AUDIT GUIDELINES FOR SCHOOL DISASTER RECOVERY PLANNING




Introduction

It has become increasingly common for schools to place a great deal of reliance upon PCs and computer systems to manage and operate both the school's academic and administrative functions. However, the School must also be aware of the consequences to those systems in the event of a disaster, security failure or loss of service. Each of these areas should be analysed and contingency plans developed and implemented to identify and reduce risks, limit the consequences of damaging incidents, and ensure the timely resumption of essential academic and administrative operations.

Contingency planning is necessary in all organisations (including schools) that use computers, and the auditors will look for evidence of a written contingency plan. Plans should be maintained and practised so that they become an integral part of other management processes. It has therefore become critical for schools to prepare an appropriate disaster recovery plan in order to cope with the possible risk of disruption to, or complete loss of, computer systems.

However, the role of the School in disaster recovery planning does not end at the creation of such a plan. Plans must be tested regularly, at appropriate intervals, to a level which demonstrates that the school can restore its normal state of operation within a time scale appropriate to the service it provides. It is accepted that most schools regularly take backup copies of their systems, but it is possible that few actually test the backup tapes to ensure that all information has been correctly saved.

Types of disaster, loss or damage to consider
- Theft
- Fire and smoke
- Sabotage and vandalism
- Flood
- Power failure
- Equipment failure

Consequences of a disaster
- Assets stolen or destroyed have to be replaced
- Disruption of academic and/or administrative functions
- Disruption of purchasing arrangements, payment procedures and income collection
- Loss of financial control and of financial reporting to Governors on the financial position of the School
- Possible liability for losses of third parties who rely on you

Page 1 of 5

Developing a Contingency and Business Continuity Plan

The process for developing and maintaining a continuity plan should bring together the following key elements:
- Understand the risks the School faces in terms of likelihood and impact. This should include identifying risks proportionate to the critical systems.
- Understand the impact that interruptions, small or large, are likely to have on the School.
- Formulate and document a continuity strategy consistent with the School's objectives and priorities.
- Formulate and document a continuity plan in line with the agreed strategy.
- Regularly test and update the plan and processes.
- Establish ownership of the plan at an appropriate level, i.e. the Headteacher.
- Consider purchasing suitable insurance to cover eventualities.

Business Continuity and Impact Analysis

Business continuity should begin by identifying events that can cause interruptions to processes. This should be followed by a risk assessment to determine the impact of those interruptions (both in terms of damage scale and recovery period). Both these activities should be carried out with the full involvement of the Governing Body, who own the resources and processes. The assessment considers all systems and is not limited to the information processing facility. Depending on the risk assessment, a strategy plan should be developed to determine the overall approach to keeping the school up and running. Once this plan has been created, the Governing Body should endorse it.

The School should consider the following:
- Each system should be risk assessed and ranked in order to determine its degree of importance to the School and the consequences of that system being unavailable.
- Each system should be analysed to ensure that any other systems reliant on it are known.
- Each system should be evaluated to ensure recovery takes place within the expected time-scale.
- Adequate backup and retention of data off site must be maintained for use in an emergency.
- Recovery is based on reasonable assumptions.
- Evaluation of each system's recovery time-scale is performed before a decision is made on the selection of re-start operations.
- Personnel must be trained in and understand the plan.
- The plan must be rehearsed.
- The plan includes financial support for extended operations.

- If another School is chosen as a Partner, its facilities have been checked to ensure that it can perform within the desired time-scale and provide adequate facilities.
- Key functions should be identified by job title, not by name.
- Analysis of current procedures to ensure all elements are included in the plan.
- Insurance cover should include consequential loss and cover for increased working costs.
- Quality checks on all plan elements.
- Check to ensure all key systems are represented in the plan.
- Frequent update and republishing of the plan: stored copies of the plan should be replaced when new issues are released.

Summary

Most of the everyday issues concerning the formulation of disaster and contingency arrangements circulate around three concepts: contingency arrangements require great attention to detail; plans must always be maintained; and plans must be stored where they can be readily found and must be known to those who will use them.

SUGGESTED BASIC FRAMEWORK FOR A DISASTER RECOVERY PLAN

Backup Procedures
Detail the procedure for backup of SIMS.

SIMS Administrator
Detail staff who have:
- Full management status in SIMS;
- Access to certain SIMS modules.
State where the SYSMAN password is stored. Identify the number and locations of those PCs where SIMS can be accessed.

Virus Protection
Detail the virus protection software in use at school. State when and how the networks/stand-alone PCs can and should be scanned. Document the procedures to be taken when a virus is detected and the action to be taken to remedy the problem.

Disaster Recovery during School Hours
This should state the following:
- The member of staff to contact initially;
- The telephone/mobile/pager number of the member of staff identified above;
- A second member of staff to contact if the initial member cannot be contacted.

Out of School Hours
This should state the following:
- The member of staff to contact initially;
- The telephone/mobile/pager number of the member of staff identified above;
- Procedures if emergency access is needed by outside contractors or North Somerset staff.
The procedures should be located in a fireproof safe with full details of passwords and contracts.

Maintenance Contracts
Detail all maintenance contracts the school has with outside bodies, including North Somerset Council IT Sections.

Daily SIMS Maintenance
This should state the procedures in place for checking the SIMS error log in SIMSMAN.

Inventory
The inventory should include both hardware and software. It should be up to date and in accordance with audit requirements.

SCHOOL NETWORK & SIMS DISASTER RECOVERY PLAN (example)

Backup Procedures
SIMS is backed up each day. Tapes are labelled Monday to Friday. Monthly tapes are kept at (1st person & job title)'s home. The Administrator replaces tapes if (1st person & job title) is away from the school.

SIMS Administrator
The SYSMAN password is kept in a sealed envelope in the school safe. (1st person & job title) and (2nd person & job title) have full Manager status in SIMS. Staff are given access to SIMS modules as required. SIMS can, in general, only be accessed from terminals located in the Head-teacher's and Administrator's offices. Very few terminals will run SIMSMAN.

Virus Protection
The user areas on the PCs are scanned regularly by Dr Solomon's virus protection software. Each PC can be selectively scanned or disinfected from the Administrator's terminal.

Disaster Recovery during School Hours
Contact (1st person & job title) either by phone or message pager. The pager number is (xx)xxx on the school phone system. If (1st person & job title) is not in school, contact (2nd person & job title) if action is needed quickly. Please leave a pager message for (1st person & job title) as well.

If there is a power cut affecting the servers, (person & job title) or (other person & job title) should turn off the server monitors to conserve the batteries in the UPS. If the power cut only lasts a few minutes, the system may keep running. If it lasts too long, the system will shut down and then restart when power is restored. CD-ROM and print servers will have to be restarted after the system has got going.

Out of School Hours
If possible, contact (contact person & job title) as above or by phoning home on (0000) 123456, or in extreme emergency contact (alternative contact person & job title) (message pager yyyyy-yyy). If emergency access to the system is needed by (company) or North Somerset staff, full details of passwords, procedures and contracts can be found in a sealed envelope in the school safe. Out-of-hours power cuts should not affect the servers, but print-server computers will need to be restarted about 5 minutes after power is restored. Check the screen to see that it starts properly. If in doubt, press the reset button again.

Maintenance Contracts
The server covers both the Administration and Academic Networks. There is basic maintenance cover available under the relevant North Somerset Contract. In addition, both servers are covered by the (name of company) care contract number 1234567, which expires xx/xx/02. Details of the contract are in the front of the Contractors event log. The school has (name of company) onsite standard support. The school customer ID is 1111. The onsite support contract number is AB4321. This runs until at least September 02. SIMS maintenance is covered by the North Somerset SIMS team.

Daily SIMS Maintenance
The SIMS error log in SIMSMAN is checked regularly and the error messages are checked daily. Most SIMS indexes are rebuilt weekly. The FMS6 indexes are rebuilt termly.
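The Introduction notes that schools take backups but rarely test that the tapes restore correctly, and the Backup Procedures section leaves the test itself unspecified. The following is an added example and not part of the original guidelines or of SIMS: a Python script that records a SHA-256 manifest at the time a backup set is taken and later checks a test restore against it, reporting files that are missing, changed (truncated or corrupt) or unexpected. The directory names, the sample data files and the two restore trees are constructed for the demonstration; a real check would point `build_manifest` at the live data directory and `verify_restore` at a restore made from the tape.

```python
"""Backup restore check: record a hash manifest when the backup is taken,
then verify a test restore against it. Added example; all paths and sample
files below are constructed for the demonstration."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large database files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source: Path) -> dict:
    """Map each file under `source` (relative POSIX path) to its size and SHA-256."""
    manifest = {}
    for path in sorted(source.rglob("*")):
        if path.is_file():
            rel = path.relative_to(source).as_posix()
            manifest[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
    return manifest


def save_manifest(manifest: dict, dest: Path) -> None:
    """Write the manifest as JSON; keep a copy with the tape label record and off site."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest.

    Reports files missing from the restore, files present but with a different
    hash (corrupt or truncated), and files present but absent from the manifest.
    The restore passes only when nothing is missing or corrupt.
    """
    corrupt, extra = [], []
    seen = set()
    for path in restored.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(restored).as_posix()
        seen.add(rel)
        if rel not in manifest:
            extra.append(rel)
        elif sha256_file(path) != manifest[rel]["sha256"]:
            corrupt.append(rel)
    missing = [rel for rel in manifest if rel not in seen]
    return {
        "missing": sorted(missing),
        "corrupt": sorted(corrupt),
        "extra": sorted(extra),
        "ok": not missing and not corrupt,
    }


def demo() -> dict:
    """Constructed scenario: a small data set, a clean restore and a damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "sims_data"                       # constructed source tree
        (source / "pupils").mkdir(parents=True)
        (source / "pupils" / "register.csv").write_text("id,name\n1,Sample Pupil\n")
        (source / "finance.db").write_bytes(b"\x00" * 4096)

        manifest_file = root / "backup_manifest.json"
        save_manifest(build_manifest(source), manifest_file)
        manifest = load_manifest(manifest_file)

        good = root / "restore_good"                      # full, intact restore
        shutil.copytree(source, good)

        bad = root / "restore_bad"                        # truncated DB, register never restored
        (bad / "pupils").mkdir(parents=True)
        (bad / "finance.db").write_bytes(b"\x00" * 2048)

        return {"good": verify_restore(manifest, good), "bad": verify_restore(manifest, bad)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "PASS" if result["ok"] else "FAIL", result)
```

The manifest is deliberately stored separately from the backup medium: a tape that has silently failed to write a file still looks complete on its own, and only a record taken from the live system at backup time exposes the gap during the restore test.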