RIVERSIDE: AUDIT & ADVISORY SERVICES

June 30, 2009

To: Charles Rowley, Associate Vice Chancellor
    Computing & Communications

Subject: Internal Audit of Information Technology Disaster Recovery Plan

Ref: R2009-10

We have completed our audit of the Computing & Communication Disaster Recovery Plan in accordance with the UC Riverside Audit Plan. Our report is attached for your review.

We appreciate the cooperation and assistance provided by your staff. Should you have any questions concerning the report, please do not hesitate to contact me.

Michael R. Jenson
Director

xc: Audit Committee Members
    Director of Computing Infrastructure and Security Harvey
    Chief Financial and Administrative Officer Gupta
UNIVERSITY OF CALIFORNIA AT RIVERSIDE
AUDIT & ADVISORY SERVICES
MEMBER OF ASSOCIATION OF COLLEGE & UNIVERSITY AUDITORS

INTERNAL AUDIT REPORT R2009-10
INFORMATION TECHNOLOGY DISASTER RECOVERY PLAN
JUNE 2009

Approved by:

Noahn Montemayor
Principal Auditor

Michael R. Jenson
Director
UC RIVERSIDE
INFORMATION TECHNOLOGY DISASTER RECOVERY PLAN
INTERNAL AUDIT REPORT R2009-10
JUNE 2009

I. MANAGEMENT SUMMARY

Based upon the results of work performed within the scope of the audit, it is our opinion that overall, in compliance with University policies and procedures, UCR Computing & Communication (C&C) has developed a comprehensive Disaster Recovery Plan (DRP) to guide the restoration to campus of essential enterprise wide systems in the event of a major disaster and subsequent systems failure.

Positive observations included:

* The C&C DRP has been appropriately tested and communicated to key campus stakeholders.
* C&C has established a Disaster Recovery Committee, with well-defined individual roles and responsibilities, delegations of authority, contact information, and emergency communications plans and procedures if the DRP is invoked.
* Three suitable alternate locations are available and prepared to house the Information Technology Emergency Operations Center in case of emergency.

Minor items that were not of a magnitude to warrant inclusion in the report were discussed verbally with management.

II. INTRODUCTION

A. PURPOSE

UC Riverside Audit & Advisory Services, as part of its Audit Plan, performed an audit of the C&C DRP to evaluate the Information Technology (IT) function's preparedness in the event of a process disruption, compliance with certain University policies and procedures, efficiency and effectiveness of selected operations, and adequacy of certain internal controls.
B. BACKGROUND

IT systems are vulnerable to a variety of disruptions, ranging from mild (e.g., short-term power outage, disk drive failure) to severe (e.g., equipment destruction, fire). Many vulnerabilities may be minimized or eliminated through technical, management, or operational solutions as part of the organization's risk management effort; however, it is virtually impossible to completely eliminate all risks. For example, in many cases, critical resources may reside outside the organization's control (such as electric power or telecommunications), and the organization may be unable to ensure their availability. Contingency planning is designed to mitigate the risk of system and service unavailability by focusing effective and efficient recovery solutions.[1]

IT contingency planning represents a broad scope of activities designed to sustain and recover critical IT services following an emergency. IT contingency planning fits into a much broader emergency preparedness environment that includes organizational and business process continuity and recovery planning. Ultimately, an organization would use a suite of plans to properly prepare response, recovery, and continuity activities for disruptions affecting the organization's IT systems, business processes, and facilities.[2]

Universally accepted definitions for IT contingency planning and related planning areas have not been available, and this unavailability has occasionally led to confusion regarding the actual scope and purpose of various types of plans. To provide a common basis of understanding, the National Institute of Standards and Technology (NIST) identifies several types of plans, describes their purpose and scope relative to IT contingency planning, and shows how the various plans relate to each other, each with a specific purpose.[3]

The NIST offers the following description to apply to disaster recovery plans:

Disaster Recovery Plan (DRP). As suggested by its name, the DRP applies to major, usually catastrophic, events that deny access to the normal facility for an extended period. Frequently, DRP refers to an IT-focused plan designed to restore operability of the target system, application, or computer facility at an alternate site after an emergency. The DRP scope may overlap that of an IT contingency plan; however, the DRP is narrower in scope and does not address minor disruptions that do not require relocation. Dependent on the organization's needs, several DRPs may be appended to the Business Continuity Plan (BCP).

