INTERNAL AUDIT 2008/09 INFORMATION TECHNOLOGY (BUSINESS CONTINUITY)




2008/09

SUMMARY
Location: Coleg Gwent
Subject: Information Technology (Business Continuity)
Business Sponsor: Lynda Roberts
Staff engaged: Sue Harris, Head of Internal Audit; Gaynor Rains, Manager; David Bratt, Assistant Manager
Date of visit: 15-18 December 2008
Fieldwork completed: 18 December 2008
Draft report issued: 14 January 2009
Management responses received: 16 February 2009
Final report issued: 27 February 2009

This report is supplied on the understanding that it is solely for the use of the persons to whom it is addressed and for the purposes set out herein. No person other than the addressees may rely on it for any purposes whatsoever. Baker Tilly UK Audit LLP accepts no responsibility to any other party to whom it may be shown or into whose hands it may come.

PRIVATE AND CONFIDENTIAL

CONTENTS
1. Executive Summary
2. Findings and Recommendations
3. Action Plan

1. EXECUTIVE SUMMARY

1.1 Background and Scope
A review of the College's Information Technology Business Continuity arrangements was undertaken as part of the Internal Audit plan for 2008/09.

1.2 Audit Objectives
To review and test the Information Technology Business Continuity arrangements to provide assurance to management that the following control objectives are achieved:
- An appropriate and approved disaster recovery / business continuity plan is in place.
- The plan has been distributed appropriately and is available to all key staff.
- The plan has been tested and found to be appropriate for the College's needs.

1.3 Summary of findings
Our review identified that the College has a detailed draft Business Continuity Plan which has not yet been approved by the Corporation. Once it has been approved, we recommend that the College carry out a test of the plan to ensure that it is appropriate and meets the needs of the College. Our review of the draft Business Continuity Plan and the IT Disaster Recovery Plan found that each covers the key areas required. Our review also covered the backup procedures in place within the College, to assess whether they appeared appropriate and whether they are being followed in practice; these procedures were found to be operating effectively. The control objectives identified for this review have been considered by management. Our review has highlighted two control weaknesses which require attention. A complete summary of the work undertaken is included within section 2 of this report.

The recommendations made can be summarised as follows:

Risk category    Number of recommendations
High             -
Medium           2
Low              -
Total            2

1.4 Value for Money
The Business Continuity arrangements at the College cannot currently be assessed as effective, as the Business Continuity Plan has not yet been implemented or tested. Recommendations have been made accordingly.

1.5 Statement of Assurance by Internal Audit on Information Technology Business Continuity arrangements
In our opinion, which is based upon the audit evidence obtained:
- The internal controls in the system are adequate to ensure that activities and procedures are operating to achieve the College's objectives for the system, with one exception noted;
- Testing has shown the majority of the controls to be operating in practice;
- There are risks to the performance of the system; and
- Recommendations have been made to improve the controls in place.
Based on this assessment, in our opinion, the controls in place over the system provide satisfactory assurance that risks material to the achievement of the College's objectives are adequately and effectively managed.

2. FINDINGS AND RECOMMENDATIONS

2.1 An appropriate and approved disaster recovery / business continuity plan is in place.

2.1.1 Control: The College has an effective and approved Business Continuity Plan in place.
Testing / Results / Implications: The College has produced a Business Continuity Plan in association with external consultants; this was initially drafted in 2007 and completed in September 2008. However, the Business Continuity Plan has not yet been presented to the Corporation for approval. We were informed that the College had delayed presenting the Business Continuity Plan to the Corporation as amendments may be required as a result of the potential reorganisation of the College in 2009. A previous version of a Business Continuity Plan does not exist. Our review of the draft Business Continuity Plan concluded that it covers the key aspects required. However, without formal testing it is difficult to assess whether the plan is effective. The plan contains detailed procedures in relation to Business Continuity, including:
- Emergency Response section
- Crisis Management section
- Business Recovery section, including a breakdown per campus
Control operating effectively? Yes
Recommendation: As the College does not have an approved Business Continuity Plan in place, we recommend that the draft plan is presented to the Corporation and tested as soon as possible, and circulated to all relevant staff. The plan can be amended as appropriate if the restructuring takes place.
Categorisation: Medium

2.1.2 Control: An adequate IT Disaster Recovery Plan is in place.
Testing / Results / Implications: We compared the IT Disaster Recovery Plan with best practice guidance and concluded that the key headings were included in line with best practice. This aspect of the College's Business Continuity Plan has been implemented.
Control operating effectively? Yes
Recommendation: Not applicable

2.2 The plan has been distributed appropriately and is available to all key staff.

2.2.1 Control: All key members of staff have access to a copy of the College's Business Continuity Plan.
Testing / Results / Implications: At present the College has not implemented the Business Continuity Plan and therefore it is not widely available to members of staff. However, the IT department has provided relevant members of staff with a copy of the Disaster Recovery Contract Call-out Procedure. This lists the relevant information in relation to the ICM contract (ICM provide the College with disaster recovery for hardware).
Control operating effectively? No
Recommendation: As per 2.1.1

2.2.2 Control: Copies of the Business Continuity Plan are held offsite.
Testing / Results / Implications: The Business Continuity Plan contains a list of the key members of staff to whom the plan will be distributed once implemented. The Business Continuity Plan has not yet been implemented. However, a copy of the IT Disaster Recovery Plan is stored in both recovery boxes, held at Usk and Pontypool.
Control operating effectively? Yes
Recommendation: Not applicable

2.3 The plan has been tested and found to be appropriate for the College's needs.

2.3.1 Control: The College has tested both the disaster recovery plan and the business continuity plan and found that they are appropriate to meet the needs of the College.
Testing / Results / Implications: The College has not formally tested either of its plans, because the plans have not yet been formally approved. If the Business Continuity Plan and Disaster Recovery Plan are not tested there is a risk that potential problems within the plans remain undetected, and therefore the current plans may not be effective in practice. Discussions with the College found that it recently had to restore the information on the Exchange server following a SAN upgrade. Although there is no supporting documentation, the College believes that only two hours of data were lost.
Control operating effectively? Yes
Recommendation: We recommend that the Disaster Recovery Plan is formally tested, that this test is formally documented, and that an action plan of improvements is produced.
Categorisation: Medium

2.3.2 Control: The College backs up all data and servers on a regular basis.
Testing / Results / Implications: The College has a detailed backup policy in place and uses a software programme called Backup Express to control the backup process. The College also has a contract in place with ICM, who would provide the College with infrastructure in the event of a disaster. We checked that the backup procedures had been followed during the weekend prior to our visit and confirmed that the backup process had occurred. However, we noted that the system identified 3 failures in the backup process; the IT department is to investigate these failures to determine the cause. As part of the College's backup and disaster recovery procedures the College has produced two recovery boxes, one stored at Usk and the other at Pontypool. These boxes contain copies of the College's main software (and licence keys) as well as main supplier contacts. The information within the boxes should enable the College to recover the systems in the event of a disaster. Our review of the recovery box held at Usk confirmed that the box contained all the relevant information in accordance with procedures, and that the checklist had been completed to show that all information was within the box.
Control operating effectively? Yes
Recommendation: None
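The weekend check in 2.3.2 was done by reading the backup system's own status by hand. The Python below is an added example, not part of this report and not Backup Express output: it shows how that check can be scripted so that it runs after every backup window rather than once a year at audit time. The log format, job names, timestamps and the expected-job list are all constructed for illustration. The point a manual check tends to miss, and which the script reports separately, is a policy-required job that never logged anything at all; such a job raises no failure alert and so looks like a success. The data_at_risk helper makes the "two hours of data" figure from 2.3.1 a measured quantity (time since the last good backup of that system) rather than an estimate.

```python
"""Scripted version of the weekend backup check described in 2.3.2.

Added example: the log format, job names and log lines below are constructed
for illustration and are not the Backup Express log format.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupJob:
    name: str
    started: datetime
    status: str  # "OK" or "FAILED"
    detail: str


# Constructed sample log for the weekend before an audit visit. Hypothetical
# format: "<date> <time> JOB=<name> STATUS=<OK|FAILED> DETAIL=<text>".
SAMPLE_LOG = """\
2008-12-13 20:00:12 JOB=exchange-full STATUS=OK DETAIL=42.1GB
2008-12-13 21:30:05 JOB=sql-full STATUS=OK DETAIL=11.7GB
2008-12-13 22:15:44 JOB=fileserver-usk STATUS=FAILED DETAIL=media-error
2008-12-14 02:00:03 JOB=fileserver-pontypool STATUS=FAILED DETAIL=network-timeout
2008-12-14 02:45:19 JOB=sql-full STATUS=OK DETAIL=11.7GB
2008-12-14 03:10:00 JOB=web-config STATUS=FAILED DETAIL=permission-denied
"""

# Jobs the backup policy requires every weekend (hypothetical list; note that
# "finance-db" never appears in the sample log above).
EXPECTED_JOBS = frozenset({
    "exchange-full", "sql-full", "fileserver-usk",
    "fileserver-pontypool", "web-config", "finance-db",
})


def parse_log(text: str) -> list[BackupJob]:
    """Parse the constructed log format into BackupJob records."""
    jobs: list[BackupJob] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        jobs.append(BackupJob(
            name=kv["JOB"],
            started=datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            status=kv["STATUS"],
            detail=kv.get("DETAIL", ""),
        ))
    return jobs


def check_window(jobs: list[BackupJob], start: datetime, end: datetime,
                 expected: frozenset[str]) -> dict:
    """Assess one backup window: which jobs ran, still fail, or never appeared.

    A job counts as failed only if its latest attempt inside the window
    failed, so a retry that succeeded clears an earlier failure. Expected
    jobs with no log entry at all are reported as missing: an unscheduled
    job produces no failure alert and is invisible to a failures-only review.
    """
    in_window = sorted((j for j in jobs if start <= j.started <= end),
                       key=lambda j: j.started)
    latest: dict[str, BackupJob] = {}
    for job in in_window:
        latest[job.name] = job  # later entries overwrite earlier ones
    failure_events = sum(1 for j in in_window if j.status == "FAILED")
    failed_jobs = sorted(n for n, j in latest.items() if j.status != "OK")
    missing_jobs = sorted(expected - set(latest))
    last_good = {n: j.started for n, j in latest.items() if j.status == "OK"}
    return {
        "failure_events": failure_events,
        "failed_jobs": failed_jobs,
        "missing_jobs": missing_jobs,
        "last_good": last_good,
        "ok": not failed_jobs and not missing_jobs,
    }


def data_at_risk(last_good: datetime, incident: datetime) -> timedelta:
    """Worst-case data loss for an incident at `incident`: everything written
    since the last good backup of that system. A restore test should record
    this value rather than rely on a recollection after the event."""
    return incident - last_good


if __name__ == "__main__":
    report = check_window(parse_log(SAMPLE_LOG),
                          datetime(2008, 12, 13), datetime(2008, 12, 15),
                          EXPECTED_JOBS)
    print(f"failure events in window: {report['failure_events']}")
    print(f"jobs still failing:       {report['failed_jobs']}")
    print(f"expected jobs never run:  {report['missing_jobs']}")
    print(f"window acceptable:        {report['ok']}")
```

On the sample log the script reports the same three failure events the auditors counted, but also shows that sql-full recovered on retry while three jobs remain failed, and that finance-db produced no run at all. Feeding it real job records means writing a parse_log for the backup product's actual export format; the window and expected-job list come from the backup policy, which is exactly what makes the check evidence that the policy is being followed rather than just that some backups ran.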

3. ACTION PLAN

Ref: 2.1.1
Recommendation: As the College does not have an approved Business Continuity Plan in place, we recommend that the draft plan is presented to the Corporation and tested as soon as possible, and circulated to all relevant staff. The plan can be amended as appropriate if the restructuring takes place.
Category: Medium
Management Response / Action To Be Taken: Implementation and testing of the Business Continuity Plan has been postponed until the Sustainability Action Plan has been fully implemented. Once any structural changes resulting from the Sustainability Action Plan have been implemented, the Business Continuity Plan will be presented to the Corporation for approval and subsequently tested.
Implementation Date / Responsibility: December 2009; Director of Estates & Facilities

Ref: 2.3.1
Recommendation: We recommend that the Disaster Recovery Plan is formally tested, that this test is formally documented, and that an action plan of improvements is produced.
Category: Medium
Management Response / Action To Be Taken: As above.
Implementation Date / Responsibility: June 2010; Director of Estates & Facilities / Head of IT