Memorandum APPENDIX 2. April 3, Audit Committee

Similar documents
Management s Response to the Auditor General s Review of Management and Oversight of the Integrated Business Management System (IBMS)

Business Continuity and Disaster Recovery

Corporate Security & Emergency Management Summary of Submitted 2015 Budget From Rates

TUFTS HEALTH PLAN CORPORATE CONTINUITY STRATEGY

Organizational Structure of the Toronto Environment Office

UCLA AUDIT & ADVISORY SERVICES

Information Technology Disaster Recovery Planning Audit Redacted Public Report

Title of Nomination: Security Policies and Standards Project/System Manager: Donna Crutcher Title: State Security Manager Agency: Department:

Earthquake Preparedness

Continuity of Business

In 2017, the Auditor General initiated an audit of the City s information technology infrastructure and assets.

1 Data Center Requirements

NORTH CAROLINA NC MRITE. Nominating Category: Enterprise IT Management Initiatives

Appendix 3 Disaster Recovery Plan

ASSURING BUSINESS CONTINUITY THROUGH CONTROLLED DATA CENTER

Projectplace: A Secure Project Collaboration Solution

Disaster Recovery for Information Technology. March 3, Special Report #628

NATIONAL GUIDELINES ON CLOUD COMPUTING FOR GOVERNMENT, MINISTRIES, DEPARTMENTS AND AGENCIES

Session 5: Business Continuity, with Business Impact Analysis

The J100 RAMCAP Method

Business Continuity: How to Keep City Departments in Business after a Disaster

Office of MN.IT Services Data Centers

Statewide Information Technology Contingency Planning

Florida State University

Follow-up to Information Technology Security Audit

AUDIT UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY. Report No Issue Date: 8 January 2014

SAMPLE REPORT. Business Continuity Gap Analysis Report. Prepared for XYZ Business by CSC Business Continuity Services Date: xx/xx/xxxx

Business Continuity Planning

REPORT 2015/149 INTERNAL AUDIT DIVISION

SERVERS / SERVICES AT DATA CENTER AND CO-LOCATION POLICY

San Francisco Chapter. What an auditor needs to know

BUSINESS CONTINUITY AND DISASTER RECOVERY ACROSS GOVERNMENT BOUNDARIES

Information backup - diagnostic review Abertawe Bro Morgannwg University Health Board. Issued: September 2013 Document reference: 495A2013

Data Center Operations Guide

IPMA State of Washington. Disaster Recovery in. State and Local. Governments

FOLLOW-UP REPORT Industrial Control Systems Audit

Subject: Audit Report 18-84, IT Disaster Recovery, California State University, Sacramento

CUNY Graduate Center Information Technology. IT Provisioning for Business Continuity & Disaster Recovery Effective Date: April 6, 2018

UPU UNIVERSAL POSTAL UNION. CA C 4 SDPG AHG DRM Doc 3. Original: English COUNCIL OF ADMINISTRATION. Committee 4 Development Cooperation

Emergence of Business Continuity to Ensure Business and IT Operations. Solutions to successfully meet the requirements of business continuity.

Community Development and Recreation Committee

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Information Technology General Control Review

Response to Wood Buffalo Wildfire KPMG Report. Alberta Municipal Affairs

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

Unclassified. Date Monday 24 September Business Continuity Plan Review - Mission Critical Activities

CABINET PLANNING SYSTEM PROCUREMENT

Policy. Business Resilience MB2010.P.119

Security and Compliance at Mavenlink

SAINT PETERSBURG DECLARATION Building Confidence and Security in the Use of ICT to Promote Economic Growth and Prosperity

Resolution adopted by the General Assembly. [without reference to a Main Committee (A/62/L.30 and Add.1)]

WHITE PAPER. Title. Managed Services for SAS Technology

CHAIR AND MEMBERS CIVIC WORKS COMMITTEE MEETING ON NOVEMBER 29, 2016

Network Performance, Security and Reliability Assessment

Certified Information Systems Auditor (CISA)

INFORMATION TECHNOLOGY ( IT ) GOVERNANCE FRAMEWORK

Leveraging ITIL to improve Business Continuity and Availability. itsmf Conference 2009

Audit & Advisory Services. IT Disaster Recovery Audit 2015 Report Date January 28, 2015

Business Continuity Plan Executive Overview

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Symantec Business Continuity Solutions for Operational Risk Management

Table of Contents. Page 1 of 6 (Last updated 27 April 2017)

New Zealand Government IBM Infrastructure as a Service

Public Safety Canada. Audit of the Business Continuity Planning Program

6/21/2013. The Business Risk of NOT Considering a Cloud/Managed IT Services Strategy. Christian Brothers Information & Technology Services

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

Manager, Infrastructure Services. Position Number Community Division/Region Yellowknife Technology Service Centre

Introduction To IS Auditing

Figure 1: Summary Status of Actions Recommended in June 2016 Committee Report. Status of Actions Recommended # of Actions Recommended

z/os Introduction and Workshop Overview of z Systems Environment 2017 IBM Corporation

Accelerate Your Enterprise Private Cloud Initiative

City of Toronto Accessibility Design Guidelines 2015

Canada Life Cyber Security Statement 2018

5 Servicing Capacity Assignment for Aurora, East Gwillimbury and Newmarket

ISO/ IEC (ITSM) Certification Roadmap

Nottinghamshire Office of the Police & Crime Commissioner & Nottinghamshire Chief Constable

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Convergence of BCM and Information Security at Direct Energy

Security and Privacy Governance Program Guidelines

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

1997 Minna Laws Chap. February 1, The Honorable Jesse Ventura Governor 130 State Capitol Building

Effective: 12/31/17 Last Revised: 8/28/17. Responsible University Administrator: Vice Chancellor for Information Services & CIO

Introduction to SURE

www. continuitymauritius.com Continuitymauritius

BROADBAND FOR IMPLEMENTATION OF NATIONAL EMERGENCY TELECOMMUNICATIONS PLANS

University of Hawaii Hosted Website Service

Governing Body 313th Session, Geneva, March 2012

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

CompTIA Exam CAS-002 CompTIA Advanced Security Practitioner (CASP) Version: 6.0 [ Total Questions: 532 ]

HENRY EE, FBCI, CBCP

Directive on Security of Network and Information Systems

REPORT Bill Bradbury, Secretary of State Cathy Pollino, Director, Audits Division

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

Area Business Continuity Management Scalable Cross Sector Coordination Framework of Disaster Management for Business Continuity

Information Technology

Business Continuity Policy

Information Security Policy

The UNISDR Private Sector Alliance for Disaster Resilient Societies

EPRO. Electric Infrastructure Protection Initiative EPRO BLACK SKY SYSTEMS ENGINEERING PROCESS

Transcription:

APPENDI 2 Information & Technology Dave Wallace, Chief Information Officer Metro Hall 55 John Street 15th Floor Toronto, Ontario M5V 3C6 Memorandum Tel: 416 392-8421 Fax: 416 696-4244 dwwallace@toronto.ca www.toronto.ca April 3, 2008 To: From: Subject: Audit Committee Dave Wallace, Chief Information Officer Management Response to the Auditor General s Review of Disaster overy Planning for City Computer Facilities The Information & Technology Division s Management Response to the Auditor General s report is attached. I would like to commend the Auditor General for this report. We believe it is insightful and accurately depicts the state of IT Disaster overy at the City. We are committed to ensuring that we are able to maintain critical information technology systems and critical services for the people of Toronto in the event of a disaster. This response indicates our agreement with the recommendations and provides an action plan to address them. I would also like to thank the Auditor General for recognizing the successful effort of the Information & Technology Division toward ensuring the high availability of the City s information systems that we manage from our primary data centre. We have invested in creating a resilient environment for our technology infrastructure at this data centre and into the facility itself. As a result, the probability of a significant failure within our data centre is extremely low. A partial list of these measures includes: Systems and Technology High Availability Measures - Duplicate (clustering) server hardware and storage disks with software failover and load balancing to provide redundancy and ensure business systems availability if a component fails - Large enterprise servers have error correcting memory and memory reallocation and multiple redundancy components in large enterprise servers - Server virtualization, which permits provisioning of an application or database server in under 1 hour (previously this took several hours or more than a day) - Dual electrical feeds from all servers into separate building electrical panels - Monitoring software which provides threshold-based alerts to technical support staff - Significant investments in security appliances and software and external intrusion detection services to prevent malicious software attacks - Significant on-going investment and commitment to best practice processes - 7x24x365 staffing of the data centre to provide human monitoring and intervention - Technical support staff on call, with remote access capability to troubleshoot and restore - Virus protection on all desktops, servers, and virus appliances scanning internet traffic, and email scanning appliances for incoming and outgoing email

