January 20, 2009 GEORGE W. WRIGHT VICE PRESIDENT, INFORMATION TECHNOLOGY OPERATIONS



Similar documents
SUBJECT: Audit Report Disaster Recovery Capabilities of the Enterprise Payment Switch (Report Number IS-AR )

THOMAS G. DAY SENIOR VICE PRESIDENT, INTELLIGENT MAIL AND ADDRESS QUALITY PRITHA N. MEHRA VICE PRESIDENT, BUSINESS MAIL ENTRY AND PAYMENT TECHNOLOGIES

ROSS PHILO EXECUTIVE VICE PRESIDENT AND CHIEF INFORMATION OFFICER

PAUL VOGEL MANAGING DIRECTOR, GLOBAL BUSINESS AND SENIOR VICE PRESIDENT

SUBJECT: Audit Report Access Controls in the Enterprise Data Warehouse (Report Number IS-AR )

ROSS PHILO EXECUTIVE VICE PRESIDENT AND CHIEF INFORMATION OFFICER

SUBJECT: Audit Report Electronic Data Systems Contract Invoice Approval Procedures (Report Number CA-AR )

INSPECTOR GENERAL UNITED STATES POSTAL SERVICE

for Kimberly F. Benoit Deputy Assistant Inspector General for Information Technology and Data Analysis

SUBJECT: Audit Report Postal Service s Employee Benefit Programs (Report Number HM AR )

Review of Selected Active Directory Domains

Software Change Management for Engineering Systems

STEVEN W. MONTEITH EXECUTIVE DIRECTOR, HUMAN CAPITAL ENTERPRISE

INSPECTOR GENERAL UNITED STATES POSTAL SERVICE

Hardware Inventory Management Greater Boston District

Software Inventory Management Greater Boston District

Solution for Enterprise Asset. Management. System Vehicle Maintenance Facility Data. Management. Advisory Report. Report Number DR-MA

Misclassified Training Expenses

Capital District Vulnerability Assessment

INSPECTOR GENERAL. Fiscal Year 2013 Postal Service Financial Statements Audit St. Louis Accounting Services. Audit Report.

Objectives, Scope, and Methodology

Software Development Processes

How To Check For Errors In International Mail Volume Data

SUBJECT: Audit Report Contract Payment Terms (Report Number CA-AR )

Retail Systems Software Deployment and Functionality

Professional Services Contract Rates

Information Security Awareness Training and Phishing

Cloud Computing Contract Clauses

Oversight of Expense Purchase Cards

September 27, 2002 THOMAS G. DAY VICE PRESIDENT, ENGINEERING CHARLES E. BRAVO SENIOR VICE PRESIDENT, CHIEF TECHNOLOGY OFFICER

Parcel Readiness Product Tracking and Reporting System Controls

Management of Detail Assignments Follow-Up

INSPECTOR GENERAL UNITED STATES POSTAL SERVICE

Monitoring of Government Travel Card Transactions

Software Contract and Compliance Review

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

SUBJECT: Audit Report Oracle Application Control Review Invoice Processing and Discounts (Report Number IS AR )

3.2 Program Management (L ; C.7; G.1.3)

INSPECTOR GENERAL UNITED STATES POSTAL SERVICE

Office of Inspector General

Undeliverable as Addressed Mail

Seamless Acceptance Implementation

INSPECTOR GENERAL. Funnel Management Program. Management Advisory Report. March 20, Report Number MS-MA OFFICE OF

Geo-Fence Technology in Delivery Operations

Information on the Renewable Energy Tax Credit (Iowa Code Section 476C) Iowa Utilities Board

FTS NETWORX Enterprise TQC-JTB

Memorandum. ACTION: Report on Computer Security Controls of Financial Management System, FTA FE May 23, 2000.

