Alabede, Collura, Walden, Zimmerman


Audit Report
Alabede, Collura, Walden, Zimmerman

Executive Summary

Findings:
- Failure to conduct a failover test, as required by ISACA's COBIT framework for proper testing.
- Incomplete backup of data classified as 'Critical' to the company.
- The BCP/DR policy is not easily retrieved.
- Recovery time objective not correctly represented in the BCP/DR policy.

Our team completed an audit of Kirkland's Disaster Recovery processes to determine whether the company has sufficient policies, procedures, and training in place to prevent and/or minimize the impact to the company and its customers in the event of a disaster. To qualify as satisfactory, we recommend that Kirkland follow the recommendations provided in the following slides to keep the Disaster Recovery plan in line with ISACA requirements and to minimize any possible impact to the company and its customers.

Audit Scope and Objectives

Based on the outcomes of procedures performed during the walkthrough phase, we selected the following areas for testing:
- Determine the maximum downtime and financial loss before data/business activities are resumed after a failure occurs
- Compare these figures to the estimates in the current DR plan documentation
- Interview admins and leadership to determine DR plan awareness and training levels

The objective of this audit was to assess the performance of the hot site backup from a minimal-downtime perspective and to determine whether business activities can be resumed in as little time as possible with minimal or no data loss.

Audit Finding 1: Incomplete data backup

During our review we noted that the daily backup carried out did not include all data classified/assessed as critical to the firm.

Standards & Procedures - The firm's risk assessment methodology, prepared using NIST Special Publication 800-34, requires that a complete business impact analysis of all business units be carried out to determine the classes of data to be backed up.

Root Cause of the issue - We believe that critical data is missing from the daily backup because the BCP team did not include all business units when conducting the business impact analysis of the firm.

Impact to the business - If all critical data are not backed up as needed, the firm may lose such data in the event of a disaster.

Recommendations - We therefore recommend that the firm consider all business units when conducting a business impact analysis and ensure all critical data are captured in the daily backup.
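As an added illustration (not part of the original audit report), the following Python reconciles a BIA data inventory against a nightly backup manifest, the check an auditor would run to substantiate this finding. The inventory, manifest, dataset names and business units are all constructed assumptions, not Kirkland's data.

```python
from datetime import datetime, timedelta

# Constructed BIA inventory (hypothetical, not Kirkland's data): each dataset
# with its owning business unit and the classification the BIA assigned it.
BIA_INVENTORY = [
    {"dataset": "erp_ledger", "unit": "Finance", "class": "Critical"},
    {"dataset": "ap_invoices", "unit": "Finance", "class": "Critical"},
    {"dataset": "wms_inventory", "unit": "Warehouse", "class": "Critical"},
    {"dataset": "shipping_labels", "unit": "Warehouse", "class": "Important"},
    {"dataset": "marketing_assets", "unit": "Marketing", "class": "Non-critical"},
]

# Constructed manifest of what the nightly backup job actually captured, and when.
BACKUP_MANIFEST = {
    "erp_ledger": datetime(2024, 5, 1, 23, 30),
    "ap_invoices": datetime(2024, 4, 28, 23, 30),  # job has skipped it for days
    "marketing_assets": datetime(2024, 5, 1, 23, 30),
}


def backup_gaps(inventory, manifest, as_of, max_age=timedelta(hours=24)):
    """Critical datasets missing from, or stale in, the backup manifest.
    Returns {business unit: ["dataset (reason)", ...]} so the auditor can see
    whether a whole unit was left out rather than a single dataset."""
    gaps = {}
    for item in inventory:
        if item["class"] != "Critical":
            continue
        last = manifest.get(item["dataset"])
        if last is None:
            reason = "never backed up"
        elif as_of - last > max_age:
            reason = f"stale, last backup {last:%Y-%m-%d}"
        else:
            continue  # backed up within the daily window
        gaps.setdefault(item["unit"], []).append(f"{item['dataset']} ({reason})")
    return {unit: sorted(v) for unit, v in sorted(gaps.items())}


def units_fully_uncovered(inventory, manifest):
    """Business units owning critical data of which none appears in the manifest:
    the pattern expected when a unit was skipped in the BIA entirely."""
    covered, owning = set(), set()
    for item in inventory:
        if item["class"] == "Critical":
            owning.add(item["unit"])
            if item["dataset"] in manifest:
                covered.add(item["unit"])
    return sorted(owning - covered)
```

Run `backup_gaps(BIA_INVENTORY, BACKUP_MANIFEST, datetime(2024, 5, 2, 8, 0))` to list the gaps per unit; `units_fully_uncovered` then shows which units the BIA appears to have missed altogether.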

Audit Finding 2: Current DR plan documentation is not easily located by management

Standards - NIST SP 800-53 Control CP-1 (p. 94); NIST SP 800-34

Root Cause of the issue - Lack of leadership buy-in on the DR plan; interviews displayed a sense that such training is a waste of company resources. Any new training is viewed this way, rather than as a necessary risk management tool. Business planning does not provide copies of the DR plan to staff unless requested.

Impact to the business - Business continuity would be affected by a disaster, as few staff would know how to switch to the backup site, whom to contact for technical assistance, and how to communicate with management for status updates. Power outages could conceivably cause a complete shutdown at the firm until main power is restored.

Recommendations - To promote DR plan comprehension and proficiency, conduct full-interrupt testing of the DR plan with leadership and management involvement.

Audit Finding 3: Actual Recovery Time Objective (est. 12 hrs) vs. planned RTO (2 hrs)

Standards - NIST SP 800-53 Control CP-10 (p. 104); NIST SP 800-34

Root Cause of the issue - DR planning staff are disconnected from the relevant business units, leaving the RTO target significantly more demanding than business operations actually require.

Impact to the business - A significantly greater resource drain would occur as staff strive to return to full operations, but without meaningful impact on revenue or client relations. This drains limited labor and funding from other mission-critical activities.

Recommendations - Bi-monthly RTO and RPO (Recovery Point Objective) meetings between IT staff and heads of business units to synchronize planning. The emphasis is on a single agreed-upon set of metrics, combined with effective dissemination of the agreement to staff.

Audit Finding 4: Failover test was not conducted

During our review we noted that the firm did not test the failover process for recovering data from the backup site.

Standards & Procedures - This is not in line with ISACA's COBIT framework, which was used to develop the firm's policies and requires that all sections of the plan be properly tested. The firm's policy also has a 0% downtime tolerance.

Impact to the business - Not carrying out a failover test deprives the firm of a fair assessment of the effectiveness of the plan.

Recommendations - We therefore recommend that a failover test of data from the hot site backup be conducted regularly.
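As an added illustration covering Findings 3 and 4 (not part of the original audit report), the following Python evaluates the evidence a failover exercise should produce: measured recovery time and data-loss window against the planned RTO/RPO, plus a check that a test has actually run within the policy interval. All timestamps, service names and the 180-day interval are constructed assumptions, chosen to mirror the 12-hour versus 2-hour gap in the finding.

```python
from datetime import datetime, timedelta

# Constructed record of one failover exercise (hypothetical, not Kirkland's data):
# when the outage was declared, the last replication the hot site had received,
# and when each critical service was confirmed working on the hot site.
FAILOVER_TEST = {
    "declared_at": datetime(2024, 5, 4, 9, 0),
    "last_replicated_at": datetime(2024, 5, 4, 8, 45),
    "services_restored_at": {
        "erp": datetime(2024, 5, 4, 11, 10),
        "email": datetime(2024, 5, 4, 10, 5),
        "wms": datetime(2024, 5, 4, 21, 0),  # the long tail sets the real RTO
    },
}

# Targets as written in the BCP/DR policy (constructed to mirror the finding).
PLANNED = {"rto": timedelta(hours=2), "rpo": timedelta(minutes=15)}


def evaluate_failover(test, planned):
    """Measure actual recovery time and data-loss window against planned RTO/RPO.

    Recovery is only complete when the slowest critical service is back, so the
    actual RTO is taken from that service, not from the first one restored.
    """
    restored = test["services_restored_at"]
    slowest = max(restored, key=restored.get)
    actual_rto = restored[slowest] - test["declared_at"]
    actual_rpo = test["declared_at"] - test["last_replicated_at"]
    return {
        "actual_rto_hours": actual_rto.total_seconds() / 3600,
        "slowest_service": slowest,
        "rto_met": actual_rto <= planned["rto"],
        "actual_rpo_minutes": actual_rpo.total_seconds() / 60,
        "rpo_met": actual_rpo <= planned["rpo"],
    }


def failover_test_overdue(last_test_at, as_of, max_interval=timedelta(days=180)):
    """Finding 4 check: True if no failover test ran within the policy interval
    (None means no test has ever been recorded)."""
    return last_test_at is None or as_of - last_test_at > max_interval
```

`evaluate_failover(FAILOVER_TEST, PLANNED)` reports a 12-hour actual RTO set by the slowest service against the 2-hour target, which is the discrepancy the bi-monthly RTO/RPO meetings are meant to reconcile.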

Audit Opinion

After conducting our audit, it is our opinion that the overall rating for the effectiveness of the process and controls evaluated is Needs Improvement. This opinion is based on several issues discovered during our audit testing process. The testing covered all aspects of the audit engagement, including reviews of policies and procedures (Business Continuity Plan, Business Impact Analysis), regulations (NIST SP 800-53, NIST SP 800-34) and controls (process flow).

Audit Opinion

We recommend that the firm perform or institute the following:
1. Modify the Business Impact Analysis to include NIST SP 800-34 guidelines
2. Modify the Business Continuity Plan to include NIST SP 800-53 guidelines
3. Institute more stringent controls with regard to Accounts Payable/Warehouse interactions
4. Institute a Disaster Recovery plan in line with ISACA and COBIT ('Hot Site')
5. Enforce daily/weekly/monthly data backup policies and procedures with management accountability.

QUESTIONS? THANK YOU