CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Follow-up Audit of Information Technology Services Department. IT Contingency Planning



Similar documents
CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Follow-up Audit of San Antonio Fire Department. Fleet Maintenance Division. Project No.

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Follow-Up Audit of San Antonio Metropolitan Health District Laboratory Operations

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Follow-Up Audit of Finance Department. San Antonio eprocurement System (SAePS) Controls

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Audit of the Finance Department. Payroll. Project No. AU June 9, 2014

OFFICE OF THE CITY AUDITOR

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Follow-up Audit of Building & Equipment Services Department. Fuel Inventory Management

Distribution: Sheryl L. Sculley, City Manager Erik Walsh, Deputy City Manager Ben Gorzell, Chief Financial Officer Charles N. Hood, Fire Chief Martha

Distribution: Sheryl L. Sculley, City Manager Gloria Hurtado, Assistant City Manager Ben Gorzell, Chief Financial Officer Dr.

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Audit of Payment Card Industry Data Security Standards (PCI DSS) Security Governance

CITY OF SAN ANTONIO P. O. BOX SAN ANTONIO TEXAS

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Audit of Transportation and Capital Improvements. On-Call Contracts. Project No.

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Audit of Risk Management Division, Human Resources Department. Liability Insurance Fund

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Audit of Customer Service/311. CRM System. Project No. AU April 15, 2013

MANAGEMENT AUDIT REPORT DISASTER RECOVERY PLAN DEPARTMENT OF FINANCE AND ADMINISTRATIVE SERVICES INFORMATION TECHNOLOGY SERVICES DIVISION

Mecklenburg County Department of Internal Audit. PeopleSoft Application Security Audit Report 1452

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Audit of Finance Department. Workers Compensation Fund and Program. Project No.

Disaster Recovery Plan Review Checklist. A High-Level Internal Planning Tool to Assist State Agencies with Their Disaster Recovery Plans

Subject: Internal Audit of Information Technology Disaster Recovery Plan

PAPER-6 PART-5 OF 5 CA A.RAFEQ, FCA

July 6, Mr. Michael L. Joseph Chairman of the Board Roswell Park Cancer Institute Elm & Carlton Streets Buffalo, NY 14263

Global Statement of Business Continuity

Assessing Your Disaster. Andrews Hooper Pavlik PLC. Andrews Hooper Pavlik PLC

,"ENT 0..- ~ Q c. ;:* *1 ~ J U.S. DEPARTMENTOF HOUSINGAND URBAN DEVELOPMENT THEDEPUTYSECRETARY WASHINGTON, DC

The Weill Cornell Medical College and Graduate School of Medical Sciences. Responsible Department: Information Technologies and Services (ITS)

State of South Carolina Policy Guidance and Training

COMPUTER OPERATIONS - BACKUP AND RESTORATION

Technology Recovery Plan Instructions

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

Recommendation Current Position and Explanation for Slippage: Target Dates:

Information Technology General Controls (ITGCs) 101

Data Center Assistance Group, Inc. DCAG Contact: Tom Bronack Phone: (718) Fax: (718)

This is the third and final presentation on HIPAA Security Administrative Safeguards. This presentation focuses on the last 2 standards under the

Audit of Physical Security Management

OFFICE OF AUDITS & ADVISORY SERVICES IT DISASTER RECOVERY AUDIT FINAL REPORT

Contingency Plan for HIPAA

Columbus City Schools Office of Internal Audit

Western Intergovernmental Audit Forum

Business Continuity and Disaster Recovery Planning

Experienced professionals may apply for the Certified Risk Management Professional (CRMP) certification under the grandfathering provision.

Maryland Transportation Authority

Emerging Strategies for Performance Auditing

PAPER-6 PART-3 OF 5 CA A.RAFEQ, FCA

Business Continuity Policy and Business Continuity Management System

DATABASE SECURITY CITYWIDE REPORT NO.

Business Continuity Planning

Disaster Recovery Business Continuity Premium Edition

PRIVY COUNCIL OFFICE. Audit of Information Technology (IT) Security. Final Report

Review of the SEC s Continuity of Operations Program

Business Unit CONTINGENCY PLAN

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Audit of Contract Procurement and Monitoring. HD Supply Facilities Management Contract

Disaster Recovery/Business Continuity

Fiscal Year 2014 Federal Information Security Management Act Report: Status of EPA s Computer Security Program

Council Policy Business Continuity Management

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

Domain 1 The Process of Auditing Information Systems

OFFICE OF AUDITS & ADVISORY SERVICES SUNGARD TREASURY MANAGEMENT SYSTEM CONTRACT COMPLIANCE FINAL AUDIT REPORT

Oregon Employment Department: Computer Programs for Unemployment Tax Returns and Claims Need Attention

Business Continuity & Recovery Plan Summary

EPA Can Better Assure Continued Operations at National Computer Center Through Complete and Up-to-Date Documentation for Contingency Planning

SAMPLE IT CONTINGENCY PLAN FORMAT

External Supplier Control Requirements BCM

Audit Follow-Up. The City s Parking Program (Report #0622, Issued September 8, 2006) As of September 30, Summary. Report #0806 January 11, 2008

BUSINESS CONTINUITY PLANNING

Department of Public Utilities Customer Information System (BANNER)

POLICY. 1) Business Continuity Management 2) Disaster Recovery 3) Critical Incident Management 4) Risk Management

OFFICE OF AUDITS & ADVISORY SERVICES SHAREPOINT SECURITY AUDIT FINAL REPORT

COMPUTER OPERATIONS AUDIT

Server Management-Scans & Patches

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Audit of San Antonio Fire Department. Drug Inventory Management. Project No.

10-13 MEMORIAL HEALTH SYSTEM IT BACKUP PROCESS PUBLIC REPORT CITY OF COLORADO SPRINGS OFFICE OF THE CITY AUDITOR JULY 22, 2010

Evaluation of the Railroad Retirement Board s Disaster Recovery Plan Report No , August 14, 2006 INTRODUCTION

Business Continuity Planning and Disaster Recovery Planning

October 10, Report on Web Applications #13-205

NIST SP , Revision 1 Contingency Planning Guide for Federal Information Systems

- PUBLIC REPORT - CITY OF SAN ANTONIO INTERNAL AUDIT DEPARTMENT

Business Continuity Planning for Risk Reduction

CITY UNIVERSITY OF HONG KONG Business Continuity Management Standard

How To Check If Nasa Can Protect Itself From Hackers

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

UTH~ihltli. December 11, Report on Institutional Use of Cloud Computing #14-204

Audit of IMS Disaster Recovery Plan

Disaster Recovery Plan Documentation for Agencies Instructions

Disaster Recovery Plan (Business Continuity) Template - Version 8.2

Internal Audit Department NeighborWorks America. Audit Review of the Business Continuity Plan (BCP) Management and Documentation

CONTINUITY OF OPERATIONS AUDIT PROGRAM EVALUATION AND AUDIT

1.0 Policy Statement / Intentions (FOIA - Open)

Sample audit Data Center - A Topical Overview

Federal Financial Institutions Examination Council FFIEC. Business Continuity Planning BCP MARCH 2003 MARCH 2008 IT EXAMINATION

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Audit of Center City Development & Operations Department. Parking Revenue. Project No.

University of Oregon Information Technology Risk Assessment. December 2, 2015

Information System Audit Report Office Of The State Comptroller

Business Continuity & Recovery Plan Summary

CHAPTER 1: BUSINESS CONTINUITY MANAGEMENT STRATEGY AND POLICY

Director, IT Security District Office Kern Community College District JOB DESCRIPTION

PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name]

Review of Information Technology s Data System Backup and Disaster Recovery Process Page 2 of 10 September 30, 2013

The ABC s of BCP. Jeremy Sucharski Governance Risk and Compliance G31

Annual Risk Assessment and Audit Plan Fiscal Year 2015/2016

Department of Information Technology Data Center Disaster Recovery Audit Report Final Report. September 2006

EXECUTIVE SUMMARY. We found that back-up activities were reasonably effective to minimize data loss but that improvements were needed in the areas of:

Transcription:

Follow-up Audit of Information Technology Services Department CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR Follow-up Audit of Information Technology Services Department Project No. AU13-F05 October 25, 2013 Kevin W. Barthold, CPA, CIA, CISA City Auditor

Follow-up Audit of Information Technology Services Department Executive Summary As part of our annual Audit Plan approved by City Council, we conducted a follow-up audit of the recommendations made in the Audit of Information Technology Services Department (ITSD) dated March 9, 2012. The audit objectives, conclusions, and recommendations follow: Has ITSD management implemented sufficient contingency action plans? ITSD has effectively implemented action plans that address all but one of the five recommendations from the March 2012 report. The prior audit recommended that the Chief Technology Officer: Work with the City Manager s Office to facilitate the development of a COSAwide contingency program. Develop the contingency program to include IT contingency, incident response, and disaster recovery plans to support applications and system requirements as defined by the needs of individual systems owners. Continue with the development of the Application Inventory System and coordinate with City departments to update its information on a timely basis to reflect the City s current IT environment. Continue to collaborate with individual information systems. The Chief Technology Officer should do this in conjunction with the recommendation for observation C above to develop the Application Inventory System. Assign continuity management responsibilities to an appropriate ITSD individual and expedite the filling of all related open IT positions. The Chief Technology Officer (CTO) and the City Manager s Office (CMO) facilitated the creation of a CoSA-wide contingency program that includes an IS Contingency Plan (ISCP), Business Continuity Plan (BCP), and a Disaster Recovery Plan (DRP). In collaboration with City departments, the CTO also developed an Application Inventory System identifying critical/sensitive and non-critical information systems. Although ITSD has filled all IT positions within the IT security group, the Business Continuity Manager (BCM) position has not been established. We recommend that the Chief Technology Officer establish the BCM role to oversee the CoSA-wide contingency program. ITSD s Management s verbatim response is in Appendix B on page 5. City of San Antonio, Office of the City Auditor i

Follow-up Audit of the Information Technology Services Department Table of Contents Executive Summary... i Background... 1 Audit Scope and Methodology... 1 Audit Results and Recommendations... 2 A. CoSA-wide Contingency Plan... 2 B. Contingency Program... 2 C. Identification of Major System Applications... 2 D. Identification of Critical/Sensitive Information Systems... 3 E. Assignment of Continuity Manager Responsibilities... 3 Appendix A Staff Acknowledgement... 4 Appendix B Management Response... 5 City of San Antonio, Office of the City Auditor

Follow-up Audit of the Information Technology Services Department Background In March of 2012, the Office of the City Auditor completed an audit of IT Contingency Planning. The objective of that audit was as follows: Has ITSD management implemented sufficient contingency action plans? The Office of the City Auditor concluded that ITSD had not implemented contingency planning actions. Specifically, ITSD had not started the development of a CoSA-wide contingency program or supporting contingency and disaster recovery (DR) plans. ITSD had not assigned continuity manager responsibilities or filled open security positions. Audit Scope and Methodology The audit scope was limited to the recommendations made in the original report and corresponding action plans implemented between March 2012 and April 2013. The audit methodology consisted of reviewing current federal regulations relevant to contingency planning, CoSA-wide contingency planning policies and procedures, and supporting business continuity planning documentation. We also interviewed ITSD management to ensure the development of a CoSA-wide contingency program. We conducted this follow-up performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. City of San Antonio, Office of the City Auditor 1

Audit Results and Recommendations Follow-up Audit of the Information Technology Services Department A. CoSA-wide Contingency Plan The Chief Technology Officer should work with the City Manager s Office to facilitate the development of a CoSA-wide contingency program. Status: Implemented The Chief Technology Officer (CTO) and the City Manager s Office (CMO) facilitated the creation of a CoSA-wide contingency program. The contingency program includes a Continuity of Operations Plan (COOP) for each of the business areas. During the creation of the COOPs, a Business Impact Analysis (BIA) and a Privacy Impact Assessment (PIA) was created in order to prioritize business processes based on criticality and recovery times. B. Contingency Program The Chief Technology Officer should develop the contingency program to include IT contingency, incident response, and disaster recovery plans to support applications and system requirements as defined by the needs of individual systems owners. In addition, the Chief Technology Officer should develop contingency plans for those information systems that are owned by ITSD. Status: Implemented The Chief Technology Officer has created a contingency program that includes an IS Contingency Plan (ISCP), Business Continuity Plan (BCP), and a Disaster Recovery Plan (DRP). These specific IT contingency plans contain a broad scope incorporating procedures and capabilities suited to sustaining mission critical business operations, alternate information system relocation sites, and information system recovery and/or restoration in the event of an emergency. C. Identification of Major System Applications The Chief Technology Officer should continue with the development of the Application Inventory System and coordinate with City departments to update its information on a timely basis to reflect the City s current IT environment. Status: Implemented The Chief Technology Officer has developed an Application Inventory System in coordination with City departments to reflect the City s current IT environment. Major City of San Antonio, Office of the City Auditor 2

Follow-up Audit of the Information Technology Services Department system applications and/or general service applications have been identified in addition to prioritizing mission essential applications, software type, manufacturer, platform type, locations, and availability requirements. D. Identification of Critical/Sensitive Information Systems The Chief Technology Officer should continue to collaborate with individual information system owners. The Chief Technology Officer should continue with the development of the critical/sensitive and non-critical information system inventory. Status: Implemented The Chief Technology Officer has created an information system inventory identifying critical/sensitive and non-critical information systems. In collaboration with City departments, the inventory identifies supporting resources such as hardware, software, and system documentation. E. Assignment of Continuity Manager Responsibilities The Chief Technology Officer should assign continuity management responsibilities to an appropriate ITSD individual and expedite the filling of all related open IT positions. Status: Partially Implemented Although ITSD has filled all IT positions within the IT security group, the Business Continuity Manager (BCM) position has not been established. The BCM role would oversee the CoSA-wide contingency program through actively monitoring and/or maintaining individual departmental contingency plans. In addition, the BCM would assist departments in departmental tests, training, and exercise plans. If the BCM role remains vacant, the CoSA-wide contingency program could become outdated and ineffective. Recommendation: We recommend that the Chief Technology Officer establish the BCM role to oversee the CoSA-wide contingency program. City of San Antonio, Office of the City Auditor 3

Appendix A Staff Acknowledgement Follow-up Audit of the Information Technology Services Department Mark Bigler, CPA-Utah, CISA, CFE, Audit Manager Gabe Trevino, CISA, Auditor in Charge Michael Hurlbut, Auditor City of San Antonio, Office of the City Auditor 4

Appendix B Management Response Follow-up Audit of the Information Technology Services Department City of San Antonio, Office of the City Auditor 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information