7.6 VULNERABILITY SCANNING SERVICE (VSS) (L ; C ) Satisfying the Service Requirements (L (c))

INSPECTOR GENERAL. Contracting of Real Estate Management Services. Audit Report. June 12, Report Number SM-AR OFFICE OF

ACTING VICE PRESIDENT, INFORMATION TECHNOLOGY. Michael L. Thompson Acting Deputy Assistant Inspector General for Technology, Investment and Cost

SECTION 15 INFORMATION TECHNOLOGY

Disaster Recovery and Business Continuity Plan

JOHN P. BERTOLINA SENIOR PLANT MANAGER MARGARET L. SELLERS PROCESSING AND DISTRIBUTION CENTER

Customer Retention. Audit Report. Report Number MS-AR September 25, 2014

SUBJECT: Audit Report Workplace Safety and Injury Reduction Goals in Selected Capital Metro Area Facilities (Report Number HM-AR )

Hanh Do, Director, Information System Audit Division, GAA. SUBJECT: Review of HUD s Information Technology Contingency Planning and Preparedness

MANAGEMENT AUDIT REPORT DISASTER RECOVERY PLAN DEPARTMENT OF FINANCE AND ADMINISTRATIVE SERVICES INFORMATION TECHNOLOGY SERVICES DIVISION

VICE PRESIDENT, ENTERPRISE ANALYTICS. Deputy Assistant Inspector General for Finance and Supply Management

INSPECTOR GENERAL. Travel Expense Reimbursements and Travel Card Usage. Audit Report. September 27, Report Number FT-AR OFFICE OF

How To Plan For A Disaster At The University Of Texas

Utilization of Marketing and Sales Data for Executives

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Data Center Assistance Group, Inc. DCAG Contact: Tom Bronack Phone: (718) Fax: (718)

April 27, 2011 SUSAN M. BROWNELL VICE PRESIDENT, SUPPLY MANAGEMENT. SUBJECT: Audit Report Contract Management Data (Report Number CA-AR )

Customer Service Operations Efficiency Chicago District

7.1 MANAGED FIREWALL SERVICES (MFS) (L ; C )

INSPECTOR GENERAL. Availability of Critical Applications. Audit Report. September 25, Report Number IT-AR OFFICE OF

NEXT. Tools of the Participant Portal: Scientific Reports & Deliverables

Customer Care Centers

Management Advisory Postal Service Transformation Plan (Report Number OE-MA )

How To Improve The Business Service Network

Office of Inspector General

IT DISASTER RECOVERY CALIFORNIA STATE UNIVERSITY, EAST BAY. Audit Report October 13, 2010

OIG. Improvements Are Needed for Information Technology Controls at the Las Vegas Finance Center. Audit Report OFFICE OF INSPECTOR GENERAL

DISASTER RECOVERY AND CONTINGENCY PLANNING CHECKLIST FOR ICT SYSTEMS

UNITED STATES DEPARTMENT OF EDUCATION OFFICE FOR CIVIL RIGHTS THE WANAMAKER BUILDING, SUITE PENN SQUARE EAST PHILADELPHIA, PA

FINAL AUDIT REPORT WITH RECOMENDATIONS Information Technology No

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

IT Operations Operator and Fault Logs

How To Check If Nasa Can Protect Itself From Hackers

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Postal Service Management of Closed Post Office Boxes. Audit Report. Report Number DP-AR

SUBJECT: Management Advisory Retirement for U.S. Postal Service Employees on Workers Compensation (Report Number HR-MA )

STATUS OF RECOMMENDATIONS: INFORMATION SYSTEMS SECURITY EVALUATION OF REGION III LISLE, IL (OIG-09-A-15)

Review of Document Imaging Railroad Unemployment Insurance Act Programs Report No , November 17, 2000

REMOTE INFRASTRUCTURE MANAGEMENT COURSE CURRICULUM

SUBJECT: Audit Report Compliance with Occupational Safety and Health Administration Recordkeeping Requirements (Report Number HR-AR )

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections

B U S I N E S S C O N T I N U I T Y P L A N

Review of Information Technology s Data System Backup and Disaster Recovery Process Page 2 of 10 September 30, 2013

TEMPLATE. U.S. Department of Energy. Project Name. Feasibility Study Report. September 2002 U. S. DEPARTMENT OF ENERGY

Ms. Debbie Davenport Auditor General Office of the Auditor General 2910 North 44 th Street, Suite 410 Phoenix, Arizona Dear Ms.

