IT Governance, Risk, and Compliance » Disaster Recovery http://itknowledgeexchange.techtarget.com/it-governance Mon, 20 May 2013 00:56:50 +0000 en-US hourly 1 Auditing Business Continuity and Disaster Recovery – Part VIII http://itknowledgeexchange.techtarget.com/it-governance/auditing-business-continuity-and-disaster-recovery-part-viii/ http://itknowledgeexchange.techtarget.com/it-governance/auditing-business-continuity-and-disaster-recovery-part-viii/#comments Tue, 13 Dec 2011 21:15:18 +0000 Robert Davis http://itknowledgeexchange.techtarget.com/it-governance/?p=1104 An IT auditor should perform a preliminary control environment (CE) assessment corresponding to the audit area being examined to enable reasonable assurance that all significant items will be adequately addressed during the IT audit process.

Audit evidence for CE elements may not be available in documentary form. In particular to smaller entities, communication between management and other personnel may be informal, yet effective. For example, management’s commitment to ethical values and competence are often implemented through the behavior and attitude they demonstrate in managing the entity’s business instead of in a written code of conduct. Consequently, management’s attitudes, awareness and actions are of particular importance in the design of a smaller entity’s CE. In addition, the role of those charged with governance is often undertaken by the owner/manager — especially where there are no other equivalent personnel within the entity.

View Part I of the Auditing Business Continuity and Disaster Recovery series here

]]> http://itknowledgeexchange.techtarget.com/it-governance/auditing-business-continuity-and-disaster-recovery-part-viii/feed/ 0 Auditing Business Continuity and Disaster Recovery – Part VII http://itknowledgeexchange.techtarget.com/it-governance/auditing-business-continuity-and-disaster-recovery-part-vii/ http://itknowledgeexchange.techtarget.com/it-governance/auditing-business-continuity-and-disaster-recovery-part-vii/#comments Fri, 09 Dec 2011 22:39:15 +0000 Robert Davis http://itknowledgeexchange.techtarget.com/it-governance/?p=1102 Primary drivers for organizational continuity assurance service planning are: verifying continuity plan existence and assessing continuity plan adequacy. However, as with standard IT audits, a general control environment, information systems, and control procedures understanding should be obtained during engagement planning — to comply with ISACA’s assurance standards and guidelines as well as other applicable attestation, audit, accounting, and IT standards. Neglecting adherence to standardized professional practices can result in unsupportable audit opinions.

View Part I of the Auditing Business Continuity and Disaster Recovery series here

]]> http://itknowledgeexchange.techtarget.com/it-governance/auditing-business-continuity-and-disaster-recovery-part-vii/feed/ 0 Auditing Business Continuity and Disaster Recovery – Part VI http://itknowledgeexchange.techtarget.com/it-governance/auditing-business-continuity-and-disaster-recovery-part-vi/ http://itknowledgeexchange.techtarget.com/it-governance/auditing-business-continuity-and-disaster-recovery-part-vi/#comments Tue, 06 Dec 2011 20:32:09 +0000 Robert Davis http://itknowledgeexchange.techtarget.com/it-governance/?p=1100 BCP audits normally have an organizational focus. ‘Organizational-based’ BCP audits examine deployed frameworks, managerial issues, and departmental activities. However, if during ‘organizational-based’ planning the IT auditor discovers a BCP framework is not deployed, the audit planner should consider utilizing the COBIT Deliver and Support-Ensure Continuous Service, Manage Service Desk and Incidents, as well as Manage Problems framework domain processes as baselines for setting detail objectives. Partly reflective of the COBIT “Ensure Continuous Service,” “Manage Service Desk and Incidents” and “Manage Problems” processes; BCP availability, compliance, effectiveness and efficiency are the primary information criteria; while confidentiality, integrity, and reliability should be considered secondary information criteria, even when other audit measurement standards are included within the audit ambit.

