Comhairle nan Eilean Siar Internal Audit Review DISASTER RECOVERY. Final Report 12/13-20




Comhairle nan Eilean Siar Internal Audit Review. Final Report 12/13-20. 8th January 2013

CONTENTS

SECTION 1 - EXECUTIVE SUMMARY (pages 1-3)
SECTION 2 - DETAILED FINDINGS AND RECOMMENDATIONS (pages 4-9)
SECTION 3 - ACTION PLAN (page 10)
APPENDIX A - RESPECTIVE RESPONSIBILITIES OF MANAGEMENT AND INTERNAL AUDIT (page 11)

Date of Visit: Dec 2012
Final Report Issued: 8th January 2013

Issued to:
- Chief Executive (Malcolm Burr)
- Director of Finance & Corporate Resources (Robert Emmott)
- Head of IT & Customer Services (Angus Macarthur)
- External Audit (Karen Jones)

8th January 2013

SECTION 1: EXECUTIVE SUMMARY

1.1 Introduction

This report has been prepared following a high level overview of the Disaster Recovery procedures in place in the Comhairle. Disaster Recovery was included as part of the internal audit work plan for 2011/12 and also 2012/13, but due to requests by management we have had to postpone the review on two occasions. This was mainly due to new works being progressed to replace the system, and it would add no significant value to the area to be audited under such circumstances. Nevertheless, it is important that Internal Audit keep management and members informed of the present position of the disaster recovery procedures in the Comhairle. We intend to re-visit the area in April/May 2013 to confirm how the project is progressing.

Disaster Recovery - the process by which you resume business after a disruptive event.

8th January 2013, page 1

SECTION 1: EXECUTIVE SUMMARY (CONTINUED)

1.2 We have graded our detailed findings and recommendations, based on the likelihood of the identified weakness occurring and the impact on the Comhairle if it should occur, using the following criteria:

Grade 1 - Critical - High likelihood, High impact (HH): The weakness is almost bound to happen or is already happening (likelihood) and could have a significant impact on the Comhairle's services, reputation, control, financial position, statutory, regulatory or constitutional compliance if not contained.

Grade 2 - Contingent/Insurable Risk - Low likelihood, High impact (LH): The weakness is unlikely to happen, but would have a significant impact on the Comhairle's services, reputation, control, financial position, statutory, regulatory or constitutional compliance if it did occur.

Grade 3 - Housekeeping - High likelihood, Low impact (HL): The weakness is almost bound to happen or is already happening but is unlikely to have a material impact on the Comhairle's services, reputation, control, financial position, statutory, regulatory or constitutional compliance, and can be contained.

Grade 4 - Value for Money - High likelihood, Value for money impact (HV): The weakness is almost bound to happen or is already happening but if contained would have a positive impact on economy, efficiency and effectiveness in the use of resources.

Where we have identified isolated exceptions in our sample testing, and we consider that:
- they are unlikely to recur; and
- they would have no significant impact if they should occur,
we have classified them as low likelihood and low impact (LL), discussed them with relevant officers and detailed them in Appendix B to this report.

SECTION 1: EXECUTIVE SUMMARY (CONTINUED)

1.3 Our recommendations can be summarised and prioritised as follows:

Recommendation 2.1 - overall grading (scale 4/3/2/1): 1, see Section 2
- Appropriate disaster recovery procedures be implemented in terms of best practice.
- An SLA/legal agreement be put in place to cover responsibilities, security, data sharing and termination arrangements.
- Once the system is installed the disaster recovery procedures should be tested to give assurance that the new system in place meets the agreed requirements.

1.4 We would like to thank the Head of IT & Customer Services for the co-operation and goodwill we received during the course of our internal audit fieldwork.

For Comhairle nan Eilean Siar Internal Audit Section
Internal Audit, Comhairle nan Eilean Siar, Sandwick Road, Stornoway, Isle of Lewis HS1 2BW
8th January 2013

SECTION 2 - DETAILED FINDINGS AND RECOMMENDATIONS

2.1 For each control objective the findings and implications are given, followed by the risk ranking (L = likelihood, I = impact), the recommendation, its grade and the management comment.

Control objective 1: The processes in place at present.

Findings and implications: At present we have reduced levels of disaster recovery controls in place. The means of safeguarding and protecting corporate data is that data is backed up to disks and taken off site and stored securely at the Sports Centre. Backups are done on a daily, weekly, monthly basis and documented to allow for easy retrieval should the need arise in the event of data loss. This process is regularly tested as part of operational restore requests and has proved to be a workable and reliable solution. However, it is necessary to have a more comprehensive plan in place so that processing can resume as soon as possible after an incident.

With the current setup, should IT be faced with any form of data failure, corruption, fire etc. there is a high risk that the systems would be unavailable for a number of weeks. In this situation it is imperative that departments who run operational systems have tried and tested business continuity plans in place to provide a minimum level of service that will fulfil statutory obligations during the outage. Current arrangements do not meet best practice. However, we understand that ongoing processes are underway to remedy this weakness.

Risk ranking: L = H, I = H
Recommendation: Appropriate disaster recovery procedures be implemented in terms of best practice.
Grade: 1
Management comment: Agreed.

Control objective 1: What are we doing?

Findings and implications: As part of a modernisation programme to update the Comhairle's server infrastructure it will be possible to review IT Disaster Recovery planning. We are advised by the Head of IT & Customer Services that server virtualisation has been identified as the most beneficial and the proposal is that the Comhairle replace its current server and storage facility with a virtualised infrastructure whilst also re-deploying existing equipment to a suitable disaster recovery facility at the NHS-WI site. We understand that virtualisation would allow the Comhairle to replicate its servers alongside the WIHB servers. This would do away with the processes in place of having to back up on tapes and take off site. The benefits are that the processes would be quicker, cleaner, better located and the on-line connection improved.

Work is nearing completion on the installation of fibre optic ducting being run from the Comhairle to the NHS-WI site to allow this to happen. The work that would allow the link to be in place is scheduled to be completed on Friday 14th December. A report was presented to the Comhairle's Policy & Resources Committee on 6th December 2012 seeking the approval of members for funding for the virtualisation project. This report was approved.

Control objective 1: Where we hope to be?

Findings and implications: A proposed legal agreement to govern the relationship between CNES and NHS-WI for the purposes of site sharing has been drawn up by CNES and is currently with the NHS-WI legal team for review. It will address issues of shared responsibilities, data security, review arrangements, dispute resolution and termination of the agreement. We would hope to have an agreement in place with NHS-WI allowing the two organisations to share external networks. All the Comhairle critical servers would be replicated on Comhairle equipment housed at the NHS-WI site.

Risk ranking: H
Recommendation: An SLA/legal agreement be put in place to cover responsibilities, security, data sharing and termination arrangements.
Grade: 1
Management comment: Agreed.

Findings and implications: The benefits of this would be that in the event of a major incident at Sandwick Road there would always be a duplicate set of data at the NHS-WI site, and it would be possible to resume processing within a matter of hours rather than weeks or months. Other benefits realised from this project would be the freeing up of resources, reducing the time taken to perform backups and removing them to a secure location; more office space would be made available at Sandwick Road, as the large servers take up additional space; and costs would be managed more effectively, as server replacement would be integrated into a rolling replacement programme over time.

Risk ranking: L = H, I = H
Recommendation: Once the system is installed the disaster recovery procedures should be tested to give assurance that the new system in place meets the agreed requirements.
Grade: 1
Management comment: Agreed.

SECTION 3 - ACTION PLAN

Ref. 2.1

- Recommendation: Appropriate disaster recovery procedures be implemented in terms of best practice. Responsible officer: Head of IT & Customer Services. Date of implementation: Summer 2013.
- Recommendation: An SLA/legal agreement be put in place to cover responsibilities, security, data sharing and termination arrangements. Responsible officer: Head of IT & Customer Services. Date of implementation: Summer 2013.
- Recommendation: Once the system is installed the disaster recovery procedures should be tested to give assurance that the new system in place meets the agreed requirements. Responsible officer: Head of IT & Customer Services. Date of implementation: Summer 2013.

APPENDIX A: RESPECTIVE RESPONSIBILITIES OF MANAGEMENT AND INTERNAL AUDIT

Responsibility in relation to internal controls

It is the responsibility of the Comhairle's management to maintain adequate and effective financial systems and to arrange for a system of internal controls. Our responsibility as internal auditors is to evaluate the financial systems and associated internal controls. In practice, we cannot examine every financial implication and accounting procedure within an activity, and we cannot substitute for management's responsibility to maintain adequate systems of internal controls over financial systems. We therefore may not identify all weaknesses that exist in this regard.

Responsibilities in relation to fraud and corruption

The prime responsibility for the prevention and detection of fraud and irregularities rests with management. They also have a duty to take reasonable steps to limit the opportunity for corrupt practices. It is our responsibility to review the adequacy of these arrangements, but our work does not remove the possibility that fraud, corruption or irregularity may have occurred and remained undetected. We nevertheless endeavour to plan our internal audit work so that we have reasonable expectation of detecting material fraud, but our examination should not be relied upon to disclose all such material frauds that may exist.