SAMPLE IT CONTINGENCY PLAN FORMAT

ASSESSMENT REPORT GPO WORKERS COMPENSATION PROGRAM. September 30, 2009

U.S. Postal Service s DRIVE 25 Improve Customer Experience

Properly managed equipment operator overtime and workhours by using a smaller percentage of workhours than national averages.

WILLIAM J. HENDERSON POSTMASTER GENERAL, CHIEF EXECUTIVE OFFICER

SUBJECT: Management Advisory Report Time-Definite Surface Network Risk Mitigation (Report Number EN-MA )

Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider

July 30, Internal Audit Report Information Technology Business Continuity Plan Information Technology Department

Transcription:

January 20, 2009 GEORGE W. WRIGHT VICE PRESIDENT, INFORMATION TECHNOLOGY OPERATIONS SUBJECT: Audit Report Service Continuity at the Information Technology and (Report Number ) This report presents the results of our audit of service continuity at the xxxxx, xxxxxxxxx, xxx xxx xxxxx, xxxxxxxxxx, Information Technology and Accounting Service Centers (IT/ASC) (Project Number 08RD001IS004). The objective of this audit was to determine whether service continuity procedures are in place to minimize the risk when unexpected events occur and to ensure critical operations continue without unreasonable interruption. We performed this self-initiated review as part of the fiscal year (FY) 2008 information systems audit of general controls at the U.S. Postal Service s IT/ASCs. See Appendix A for additional information about this audit. Conclusion Overall, we believe management adequately developed the infrastructure and service continuity processes and procedures to maximize the availability of critical Postal Service operations. The Postal Service is undergoing significant changes in the computing infrastructure, including virtualization and replication. They have made progress building a replication process between the xxxxx xxx xxx xxxxx IT/ASCs and have established testing schedules for critical and sensitive applications. To further minimize the risk of service disruption, management could improve processes for xxxxxxx xxxxxxx xx xxxx tapes and procedures for facility recovery program updates at the xxx xxxxx IT/ASC. UNIX Tape Off-Site Storage xxx xxx xxxxx xx/xxx xxx xxx xxxxxx xxxx xxxxxx xxxxx xxxxxxxx xxxxx xxx xxxx. This occurred because management did not assign responsibilities for these procedures after organizational changes. San Mateo personnel believed that xxxxx administered off-site tape storage procedures while the Eagan personnel were unaware of this responsibility. xxxxxxxx xxxxxxx xx xxxx xxxxx xxx xxxxxxxx xxxxx xxxxxxxxxx xxxx xxxx xxxxxxxxxxxx xxx xxxxxxxx xx xxx xxxxx xx xxxxxxxx. See Appendix B for our detailed analysis of this topic.

We recommend the Vice President, Information Technology Operations, direct the Manager, Information Technology Computing Services, to: 1. Designate the personnel responsible for administering the backup process for the xxx xxxxx Host Computing Services Center. 2. Implement procedures to ensure xxxx backup tapes are stored off-site. Facility Recovery Plan Update The Facility Recovery Plan was not current for the xxx xxxxx IT/ASC. This occurred because management did not assign responsibilities for these procedures after organizational changes and xxx xxxxx personnel believed that xxxxxxx Management Support Service Center was responsible for updates. An updated plan could help avoid confusion during personnel evacuation in an emergency situation and help resume business operations as quickly as possible. See Appendix B for our detailed analysis of this topic. We recommend the Vice President, Information Technology Operations, direct the Manager, Information Technology Computing Services, to: 3. Clarify the responsibility for maintaining and administering the Facility Recovery Plan for the xxx xxxxx Information Technology and Accounting Service Center. 4. Update the Facility Recovery Plan for the xxx xxxxx Information Technology and Accounting Service Center. Advanced Computing Environment Server Contingency Planning Audit trails of backup data for xxxxxxxx xxxxxxxxx xxxxxxxxxxx xxxxx servers did not clearly show that the data for the servers were stored off-site. Further, applications running on these servers were not tested in a disaster recovery simulation. Specifically, the xxx server we selected for review at the xxxxx IT/ASC was backed up locally, but audit trails did not clearly show that the data for the server xxxx xxxxxx xxxxxxxx. xxx xxx xxx xxxxxxx xx xxxxxxxx xx xxx xxx xxxxx xxxxxx, xxxxx xx xx xxxxxxxx xxxx xxxxxx xxxx xxxx xxxxx xxxxxx xxxxxxxx. This occurred because the Postal Service is undergoing significant changes from stand-alone physical servers to a virtualization 1 and replication environment. Routinely duplicating or backing up data files to off-site storage prevents or minimizes the damage to automated operations that can occur from 1 Virtualization is a software technology that lets one computer do the job of multiple computers by sharing the resources of a single computer across multiple environments. Virtual servers and virtual desktops allow hosting of multiple operating systems and multiple applications locally and in remote locations, freeing users from physical and geographical limitations. The benefits include energy savings, lower capital expenses due to more efficient use of hardware resources, high availability of resources, better desktop management, increased security, and improved disaster recovery processes. 2

unexpected events. Performing periodic testing of application backup data helps ensure application and data recoverability in the event of a disaster. We are not making a recommendation because management is currently deploying a replication process that will address the audit trail issue. In addition, because of our review, management recognized the need for application recovery testing and has re-prioritized resources to meet their testing schedules. Management s Comments Management agreed with all four recommendations. In response to recommendation 1, management stated that the Storage Management group within Host Computing Services is responsible for all backup processes in xxxxx xxx xxx xxxxx. In addressing recommendation 2, management stated that the offsite storage process was developed in accordance with a Sarbanes-Oxley requirement. Management will provide supporting documentation on the process by March 31, 2009. Further, in response to recommendation 3, management stated the Manager, Management Support Service Center, is responsible for maintaining and administering the xxx xxxxx Facility Recovery Plan. Finally, for recommendation 4, management stated that an updated Facility Recover Plan is currently available. Management considers actions completed on recommendations 1, 3, and 4. See Appendix C for management comments, in their entirety. Evaluation of Management s Comments The U.S. Postal Service Office of Inspector General (OIG) considers management s comments responsive to each of the recommendations, and their corrective actions should resolve the issues identified in the report. The OIG considers recommendation 2 significant, and therefore requires OIG concurrence before closure. Consequently, the OIG requests written confirmation when corrective actions are completed. This recommendation should not be closed in the follow-up tracking system until the OIG provides written confirmation that the recommendation can be closed. 3

We appreciate the cooperation and courtesies provided by your staff. If you have any questions or need additional information, please contact Frances E. Cain, Acting Director, Information Systems, or me at (703) 248-2100. E-Signed by Tammy Whitcomb VERIFY authenticity with ApproveIt Tammy L Whitcomb Deputy Assistant Inspector General for Revenue and Systems Attachments cc: Ross Philo H. Glen Walker Harold E. Stark Joseph J. Gabris Katherine S. Banks 4