[1] National Institute of Standards and Technology (NIST) Special Publication 800-34, Contingency Planning Guide for Information Technology Systems
[2] Ibid
[3] Exhibit attached
Disaster recovery of IT components supports restoring operations critical to the resumption of business, including regaining access to data (records, hardware, software, etc.), communications (e-mail, phone, etc.), workspace, and other business processes after a disaster. A well-established and thoroughly tested DRP must be developed in harmony with the business continuity plan to increase the probability of successfully recovering vital organization records.[4]

UCOP Business and Finance Bulletin IS-12, Continuity Planning and Disaster Recovery, establishes guidelines to reduce risk and minimize disruption of campus research and business functions in the event of a catastrophic disaster or extraordinary disruption.

UCR C&C is charged with developing and maintaining the DRP to guide the restoration of enterprise wide systems to campus in the event of a major disaster and subsequent systems failure.

[4] Global Technology Audit Guide Business Continuity Management; The Institute of Internal Auditors

C. SCOPE

The scope of the audit focuses on a review of the C&C DRP and its alignment with enterprise risk management and business continuity plans, policies, standards, guidelines, procedures, laws and regulations that address restoring IT critical services after a disruption.

Audit & Advisory Services reviewed the latest version of the C&C DRP and related documents, conducted interviews, observations, examinations, and tests, and reviewed management responses to an internal control questionnaire. These and associated procedures were performed to obtain answers to the following questions:

* Does the DRP as currently formulated provide an adequate framework within which to address the particular needs of the University in the event of a disaster or emergency of sufficient magnitude or duration that it would require the University to invoke the plan?
* Are there significant risks that are not being addressed by the DRP in its present form?
* How can the DRP be further strengthened or improved?

III. INTERNAL CONTROLS AND COMPLIANCE

As part of the review, internal controls were examined within the scope of the audit. Internal control is a process designed to provide reasonable, but not absolute, assurance regarding the achievement of objectives in the following categories:

* effectiveness and efficiency of operations
* reliability of financial reporting
* compliance with applicable laws and regulations

Substantive audit procedures were performed during May through June 2009. Accordingly, this evaluation of internal controls is based on our knowledge as of that time and should be read with that understanding.
R2009-10 DRAFT Exhibit

Table: Types of Contingency-Related Plans

Business Continuity Plan (BCP)
    Purpose: Provide procedures for sustaining essential business operations while recovering from a significant disruption
    Scope: Addresses business processes; IT addressed based only on its support for business process

Business Recovery (or Resumption) Plan (BRP)
    Purpose: Provide procedures for recovering business operations immediately following a disaster
    Scope: Addresses business processes; not IT-focused; IT addressed based only on its support for business process

Continuity of Operations Plan (COOP)
    Purpose: Provide procedures and capabilities to sustain an organization's essential, strategic functions at an alternate site for up to 30 days
    Scope: Addresses the subset of an organization's missions that are deemed most critical; usually written at headquarters level; not IT-focused

Continuity of Support Plan/IT Contingency Plan
    Purpose: Provide procedures and capabilities for recovering a major application or general support system
    Scope: Same as IT contingency plan; addresses IT system disruptions; not business process focused

Crisis Communications Plan
    Purpose: Provides procedures for disseminating status reports to personnel and the public
    Scope: Addresses communications with personnel and the public; not IT focused

Cyber Incident Response Plan
    Purpose: Provide strategies to detect, respond to, and limit consequences of malicious cyber incident
    Scope: Focuses on information security responses to incidents affecting systems and/or networks

Disaster Recovery Plan (DRP)
    Purpose: Provide detailed procedures to facilitate recovery of capabilities at an alternate site
    Scope: Often IT-focused; limited to major disruptions with long-term effects

Occupant Emergency Plan (OEP)
    Purpose: Provide coordinated procedures for minimizing loss of life or injury and protecting property damage in response to a physical threat
    Scope: Focuses on personnel and property particular to the specific facility; not business process or IT system functionality based

Source: NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems
Figure: Interrelationship of Emergency Preparedness Plans

Source: NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems