Contingency Planning and Disaster Recovery Internal Control Questionnaire

[Institution's name]
[Departments under review]
[Heads of departments under review]

A. POLICY AND SUPERVISION REVIEW

1. Was the policy reviewed for changes made since the last audit?
2. Did the board of directors' minutes indicate that the changes were authorized?
   a. Were the changes implemented through appropriate adjustments to related internal controls?
   b. Were affected personnel notified of the changes in a timely manner?
3. Did the board of directors review and approve the contingency planning and disaster recovery policy?
4. Has the board of directors requested a completed disaster recovery plan and, thereafter, has the board reviewed and approved the plan?
5. After the internal audit was performed, were all deviations from prescribed controls noted and followed up with the appropriate management level?

B. GENERAL GOALS

1. Are there planning procedures for the contingency planning and disaster recovery policy with senior management?
   a. Are there supporting memoranda and individual plans as evidence that senior management has complied with planning procedures?
   b. Have the CEO and the contingency planning officer carried out their responsibilities with respect to:
      - Assigning key personnel?
      - Assigning authorization responsibilities?
      - Prioritizing bank operations?
2. Do the board of directors' minutes since the last audit indicate that the CEO has followed through with contingency planning and disaster recovery policy testing, evaluation, and reports?

C. SPECIFIC GOALS

1. Are there specific plans for each department?
2. Do the specific plans for each department address the following items:

Disaster Recovery/Contingency Planning E2-1
   a. Departmental management and other employees with various assigned responsibilities when an emergency is occurring? Do individuals within each department understand what their emergency responsibilities are and at what point during an emergency they are to assume them?
   b. Individuals designated to provide alternative and compatible equipment to replace destroyed equipment?
   c. Management guidelines on providing initial and ongoing off-site backup, on a timely basis, of:
      - Software?
      - Data files?
      - Documentation?
      - Forms?
      - Supplies?
3. Review testing memoranda and, if possible, observe the testing of backup systems and equipment by the disaster planning committee to answer the following:
   a. Has the committee performed periodic testing per its schedule?
   b. Was the testing performed by the committee to ascertain that prescribed procedures are being followed?
4. Is an annual report prepared by the disaster planning committee?
5. Does the annual report contain the following:
   a. Items tested and items scheduled to be tested in the same time period?
6. Do the board of directors' minutes provide evidence that the board reviewed the annual report?
7. Do the board's meeting minutes indicate that the following were discussed:
   a. Variances in the schedule, if any?
   b. Problems that may have been discovered during the testing?
   c. Solutions to the problems?

D. DESIGNATION OF AUTHORITY

1. Review the composition of the disaster planning committee and verify that officers representing each of the following functions are members of the committee:
   a. Commercial loans?
   b. Accounting?
   c. Human resources?
   d. Investment/trading?
   e. ALCO?
   f. Operations?
   g. Electronic data processing?
2. Review the contingency planning and disaster recovery policy with the officers sitting on the disaster planning committee and determine that they are aware of their responsibilities as members. Do committee members list the following responsibilities for the committee:
   a. Development and documentation of systems or plans to facilitate operations in the event of a disaster?
   b. Designation of personnel and their responsibilities during an emergency? Does the structure of this designation compare roughly as follows:
      - A disaster recovery team composed of designated employees with specific assignments during a disaster?
      - A disaster recovery administrator overseeing the disaster recovery team?
      - An alternative disaster recovery administrator (called the disaster recovery coordinator) in case the disaster incapacitates the disaster recovery administrator?
   c. Setting up alternative sites for operations if current sites are destroyed or substantially disabled in an emergency?
   d. Notification of personnel in the event of a disaster?

E. DISASTER RECOVERY ADMINISTRATOR RESPONSIBILITIES

1. Does the contingency planning and disaster recovery policy require that the disaster recovery administrator perform a variety of duties? Do the disaster recovery administrator's duties include, at a minimum, the following responsibilities:
   a. To notify personnel immediately in case of a disaster?
   b. To establish the command and control center at its designated site, or to select an alternative site for establishment of the control center?
   c. To implement the disaster recovery plan after determining the extent of the disaster?
   d. To establish communication with key personnel?
   e. To provide managerial support for key personnel during the recovery?
   f. To monitor progress during the course of the disaster?
   g. To document the actions taken and the progress made?
F. DISASTER RECOVERY COORDINATOR RESPONSIBILITIES

1. Does the contingency planning and disaster recovery policy require the disaster recovery coordinator to assist the disaster recovery administrator in performing his or her duties? Does the disaster recovery coordinator list, at a minimum, the following responsibilities:
   a. To assist the disaster recovery administrator?
   b. To notify the other disaster recovery team members that there is a disaster?
   c. To activate general notification procedures?
   d. To notify personnel of the site selected as the command and control center?
   e. To provide managerial support for key personnel during the recovery? Do key personnel perform the following tasks:
      - Supervise the recovery activities?
      - Document activities that the disaster recovery administrator has not handled directly?
   f. To keep team members informed of the progress of all recovery activities, since each area depends on the others?
2. Review and determine whether the disaster recovery coordinator confirms on a regular basis that backup systems remain in place and are adequate to meet the needs of the bank in the event of a disaster.

G. DESIGNATED EMPLOYEE RESPONSIBILITIES IN DISASTER

1. Has the disaster recovery committee designated disaster recovery employees and their alternates in each division? Are these designations noted in the following:
   a. The annual report to the board of directors?
   b. The disaster recovery committee minutes?
2. Do the listings of designated employees and their alternates include home phone numbers?
3. In the various data processing memoranda and/or committee minutes, has the disaster recovery committee provided for:
   a. Adequate training for designated employees?
   b. Periodic testing of designated employees performing disaster-related responsibilities?
   c. Adequate support and guidance from committee members?
4. Through interviews of designated employees, determine whether they are aware of their duties and responsibilities. Are designated employees able to specifically detail:
   a. What their responsibilities are in a disaster, including:
      - Helping to coordinate the recovery process at a lower level than the disaster recovery coordinator?
      - Helping to assess the nature and extent of the disaster?
      - Activating recovery plans at an operations level?
      - Informing bank managers of progress and problems encountered during the recovery process?
      - Documenting steps taken and progress made during the recovery process?
   b. Whom they would report to in a disaster situation?
   c. What timing they would follow when initiating their responsibilities?
   d. What priority their responsibilities and division have in relation to other areas of the bank?

H. PRIORITIZING OPERATIONS

1. Does the contingency planning and disaster recovery policy require the disaster planning committee to prioritize operations? Review the method used by the committee to assign priority status and consider the following:
   a. Are the assigned priorities reasonable, given the methodology used to prioritize?
   b. Is each department aware of its status?
   c. Does each department understand the implications of its priority status?
2. Does a review of the board of directors' minutes indicate evidence that the board reviewed and approved the priority listing?
3. Are the areas with the highest priority sufficiently prepared to begin operations as quickly as possible in the event of a disaster?

I. BACKUP SYSTEMS

1. Through a review of the backup procedures with the officers and other appropriate employees within each division, is it evident that they are aware of their responsibilities, especially with respect to protection of data and software?
2. Are employees fully aware that the effectiveness of the backup program depends on the consistent and timely backup of data?
3. For each division affected, do the following operations occur as indicated:
   a. Customer data, including daily account balances and transactions, are backed up twice daily?
   b. A review, on a sample basis, of the computer transaction log details evidences that the backup operation has consistently been performed on a regular basis?
   c. Customer data, including daily account balances and transactions, are backed up hourly on Fridays?
   d. System modifications and changes are copied immediately, electronically documented, and supplied immediately thereafter to an off-site storage facility?
   e. Have system modifications made since the last policy audit been copied, and have copies of the modifications been stored in the off-site location?
   f. Were internal audit staff present when system modifications occurred and, therefore, do they have documentation showing that copies are held off-site?
4. Do personnel obtain proper authorization before releasing corporate or customer information?
   a. Is the information release procedures manual readily available to personnel?
   b. Do information release procedures, as followed by electronic data processing personnel and off-site storage personnel, ensure that information will not be released without proper authorization?

J. OFF-SITE STORAGE

1. Per discussions with appropriate personnel regarding the procedures for establishing and maintaining off-site storage, are the following steps part of their duties:
   a. Making sure that backup systems and files are stored off-site?
   b. Ensuring that transfer of data occurs immediately after backup by armored car?
   c. Reviewing all forms quarterly?
   d. Destroying obsolete forms after new forms are available?
2. Are the preceding procedures regularly applied during the transfer of files, per a sampling of divisions?
3. Are copies of the disaster recovery plan maintained in off-site storage?
4. Do both the bank president and the CEO each have the most recent copy of the disaster recovery plan?
5. Has the most recent copy of the disaster recovery plan also been placed in a safe deposit box at the bank?

K. COMMUNICATION PROCEDURES AND CHANNELS

1. Do the responsibilities of the public relations manager during a disaster include the following:
   a. Make all outside announcements?
   b. Obtain management review and approval before making public announcements?
   c. Ensure that the disaster damage assessment is published as soon as possible?
2. Has a disaster recovery team member been appointed to be responsible for activating communication procedures?
3. Does he/she have a clear understanding regarding the timing and extent of those responsibilities?
   a. Does activation occur only after a physical inspection of the disaster site and an assessment of damages?
   b. Are there specific procedures utilized when the disaster occurs after hours?

L. TESTING CONTINGENCY PLANS

1. Has the contingency plan been tested with as many steps as are practical?
   a. Has the internal audit staff been an active participant in the management and evaluation of the plan?
2. Were all key personnel involved in the test?
3. Were the following areas, at a minimum, tested:
   a. Data files?
   b. Equipment?
   c. Backup equipment?
4. Do testing memoranda provide details to indicate that:
   a. The test was evaluated?
   b. Any cited deficiencies were documented?
   c. Deficiencies were corrected?
   d. Deficiencies were retested?
5. Review the board of directors' minutes and determine that, when deficiencies were resolved, the board approved the final plan.
6. Once the final disaster recovery plan has been approved, has the disaster recovery committee been testing the plan on a semiannual basis?

M. FINANCIAL CONDITION OF THE SERVICE PROVIDERS

1. Do the disaster recovery committee minutes indicate that the committee has reviewed all service providers on an annual basis?
   a. Does documentation indicate a review of service providers' financial statements?
   b. Does the documentation indicate that a financial analysis was performed on those statements?
   c. Does the documentation of the service providers also include a review of copies of their backup plans?
   d. Is there an analysis of the feasibility of the service providers' backup plans?
   e. Are service providers' backup plans fully integrated into the bank's disaster recovery plans?
   f. Have the service providers' backup plans been tested with respect to backup of the bank's services?