Audit & Advisory Services
IT Disaster Recovery Audit 2015
Report Date: January 28, 2015
Audit & Advisory Services Mission and Function
The JCCC Audit & Advisory Services department provides an independent assurance function to management and the Audit Committee of the Board of Trustees.
Scope & Objectives
- Ensure a documented Disaster Recovery Plan (DRP) exists for the college, and that it's kept up-to-date and securely stored
- Determine that systems and other resources that are required to support critical business processes have been identified and prioritized in the event of a disruption
- Verify that a detailed plan for the recovery of information system facilities has been established through the development, testing, and implementation of strategies for recovering critical business processes until full operations are restored
Key Administrators
- Phil Mein, Systems Manager / Information Technology Security Officer
- Sandra Warner, Deputy CIO / Director, Administrative Computing Services
- Mary O'Sullivan, Director, Client Support Services
- Shannon Ford, Director, Academic Technology Services
- Denise Moore, VP, Information Services / CIO, recently retired
- Dr. Barbara Larson, EVP, Finance & Administrative Services
Executive Summary
The IS Department uses a layered approach for recovery:
- One level of protection is provided via daily back-ups of critical data. These back-ups are stored off-site to increase protection of data.
- An additional level of protection is data center redundancy. Redundant systems are located in the OCB Building and provide failover capability in the event of a Regnier Center outage.
This provides protection for instances such as equipment failure, but may not be sufficient in cases such as a large-scale tornado. However, off-site recovery sites (i.e. hot site) have been cost prohibitive in the past. New cloud-based DR technology has emerged which presents an accessible solution. The IS department is already pursuing that option.
JCCC already has many components of a comprehensive Disaster Recovery Plan in place. A more comprehensive plan with a strategic focus is warranted, and our recommendations support the development of such a plan.
Offsite Recovery Facilities
- A fully operational back-up site decreases the risk of being unable to provide critical IS services in the event of an emergency. However, these sites have historically been prohibitively expensive, and the college has not pursued this option.
- Newer, cloud-based DR technology is available which makes this service more accessible.
- The college has contracted with an outside provider to provide off-site recovery for critical systems.
- The provider offers an affordable, sustainable, and secure method for the college to replicate its data.
- The agreement was approved in September 2014, and Active Directory replication is complete for the employee domain.
- IS plans to replicate the data from other critical systems through FY16.
Offsite Recovery Facilities Recommendations
We recommend the IS department continue to pursue strategies to replicate the identified first level applications (College Website, Active Directory, Banner and Central Authentication System) to the outside provider's site. In addition:
- IS should continue to evaluate the potential expansion of critical IS resources or other offsite recovery providers appropriate to each specific system
- Update the DR plan accordingly
Risk: Medium
Business Impact Analysis
A Business Impact Analysis (BIA) includes:
- An inventory of all systems
- The associated Recovery Time Objectives (RTOs) for each system
- A cost/benefit risk assessment that identifies and includes the critical systems in a backup and disaster recovery arrangement
This cost/benefit analysis is important, as the college does not want to spend more money on a disaster recovery solution than the financial loss or other consequences that would be experienced in the absence of such a system, resulting in data loss.
Business Impact Analysis Recommendation
We recommend that IS work with college business units to develop a Business Impact Analysis (BIA) that can be used to:
- Prioritize recovery efforts of the college's critical business processes
- Identify the underlying IS systems (including third-party systems), applications, and other resources needed to support such processes
Using the Recovery Time Objectives (RTOs) identified in the BIA for critical services and key IS systems, appropriate strategies can be included in the DR plan.
Risk: Medium
Systems Recovery Procedures
- Systems recovery is crucial to meet Recovery Time Objectives in the event of a disaster.
- The JCCC IS Department has failover capability for many of the college's crucial servers.
- They routinely perform restoration of data files and folders and are confident in the ability to restore from archived media.
- Backup tapes would only be needed in the event a failover component was unavailable. However, in order to be prepared for a disaster, preparation for all scenarios is important.
JCCC has most of its systems recovery procedures documented. Our recommendation will help facilitate the completion of procedures for all critical systems necessary to support preparedness efforts.
Systems Recovery Procedures Recommendation
We recommend the IS department complete development of all of its step-by-step recovery procedures. These procedures should:
- Outline critical IS systems and networks and their recovery time objective (RTO)
- Delineate the steps needed to restart, reconfigure and recover them
- Include relevant supplier contacts, sources of expertise for recovering disrupted systems
- Facilitate coordination between IS divisions to ensure an integrated approach
Risk: Medium
We recommend that, where systems are supported by third-party suppliers, the reliance on the third party to provide support during incidents should be clearly defined, including details of support hours and key supplier contacts.
Risk: Low
Comprehensive Disaster Recovery (DR) Plan
A comprehensive DR plan can:
- Identify exposures to internal and external threats
- Establish mechanisms to provide effective protection and recovery for critical systems
Any event that could have an adverse impact on continued IS operations should be considered.
The IS department has many components of a DR Plan in place. However, a more comprehensive plan with a strategic focus is warranted to help ensure critical IS services can resume in the event of a disaster.
Comprehensive DR Plan Recommendation
We recommend that the IS department develop a comprehensive DR plan that is based on a complete Business Impact Analysis and the establishment of Recovery Time Objectives, which will help in identifying risk, critical information systems and the costs associated with addressing these risks. Appropriate staff should be trained on the plan.
A review of best practices highlighted critical components that should be addressed in a well-defined and comprehensive plan. That detailed information has been provided to IS staff.
Risk: Medium
Summary of Recommendations

Offsite Recovery Facilities
Recommendation: We recommend the IS department continue working on replicating the identified first level applications (College Website, Active Directory, Banner and Central Authentication System) to the outside provider's site. In addition: Continue to evaluate the potential expansion of critical IS resources or other offsite recovery providers appropriate to each particular system.
Risk Level: Medium
Management Response: Information Services enthusiastically embraces this finding. We appreciate the opportunity to share our progress in this critical area.

Business Impact Analysis
Recommendation: We recommend that IS work with college business units to develop a Business Impact Analysis (BIA) that can be used to prioritize recovery efforts of the college's critical business processes and identify the underlying IS systems (including third-party systems), applications and other resources needed to support such processes. Using the Recovery Time Objectives (RTOs) identified in the BIA for critical services and key IS systems, appropriate strategies can be included in the DR plan.
Risk Level: Medium
Management Response: Information Services will partner with internal and external resources to implement this finding.

Systems Recovery Procedures
Recommendation: We recommend the IS department complete development of all of its step-by-step recovery procedures. These procedures should:
- Outline critical IS systems and networks and their recovery time objective (RTO)
- Delineate the steps needed to restart, reconfigure and recover them
- Include relevant supplier contacts, sources of expertise for recovering disrupted systems
- Facilitate coordination between IS divisions to ensure an integrated approach
Risk Level: Medium
Recommendation: We recommend that, where systems are supported by third-party suppliers, the reliance on the third party to provide support during incidents should be clearly defined, including details of support hours and key supplier contacts.
Risk Level: Low
Management Response: Information Services will partner with internal and external resources to implement this finding.

Comprehensive Disaster Recovery Plan
Recommendation: We recommend that the IS department develop a comprehensive DR plan that is based on a complete Business Impact Analysis and Recovery Time Objectives, which will help in identifying risk, critical information systems and the costs associated with addressing these risks. Appropriate staff should be trained on the plan.
Risk Level: Medium
Management Response: Information Services will partner with internal and external resources to implement this finding.

Responses provided by Sandra Warner, Deputy CIO / Director, Administrative Computing Services
Report Distribution
We wish to thank the Information Services for their assistance in this review. The staff were extremely helpful to us and open to suggestions in their ongoing work to maintain a high level of customer service and quality operations. If you have any questions concerning this report, please do not hesitate to contact Audit & Advisory Services.
Report CC:
- Trustee Jerry Cook
- Trustee Greg Musil
- Dr. Joe Sopcich
- Dr. Barbara Larson
- Phil Mein
- Sandra Warner
- Mary O'Sullivan
- Shannon Ford