Business Continuity Planning

Similar documents
Information Technology Disaster Recovery Planning Audit Redacted Public Report

Position Description IT Auditor

Any observations not included in this report were discussed with your staff at the informal exit conference and may be subject to follow-up.

Information Technology General Control Review

Google Cloud & the General Data Protection Regulation (GDPR)

Business Continuity and Disaster Recovery

Audit & Advisory Services. IT Disaster Recovery Audit 2015 Report Date January 28, 2015

INFORMATION SECURITY- DISASTER RECOVERY

Subject: Audit Report 18-84, IT Disaster Recovery, California State University, Sacramento

I. PURPOSE III. PROCEDURE

Certified Information Systems Auditor (CISA)

Effective COBIT Learning Solutions Information package Corporate customers

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Disaster Recovery and Business Continuity Planning (Mile2)

AUDIT UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY. Report No Issue Date: 8 January 2014

26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Tools & Techniques I: New Internal Auditor

Any observations not included in this report were discussed with your staff at the informal exit conference and may be subject to follow-up.

SAMPLE REPORT. Business Continuity Gap Analysis Report. Prepared for XYZ Business by CSC Business Continuity Services Date: xx/xx/xxxx

CASA External Peer Review Program Guidelines. Table of Contents

International Auditing and Assurance Standards Board (IAASB) International Federation of Accountants 545 Fifth Avenue, 14 th Floor New York, NY 10017

IS Audit and Assurance Guideline 2001 Audit Charter

Business Continuity Planning

Contracting for an IT General Controls Audit

No IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP

MassMutual Business Continuity Disclosure Statement

Making trust evident Reporting on controls at Service Organizations

New Jersey State Legislature Office of Legislative Services Office of the State Auditor. November 16, 2015 to November 30, 2017

ANZSCO Descriptions The following list contains example descriptions of ICT units and employment duties for each nominated occupation ANZSCO code. And

Spillemyndigheden s requirements for accredited testing organisations. Version of 1 July 2012

Subject: Audit Report 16-50, IT Disaster Recovery, California State University, Fresno

Data Backup and Contingency Planning Procedure

Chapter 4 EDGE Approval Protocol for Auditors Version 3.0 June 2017

Certified Information Security Manager (CISM) Course Overview

Memorandum APPENDIX 2. April 3, Audit Committee

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Table of Contents. Sample

TSC Business Continuity & Disaster Recovery Session

Introduction To IS Auditing

Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING

Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017

UL and Business Continuity

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Implementation PREVIEW VERSION

IS Audit and Assurance Guideline 2002 Organisational Independence

Application for Certification

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

Infocomm Professional Development Forum 2011

Introduction to Business continuity Planning

APPROVAL SHEET PROCEDURE INFORMATION SECURITY MANAGEMENT SYSTEM CERTIFICATION. PT. TÜV NORD Indonesia PS - TNI 001 Rev.05

The Open Group Certification for People. Training Course Accreditation Requirements

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW

Minimum Requirements For The Operation of Management System Certification Bodies

Information backup - diagnostic review Abertawe Bro Morgannwg University Health Board. Issued: September 2013 Document reference: 495A2013

DATA PROTECTION SELF-ASSESSMENT TOOL. Protecture:

UCLA AUDIT & ADVISORY SERVICES

Public Safety Canada. Audit of the Business Continuity Planning Program

Contents. Chapter 3: Chapter 4: Critical Server Ranking Classifying Systems for Recovery Priority Mission-Critical Only, Please...

U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC)

MHA Consulting BCM Metrics Resiliency Through Measurement

Disaster Unpreparedness June 3, 2013

NHS Fife. 2015/16 Audit Computer Service Review Follow Up

Please indicate below the principle nature of your department s operations (check all that apply): Student life support.

Indicate whether the statement is true or false.

Applications/Data To Include in Survey (include applications that meet one or more of the following criteria)

Going Paperless & Remote File Sharing

Business Continuity Management Standards A Side-by-Side Comparison

ISACA Survey Results. 27 April Ms. Nancy M. Morris, Secretary Securities and Exchange Commission 100 F Street NE Washington, DC

L18: Integrate Control Disciplines to Increase Control and Save Money

EXAM PREPARATION GUIDE

Workday s Robust Privacy Program

Isaca EXAM - CISM. Certified Information Security Manager. Buy Full Product.

REPORT 2015/010 INTERNAL AUDIT DIVISION

Building Disaster Resilience in Small and Mid-Size Businesses

13.f Toronto Catholic District School Board's IT Strategic Review - Draft Executive Summary (Refer 8b)

OF ACCOUNTANTS IAASB CAG MEETING MARCH 7, 2011

Maryland Health Care Commission

ISACA Enterprise. Solutions and Resources

TUFTS HEALTH PLAN CORPORATE CONTINUITY STRATEGY

NEN The Education Network

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

What is BS 7799? BS 7799 is the most influential, globally recognised standard for information security management.

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

Drive Your Career Forward IIA Certifications and Qualifications

Action Plan Developed by The Iranian Institute of Certified Accountants (IICA) BACKGROUND NOTE ON ACTION PLANS

Cyber security tips and self-assessment for business

Trust Services Principles and Criteria

FOLLOW-UP REPORT Industrial Control Systems Audit

The UNISDR Private Sector Alliance for Disaster Resilient Societies

Template. IT Disaster Recovery Planning: A Template

Management Update: Information Security Risk Best Practices

Apex Information Security Policy

A80F300e Description of the SA8000:2014 certification procedure

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

2017 SaaS Security Study ABSTRACT

Guide to IREE Certification

PROTERRA CERTIFICATION PROTOCOL V2.2

Transcription:

Information Systems Audit and Control Association www.isaca.org Business Continuity Planning AUDIT PROGRAM & INTERNAL CONTROL QUESTIONNAIRE The Information Systems Audit and Control Association With more than 23,000 members in over 100 countries, the Information Systems Audit and Control Association (ISACA ) is a recognized global leader in IT governance, control and assurance. Founded in 1969, ISACA sponsors international conferences, administers the globally respected CISA (Certified Information Systems Auditor ) designation earned by more than 25,000 professionals worldwide, and develops globally applicable information systems (IS) auditing and control standards. An affiliated foundation undertakes the leading-edge research in support of the profession. The IT Governance Institute, established by the association and foundation in 1998, is designed to be a "think tank" offering presentations at both ISACA and non-isaca conferences, publications and electronic resources for greater understanding of the roles and relationship between IT and enterprise governance. Purpose of These Audit Programs and Internal Control Questionnaires One of the goals of ISACA s Education Board is to ensure that educational products developed by ISACA support member and industry information needs. Responding to member requests for useful audit programs, the Education Board has recently released audit programs and internal control questionnaires on various topics for member use through the member-only web site and K-NET. These products are intended to provide a basis for audit work. E-business audit programs and internal control questionnaires were developed from material recently released in ISACA s e-commerce Security Technical Reference Series. These technical reference guides were developed by Deloitte & Touche and ISACA s Research Board and are recommended for use with these audit programs and internal control questionnaires. Audit programs and internal questionnaires on other subjects were developed by ISACA volunteers and reviewed and edited by the Education Board. The Education Board cautions users not to consider these audit programs and internal control questionnaires to be all-inclusive or applicable to all organizations. They should be used as a starting point to build upon based on an organization s constraints, policies, practices and operational environment. Disclaimer The topics developed for these Audit Programs and Internal Control Questionnaires have been prepared for the professional development of ISACA members and others in the IS Audit and Control community. Although we trust that they will be useful for that purpose, ISACA cannot warrant that the use of this material would be adequate to discharge the legal or professional liability of members in the conduct of their practices. September 2001 Business Continuity Planning 1

Audit Program/ICQ Get Preliminary Information Procedure Step: Policies Determine and obtain copies of all applicable policies for disaster recovery and business continuity, if any. Procedure Step: Get Applicable Documentation Obtain a copy of the organization's disaster recovery plan. Obtain a list of implementation team members list. Obtain a current copy of the organization chart. Obtain current inventory list. Obtain a copy of agreements relating to use of backup facilities. Procedure Step: Control Questionnaire Objective: To verify that the disaster recovery plan is adequate to insure resumption of computer systems in a timely manner during adverse circumstances, is in line with the current business continuation plan, and reflects the current business operating environment. 2

Business Continuity Planning Audit Program/ICQ Is there a disaster recovery plan? If a plan exists, when was it last updated? What are your procedures for updating the plan? Who is responsible for administration or coordination of the plan? Is the plan administrator/coordinator responsible for keeping the plan up-to-date? Is there a disaster recovery implementation team (i.e., the first response team members who will react to the emergency with immediate action steps)? Where is the disaster recovery plan stored? (Verify that key team members have copies of the plan at home as well as at the office). Where are the implementation team contacts list stored? (Suggest each key team member should have contact names and addresses of all other key team members both on his person and at home, as well as in the office - contact numbers should include home and mobile as well as office number) Where is the backup facility site? Are there alternate sites? (Be suspicious of loose arrangements with local businesses!) What is your schedule for testing and training on the plan? When was the last drill performed? (Consider the adequacy of the test - a desk test is unlikely to reveal many potential problems) Did the drill include use of the backup facilities? If not, when were the backup facilities last used? If over 1 year, how has the organization determined that its programs can still run on the backup equipment? What was the outcome of the drill? How did it improve preparedness? What critical systems are covered by the plan? Does the plan clearly indicate priorities for system restoration, based on risk to the business in particular? Does the plan allow for the restoration within pre-determined business critical time frames? (I.e. If certain systems are down for longer than a predetermined time, restoration after this time may be useless if the business has already gone under.) 3

Business Continuity Planning Audit Program/ICQ Details/Test (continued): Does the plan indicate the operational requirements for each of the systems? What systems are not covered by the plan? Why not? What equipment is not covered by the plan? Why not? Does the plan operate under any assumptions? What are they? What are the procedures for activation of the plan? Are inventories as they relate to your critical systems kept (including LAN servers and communication devices)? (Critically, are the procedures and practices for keeping them up to date sufficient?) If inventories are kept, where are they stored? Are there formal procedures that specify backup procedures and responsibilities? What functions/systems/components are covered under such procedures? What training has been given to personnel in using backup equipment and established procedures? Where is the off-site storage site? Are the responsibilities for each team documented? Are the restoration procedures documented? Does the documentation for each system to be recovered indicate the process flow and as well as the equipment that will be recovered? (i.e. for an application that makes use of desktop equipment for data entry and client server equipment for storage this should all be documented along with the software that will be required. Backup Processes Procedure Step: Backup and Recovery Review the backup procedures followed for each area covered by the DRP. Determine if the backup and recovery procedures are being followed. Procedure Step: Cross Training Interview IS personnel to determine if they have been cross-trained. Review training records to determine the amount of cross training provided. Off-site Storage Procedure Step: Visit Off-site Storage Take a tour of the off-site storage facility. Determine if the facility is adequate. 4

5

Business Continuity Planning Audit Program/ICQ Procedure Step: Rotation Practices Compare the log of items stored at the facility with the items present at the facility. Determine if the log is complete and up-to-date. Confirm procedures to ensure that ALL data required by the business units to be sent to the offsite facility is actually sent and received - i.e. more than simply confirming that they hold what the log says they have received.) How often is the log reviewed for completeness? Is this adequate? Disaster Recovery Plan Procedure Step: Review Plans Obtain and review a copy of the disaster recovery plan and the alternate site agreement. Determine if they are complete and current, and if executive management has signed off on the plan. A key point would be provision for formal update reviews to be signed off (e.g. every six months). Just signing off the original plan would probably be insufficient control. Will all systems be recovered at one disaster recovery site? If not how will the information be coordinated to ensure that it will be available at the other locations when necessary? Procedure Step: Review Responsible Parties Determine who was responsible in developing the plan and if users and all facets of data processing were adequately involved in its development. Procedure Step: Risk Assessment Determine if a risk assessment has been prepared and if it appears reasonable. Procedure Step: Testing of Plan Determine if executive management has approved the funding for an alternate data processing center and testing of the disaster recovery plan. Observe a test of the plan. Procedure Step: Review Results of Tests Review the results of the test of the disaster recovery plan. Determine if corrective action has been taken on any problems incurred during the test. Procedure Step: Alternate Processing Visit the alternate processing site. Assess its suitability and compatibility with the current computer facility. 6

7

Procedure Step: Training of Participants Business Continuity Planning Audit Program/ICQ Interview users and/or IS personnel to determine if they have been trained in their responsibilities in the event of an emergency or disaster. Determine if they are aware of manual or alternate processing procedures that are to be used when processing is delayed for an extended period of time. (Note - a key point for successful recovery from major disasters is correct handling of press and publicity). Has training included dealing with TV and newspapers etc. for selected team members, as well as training other team members and employees not to speak directly, but refer queries to the trained team members? This can be crucial in maintaining customer and financial confidence in the business. 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback