data is backed up to disks and taken off site and stored securely at the Sports Centre. Backups are done on a daily, weekly, monthly basis and documented to allow for easy retrieval should the need arise in the event of data loss. This process is regularly tested as part of operational restore requests and has proved to be a workable and reliable solution. However, it is necessary to have a more comprehensive plan in place so that processing can resume as soon as possible after an incident. 8 th January

7 SECTION 2 - DETAILED FINDINGS AND RECOMMENDATIONS (CONTINUED) 2.1 FINDINGS AND IMPLICATIONS RISK RANKING RECOMMENDATION GRADE MANAGEMENT L I COMMENT Control objective 1 The processes in place at present. With the current setup, should IT be faced H H Appropriate disaster recovery 1 Agreed. with any form of data failure, corruption, procedures be implemented in fire etc. there is a high risk that the systems terms of best practice. would be unavailable for a number of weeks. In this situation it is imperative that departments who run operational systems have tried and tested business continuity plans in place to provide a minimum level of service that will fulfil statutory obligations during the outage. Current arrangements do not meet best practice.. However, we understand that ongoing processes are underway to remedy this weakness. 8 th January

8 SECTION 2 - DETAILED FINDINGS AND RECOMMENDATIONS (CONTINUED) 2.1 FINDINGS AND IMPLICATIONS RISK RANKING RECOMMENDATION GRADE MANAGEMENT L I COMMENT Control objective 1: What are we doing? As part of a modernisation programme to update the Comhairle s server infrastructure it will be possible to review IT Disaster Recovery planning. We are advised by the Head of IT & Customer Services that server virtualisation has been identified as the most beneficial and the proposal is that the Comhairle replace its current server and storage facility with a virtualised infrastructure whilst also re-deploying existing equipment to a suitable disaster recovery facility at the NHS-WI site. We understand that virtualisation would allow the Comhairle to replicate its servers alongside the WIHB servers. This would do away with the processes in place of having to back up on tapes and take off site. The benefits are that the processes would be quicker, cleaner, better located and the on-line connection improved. 8 th January

9 SECTION 2 - DETAILED FINDINGS AND RECOMMENDATIONS (CONTINUED) 2.1 FINDINGS AND IMPLICATIONS RISK RANKING RECOMMENDATION GRADE MANAGEMENT L I COMMENT Control objective 1: What are we doing? Work is nearing completion on the installation of fibre optic ducting being run from the Comhairle to the NHS WI site to allow this to happen. The work that would allow the link to be in place is scheduled to be completed on Friday 14 th December. A report was presented to the Comhairle s Policy & Resources Committee on 6 th December 2012 seeking the approval of members for funding for the virtualisation project. This report was approved. 8 th January

10 SECTION 2 - DETAILED FINDINGS AND RECOMMENDATIONS (CONTINUED) 2.1 FINDINGS AND IMPLICATIONS RISK RANKING RECOMMENDATION GRADE MANAGEMENT L I COMMENT Control objective 1: Where we hope to be? A proposed legal agreement to govern the H An SLA/legal agreement be put 1 Agreed relationship between CNES and NHS-WI in place to cover responsibilities, for the purposes of site sharing has been security, data sharing and drawn up by CNES and is currently with termination arrangements. NHS-WI legal team for review. It will address issues of shared responsibilities, data security, review arrangements, dispute resolution and termination of the agreement. We would hope to have an agreement in place with NHS-WI allowing the two organisations to share external networks. All the Comhairle critical servers would be replicated on Comhairle equipment housed at the NHS-WI site.. 8 th January

11 SECTION 2 - DETAILED FINDINGS AND RECOMMENDATIONS (CONTINUED) 2.1 FINDINGS AND IMPLICATIONS RISK RANKING RECOMMENDATION GRADE MANAGEMENT L I COMMENT Control objective 1: Where we hope to be? The benefits of this would be that in the H H Once the system is installed the 1 Agreed event of a major incident at Sandwick disaster recovery procedures Road there would always be a duplicate set should be tested to give of data at the NHS-WI site, and it would be assurance that the new system in possible to resume processing within a place meets the agreed matter of hours rather than weeks or requirements. months. Other benefits realised from this project would be the freeing up of resources reducing the time taken to perform backups and removing to a secure location, more office space would be made available at Sandwick Road as the large servers take up additional space and costs would be managed more effectively as server replacement would be integrated into a rolling replacement programme over time. 8 th January

12 SECTION 3 - ACTION PLAN Ref. RECOMMENDATION RESPONSIBLE OFFICER 2.1 Appropriate disaster recovery procedures be Head of IT & implemented in terms of best practice. Customer Services. DATE OF IMPLEMENTATION Summer 2013 An SLA/legal agreement be put in place to cover responsibilities, security, data sharing and termination arrangements. Once the system is installed the disaster recovery procedures should be tested to give assurance that the new system in place meets the agreed requirements Head of IT & Customer Services. Head of IT & Customer Services. Summer 2013 Summer

13 APPENDIX A: RESPECTIVE RESPONSIBILITIES OF MANAGEMENT AND INTERNAL AUDIT Responsibility in relation to internal controls It is the responsibility of the Comhairle s management to maintain adequate and effective financial systems and to arrange for a system of internal controls. Our responsibility as internal auditors is to evaluate the financial systems and associated internal controls. In practice, we cannot examine every financial implication and accounting procedure within an activity, and we cannot substitute for management s responsibility to maintain adequate systems of internal controls over financial systems. We therefore may not identify all weaknesses that exist in this regard. Responsibilities in relation to fraud and corruption The prime responsibility for the prevention and detection of fraud and irregularities rests with management. They also have a duty to take reasonable steps to limit the opportunity for corrupt practices. It is our responsibility to review the adequacy of these arrangements, but our work does not remove the possibility that fraud, corruption or irregularity may have occurred and remained undetected. We nevertheless endeavour to plan our internal audit work so that we have reasonable expectation of detecting material fraud, but our examination should not be relied upon to disclose all such material frauds that may exist. 11