David N. Wozei Systems Administrator, IT Auditor.


ISACA Area 5: Protection of Information Assets

Provide assurance that the security architecture (policies, standards, procedures and controls) ensures the confidentiality, integrity and availability of information assets.

Tasks
- Evaluate the design, implementation and monitoring of logical access controls to ensure the confidentiality, integrity, availability and authorized use of information assets.
- Evaluate network infrastructure security to ensure confidentiality, integrity, availability and authorized use of the network and the information transmitted.
- Evaluate the design, implementation and monitoring of environmental controls to prevent or minimize loss.
- Evaluate the design, implementation and monitoring of physical access controls to ensure that information assets are adequately safeguarded.
- Evaluate the processes and procedures used to store, retrieve, transport and dispose of confidential information assets.

ISACA Area 6: Business Continuity and Disaster Recovery

Provide assurance that, in the event of a disruption, the business continuity and disaster recovery processes will ensure the timely resumption of IT services, while minimizing the business impact.

Tasks
- Evaluate the adequacy of backup and restore provisions to ensure the availability of information required to resume processing.
- Evaluate the organization’s disaster recovery plan to ensure that it enables the recovery of IT processing capabilities in the event of a disaster.
- Evaluate the organization’s business continuity plan to ensure its ability to continue essential business operations during the period of an IT disruption.

What is Backup and Disaster Recovery all about?

To back up is to have a secondary source of information that can stand in for the primary source. Business continuity is ensuring that business-critical and non-critical processes keep running. Disaster recovery is self-defining: recovering from a disaster, that is, rebuilding a destroyed resource. There is an inherent risk to IT systems. The BIA (a risk-based approach) and the BCP identify the IT systems that are business critical and business assets (in relation to protection of information assets). Look out for the risky areas.

Types of backup

Full backup
Creates an entire copy of each file on the system. This is the most effective backup method and requires a significant amount of time. It is common for a full backup to be run at least once per week, but the frequency of your backups should depend on the value of your data. To restore data, the computer operator loads the latest full backup, usually from tapes. Next, the most current data is loaded using files from a subsequent incremental or differential backup tape.

Incremental method
Copies only the files that have changed since the last backup. The incremental method is commonly used for backups on weekdays. This method requires less time than a full backup. Unfortunately, the file restoration process takes longer because it is necessary to restore the full backup and then each incremental backup in turn. An incremental backup resets the archive bit (backup flag), the flag that indicates a file needs to be backed up. If any of the tapes or disks in an incremental restoration fails, the RPO will not be met either. Incremental recovery requires using more tapes.

Types of backup (continued)

Differential method
Copies every file that has changed since the last full backup. Differential is the preferred method for business continuity. This method ensures that multiple copies of daily files exist on multiple tapes. A differential backup is very fast on the first day after a full backup, and then takes longer each day as more files are copied. A differential backup works this way because the backup software does not change the archive bit (backup flag).
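The archive-bit behaviour and restore chains of the full, incremental and differential methods described on the two slides above, as an added simulation that is not part of the presentation. The file names and the week of changes are constructed sample data; the simulation shows why a differential restore needs only two sets while an incremental restore needs every set, and what an unreadable tape does to each.

```python
# Added example: simulate backup methods with archive-bit (backup flag) semantics.
class System:
    def __init__(self):
        self.content = {}         # file name -> current content
        self.archive_bit = set()  # names whose archive bit is set (need backing up)
        self.sets = []            # (kind, day, {name: content}) backup sets, oldest first

    def write(self, name, content):
        self.content[name] = content
        self.archive_bit.add(name)          # any change sets the archive bit

    def backup(self, kind, day):
        names = set(self.content) if kind == "full" else set(self.archive_bit)
        self.sets.append((kind, day, {n: self.content[n] for n in names}))
        # Full and incremental backups reset the archive bit; a differential
        # leaves it set, so each differential re-copies everything changed
        # since the last full backup and grows day by day.
        if kind in ("full", "incremental"):
            self.archive_bit -= names

def restore_chain(sets, method):
    """Backup sets a restore needs, oldest first, for 'incremental' or 'differential'."""
    last_full = max(i for i, s in enumerate(sets) if s[0] == "full")
    if method == "incremental":
        return [s for s in sets[last_full:] if s[0] in ("full", "incremental")]
    diffs = [s for s in sets[last_full + 1:] if s[0] == "differential"]
    return [sets[last_full]] + diffs[-1:]        # latest full + latest differential only

def restore(sets, method, unreadable=()):
    """Replay the chain; an unreadable set in the chain means the RPO is missed."""
    state = {}
    for kind, day, files in restore_chain(sets, method):
        if day in unreadable:
            raise RuntimeError(f"{kind} backup from day {day} is unreadable")
        state.update(files)
    return state

def run_week(method):
    """Constructed week: full backup on day 0, then one daily backup of the given method."""
    host = System()
    host.write("ledger.db", "v0"); host.write("policy.doc", "v0")
    host.backup("full", 0)
    host.write("ledger.db", "v1"); host.backup(method, 1)
    host.write("policy.doc", "v2"); host.backup(method, 2)
    host.write("ledger.db", "v3"); host.backup(method, 3)
    return host
```

Call `run_week("incremental")` and `run_week("differential")` and compare the per-day set sizes and `restore_chain` lengths; passing `unreadable={2}` to `restore` breaks the incremental chain but not the differential one.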

What are we auditing anyway?
- What are the assets and their configurations, locations etc.? (This includes disaster recovery sites, primary sites, command sites...)
- What are their vulnerabilities or risks?
- Is there a Business Continuity Plan?
- Is there a Backup policy or Data Retention policy?
- Is there a Disaster Recovery Plan?
- Is there a team and an individual business continuity manager responsible for these plans and policies, or is implementation ad hoc?
- Has the risk been transferred? Are third parties involved?
- Are users aware of the Plan?
- Is the plan comprehensive, and does the team know when it is to be activated?
- Is the plan reviewed and tested periodically?
- Has a Business Impact Assessment ever been done?

What are we auditing anyway? (continued)
- Has the organisation decided not to adopt a plan at all?
- Is procurement aware of the plan?
- Are the financial implications of the plan known, and are the finances available or feasible?
- Is security aware of the plan? (e.g. a security firm providing security to the premises)
- Are utilities aware of the plan? (Electricity, telecoms, water etc.)
- How do we handle important documents in paper format? (For example, contracts, legal documents, land titles)
- How do we handle human lives, once there is a risk to them?
- Is there a specific period acceptable for recovery or downtime?
- Has the organisation decided not to have a plan?

What are the risks?
- Business collapse
- Financial loss
- Loss of life
- Loss of business property and assets
- Loss of information
- Damage to reputation
- Legal action
- Failure to resume business

Who should be involved in the effort to prevent a disaster?
- A BCP manager or 'owner'
- Users
- Identified first responders
- Third parties and outsourced resources
- Those to whom risk has been transferred (insurance companies)
- Procurement
- Suppliers
- Top management
- IT department
- Security staff
- Any more you can think of? Please list some…

Review of Documents, Policies, Plans

Review of some documents with information on Backup and DR as well as Business Continuity.

THE END