View Part I of the Auditing Business Continuity and Disaster Recovery series here

]]> http://itknowledgeexchange.techtarget.com/it-governance/auditing-business-continuity-and-disaster-recovery-part-vi/feed/ 0 Auditing Business Continuity and Disaster Recovery – Part V http://itknowledgeexchange.techtarget.com/it-governance/auditing-business-continuity-and-disaster-recovery-part-v/ http://itknowledgeexchange.techtarget.com/it-governance/auditing-business-continuity-and-disaster-recovery-part-v/#comments Fri, 02 Dec 2011 20:53:26 +0000 Robert Davis http://itknowledgeexchange.techtarget.com/it-governance/?p=1097 The IT auditor’s primary purpose, when performing an audit of business continuity and/or disaster recovery, should be to identify, document, test, evaluate, and report the controls as well as the associated risks related to BCP and/or DRP processes from an IT perspective, as implemented by the entity, for achieving relevant control objectives — both primary and secondary.

The BCP assurance process can be an individual audit area examination or an auditable unit examination for every IT function audit undertaken. During the IT audit planning process, all or segments of an entity’s deployed BCP related frameworks may be selected as auditable units. Furthermore, BCP audits may cross divisional, functional, or departmental demarcations.

View Part I of the Auditing Business Continuity and Disaster Recovery series here

]]> http://itknowledgeexchange.techtarget.com/it-governance/auditing-business-continuity-and-disaster-recovery-part-v/feed/ 0 Auditing Business Continuity and Disaster Recovery – Part IV http://itknowledgeexchange.techtarget.com/it-governance/auditing-business-continuity-and-disaster-recovery-part-iv/ http://itknowledgeexchange.techtarget.com/it-governance/auditing-business-continuity-and-disaster-recovery-part-iv/#comments Tue, 29 Nov 2011 20:44:04 +0000 Robert Davis http://itknowledgeexchange.techtarget.com/it-governance/?p=1095 Although often referred to as disaster recovery plans, controls to ensure service continuity should address the entire range of potential disruptions. These may include relatively minor interruptions, such as temporary power failures, as well as major disasters, such as fires or natural disasters that would require reestablishing operations at a remote location, and may also include errors, such as writing over a critical file. If controls are inadequate, even relatively minor interruptions can result in data lost or incorrectly processed data — which could cause financial losses, expensive recovery efforts, and inaccurate or incomplete information. For some operations, such as those involving health care or safety, system interruptions could also result in injuries or loss of life.

View Part I of the Auditing Business Continuity and Disaster Recovery series here

]]> http://itknowledgeexchange.techtarget.com/it-governance/auditing-business-continuity-and-disaster-recovery-part-iv/feed/ 0 Auditing Business Continuity and Disaster Recovery – Part III http://itknowledgeexchange.techtarget.com/it-governance/auditing-business-continuity-and-disaster-recovery-part-iii/ http://itknowledgeexchange.techtarget.com/it-governance/auditing-business-continuity-and-disaster-recovery-part-iii/#comments Fri, 25 Nov 2011 20:41:14 +0000 Robert Davis http://itknowledgeexchange.techtarget.com/it-governance/?p=1093 As with a business continuity plan (BCP); a disaster recovery plan (DRP) contains the consistent actions to be undertaken prior to, during and after a disaster. A sound DRP is built from a comprehensive planning system, involving all of the entity’s business processes. Disaster recovery strategies include, but are not limited to:
 disaster insurance
 reciprocal agreements
 redundant data centers
 the use of alternate sites
 telecommunication links
 business impact analyses
 legal liabilities assessments

View Part I of the Auditing Business Continuity and Disaster Recovery series here

]]> http://itknowledgeexchange.techtarget.com/it-governance/auditing-business-continuity-and-disaster-recovery-part-iii/feed/ 0 Auditing Business Continuity and Disaster Recovery – Part II http://itknowledgeexchange.techtarget.com/it-governance/auditing-business-continuity-and-disaster-recovery-part-ii/ http://itknowledgeexchange.techtarget.com/it-governance/auditing-business-continuity-and-disaster-recovery-part-ii/#comments Tue, 22 Nov 2011 21:07:19 +0000 Robert Davis http://itknowledgeexchange.techtarget.com/it-governance/?p=1090 For most professionals, business continuity planning refers to the process for developing advance arrangements and procedures enabling an entity to respond to service interruptions in such a manner that critical business functions continue at projected levels. In other words, business continuity planning is the act of proactively strategizing a method to prevent, if possible, and manage, if necessary, the consequences of a disaster; while limiting crisis consequences to the extent that an entity can absorb the impact. As a result, though it often ranks in the lower-half in importance, business continuity planning is on most top-ten governance lists of strategic entity issues.

View Part I of the Auditing Business Continuity and Disaster Recovery series here

]]> http://itknowledgeexchange.techtarget.com/it-governance/auditing-business-continuity-and-disaster-recovery-part-ii/feed/ 0 Auditing Business Continuity and Disaster Recovery – Part I http://itknowledgeexchange.techtarget.com/it-governance/auditing-business-continuity-and-disaster-recovery-part-i/ http://itknowledgeexchange.techtarget.com/it-governance/auditing-business-continuity-and-disaster-recovery-part-i/#comments Fri, 18 Nov 2011 21:00:30 +0000 Robert Davis http://itknowledgeexchange.techtarget.com/it-governance/?p=1088 After a catastrophic incident or event; losing the capability to process, retrieve, and protect information maintained electronically can significantly affect an entity’s ability to accomplish its mission. For this reason, an entity should have: (1) controls in place to protect information assets as well as minimize the risk of unplanned interruptions, and (2) a plan to recover critical operations should interruptions occur. Consequently, these plans should consider the activities performed at general support facilities, such as data processing centers and telecommunications facilities, as well as the activities performed by users of specific resources.

]]> http://itknowledgeexchange.techtarget.com/it-governance/auditing-business-continuity-and-disaster-recovery-part-i/feed/ 0 Business Continuity and IT Availability – Part VIII http://itknowledgeexchange.techtarget.com/it-governance/business-continuity-and-it-availability-part-viii/ http://itknowledgeexchange.techtarget.com/it-governance/business-continuity-and-it-availability-part-viii/#comments Tue, 26 Jul 2011 20:04:12 +0000 Robert Davis http://itknowledgeexchange.techtarget.com/it-governance/?p=987 Directly, an entity’s DRP has a significant affect on the viability of IT and information security governance programs. Indirectly, IT and information security governance programs may impact stakeholder assessed entity value. Regardless of organizational formation — corporation, partnership, co-operative, or agency — management has a generally accepted duty to plan and enact strategies permitting the entity’s survival under less than idealistic conditions. Literally, adequate business continuity management (BCM) requires securing assets that offset catastrophic events. Therefore, management should ensure ‘best practices’ DRP is deployed within the IT and information security governance frameworks as well as visibly communicate commitment expectations for sustaining a sound and effective continuity program.

View Part I of the Business Continuity and IT Availability series here

]]> http://itknowledgeexchange.techtarget.com/it-governance/business-continuity-and-it-availability-part-viii/feed/ 0 Business Continuity and IT Availability – Part VII http://itknowledgeexchange.techtarget.com/it-governance/business-continuity-and-it-availability-part-vii/ http://itknowledgeexchange.techtarget.com/it-governance/business-continuity-and-it-availability-part-vii/#comments Fri, 22 Jul 2011 17:35:49 +0000 Robert Davis http://itknowledgeexchange.techtarget.com/it-governance/?p=985 Through establishment and deployment of an emergency management program, top-level personnel can send a clear message to everyone in the entity that business continuity and disaster recovery control responsibilities are taken seriously. If properly institutionalized, lower-level personnel will endeavor to understand germane aspects of the entity’s continuity systems, and how they operate, as well as their own roles and responsibilities within the control program.

Within the confidentiality, integrity, and availability (C-I-A) triad; pertinent financial and non-financial information relating to external or internal events, as well as daily activities, should be identified, captured, and communicated properly and in a timely manner to decision makers. When required, established entity communication channels should permit authorized information flows throughout the organizational structure, with all relevant internal and external data reliably conveyed to intended recipients.

View Part I of the Business Continuity and IT Availability series here

]]> http://itknowledgeexchange.techtarget.com/it-governance/business-continuity-and-it-availability-part-vii/feed/ 0