Audit Report
Alabede, Collura, Walden, Zimmerman
Executive Summary
Findings:
- Failure to conduct a failover test in accordance with ISACA's COBIT framework, which requires proper testing.
- Incomplete backup of data listed as 'Critical' to the company.
- The BCP/DR policy is not easily retrieved.
- Recovery time objective not correctly represented in the BCP/DR policy.
Our team completed an audit of Kirkland's disaster recovery processes to determine whether the company has sufficient policies, procedures, and training in place to prevent and/or minimize the impact to the company and its customers in the event of a disaster. To qualify as satisfactory, we recommend that Kirkland follow the recommendations provided in the following slides to keep the disaster recovery plan in line with ISACA requirements and to minimize any possible impact to the company and its customers.
Audit Scope and Objectives
Based on the outcomes of procedures performed during the walkthrough phase, we selected the following areas for testing:
- Determine the maximum downtime and financial loss before data/business activities are resumed after a failure occurs
- Compare these to the current DR plan documentation estimates
- Interview admins and leadership to determine DR plan awareness and training levels
The objective of this audit was to assess the performance of the hot site backup from a minimal-downtime perspective and to determine whether business activities can be resumed in as little time as possible with minimal or no data loss.
Audit Finding 1: Incomplete data backup
During our review we noted that the daily backup carried out did not include all data classified/assessed as critical to the firm.
Standards & Procedures - The firm's risk assessment methodology, prepared using the NIST special publication, requires that a complete business impact analysis of all business units be carried out to determine the class of data to be backed up. We believe that critical data is missing from the daily backup because the BCP team did not include all business units when conducting the business impact analysis of the firm.
Impact to the business - If all critical data is not backed up as needed, the firm may lose that data in the event of a disaster.
Recommendations - We therefore recommend that the firm consider all business units when conducting a business impact analysis and ensure all critical data is captured in its daily backup.
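The check behind this finding, reconciling the BIA's critical-data inventory against what the daily backup actually captured, can be automated so that gaps surface before an audit rather than during one. The following script is an added illustration, not the audit team's or the firm's tooling; the asset names, business units, backup dates and the one-day maximum age are constructed sample data, since the report does not describe the firm's inventory or manifest formats.

```python
"""Reconcile a BIA data inventory against a daily backup manifest.

Added illustration for Finding 1 (not the firm's tooling). All inventory,
unit and manifest values below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed BIA inventory: (asset, owning business unit, classification).
BIA_INVENTORY = [
    ("erp_db", "Finance", "Critical"),
    ("payroll_db", "Finance", "Critical"),
    ("ap_ledger", "Accounts Payable", "Critical"),
    ("wms_db", "Warehouse", "Critical"),
    ("crm_db", "Sales", "Important"),
    ("intranet_wiki", "HR", "Routine"),
]

# Constructed list of every business unit; the BIA must assess all of them.
ALL_BUSINESS_UNITS = {"Finance", "Accounts Payable", "Warehouse", "Sales", "HR", "Logistics"}

# Constructed daily backup manifest: asset -> date of last successful backup.
BACKUP_MANIFEST = {
    "erp_db": date(2024, 5, 6),
    "ap_ledger": date(2024, 5, 6),
    "crm_db": date(2024, 5, 6),
    "wms_db": date(2024, 4, 30),  # last good copy is a week old
}


@dataclass(frozen=True)
class CoverageReport:
    missing_critical: tuple[str, ...]   # critical assets absent from the manifest
    stale_critical: tuple[str, ...]     # critical assets backed up, but too long ago
    units_without_bia: tuple[str, ...]  # business units the BIA never assessed

    def satisfactory(self) -> bool:
        """True only when every critical asset has a fresh backup and every unit was assessed."""
        return not (self.missing_critical or self.stale_critical or self.units_without_bia)


def check_backup_coverage(inventory, manifest, all_units, as_of, max_age_days=1):
    """Compare the BIA's critical assets with the backup manifest as of a given date."""
    critical = [asset for asset, _unit, cls in inventory if cls == "Critical"]
    missing = [a for a in critical if a not in manifest]
    stale = [a for a in critical if a in manifest and (as_of - manifest[a]).days > max_age_days]
    # A unit with no inventory entries was never covered by the BIA, which is the
    # root cause the finding names: its critical data cannot be in the backup set.
    assessed_units = {unit for _asset, unit, _cls in inventory}
    unassessed = sorted(all_units - assessed_units)
    return CoverageReport(tuple(sorted(missing)), tuple(sorted(stale)), tuple(unassessed))


if __name__ == "__main__":
    report = check_backup_coverage(BIA_INVENTORY, BACKUP_MANIFEST, ALL_BUSINESS_UNITS, date(2024, 5, 7))
    print(report)
    print("satisfactory" if report.satisfactory() else "Needs Improvement")
```

On the constructed data the report flags payroll_db as never backed up, wms_db as stale, and Logistics as a unit the BIA never assessed; any one of those is enough to fail the check, which is the standard the finding's recommendation sets.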
Audit Finding 2: Current DR plan documentation is not easily located by management
Standards – NIST SP-853 Control CP-1 (p. 94), SP-834
Root Cause of the issue – Lack of leadership buy-in on the DR plan; interviews displayed a sense that such training is a waste of company resources. Any new training is viewed this way, rather than as a necessary risk management tool. Business planning does not provide copies of the DR plan to staff unless requested.
Impact to the business - Business continuity would be affected by a disaster, as few staff would know how to switch to the backup site, who to contact for technical assistance, and how to communicate with management for status updates. Power outages could conceivably cause a complete shutdown at the firm until main power is restored.
Recommendations - To promote DR plan comprehension and proficiency, conduct full-interrupt testing of the DR plan with leadership and management involvement.
Audit Finding 3: Actual Recovery Time Objective (est. 12 hrs) vs. planned RTO (2 hrs)
Standards – NIST SP-853 Control CP-10 (p. 104), SP-834
Root Cause of the issue – DR planning staff are disconnected from the relevant business units, leaving RTO estimates significantly higher than necessary for business operation.
Impact to the business – A significantly greater resource drain would occur as staff strive to return to full operations, but without meaningful impact on revenue or client relations. This drains limited labor and funding from other mission-critical activities.
Recommendations – Bi-monthly RTO and RPO (Recovery Point Objective) meetings between IT staff and heads of business units to synchronize planning. Emphasis is on a single agreed-upon set of metrics, combined with effective dissemination of the agreement to staff.
Audit Finding 4: Failover test was not conducted
During our review we noted that the firm did not test the failover process for recovering data from the backup site.
Standards & Procedures - This is not in line with ISACA's COBIT framework, which was used to develop the firm's policies and requires that all sections of the plan be properly tested. The firm's policy also has a 0% downtime tolerance.
Impact to the business - Not carrying out a failover test will not give the firm a fair assessment of the effectiveness of the plan.
Recommendations - We therefore recommend that a failover test of data from the hot site backup be conducted regularly.
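Findings 3 and 4 are two sides of one measurement: a failover test is what turns the planned 2-hour RTO into an observed number, and without one the "est. 12 hrs" figure cannot be verified. The script below is an added illustration, not the firm's or the audit team's tooling. It reads a constructed failover-test log, computes the RTO actually achieved (incident declared to last service restored) and the RPO actually achieved (last replicated commit to incident), and compares both with the plan. The log lines and the 12-hour outcome are constructed around the figures in the report; the 15-minute RPO target is an assumed value, since the report states no RPO figure.

```python
"""Measure achieved RTO/RPO from a failover-test log and compare them to plan.

Added illustration for Findings 3 and 4 (not the firm's tooling). The log is
constructed; the 2-hour RTO comes from the report, the RPO target is assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed failover-test log: "<ISO timestamp> <EVENT> <detail>".
FAILOVER_LOG = """\
2024-05-07T08:00:00 REPLICATION last_commit_applied=2024-05-07T07:45:00
2024-05-07T08:05:00 INCIDENT primary site declared unavailable
2024-05-07T08:20:00 FAILOVER hot site activation started
2024-05-07T19:40:00 RESTORED erp_db accepting transactions
2024-05-07T20:05:00 RESTORED wms_db accepting transactions
"""

PLANNED_RTO = timedelta(hours=2)      # the 2-hour RTO stated in the DR plan
ASSUMED_RPO = timedelta(minutes=15)   # assumed target; the report states no RPO figure


@dataclass(frozen=True)
class RecoveryMeasurement:
    actual_rto: timedelta
    actual_rpo: timedelta
    rto_met: bool
    rpo_met: bool


def parse_log(text):
    """Split each log line into (timestamp, event kind, detail); blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, detail = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), kind, detail))
    return events


def failover_test_recorded(events):
    """A measurable test needs a replication mark, an incident declaration and a restoration."""
    kinds = {kind for _ts, kind, _d in events}
    return {"REPLICATION", "INCIDENT", "RESTORED"} <= kinds


def measure_recovery(events, planned_rto=PLANNED_RTO, planned_rpo=ASSUMED_RPO):
    """Derive achieved RTO and RPO from the log and check them against the targets."""
    if not failover_test_recorded(events):
        # No complete test on record: nothing can be measured, which is itself Finding 4.
        raise ValueError("no complete failover test recorded")
    incident = min(ts for ts, kind, _d in events if kind == "INCIDENT")
    # RTO ends when the last service is back, not the first.
    restored_all = max(ts for ts, kind, _d in events if kind == "RESTORED")
    replication = [d for _ts, kind, d in events if kind == "REPLICATION"]
    last_commit = datetime.fromisoformat(replication[-1].split("=", 1)[1])
    actual_rto = restored_all - incident
    actual_rpo = incident - last_commit
    return RecoveryMeasurement(actual_rto, actual_rpo,
                               actual_rto <= planned_rto, actual_rpo <= planned_rpo)


if __name__ == "__main__":
    m = measure_recovery(parse_log(FAILOVER_LOG))
    print(f"achieved RTO {m.actual_rto} (planned {PLANNED_RTO}, met={m.rto_met})")
    print(f"achieved RPO {m.actual_rpo} (assumed target {ASSUMED_RPO}, met={m.rpo_met})")
```

On the constructed log the achieved RTO is 12 hours against the planned 2, matching the gap the finding describes, and the achieved RPO is 20 minutes against the assumed 15. Running this after every scheduled failover test gives the bi-monthly RTO/RPO meetings an observed number to plan around instead of an estimate.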
Audit Opinion
After conducting our audit, it is our opinion that the overall rating for the effectiveness of the process and controls evaluated is Needs Improvement. This opinion is based on several issues discovered during our audit testing process. The testing covered all aspects of the audit engagement, including reviews of policies, procedures (Business Continuity Plan, Business Impact Analysis), regulations (NIST-SP , NIST-SP ) and controls (process flow).
Audit Opinion
We recommend that the firm perform or institute the following:
- Modify the Business Impact Analysis to include NIST-SP guidelines
- Modify the Business Continuity Plan to include NIST-SP guidelines
- Institute more strenuous controls with regard to Accounts Payable/Warehouse interactions
- Institute a Disaster Recovery plan in line with ISACA and COBIT ('Hot Site')
- Enforce daily/weekly/monthly data backup policies and procedures with management accountability
QUESTIONS? THANK YOU