MANAGING THE IT FUNCTION - PowerPoint PPT Presentation

1 / 103
About This Presentation
Title:

MANAGING THE IT FUNCTION

Description:

Chapter Five MANAGING THE IT FUNCTION Disaster Recovery Backup Strategy Fully mirrored recovery operations Requires building that have linkages between the live site ... – PowerPoint PPT presentation

Number of Views:200
Avg rating:3.0/5.0
Slides: 104
Provided by: Prefer663
Category:

less

Transcript and Presenter's Notes

Title: MANAGING THE IT FUNCTION


1
Chapter Five
  • MANAGING THE IT FUNCTION

2
Organizing the IT Function
  • The IT Function must be organized and structured.
  • IT Manager must define the role and articulate
    the value of the IT Function.
  • Configuration within a company depends on
    external and internal organizational factors.
  • Sound internal controls are essential to the
    structural framework.

3
Locating the IT Function to whom should the IT
manager report?
  • Important ramifications on It Managers
  • Ability to acquire needed resources
  • Ability to prioritize workloads.

4
Locating the IT Function
  • Consider segregation of incompatible duties.
  • Must vest in different people
  • Authorizing Transactions
  • Recording Transactions
  • Maintaining Custody of Assets
  • Can be accomplished with judicious choices with
    respect to
  • placing the IT function in the organization
  • integrating programmed controls into computing
    infrastructures and applications.

5
Should the IT manager report to the accounting
manager?
  • Good Idea!
  • Most IT applications deal with accounting
    transactions! So everyone would benefit by
    having the accounting manager involved from the
    start.
  • Bad Idea!
  • Most controllers perform 2 of the 3 incompatible
    duties. This would make 3 of the 3.
  • Fraud would be difficult to detect.

6
Should the IT manager report to another
operations or administrative manager?
  • Good Idea! Many software applications deal with
    these areas.
  • Bad Idea!
  • Many managers can authorize transactions, so
    custody of computing assets would attribute them
    with 2 of the 3 incompatible duties.
  • Other managers would not likely have the
    expertise to guide and support an IT manager.
  • Managers would likely give priority to their own
    IT needs and less to the rest of the company.
  • The IT function may not have access to upper
    management for influencing decisions about
    placing priorities and setting strategies.

7
Should the IT manager report alongside another
line managers?
  • Good Idea!
  • Politically strong to compete for resources and
    set priorities and strategies.
  • CEO has responsibility over, but rarely performs
    the 3 incompatible duties.
  • With sound internal controls, can be effectively
    managed.

8
Should the IT manager report above another line
managers?
  • In a VP position, the IT manager can
  • coordinate strategies
  • set standards
  • establish priorities across the entire
    organization
  • This structure allows the IT managers, who report
    to the Vice President, to focus on local issues
    and needs.

9
Chief Executive Officer (CEO)
Vice President Information Technology
Vice President North American Operations
Vice President Foreign Operations
Research Operations Manager
Human Resources Manager
Finance Accounting Manager
Information Technology Manager
Sales Marketing Manager
10
(No Transcript)
11
Designing the IT Function
  • Designing the ultimate structure of the IT
    function is often determined by cultural,
    political and economic forces inherent in each
    organization.

12
Internal control considerations within an IT
function
  • Separate from one another
  • systems development
  • computer operations
  • computer security

13
Systems Development
  • Staff has access to operating systems, business
    applications and other key software.
  • Systems developers are authorized to create and
    alter software logic, therefore, they should not
    be allowed to process information
  • They should not maintain custody of corporate
    data and business applications.

14
Computer Operations
  • Operation staff are responsible for
  • Entering Data (similar to the internal control
    concept of authorizing transactions)
  • Processing information (similar to the internal
    control concept of recording transactions)
  • Disseminating Output (similar to the internal
    control concept of maintaining custody)
  • Must segregate duties.

15
Computer Security
  • Responsible for the safe-keeping of resources
  • includes ensuring that business software
    applications are secure.
  • responsible for the safety (custody) of
    corporate information, communication networks and
    physical facilities
  • Systems analysts and programmers should not have
    access to the production library.

16
IT Function Manager
Systems Development Manager (a)
Computer Operations Manager (b)
Computer Security Manager (c)
User Services Manager
Systems Analysis (a)
Data Input (a)
Technical Support
Software Security
Computer Programming (b)
Information Processing (b)
Application Support
Information Security
Information Output (c)
Database Administration (c)
User Training
Network Security
Continuity of Operations
Help Desk
Physical Security
Quality Control
17
IT Auditors examination of the IT Function
  • Auditors should ensure that systems developers
    and computer operators are segregated.
  • It is also advisable for the IT function to form
    a separate security specialization to maintain
    custody of software applications and corporate
    data.

18
Funding the IT Function
  • Must be adequately funded to fulfill strategic
    objectives.
  • Business risk of under-funding
  • Needs and demands of customers, vendors,
    employees and other stakeholders will go
    unfulfilled.
  • can adversely impact the success of the company.
  • Audit risk of under-funding
  • Heavy workloads can lead to a culture of working
    around the system of internal controls

19
Two funding approaches
  • 1. Cost Center Approach
  • Submit detailed budget to upper management
  • Justify each line item
  • Use the IT function scorecard approach
  • Operational Performance
  • User satisfaction
  • adaptability and scalability
  • Organizational contribution

20
Two funding approaches
  • 2. Profit Center Approach
  • Submit detailed budget to upper management.
  • Charge internal users for services through
    intra-company billing.
  • Positive Outcome Managers will not be overly
    demanding of IT services
  • Negative Outcome IT can build excessive expenses
    into billing rates until the rates exceed costs
    of outside providers.

21
Billing Rates
  • Independent Party within the company should
    compare rates to outside services.
  • IT Auditor should
  • Confirm that reasonableness check is performed at
    least annually to ensure that billing rates are
    not excessive

22
Acquiring IT Resources
  • IT manager should justify IT Capital projects
    using a methodological approach.
  • Determine the net benefit
  • Present value of benefits minus costs
  • Use Scorecard approach for non-quantifiable
    paybacks.

23
Example with Scorecard Approach
  • Justify the in-house development of web-based
    customer ordering system

Scorecard Action
Operational Performance Estimate the increased number of sales the system will handle each day. Determine faster speed of each sale.
User Satisfaction Survey customers for what they need and how they would receive proposed system.
Adaptability Scalability Forecast increased sales. Show how new system integrates with existing accounting inventory systems.
Organizational Contribution Perform net benefit analysis. Estimate financial costs benefits.
24
Staffing the IT Function
  • Business and audit risks can be effectively
    controlled via sound human resource procedures in
    the areas of hiring, rewarding and terminating
    employees.

25
HIRING
  • Should have formal procedures that are followed
  • Each job should have a substantive description of
    responsibilities and procedures.

26
Recruiting
  • Carefully plan and execute each step in
    compliance with company policy.
  • Identify Needs
  • Write a job description
  • Obtain permissions
  • Advertise
  • Accept Applications
  • Review Applications

27
Verifying
  • Extent depends on the position, but all
    candidates should have some checking.
  • Contact references, both personal and
    professional.
  • Conduct Background checks
  • Verify Education
  • Checks for criminal or civil violations
  • Document everything!

28
Testing
  • Written and/or oral tests can be administered to
    test skills.
  • Company must be consistent in testing procedures.

29
Interviewing
  • Follow Sound Procedures
  • Follow Company, Regulatory Statutory Rules
  • Steps of interviewing
  • Select appropriate interviewers
  • Develop an internal interview schedule
  • Arrange for interviews with interviewees
  • Conduct the interviews

30
REWARDING
  • It is important to continually challenge and
    motivate employees.
  • Improperly rewarding employees may result in
    business and audit risks

31
Rewarding
  • Business risks
  • might develop a bad attitude toward the IT
    manager and the company
  • leads to
  • lower productivity
  • frustration
  • turnover
  • Audit risks
  • employees can become bored and disgruntled
  • engage in mischievous and criminal behaviors
  • can threaten the availability, accuracy, security
    and reliability of corporate information

32
Evaluating
  • Most common is the annual review.
  • The evaluation process must have structure and
    reasonableness.
  • Evaluator must be as fair as possible to prevent
    frustration and resentment.

33
Compensating
  • The company should strive to compensate employees
    at least as well as peer organizations.
  • Turnover
  • Can cause productivity losses
  • Replacement costs are high
  • Risks the availability and reliability of systems
  • Employees take sensitive information to
    competitors

34
Compensation IssuesEqual Pay for Equal Work
  • IT Function must not discriminate in appearance
    or substance among employees.
  • Test by comparing the compensation packages of
    employees holding similar positions.

35
Compensation IssuesCompression and Inversion
  • Compression The compensation of newly hired
    employees gets very close to experienced
    employees in similar positions or the
    compensation of subordinates is nearly the same
    as their superiors.
  • Inversion The compensation of new hires is
    greater than more experienced employees in the
    same position, or the compensation of
    subordinates exceeds that of superiors.

36
Promoting
  • Should be based on merit
  • Compensation should be commensurate with the new
    jobs role and responsibilities.
  • Must be formal written procedures that are
    consistently followed.

37
Learning
  • Training benefits the employee, the employer and
    society as a whole. Failure to offer learning
    opportunities create
  • Business Risk
  • potential loss of competitive positioning due to
    an uneducated workforce
  • low employee morale
  • Audit Risk
  • stagnate and frustrated employees
  • attitude of complacency toward internal controls
  • or utter disregard for internal controls

38
Terminating
  • A disgruntled employee can disrupt the companys
    systems and controls.
  • The IT function needs to design and implement
    countervailing controls
  • backup procedures
  • checks-and-balances
  • cross-training
  • job rotations
  • mandated vacations
  • immediately separate them from the computing
    environment
  • terminate all computer privileges

39
Directing the IT FunctionAdministering the
Workflow
  • Effective capacity planning
  • Schedule and perform the work
  • Have enough resources for peaks yet minimize idle
    time
  • Develop formal workload schedules
  • Monitor performance
  • Denote actual-to-planned workload variances
  • Continually adjust

40
Managing the Computing Environment
  • Responsible for the computing infrastructure
  • Computer hardware
  • Network hardware
  • Communication systems
  • Operating systems
  • Application softtware and data files

41
Managing the Computing Environment
  • The IT manager must
  • understand how the infrastructure elements work
    together.
  • establish policies for acquiring, disposing, and
    accounting for inventory
  • track rented equipment and software
  • comply with licensing agreements

42
Managing the Computing Environment
  • The IT manager must ensure the physical
    environment is safe for humans and computers with
  • Fire suppression systems in place
  • A tested fire evacuation plan
  • A climate controlled environment
  • Facilities that are inconspicuous in location and
    design
  • Compliance with appropriate safety and health
    regulations

43
Third Party Services
  • Examples
  • Internet service providers (ISP)
  • Communication companies
  • Security firms
  • Call centers
  • Offer economies of scale
  • Use of 3rd party services is increasing .

44
Third Party ServicesKey Issues
  • Policies must be established for purchase, use,
    and termination of 3rd party services.
  • Must have legally binding contracts.
  • Must ensure the security and confidentiality of
    company information.
  • Must have a plan for disruption of services.
  • Must have backup and recover plan in place.

45
Assisting UsersTraining and Education
  • Identify training needs.
  • Design curricula.
  • Deliver programs.
  • Use outside training programs.

46
Assisting UsersHelp Desk
47
Assisting UsersHelp Desk
  • . The IT manager needs to design and monitor
    effective ways to assist users when they request
    help.
  • Must create an atmosphere of mutual trust and
    respect between the IT function and user
    community.
  • Effective handling of problems and incidences
    requires a formal set of policies and procedures.

48
Assisting UsersHelp Desk
  • Requests for help generally arise from users
    lack of understanding about how applications
    work.
  • Problems and incidences reflect improperly
    functioning elements of the computing
    infrastructure, and require the intervention of
    experienced technicians and programmers.

49
Controlling the IT Function
  • The major control categories involved in the IT
    function are
  • Security
  • Input
  • Processing
  • Output
  • Databases
  • backup and recovery
  • Each of these categories is intended to minimize
    business and audit risk via internal controls.

50
Security Controls
  • Secure the computing infrastructure from internal
    and external threats.
  • A compromise of the infrastructure can result in
  • business risk
  • network downtime
  • database corruption
  • audit risk
  • material misstatements in accounts due to
    incomplete or inaccurate data capturing

51
Physical Security
  • Focuses on keeping facilities, computers,
    communication equipment and other tangible
    aspects of the computing infrastructure safe from
    harm.

52
Physical SecurityAccess Restriction
  • Only authorized personnel should be allowed into
    the facility.
  • Visitors should be accompanied by authorized
    personnel at all times.
  • Use at all ingress and egress points
  • --Security guards -- Keys lock
  • --Card readers -- Biometric devices
  • Penetration points should be adequately secured

53
Physical SecurityMonitor Access
  • Monitor who is entering, roaming and leaving the
    facility.
  • Security guards
  • Video Cameras
  • Penetration alarms
  • Review access evidence.
  • Signage log, paper or electronic
  • Formal review procedures in place.

54
Security Issue Physical Controls Logical Controls
Access Controls Security Guards Locks Keys Biometric Devices ID and Passwords Authorization Matrix Firewalls Encryption
Monitor Controls Security Guards Video Cameras Penetration Alarms Access logs Supervisory Oversight Penetration alarms
Review Controls Formal Reviews Signage Logs Violation Investigations Formal Reviews Activity Logs Violation Investigations
Penetrating Tests Unauthorized attempts to enter IT facilities Attempts to break in through vulnerable points As authorized visitor, attempts to leave authorized personnel and wander around the facility without oversight Unauthorized attempts to enter servers and networks Attempts to override access controls (hacking) As authorized user, attempts to use unauthorized applications and view unauthorized information
55
Physical SecurityCommunication Power Lines
  • The IT manager should
  • monitor the primary communication and power lines
    via cameras and guards
  • install secondary (backup) lines in case the
    primary lines fail.
  • Contingency plan must address the possible
    failure of lines.

56
Physical SecurityOff-Site Equipment
  • Equipment located in other places needs to be
    monitored in the same way.
  • Effective backup plan must be in place.

57
Logical Security
  • Data and software nature known as logical
    components of the infrastructure
  • Corporate data
  • Computer software
  • user applications
  • network systems
  • communication systems
  • operating systems

58
Sample Authorization Matrix
User 3 ID XXXXX, Password YYYYY
User 2x ID XXXXX, Password YYYYY
User 1 ID XXXXX, Password YYYYY
Applications
Information
A/R A/P
Add Edit Read Delete
Customers Vendors Sales Purchasing Receipt
s Payments
Add Edit Read Delete
Add Edit Read Delete
Add Edit Read Delete
Add Edit Read Delete
Add Edit Read Delete
59
Logical Security
  • Physical controls
  • most corporate data and software are located on
    computers, servers, storage devices
  • Computer controlled access, monitor review
    systems

60
Logical SecurityPoints of Entry
  • Computer Terminal
  • Supply Authorized ID
  • Password
  • Internet
  • Controls need to control external access Points
  • Firewalls
  • Track failed attempts to enter system

61
Logical SecurityAccess and Monitor Systems
  • Supervisory Oversight
  • Penetration alarms
  • Track usage patterns
  • Report failed attempts
  • Formal review procedure

62
Information Controls
  • Controls need to be in place and working
    effectively to ensure the integrity and accuracy
    of vital decision-making information.
  • Must Integrate sound backup controls.

63
Information ControlsInput Controls
  • The company must have and follow written
    procedures regarding the proper authorization,
    approval and input of accounting transactions.
  • These are incompatible functions.
  • they should be carefully segregated, to the
    extent possible, and controlled.

64
Information ControlsInput Controls 3
Scenarios- 1
  • A customer purchases goods at a store counter.
  • Authorizing the sale
  • A cashier records the sale on the cash register
  • Approving the sale, balances the register, logs
    the logs into the register with ID
  • An accounting clerk later processes cash register
    sales in batches.
  • Inputs sales transactions into accounting system
    in batches

65
Information ControlsInput Controls 3
Scenarios- 2
  • Same except cash register automatically records
    the sale into the accounting system.

66
Process Controls
  • Validating
  • Error Handling
  • Updating

67
Database Controls
  • Database processing involves simultaneous
    updating of multiple tables.
  • Multiple tables and data items can be
    instantaneously corrupted when an interruption
    occurs.

68
Database ControlsWhy corruption is so quick
  • Related tables are inexorably linked to one
    another.
  • Update routines often incorporate one or more of
    the following processing techniques
  • Multi-tasking -- where the computer executes more
    than one task program at a time
  • Multi-processing -- where multiple CPUs
    simultaneously execute interdependent tasks
    programs
  • Multi-threading -- where a computer executes
    multiple parts of a program threads at one
    time.

69
Database ControlsRoll-back and Recovery
  • Databases operate on a transaction principle.
  • A logical unit of work is considered a
    transaction.
  • The processing of a transaction takes the
    database from an initial state to an altered
    state, to the new initial state.
  • Each step must be completed.
  • Any failure will result in database corruption.

70
Database ControlsRoll-back and Recovery
  • When there is an interruption, the database
    management system (DBMS) begins to restore.
  • There are numerous technical processes depending
    on the DBMS in use.

71
Database ControlsRoll-back and Recovery Basic
Recovery
  • A unique identifier tags each transaction.
  • An activity log tracks the transaction as it
    processes.
  • After interruption, the DBMS identifies the
    transactions in process.
  • Roll-back procedure is performed
  • Uncompleted transactions placed back into queue
  • Recovery takes place.

72
Database ControlsConcurrency Control
  • Multiple users attempt to update the same data
    item simultaneously.
  • or when
  • One user is updating while another user is
    reading the same data item.

73
Database ControlsConcurrency Control
  • A common way to prevent concurrency problems is
    to lock a database object while it is in use and
    release the object upon completion.
  • The DBMS can determine which operation to perform
    in what order, as it timestamps each transaction
    when the processing request is initiated.

74
Database ControlsConcurrency Control Levels of
Granularity
  • Course level database is locked during updates.
  • No one can use the database until update is
    complete.
  • Moderate level Database locks at tuple (record)
    level.
  • No one else could use the record until update is
    finished.
  • Fine level Database locks at attribute (field)
    level.
  • Only the field being updated would be locked.

75
Database ControlsConcurrency Control Levels of
Granularity
  • Tradeoff
  • There is an inverse relationship between the
    granularity level and system performance.
  • A lower level of granular locking equates to
    slower computer performance.

76
Output controls
  • Only properly authorized parties can request
    certain output
  • computer screens
  • printed reports
  • Such logical access control is accomplished via
    the ID-password authorization matrix procedure.

77
Output controlsComputer Screens
  • Screens need to be physically secure when output
    is visible.
  • Output should be removed when user leaves the
    terminal.
  • Return to the screen should require a password.

78
Output controlsPrinted Reports
  • Printer rooms need trail of accountability.
  • Locks to prevent unauthorized access.
  • Logs to sign in anyone entering.
  • Logs to sign for reports.
  • End user report requests should be password
    protected.
  • Network printers should be placed where
    unauthorized persons will not have access.

79
Output controlsPrinted Reports
  • Must have record retention and destruction
    policies.
  • Mandated by regulatory agency.
  • Dictated by company policy.
  • Permanent reports must be in secured area.
  • Temporary reports must by properly destroyed.

80
(No Transcript)
81
Continuity Controls
  • Must develop and follow a sound backup strategy
    to prevent disruption of business activity due to
    computer failures and disasters.
  • Two key considerations downtime and cost.
  • Shorter downtime requirements equate to higher
    backup costs.

82
Impact Analysis Criteria
Level Impact Financial Criteria Reputation
5 Catastrophic Over 10 million National media coverage or major product withdrawal
4 Intolerable 5 to 10 million Local media coverage and reduced professional reputation
3 Major 1 to 5 million Media coverage in trade publications and customer complaints
2 Significant 50,000 to 1 million Limited coverage in media and some customer complaints
1 Minor Less than 50,000 Negligible impact on reputation
0 No Impact
83
Continuity ControlsBackup Controls Data Backup
  • Slow Company
  • Can Survive for days without its computer system.
  • Would perform full backup each week.
  • Medium Company
  • Must be back on computers same day.
  • Would perform weekly full backups
  • Daily incremental backups

84
Continuity ControlsBackup Controls Data Backup
  • Fast Company
  • Must be back on computers within hours
  • Needs daily full backup
  • Hourly incremental backups
  • Lightening Company
  • Must be back on computers within minutes
  • Needs real-time backup
  • Simultaneouse updating on remote computer

85
Continuity ControlsStorage location hardware
redundancy
  • Physical Vaulting
  • One backup on-site, one off-site
  • On site copy is readily accessible if no disaster
  • Off-site copy retrievable if disaster
  • Strategy involves more time and money

86
Continuity ControlsStorage location hardware
redundancy
  • Electronic Vaulting
  • Send backup data over a communications network
    (such as the Internet) to an off-site storage
    medium.
  • Send to home of employee.
  • Send to another company location.
  • Purchase outside service.
  • Costs and accessibility are considerations.

87
Continuity ControlsStorage location hardware
redundancy
  • Hardware Backup usually needed for component
    failures
  • Power supplies
  • Anything with moving parts
  • There are 3 common configurations for redundant
    storage devices
  • Redundant Array of Independent Disks (RAID)
  • Network Attached Storage (NAS)
  • Server Area Network (SAN)

88
Continuity ControlsRedundant Array of
Independent Disks (RAID)
  • Disk mirroring
  • Data is simultaneously written to the primary
    disk and one or more redundant disks
  • Disk striping
  • An array of at least three, but usually five,
    disks is established
  • scheme of parity checks is utilized
  • if one disk drive in the array fails, the
    remaining drives can reconstruct the data on the
    failed drive and continue processing

89
RAID Mirroring and Striping Disk Mirroring (RAID)
Duplicate Recording On single mirrored disk
90
RAID Mirroring and Striping Disk Striping (RAID)
Duplicate Recording On an array of disks
91
Continuity ControlsNetwork Attached Storage
(NAS)
  • Integrates one or more storage devices, (NAS
    appliances,) into the local area network (LAN) .
  • Comprised of one or more disk drives and an
    internal controller.
  • Employs RAID technology to ensure hardware
    redundancy.
  • Can be shared by multiple users on the network.
  • Appliances are relatively affordable and
    scalable

92
(No Transcript)
93
Continuity ControlsServer Area Network (SAN)
  • Expands NAS to wide area networks (WAN).
  • SAN is a dedicated network.
  • SAN can be linked to multiple LANs.
  • Multiple SANs can be simultaneously utilized.
  • SAN can be expensive and technically complicated
  • Capable of handling very high volumes
  • SAN is a great solution for large companies.
  • SAN is designed to be very fault tolerant.

94
LAN
Wide Area Network
Input-Output Controller
Storage Area Network (SAN)
Disk Storage
Disk Storage
Disk Storage
Disk Storage
95
Disaster Recovery Controls
  • The first step is to plan for various disaster
    scenarios
  • a) a single server is damaged
  • b) an entire company site is demolished
  • c) multiple company locations are simultaneously
    stuck with disaster
  • d) the entire company is destroyed?

96
Disaster Recovery Controls
  • IT managers and auditors should plan for what,
    who, when, where, how, which and why.
  • determine what just happened
  • specify who to contact, in what order, and what
    they are expected to do
  • when to enact the remainder of the contingency
    plan

97
Disaster Recovery Controls
  • where to transfer the lost computer processing
    load
  • Plan to shift to one or more alternate company
    locations
  • Establish contractual relationships with peer
    companies in the same industry
  • Affordable, but needs may not be a priority.
  • Compatibility problems with operation systems
  • Establish contractual relationships with
    third-party providers of alternate computing
    sites.

98
Disaster Recovery Backup Strategy
  • Fully mirrored recovery operations
  • Requires building that have linkages between the
    live site and the backup facility
  • Switchable Hot site facility
  • Arrangement with a vendor who will guarantee to
    maintain an identical site with communications to
    enable the transfer of all data processing within
    an agreed time period
  • Traditional hot site
  • Have a contract with a disaster recovery vendor
    with a compatible site
  • Cold Site
  • Includes building basic infrastructure
  • Establishing emergency site space to allow the
    enterprise to begin processing

99
Disaster Recovery Backup Strategy
  • Relocate and restore
  • Identification of a suitable location, hardware,
    and peripherals and the reinstallation of systems
    after an emergency has occurred
  • No Strategy
  • No backup and restore strategy

100
Disaster Recovery Controls
  • How is the company going to get the computer
    hardware, people, software and data to the
    alternate site?
  • Which applications are mission critical?
  • Why one application or set of applications is
    more time sensitive than another ?

101
DRP plans
  • Detailed descriptions of IT systems components,
    including both IT servers, storage resources and
    network connection
  • A summary of applications and key supporting data
  • Detailed descriptions of the servers and other
    hardware
  • The communication network, such as telephone,
    radio, wireless and Internet linkages
  • External, third party connections
  • IT infrastructure components, including logon
    services, software distribution and remote access
    services
  • All supporting information management systems,
    including file rooms and both electric and manual
    document management systems

102
Internal Audit DRP Review Points
  1. Review the existing DRP with the responsible
    manager
  2. Examine the contents and format of DRP
  3. Review the overall training and understanding of
    DRP
  4. Review the results of recent DRP tests
  5. Review of DRP backup procedures
  6. Prepare IT internal audit documentation assessing
    the overall adequacy of the organizations DRP

103
Disaster Recovery Controls
  • All affected parties need to be involved in
    planning phase.
  • The disaster recovery plan is a living document.
  • It must be reviewed and updated on a recurrent
    basis.
  • Everyone involved should be initially trained and
    required to attend periodic refresher sessions.
  • Portions of the recovery plan should be tested on
    an unannounced basis.
Write a Comment
User Comments (0)
About PowerShow.com