SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT IT IT Backup, Recovery and Disaster Recovery Planning

Transcription

1 SOUTH LAKELAND DISTRICT COUNCIL INTERNAL AUDIT FINAL REPORT IT IT Backup, Recovery and Disaster Recovery Planning Executive Summary Introduction As part of the 2011/12 Audit Plan and following discussions with the IT Services Manager, a computer audit was undertaken to review South Lakeland District Council s and Eden District Council s IT back-up and recovery arrangements and disaster recovery planning. Effective data back-up is essential to enable the Councils to recover business information in the event of a system failure or disk crash, and to ensure that all important information can be restored without disruption in a timely way. IT Disaster Plans provide for a structured and timely recovery of services in the event of an IT disaster and supports the Councils overall business continuity plans. They can reduce disruption to an acceptable level, should a significant IT incident occur. Audit Objectives The objective of the audit was to provide reasonable assurance that effective back-up and recovery procedures in place and to confirm that, suitable plans have been developed relating to IT Disaster Recovery Planning, which will minimise data loss and contain disruption to Council business to an acceptable level. The work involved discussions with management and key staff at both sites responsible for back-up and recovery operations and for development, implementation and operation of the disaster recovery strategy, together with a review of procedures and associated logs and observation of the back-up process. The objectives of the audit were discussed and agreed in advance with Ben Wright, IT Services Manager. Details of the audit methodology are provided in Appendix 1. Audit Conclusion Substantial Assurance Key Points Substantial Assurance No major issues identified. Five important issues. Three minor issues. As a result of the audit we have concluded that while there is a basically sound system of control, there are weaknesses, which may put some of the system objectives at risk. This review covers two related areas, Data Backup and Recovery, and Disaster Recovery Planning. These are listed separately as detailed below. Regarding the Backup and Recovery arrangements, the existing backup regime appears to be technically sound, providing a solid basis for the recovery of data when this becomes necessary. Internal Audit have however, raised one important recommendation, which relates to updating and publishing the strategy to user management. In addition we have also raised two minor issues, which cover: Page 1

2 updating procedure documentation, and; introducing checks on media age and quality. In relation to Disaster Recovery Planning, it is considered that although basic plans are in place, some updating and further development is required. As a result four important recommendations have been raised, which relate to: completion of the existing Disaster Recovery Plans; ensuring regular review and testing of the Plans; identifying alternative facilities for IT staff, and including loss of data communications within the Disaster Recovery Plans. There is also one minor issue, which concerns further analysis of key technical risks. We have received a constructive management response from Ben Wright, IT Services Manager, accepting each of our recommendations. It should be noted that the majority of responses relate to the formulation of a Managed Backup Contract through an external provider; if this does not proceed a different course of action would be required. Acknowledgement Internal Audit would like to thank IT staff at both Councils for their co-operation and assistance during the review. Page 2

3 Recommendation 1 Responsibility: IT Services Manager Priority: 2 Management should ensure that the current backup strategy is updated to cover both sites, and issued to user management. The document should specify the backup frequencies, and include information regarding the generations being retained. It is important that there is a documented back-up strategy in place. This should provide a simple, clear description of the approach to back-up and recovery of systems and data, and include information on the retention of data. The Strategy should be published to user management so that there is clear understanding and agreement regarding the cover provided. The current strategy appears technically sound but is not fully documented for both South Lakeland and Eden. Reference to data retention is covered within the Service Level Agreement for both sites, but there is insufficient detail to assume user agreement is fully understood and acknowledged. A managed backup and disaster recovery contract is being finalised for both Councils. Once in place the backup and recovery documentation can be updated. Accepted Implementation Deadline: March 2013 Page 3

4 Recommendation 2 Responsibility: IT Services Manager Priority: 3 The Council should ensure that backup and recovery procedure documentation is updated as soon as practical. It is important that there are clearly documented procedures for each back-up and recovery operation. Complete and up-to-date procedures ensure that the correct and consistent back-up processes are followed and support skill sharing; currently being adopted to enable continuity of service in the absence of key staff. In the past these areas have been well documented but following the recent system/software changes, updates have not yet been applied to the SLDC documentation. A managed backup and disaster recovery contract is being finalised for both Councils. Once in place the backup and recovery documentation can be updated. It should be noted that as part of the contract, the backup solution for both Councils will be implemented, maintained and supported by an external company. Documentation will be provided as part of the contract. Accepted Implementation Deadline: March 2013 Page 4

5 Recommendation 3 Responsibility: IT Services Manager Priority: 3 The Council should ensure suitable life cycle and error thresholds for backup media are agreed and that arrangements are put in place to monitor these. Good practice requires that suitable policies and monitoring arrangements are in place regarding media life-cycles in order to ensure the integrity of stored data. In practice it is likely that high numbers of errors would become apparent resulting in the withdrawal of a faulty tape; however there are currently no formal monitoring arrangements at either Council to ensure the effective management of backup media, including suitable lifecycle arrangements. Dealing with Media Errors has been built into the contract for the provision of the managed backup service. It will be the responsibility of the solution provider. Accepted Implementation Deadline: December 2012 Page 5

6 Recommendation 4 Responsibility: IT Services Manager Priority: 2 The Council should agree a target date for completion of the outstanding items in the Disaster Recovery Plans (as marked within the documents). In addition, the future approval process for these Plans should be clarified and formalised. While an IT disaster, by definition, is likely to seriously impact upon Council activities, an IT Disaster Plan can minimise disruption to services. Even a relatively basic and brief document with a well-structured plan for restoration of systems may considerably reduce business interruptions and minimise any delays to recovery. Such documents are in place at both sites but although well advanced, are not fully complete, with some items marked as to be completed or under development. The existing Plans have previously been agreed by senior management but it is assumed that future plans will be approved by the joint service board; however this point should be clarified. It is agreed that the Disaster Recovery Documents need to be updated along with the implementation of the new managed backup contract. Accepted Implementation Deadline: March 2013 Page 6

7 Recommendation 5 Responsibility: IT Services Manager Priority: 2 Management should ensure that arrangements are made for regular reviews of the Disaster Recovery Plans to be undertaken and also that appropriate testing of the Plans is carried out at agreed intervals. It is important that there is a process for reviewing, and if necessary updating the IT Disaster Recovery Plans on a regular basis, so that they remain relevant and continue to support business recovery. Also, in order to be useful, it is important that the IT Disaster Recovery Plan has been proven to be clear and effective by regular, documented testing. A variety of tests can be appropriate against the whole or part of the Plans, real or desk based. Plans at both sites, South Lakeland and Eden, have been regularly reviewed in the past, but the SLDC document has not been updated since September There has been testing of recovery and of the Plans in the past but not for some time, the current versions of the Plans have not been tested; however it should be noted that live or actual recovery of data has occurred through the normal course of business. Previous testing of the Plan and recovery has been undertaken, including the use of third party providers. The Disaster Recovery Plans will be reviewed Quarterly by IT services. Recovering systems and associated testing is built into the Managed Backup and Disaster Recovery contract and will be tested annually. Accepted Implementation Deadline: March 2013 Page 7

8 Recommendation 6 Responsibility: IT Services Manager Priority: 2 It is recommended that possible alternative facilities and accommodation for IT support staff should be identified and assessed; and included in the Disaster Recovery Plans. In the event that the Disaster Recovery Plan needs to be invoked, it is essential that alternative IT site arrangements have been agreed, which will fully accommodate the required staffing and equipment. At both sites, the Plan refers to the use of off-site hosted computer facilities provided by a third party, but does not appear to take any account of the possible need for an alternative location and facilities for IT staff. It is agreed a review is required and the Disaster Recovery Documents will be updated to reflect the outcome. Accepted Implementation Deadline: March 2013 Page 8

9 Recommendation 7 Responsibility: IT Services Manager Priority: 2 Management should review and assess the loss of the various communication links; and consider alternative remedies for inclusion within the Disaster Recovery Plans. It is important that consideration has been given to the timely replacement of support facilities, including communications. For both sites, the documentation contains references to telephone systems and data communications support but their loss does not appear to be considered or explanations provided relating to how such issues could be addressed. Many key systems will not function without data communications, particularly the connection to the internet, which would prevent the third party Disaster Recovery contract from being used. A review of network links is taking place as part of our risk assessment process. Provision of an internet connection is built into the Disaster Recovery contract. Disaster Recovery for the telephone systems will be reviewed as part of the implementation of Microsoft Lync into both Councils. Accepted Implementation Deadline: July 2013 Page 9

10 Recommendation 8 Responsibility: IT Services Manager Priority: 3 The IT Services Manager should arrange for the key technical risks to be given more detailed consideration and for possible remedies to be identified and listed within the appropriate documentation. It is important that the main risks relating to possible IT Disaster incidents have been identified, documented and addressed within the IT Disaster Recovery Plans. For both sites, there is a list of general risks (fire, flood, power, telecommunications and hardware) but there is no detailed analysis of risks and related impact, nor are any possible remedies identified. Although the documentation appears to be too general, top level contacts for each of these facilities are included (internal and external). As part of reviewing the Disaster Recovery Documentation we will add more detail covering the areas suggested. Accepted Implementation Deadline: March 2013 Page 10

11 AUDIT FRAMEWORK APPENDIX 1 Coverage The review covered the following areas, which were agreed as part of the preliminary planning stage: - Data Backup and Storage - Data Recovery - Disaster Recovery Planning - Business Continuity Arrangements (relating to IT) - Disaster Recovery Plan Testing Methodology A system based audit approach has been used for this audit, involving the following key procedures: - determine specific management objectives for each area under review; - identify the risk applicable to each area; - evaluate controls against each of the key risks; - test key controls to establish whether they are operating as prescribed; and - report findings, with practical recommendations for improvement where appropriate. Performance Auditor: Mick McKinnell The fieldwork was performed: May - June 2012 Page 11

12 CLASSIFICATIONS APPENDIX 2 Assurance Level Unqualified Substantial Restricted None Evaluation There is an adequate system of controls designed to achieve the system objectives. While there is a reasonable system of control, there are weaknesses, which may put the system objectives at risk. Significant weaknesses have been identified in the system of control, which put the system objectives at risk. Control is weak, causing the system to be vulnerable to error abuse. Testing The controls appear to be consistently applied. Evidence was identified to suggest that the level of non-compliance with controls may put some of the system objectives at risk. The level of non-compliance identified places the system objectives at risk. Significant non-compliance with controls was identified leaving the system vulnerable to error and abuse. Audit Recommendations and Follow-up Priority 1 Priority 2 Priority 3 Recommendation Major issues that we consider need to be brought to the attention of senior management Important issues which should be addressed by management in their areas of responsibility Minor issues which provide scope for operational improvement Follow Up Follow-up will be performed at specific dates agreed with senior management. Follow-up of the recommendations will be performed by the end of the next audit year Follow-up performed by the end of the next audit year. Page 12