Subject: Internal Audit of Information Technology Disaster Recovery Plan




RIVERSIDE: AUDIT & ADVISORY SERVICES

June 30, 2009

To: Charles Rowley, Associate Vice Chancellor, Computing & Communications
Subject: Internal Audit of Information Technology Disaster Recovery Plan
Ref: R2009-10

We have completed our audit of the Computing & Communication Disaster Recovery Plan in accordance with the UC Riverside Audit Plan. Our report is attached for your review.

We appreciate the cooperation and assistance provided by your staff. Should you have any questions concerning the report, please do not hesitate to contact me.

Michael R. Jenson
Director

xc: Audit Committee Members
    Director of Computing Infrastructure and Security Harvey
    Chief Financial and Administrative Officer Gupta

UNIVERSITY OF CALIFORNIA AT RIVERSIDE
AUDIT & ADVISORY SERVICES
MEMBER OF ASSOCIATION OF COLLEGE & UNIVERSITY AUDITORS

INTERNAL AUDIT REPORT R2009-10
INFORMATION TECHNOLOGY DISASTER RECOVERY PLAN
JUNE 2009

Approved by:
Noahn Montemayor, Principal Auditor
Michael R. Jenson, Director

UC RIVERSIDE INFORMATION TECHNOLOGY DISASTER RECOVERY PLAN
INTERNAL AUDIT REPORT R2009-10
JUNE 2009

I. MANAGEMENT SUMMARY

Based upon the results of work performed within the scope of the audit, it is our opinion that overall, in compliance with University policies and procedures, UCR Computing & Communication (C&C) has developed a comprehensive Disaster Recovery Plan (DRP) to guide the restoration to campus of essential enterprise-wide systems in the event of a major disaster and subsequent systems failure. Positive observations included:

* The C&C DRP has been appropriately tested and communicated to key campus stakeholders.
* C&C has established a Disaster Recovery Committee, with well-defined individual roles and responsibilities, delegations of authority, contact information, and emergency communications plans and procedures if the DRP is invoked.
* Three suitable alternate locations are available and prepared to house the Information Technology Emergency Operations Center in case of emergency.

Minor items that were not of a magnitude to warrant inclusion in the report were discussed verbally with management.

II. INTRODUCTION

A. PURPOSE

UC Riverside Audit & Advisory Services, as part of its Audit Plan, performed an audit of the C&C DRP to evaluate the Information Technology (IT) function's preparedness in the event of a process disruption, compliance with certain University policies and procedures, efficiency and effectiveness of selected operations, and adequacy of certain internal controls.

R2009-10 June 30, 2009 Page 2

B. BACKGROUND

IT systems are vulnerable to a variety of disruptions, ranging from mild (e.g., short-term power outage, disk drive failure) to severe (e.g., equipment destruction, fire). Many vulnerabilities may be minimized or eliminated through technical, management, or operational solutions as part of the organization's risk management effort; however, it is virtually impossible to completely eliminate all risks. For example, in many cases, critical resources may reside outside the organization's control (such as electric power or telecommunications), and the organization may be unable to ensure their availability. Contingency planning is designed to mitigate the risk of system and service unavailability by focusing on effective and efficient recovery solutions. [1]

IT contingency planning represents a broad scope of activities designed to sustain and recover critical IT services following an emergency. IT contingency planning fits into a much broader emergency preparedness environment that includes organizational and business process continuity and recovery planning. Ultimately, an organization would use a suite of plans to properly prepare response, recovery, and continuity activities for disruptions affecting the organization's IT systems, business processes, and facilities. [2]

Universally accepted definitions for IT contingency planning and related planning areas have not been available, and this unavailability has occasionally led to confusion regarding the actual scope and purpose of various types of plans. To provide a common basis of understanding, the National Institute of Standards and Technology (NIST) identifies several types of plans, describes their purpose and scope relative to IT contingency planning, and shows how the various plans relate to each other, each with a specific purpose. [3]

NIST offers the following description of disaster recovery plans:

Disaster Recovery Plan (DRP). As suggested by its name, the DRP applies to major, usually catastrophic, events that deny access to the normal facility for an extended period. Frequently, DRP refers to an IT-focused plan designed to restore operability of the target system, application, or computer facility at an alternate site after an emergency. The DRP scope may overlap that of an IT contingency plan; however, the DRP is narrower in scope and does not address minor disruptions that do not require relocation. Dependent on the organization's needs, several DRPs may be appended to the Business Continuity Plan (BCP).

[1] National Institute of Standards and Technology (NIST) Special Publication 800-34, Contingency Planning Guide for Information Technology Systems
[2] Ibid.
[3] Exhibit attached

Disaster recovery of IT components supports restoring operations critical to the resumption of business, including regaining access to data (records, hardware, software, etc.), communications (e-mail, phone, etc.), workspace, and other business processes after a disaster. A well-established and thoroughly tested DRP must be developed in harmony with the business continuity plan to increase the probability of successfully recovering vital organization records. [4]

[4] Global Technology Audit Guide, Business Continuity Management; The Institute of Internal Auditors

UCOP Business and Finance Bulletin IS-12, Continuity Planning and Disaster Recovery, establishes guidelines to reduce risk and minimize disruption of campus research and business functions in the event of a catastrophic disaster or extraordinary disruption. UCR C&C is charged with developing and maintaining the DRP to guide the restoration of enterprise-wide systems to campus in the event of a major disaster and subsequent systems failure.

C. SCOPE

The scope of the audit focuses on a review of the C&C DRP and its alignment with enterprise risk management and business continuity plans, policies, standards, guidelines, procedures, laws and regulations that address restoring IT critical services after a disruption. Audit & Advisory Services reviewed the latest version of the C&C DRP and related documents; conducted interviews, observations, examinations, and tests; and reviewed management responses to an internal control questionnaire. These and associated procedures were performed to obtain answers to the following questions:

* Does the DRP as currently formulated provide an adequate framework within which to address the particular needs of the University in the event of a disaster or emergency of sufficient magnitude or duration that it would require the University to invoke the plan?
* Are there significant risks that are not being addressed by the DRP in its present form?
* How can the DRP be further strengthened or improved?

III. INTERNAL CONTROLS AND COMPLIANCE

As part of the review, internal controls were examined within the scope of the audit. Internal control is a process designed to provide reasonable, but not absolute, assurance regarding the achievement of objectives in the following categories:

* effectiveness and efficiency of operations
* reliability of financial reporting
* compliance with applicable laws and regulations

Substantive audit procedures were performed during May through June 2009. Accordingly, this evaluation of internal controls is based on our knowledge as of that time and should be read with that understanding.

R2009-10 DRAFT

Exhibit
Table: Types of Contingency-Related Plans

Business Continuity Plan (BCP)
  Purpose: Provide procedures for sustaining essential business operations while recovering from a significant disruption
  Scope: Addresses business processes; IT addressed based only on its support for business process

Business Recovery (or Resumption) Plan (BRP)
  Purpose: Provide procedures for recovering business operations immediately following a disaster
  Scope: Addresses business processes; not IT-focused; IT addressed based only on its support for business process

Continuity of Operations Plan (COOP)
  Purpose: Provide procedures and capabilities to sustain an organization's essential, strategic functions at an alternate site for up to 30 days
  Scope: Addresses the subset of an organization's missions that are deemed most critical; usually written at headquarters level; not IT-focused

Continuity of Support Plan/IT Contingency Plan
  Purpose: Provide procedures and capabilities for recovering a major application or general support system
  Scope: Same as IT contingency plan; addresses IT system disruptions; not business process focused

Crisis Communications Plan
  Purpose: Provide procedures for disseminating status reports to personnel and the public
  Scope: Addresses communications with personnel and the public; not IT-focused

Cyber Incident Response Plan
  Purpose: Provide strategies to detect, respond to, and limit consequences of malicious cyber incident
  Scope: Focuses on information security responses to incidents affecting systems and/or networks

Disaster Recovery Plan (DRP)
  Purpose: Provide detailed procedures to facilitate recovery of capabilities at an alternate site
  Scope: Often IT-focused; limited to major disruptions with long-term effects

Occupant Emergency Plan (OEP)
  Purpose: Provide coordinated procedures for minimizing loss of life or injury and protecting property damage in response to a physical threat
  Scope: Focuses on personnel and property particular to the specific facility; not business process or IT system functionality based

Source: NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems

R2009-10 DRAFT

Exhibit
Figure: Interrelationship of Emergency Preparedness Plans (figure not reproduced in this transcription)
Source: NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems