Audit & Advisory Services. IT Disaster Recovery Audit 2015 Report Date January 28, 2015



Audit & Advisory Services Mission and Function

The JCCC Audit & Advisory Services department provides an independent assurance function to management and the Audit Committee of the Board of Trustees.

Scope & Objectives

- Ensure a documented Disaster Recovery Plan (DRP) exists for the college, and that it is kept up to date and securely stored.
- Determine that systems and other resources that are required to support critical business processes have been identified and prioritized in the event of a disruption.
- Verify that a detailed plan for the recovery of information system facilities has been established through the development, testing, and implementation of strategies for recovering critical business processes until full operations are restored.

Key Administrators

- Phil Mein, Systems Manager / Information Technology Security Officer
- Sandra Warner, Deputy CIO / Director, Administrative Computing Services
- Mary O'Sullivan, Director, Client Support Services
- Shannon Ford, Director, Academic Technology Services
- Denise Moore, VP, Information Services / CIO, recently retired
- Dr. Barbara Larson, EVP, Finance & Administrative Services

Executive Summary

The IS Department uses a layered approach for recovery:

- One level of protection is provided via daily back-ups of critical data. These back-ups are stored off-site to increase protection of the data.
- An additional level of protection is data center redundancy. Redundant systems are located in the OCB Building and provide failover capability in the event of a Regnier Center outage. This provides protection for instances such as equipment failure, but may not be sufficient in cases such as a large-scale tornado; however, off-site recovery sites (i.e. a hot site) have been cost prohibitive in the past. New cloud-based DR technology has emerged which presents an accessible solution, and the IS department is already pursuing that option.

JCCC already has many components of a comprehensive Disaster Recovery Plan in place. A more comprehensive plan with a strategic focus is warranted, and our recommendations support the development of such a plan.

Offsite Recovery Facilities

- A fully operational back-up site decreases the risk of being unable to provide critical IS services in the event of an emergency. However, these sites have historically been prohibitively expensive, and the college has not pursued this option.
- Newer, cloud-based DR technology is available which makes this service more accessible.
- The college has contracted with an outside provider to provide off-site recovery for critical systems. The provider offers an affordable, sustainable, and secure method for the college to replicate its data.
- The agreement was approved in September 2014, and Active Directory replication is complete for the employee domain. IS plans to replicate the data from other critical systems through FY16.

Offsite Recovery Facilities Recommendations

We recommend the IS department continue to pursue strategies to replicate the identified first-level applications (College Website, Active Directory, Banner and Central Authentication System) to the outside provider's site. In addition:

- IS should continue to evaluate the potential expansion of critical IS resources or other offsite recovery providers appropriate to each specific system.
- Update the DR plan accordingly.

Risk: Medium

Business Impact Analysis

A Business Impact Analysis (BIA) includes:

- An inventory of all systems
- The associated Recovery Time Objectives (RTOs) for each system
- A cost/benefit risk assessment that identifies the critical systems and includes them in a backup and disaster recovery arrangement

This cost/benefit analysis is important: the college does not want to spend more money on a disaster recovery solution than the financial loss or other consequences (including data loss) it would experience in the absence of such a system.

Business Impact Analysis Recommendation

We recommend that IS work with college business units to develop a Business Impact Analysis (BIA) that can be used to:

- Prioritize recovery efforts of the college's critical business processes
- Identify the underlying IS systems (including third-party systems), applications, and other resources needed to support such processes

Using the Recovery Time Objectives (RTOs) identified in the BIA for critical services and key IS systems, appropriate strategies can be included in the DR plan.

Risk: Medium

Systems Recovery Procedures

- Systems recovery is crucial to meet Recovery Time Objectives in the event of a disaster.
- The JCCC IS Department has failover capability for many of the college's crucial servers. They routinely perform restoration of data files and folders and are confident in the ability to restore from archived media. Backup tapes would only be needed in the event a failover component was unavailable.
- However, in order to be prepared for a disaster, preparation for all scenarios is important.
- JCCC has most of its systems recovery procedures documented. Our recommendation will help facilitate the completion of procedures for all critical systems necessary to support preparedness efforts.

Systems Recovery Procedures Recommendation

We recommend the IS department complete development of all of its step-by-step recovery procedures. These procedures should:

- Outline critical IS systems and networks and their recovery time objective (RTO)
- Delineate the steps needed to restart, reconfigure and recover them
- Include relevant supplier contacts and sources of expertise for recovering disrupted systems
- Facilitate coordination between IS divisions to ensure an integrated approach

Risk: Medium

We recommend that, where systems are supported by third-party suppliers, the reliance on the third party to provide support during incidents be clearly defined, including details of support hours and key supplier contacts.

Risk: Low

Comprehensive Disaster Recovery (DR) Plan

A comprehensive DR plan can:

- Identify exposures to internal and external threats
- Establish mechanisms to provide effective protection and recovery for critical systems

Any event that could have an adverse impact on continued IS operations should be considered. The IS department has many components of a DR Plan in place. However, a more comprehensive plan with a strategic focus is warranted to help ensure critical IS services can resume in the event of a disaster.

Comprehensive DR Plan Recommendation

We recommend that the IS department develop a comprehensive DR plan that is based on a complete Business Impact Analysis and the establishment of Recovery Time Objectives, which will help in identifying risk, critical information systems and the costs associated with addressing these risks. Appropriate staff should be trained on the plan.

A review of best practices highlighted critical components that should be addressed in a well-defined and comprehensive plan. That detailed information has been provided to IS staff.

Risk: Medium

Summary of Recommendations

Offsite Recovery Facilities
Recommendation: We recommend the IS department continue working on replicating the identified first-level applications (College Website, Active Directory, Banner and Central Authentication System) to the outside provider's site. In addition: continue to evaluate the potential expansion of critical IS resources or other offsite recovery providers appropriate to each particular system.
Risk Level: Medium
Management Response: Information Services enthusiastically embraces this finding. We appreciate the opportunity to share our progress in this critical area.

Business Impact Analysis
Recommendation: We recommend that IS work with college business units to develop a Business Impact Analysis (BIA) that can be used to prioritize recovery efforts of the college's critical business processes and identify the underlying IS systems (including third-party systems), applications and other resources needed to support such processes. Using the Recovery Time Objectives (RTOs) identified in the BIA for critical services and key IS systems, appropriate strategies can be included in the DR plan.
Risk Level: Medium
Management Response: Information Services will partner with internal and external resources to implement this finding.

Systems Recovery Procedures
Recommendation: We recommend the IS department complete development of all of its step-by-step recovery procedures. These procedures should: outline critical IS systems and networks and their recovery time objective (RTO); delineate the steps needed to restart, reconfigure and recover them; include relevant supplier contacts and sources of expertise for recovering disrupted systems; and facilitate coordination between IS divisions to ensure an integrated approach. We also recommend that, where systems are supported by third-party suppliers, the reliance on the third party to provide support during incidents be clearly defined, including details of support hours and key supplier contacts.
Risk Level: Medium (completion of recovery procedures); Low (definition of third-party support)
Management Response: Information Services will partner with internal and external resources to implement this finding.

Comprehensive Disaster Recovery Plan
Recommendation: We recommend that the IS department develop a comprehensive DR plan that is based on a complete Business Impact Analysis and Recovery Time Objectives, which will help in identifying risk, critical information systems and the costs associated with addressing these risks. Appropriate staff should be trained on the plan.
Risk Level: Medium
Management Response: Information Services will partner with internal and external resources to implement this finding.

Responses provided by Sandra Warner, Deputy CIO / Director, Administrative Computing Services

Report Distribution

We wish to thank Information Services for their assistance in this review. The staff were extremely helpful to us and open to suggestions in their ongoing work to maintain a high level of customer service and quality operations. If you have any questions concerning this report, please do not hesitate to contact Audit & Advisory Services.

Report CC:
- Trustee Jerry Cook
- Trustee Greg Musil
- Dr. Joe Sopcich
- Dr. Barbara Larson
- Phil Mein
- Sandra Warner
- Mary O'Sullivan
- Shannon Ford