APPENDIX A: ADDITIONAL INFORMATION BACKGROUND During FY 2006, management purchased mainframe disaster recovery equipment and upgraded the mainframe operating system at the xxxxx xxx xxx xxxxx IT/ASCs. The new equipment enabled the xxx facilities to electronically send replicated production mainframe files directly to storage devices located at the xxxxx xxxx, making each site a xxxxxxxxxx disaster recovery location xxx xxx xxxxx. Application testing followed installation of the mainframe replication process. Management began deploying a similar replication process for the distributed platforms for xxxx xxx xxxxxxx servers. However, management faced challenges building the infrastructure for these distributed platforms, which resulted in delays in the application disaster testing. As an interim measure, the xxxxx xxx xxx xxxxx IT/ASCs backed up some production data to tape media and stored it xxxxxxxx xx xxxxx xxxxxx xxxxxxxxxx. OBJECTIVE, SCOPE, AND METHODOLOGY The objective of this audit was to determine if service continuity procedures are in place to minimize the risk when unexpected events occur, and to ensure critical operations continue without interruption or can be resumed within a reasonable amount of time. The scope of our review included reviewing continuity of operations planning and testing for Postal Service facilities. We also reviewed disaster recovery testing for critical Postal Service facilities, workgroups, and computer applications residing on mainframe and distributed platforms, xxxxx xxxxxxx xxxx xxx xxxxxxx xxxxxxx xx xxx xxxxx xxx xxx xxxxx xxxxxxx. The audit covered the following primary platforms used in the Postal Service s computing environment. xxxxxxxxx (xxxx 2 xxx xxxxxx xxxxxxxxx 3 xxxx xxxxxxxxxxx xxxxxxx xxxxxxx xxxxxxxxx xxx xxxxxxxxxxxxxx xxxxxxxx xxxxxxxxx xxxxxxxxx x xxxxx xxx xxxxxxx 4 2 xxxxxx xx xxx xxxxxxxxxxxxx xxxxxxxx xxxxxxxx xxxx x xxxxxxx xxxx xxx xxxxx xxxxxxxxxxx xxxxxxxxx xxxxxx. 3 xxxxxx xxxxxxxx xxxxxx xx xxxxxxxxx xxxxxxxx xxxxxxxx xxxx xx xxx xxxx xxxxxxxxx xxxx xxxx, xxx xxx xxxxxxxxx xxx xxxxxxxxx xxxxxxxxxx. xxxxxxxx xxxxxxx xxx xxxxxxxxx xxxxxxxx xxxxxxxx xxxxxxt xxxxx xxxxxxxx xxxxxxxxx xxxxxxxxx xxx xxxxxxxx xxx xxx xxxxxxxxx xxxxxxxxxx xxxxxxx xxxxx xx xxxx xxx xxxxxxxxxx xxx xxxxxxxxxx. 4 xxx xxx xxxxxxxx xxxx xx xxx xxxxxxxxx xxxxxxxxxxx. xxxxxx xxxxxxxx xxxxxxxx xxxx xxxxxxxxx xx xxx xxxx xxxxxxxxxxx. 5

We judgmentally selected several applications 5 for review on these platforms. Criteria used to make our selections included production status, financial relevance, sensitivity or criticality, platform, and location. Table 1 provides a summary of the applications reviewed. Table 1: Applications Selected for Review by Platform xxxxxxxx xxxxx xxxxxxxxxxxx xxx xxxxx xxxxxxxxxxxx Mainframe OMAS; ChangeMan EMRS UNIX eawards EMRS Windows OMAS SRM Databases eawards (Oracle) ChangeMan (DB2) EMRS (Oracle) PTS (DB2) To accomplish our objective, we interviewed Postal Service facility officials, analyzed Postal Service policies and procedures, and tested related internal controls. To determine if service continuity plans were complete and tested, we reviewed facility, workgroup, and application recovery plans. We also analyzed documentation related to the testing of these plans at each xxxxxx. To determine if the Postal Service was backing up critical production files and servers, we reviewed system-generated reports and observed back-up tape handling procedures at the xxxxx xxx xxx xxxxx xxxx xxxxxxxxx xxxxxxxx xxxxxxx. We conducted this audit from April 2008 through January 2009 in accordance with generally accepted government auditing standards and included such tests of internal controls as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. We used manual and automated techniques to analyze the computer-processed data. Based on the results of these tests and assessments, we generally concluded the data were sufficient and reliable to use in meeting the objective. We discussed our observations and conclusions with management officials during the audit and on December 10, 2008, and included their comments where appropriate. 5 We selected the following applications: Official Mail and Accounting System (OMAS), Electronic Awards System (eawards), Electronic Marketing Reporting System (EMRS), Serena ChangeMan, Sales Resource Management (SRM), and Product Tracking System (PTS). 6

PRIOR AUDIT COVERAGE Report Title Disaster Recovery Testing for Critical Postal Service Applications at the xxxxx, xxxxxxxxx xxx xxx xxxxx, California Information Technology and Accounting Service Centers for Fiscal Year 2007 Mainframe Service Continuity Planning and Testing at the xxxxx, xxxxxxxxx xxx xxx xxxxx, California Information Technology and Accounting Service Centers Report Number IS-AR-07-018 IS-AR-07-002 Final Report Date September 14, 2007 November 16, 2006 Monetary Impact N/A N/A Report Results In general, the Postal Service established and updated continuity plans and procedures relating to essential business functions at the IT/ASCs. However, we provided recommendations for implementing the disaster recovery infrastructure to test all critical midrange applications; developing a schedule documenting when they will conduct full operational recovery tests for critical applications; and prioritizing testing of mainframe disaster recovery infrastructure to complete full operational recovery tests of all critical mainframe applications. Management established the schedule for testing applications; however, actions for the remaining recommendations have not been completed. Overall, Postal Service administrators adequately implemented the service continuity programs. However, we recommended testing of the disaster recovery equipment at the Eagan and xxx xxxxx facilities. This recommendation was subsequently completed and closed. 7

xxxx Tape Off-Site Storage APPENDIX B: DETAILED ANALYSIS xxx xxxxx xxx xxx xxxxx xxxxxxx xxxx xx xxxxxxxxxx xxxx xxxxxxx xx x xxxxxxx xxxxxx, xxxxx xxxx xxxx xxxxxxxxx xxxxxxx xxxxxxxxxxxx xxx xxxxxx xx xx xxxx xxxxx xxx xxxxxx xxxxxxxx xx xxxxx xxxxxx xxxxxxxxxx. xxx xxxxxx xxxxxxx xxxx x xxxxxx xx xxxxxxxxx xxx xxxxx xxxxx xxxxxxx xxxxx xx xxxx xxxxx xxx xxx xxxxx xxxxx. Postal Service staff is responsible for ejecting and preparing tape media for storage on a scheduled basis. At the xxx xxxxx xxxx xxxxxxxxx xxxxxxxx xxxxxx, we sampled an xxxx application server xxxxxxxxxxxxxxx and traced the audit trail to ensure the data was backed up and stored xxxxxxxx. xx xxxxx xxxx xxxxxx xxxxxxx xxxxxxxxx xxx xxx xxxxxxx xxx xxxxxxxxx xx xxxxxxx xxxxxxx xxxxx xxx xxxxxx xxxxxxx xxx xxxxxxxx xxxxxxx. We learned that xxxx xxxxx xxx xxx xxxx xxxxxx xxxxxxxx xxxxx xxx xxxx. Postal Service personnel noted there are nearly xxx xxxx servers at the xxx xxxxx xxxxxx which include some critical applications. Management immediately initiated action to assess the overall backup environment. Facility Recovery Plan Update The xxx xxxxx Facility Recovery Plan (FRP) did not contain current information. We reviewed various documents relating to service continuity and disaster recovery planning. Postal Service policy 6 requires the FRP to include information about the process of restoring a facility to a condition so it meets appropriate personnel, business unit, and safety requirements; and making the facility ready to support business functions and computer programming support. xxxxxxx FRP included the detailed information in the Occupant Emergency Plan. xxx xxxxx did not have the same document, but included similar information in the FRP. However, this document was last updated in February 2006 and contained obsolete information. Management was unable to determine the ownership and responsibility for updating the document. 6 Handbook AS-805, Information Security, Section 12-4.4.2, Facility Recovery Plan, dated March 2002 (updated with Postal Bulletin revisions through November 23, 2006). 8

APPENDIX C: MANAGEMENT S COMMENTS 9

10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information