APPENDI 2 Facility High Availability Measures - Building structural reinforcement, to resist the impact of earthquakes - Dual electrical supply feeds into the building from separate electrical sub-stations - Dual water supply into the building, to ensure water cooling is always available - Dual UPS banks to provide continuous short-term electrical supply - Dual diesel generators, for continuous long-term power in the event of major power failure - Specialized data centre fire suppression systems While these investments are on-going as new technical challenges emerge or opportunities for improvements are identified the systems managed from our primary data centre have achieved a very high availability, exceeding 99.9 %. For the Program Areas, this level of availability ensures the productivity of their staff as they become more reliant on information technology to perform their jobs most effectively. In addition, it builds confidence in the reliability of online services to the public, who will increasingly be using this channel to receive services from the City. Next Step: Eliminating the Data Centre as Single Point of Failure While we have successfully achieved high availability within the data centre through eliminating single points of failure, and the probability of extended failure is very low, the Auditor General has correctly noted that the data centre facility itself can be a single point of failure. Major disasters that could take out part or all of the data centre s ability to provide service are unlikely; however they can occur and we must eliminate this final single point of failure as it would have serious impacts for the City. The Information & Technology Division has recently started a disaster recovery planning program. We have commenced the development of a long-term data centre strategy which will incorporate disaster recovery. We have also invested in a secondary data centre facility which became operational in September, 2007. This facility has considerable infrastructure now in place to permit us to start our program of being able to recover systems in the event of a disaster at our primary data centre. Achievements to date include: - Alternate data centre has been constructed and is operational - Core infrastructure is in place and we have already reduced the time to recover from disaster o Up to 150 servers can now be accommodated within the alternative facility o Networking and storage is in place to accommodate DR servers o Tape library is installed so that we can recover from tape to application servers o Base infrastructure servers to facilitate authentication onto the City Network are deployed at this site o Network connectivity to major City sites is in place o Currently able to connect to the EDS Mainframe via backup network link - Office of Emergency Management are aware of the IT-DR program and we are working together - Disaster overy Plan document has been prepared which provides a range of procedures and programming scripts to initiate in the event of disaster - Vital records are now being stored at both the primary and secondary site to ensure their availability (e.g. contact lists, installation media, source code, patches, licence information, product keys, access codes and passwords)

APPENDI 2 - Detailed planning, architecture, design, implementation, recovery system documentation and testing for SAP and GroupWise Email are now underway, for completion before end of 2008 (this will reduce the recovery time for these key systems to 2-3 days in the event of a disaster). Disaster overy is a Cost of Doing Business The Auditor General s report essentially notes that IT Disaster overy programs are a necessary cost of doing business, particularly so for the City which provides essential citizen services. Substantial Disaster overy programs require adequate capital and operating investments. They involve building and managing a secondary data centre. Duplicate hardware and software and network infrastructure must be acquired and maintained to permit rapid recovery. As our Management Response indicates, we will be detailing a program for our capital and operating budgets, as well as completing the IT Governance required to adequately support a co-ordinated IT Disaster overy program for all City divisions. We will also work closely with the ABC s to ensure collaboration on these initiatives. I would like to again thank the Auditor General s office for their report, which I believe has raised the profile of this important subject. We are committed to completing the action plan to address their recommendations. Dave Wallace Chief Information Officer

