Disaster Recovery Plan Test. Audit Report




ATTACHMENT 4 Disaster Recovery Plan Test Audit Report Internal Audit Report

TABLE OF CONTENTS

1.0 MANAGEMENT SUMMARY
2.0 INTRODUCTION
3.0 OBJECTIVES AND SCOPE
4.0 METHODOLOGY
5.0 DETAILED OBSERVATIONS AND RECOMMENDATIONS
5.1 ENSURING KNOWLEDGE TRANSFER FROM THE CONSULTANTS TO THE FINANCE IT BRANCH
5.2 KEEPING THE DISASTER RECOVERY PLAN UP-TO-DATE
5.3 RESULTS OF DISASTER RECOVERY PLAN TESTING
5.4 BUSINESS IMPACT ASSESSMENT

1.0 Management Summary

The Audit Services Branch has completed work relating to the first of the on-going periodic tests of the York Region (the Region) disaster recovery plan. As part of its oversight role, the Branch participated in the disaster recovery plan and test as a member of the steering committee. Audit Services was present during the testing phase of the disaster recovery plan, which was executed from May 31 to June 4, 2004.

The testing of the Region's disaster recovery plan was successful. Briefly:

- A total of 114 applications were tested in the five-day period.
- A total of 109 applications, which included all priority one applications, tested and performed without problems.
- Relatively minor problems were experienced with five applications, which resulted in partially passed or failed conditions.

This success places the Region ahead of all Municipalities in terms of our ability to recover from a major Information Technology disaster. The Branch and project team are commended for their efforts and the results. Audit Services had raised this as a significant risk for a number of years. It is now Audit Services' opinion that the risk has been mitigated to an appropriate level.

Based on the work performed, opportunities were noted for consideration by the Region's Information Technology (IT) Branch:

- knowledge transfer
- maintenance of the disaster recovery plan
- follow-up of 5 applications
- update of the business impact assessment.

This report has been discussed with Finance Information Technology management, who have provided their comments and agreed to take the necessary action to implement the noted opportunities. Should the reader have any questions or require a more detailed understanding of the risk assessment and sampling decisions made during this audit, please contact the Director, Audit Services.
We wish to thank the Commissioner of Finance, IT Director, and their staff for their co-operation during the course of the audit, and for their assistance in providing Audit Services with timely responses.

2.0 Introduction

As part of our 2004 Audit Plan, which accommodates various types of audit projects, consulting engagements, and follow-up requests from the Audit Committee and Management, the Audit Services Branch was present during the Region's disaster recovery plan initial test from May 31 to June 4, 2004.

The Audit Services Branch uses a Risk Assessment Methodology to develop the Audit Plan annually. This methodology helps to define the level of risks associated with the various strategic projects and processes at the Region, and is a tool that Audit Services uses in assessing where best to allocate audit resources. The York Region Audit Committee approves the Plan.

3.0 Objectives and Scope

The objective of this engagement was to determine if the Region's Disaster Recovery Plan could be relied upon to recover from a major disruption of services in the Information Technology area. The audit objectives were accomplished through observation and discussion during a controlled test of the Disaster Recovery Plan and testing at a sufficient level of detail.

4.0 Methodology

Audit Services was present at the disaster recovery plan test site, observed the process involved in recovering Region IT systems, and reviewed output from both production and test environments to ensure the results were successful.

5.0 Detailed Observations and Recommendations

5.1 Ensuring Knowledge Transfer from the Consultants to the Finance IT Branch

Observation

The Region relied on the use of consultants to recover the back-up site for the test. The Region needs to ensure there is appropriate knowledge transfer to Regional staff so the Disaster Recovery Plan can be self-sustaining using Regional staff on a go-forward basis once all phases of the Disaster Recovery Plan have been completed.

Recommendation

It is recommended that the Finance IT Branch ensure that the technical expertise, provided by the consultants, to execute the disaster recovery plan is captured and transferred to the IT Branch.

Management Response

The consultant's report on the Disaster Recovery Plan Testing recommended a full time coordinator to maintain operational procedures manuals and to develop and maintain a regular refresh cycle that keeps the computing applications in step with the disaster recovery applications. IT management is implementing this function with existing staff to understand the workload requirement of this role. An assessment of the impact on existing staff complement will be done approximately mid year 2005 and appropriate recommendations developed for potential staffing in 2006.

5.2 Keeping the Disaster Recovery Plan Up-to-Date

Observation

The Region must ensure that there is a process in place to maintain the disaster recovery plan. This will ensure that any new or upgraded applications are captured in the Disaster Recovery Plan, so that in the event of a real disaster, the production environment can be recovered in a timely manner.

Recommendation

It is recommended that Finance IT develop a process by which the disaster recovery plan is kept current and incorporates upgraded and new applications as they are rolled out to the Region.

Management Response

The DRP hardware and operating systems environment uses a software product known as VMware. There is a new release of this product that needs to be installed in the DRP environment. An RFQ for technical professional services has been issued for installation services for this new release. When this work is completed, the DRP environment can be brought into sync with the computing environment. We have received a SOW for this work and expect to issue a P.O. shortly. The target completion date is end of June 2005.

5.3 Results of Disaster Recovery Plan Testing

Observation

The following applications experienced a partially passed or failed scoring during the Region's testing:

| Application | Priority | Status | Condition |
|---|---|---|---|
| T&W Trapeze FX | 3 | Partially passed | Reports not available |
| T&W Fleet Management | 2 | Partially passed | Report formats not available |
| Finance Salary Management System | 5 | Failed | Application errors |
| Corporate Services Deltaview | 5 | Failed | Application would not start |
| Corporate Services Versatile | 3 | Failed | Application accessing production |

Recommendation

It is recommended that Finance IT ensures that the causes of the errors are fully investigated, and their resolutions documented for future reference should the disaster recovery plan need to be executed.

Management Response

Status: Relatively minor problems were experienced with five applications which resulted in partially passed or failed conditions during the testing. Current status is as below:

2 - Applications Partially Passed
3 - Applications Failed

- T&W - Trapeze FX: Reports are not available. Reports are stored on the user's desktop computer, not on the network.
- T&W Fleet Mgmnt: Report formats are not available. Report formats are stored on the user's desktop computer, not on the network.
- Finance Salary Mgmnt Sys: Application errors. This application has been modified, retested by the user and passed.
- Corp Services Deltaview: Application would not start. This application has been modified, re-tested by the user and passed.
- Corp Services Versatile: Application accessing production. This will be resolved before DRP Phase III testing. An additional server is required in the DRP environment to point the Versatile database to DRP. Our target to implement this device is June 2005.

5.4 Business Impact Assessment

Observation

The business impact assessment which was used to prioritize the applications was based on the original work performed by SunGuard in 1999, with an update from the Disaster Recovery coordinators in the business units. In order to ensure the Disaster Recovery Plan is recovering the right applications at the right time, the business impact assessment should be updated on a periodic basis.

Recommendation

It is recommended that Finance IT conduct a more formal business impact assessment in the near future with a view to updating it on a periodic basis. This will ensure that the appropriate resources are assigned to the disaster recovery planning process and that the plan is recovering the higher priority applications first and the lower priority applications over a longer period of time.

Management Response

Status: A business impact assessment phase of the Disaster Recovery project is currently underway. Assessment information has been gathered and analysis is in progress. Target completion for this item is March 1st, 2005.

original signed
Sandra Cartwright
Commissioner Finance

original signed
Louis Shallal
Director Information Technology Systems