APPENDI 2 1. The City Manager develop a formal disaster recovery planning and preparedness protocol with the Agencies, Boards and Commissions. The protocol should ensure coordination, collaboration and communication related to computer facility disaster recovery planning and preparedness 2. The City Manager implement a disaster recovery and business continuity program that includes divisional roles and responsibilities, resource and training requirements, and simulation and plan maintenance schedules. We agree that there are opportunities for the City s I&T Division and the ABC s to collaborate. Discussions have already taken place to promote consistency in architecture and standards, to achieve economies of scale and to share best practices, in such areas as: - Data centre strategy (primary and alternative DR sites) - Data communications network - Sharing of geospatial technical environment. As noted in the report, IT- DR is a subset of overall Business Continuity Planning (BCP). Often IT-DR planning is a catalyst for considering full BCP and the I&T Division has already contacted the Office of Emergency Management to discuss the role of IT-DR within the City s emergency planning process. I&T Division can assist with BCP by using expertise in overall Risk Management and DR planning to develop an integrated approach to BCP/IT-DR. Overall responsibility for BCP ultimately lies with each division. A formal IT-DR planning and preparedness protocol will be developed. Timing: by October, 2008 Working with the City Manager s Office, the Office of Emergency Management and divisions, Information & Technology Division will facilitate the establishment of a BCP and IT-DR program and framework. Timing: May, 2009 to have the planning framework in place along with BCP/IT-DR governance defined and program planning commenced. Page 1

APPENDI 2 3. The Chief Information Officer to report to the Business Advisory Panel on a periodic basis. Such reporting to include updates on disaster recovery planning and preparedness for information technology systems The IT Governance initiative has established the Business Advisory Panel (BAP) along with an Enterprise Architecture Review Panel to direct overall I&T strategy and investment priorities. IT-DR will be an important facet of the I&T strategy and will be a specific agenda item at least once or more per year. The CIO will ensure an annual or more frequent report to the BAP in the status of IT disaster recovery planning and preparedness. Timing: Initial report, including preliminary strategy, investment plan and governance model will be provided to BAP by July, 2008. The initial report will provide a working paper to identify the preliminary IT-DR strategy and the associated capital and operating investment plan. It will also define the governance model which will permit the BAP to determine investment levels and sequence priorities to have City information systems complete the IT-DR planning and implementation process. 4. The Chief Information Officer take action to ensure management responsible for maintaining City computer systems receive timely direction, guidance and training on preparing consistent City-wide disaster recovery plans. The I&T Division has already begun preparation of an IT-DR planning framework/process, which is going through an initial cycle with: - SAP - GroupWise Email A full training program for those responsible for IT-DR planning and testing will be developed and offered to: - Applicable management and practitioners within the I&T Page 2

APPENDI 2 5. The Chief Information Officer review the backup and storage procedures of City information technology units for: (a) compliance with acceptable standards and practices for data backup and storage requirements; and This will ensure these systems can be quickly restored (within 2-3 days) in the event of a primary data centre disaster. Once completed, this process can be repeated for other systems and a training program can be initiated. Information & Technology Division has a solid backup and storage process in place. We currently use an external service provider to store our backup media. All documentation is maintained at both our primary and alternative data centre facility. Division - Directors and IT Managers within divisions responsible for IT systems - ABC IT Managers Timing: May, 2009 Information & Technology Division will publish best practices for data backup and storage and ensure divisional IT compliance. Timing: vember, 2008 (b) provide divisions with the opportunity to participate in existing data storage arrangements within the City or with an outside service provider. It should be noted that at the conclusion of the IT Governance and Reorganization currently underway, most of the responsibility for IT infrastructure will be centralized within the Information & Technology Division. Develop a plan to have divisions participate in I&T Division s date storage and backup services, including a review of logical migration of infrastructure into centralized facilities. Timing: vember, 2008 6. The City Manager, in consultation with the Chief Information Officer, direct divisions to test information technology disaster recovery plans on a regular basis. Information & Technology Division has previously initiated a testing process with the outsourced EDS mainframe contract. A process will be established to ensure all stakeholders participate in a regular testing cycle for the IT-DR plans, once Page 3

APPENDI 2 7. The Chief Information Officer develop disaster recovery testing guidelines and provide training necessary to ensure crossdivisional consistency Testing of the initial infrastructure at the alternative data centre has begun and testing will be part of the IT-DR methodology being established. established. Timing: March, 2009 Testing guidelines are being established as part of the IT-DR methodology. As per the Action Plan noted in 4, a training program will be developed and provided to relevant stakeholders. Timing: May, 2009 Page 4

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback