All entities that use IT and data in their
operations have a need for a backup and recovery
plan. The plan should enable the entity to recover
lost data and to recover computer operations
from a loss of data. At the low end of need, the
entity may experience a data loss (e.g., corrupted
data) and simply need to restore a backup of
data. At the high end of need, the entity may
experience loss of computer operations and
more, from a pandemic event (e.g., fire, flood,
tornado or hurricane).
Entities that have a high risk regarding
backup and recovery include, at least, those
that rely heavily on IT and data to conduct
business, operate solely online (e-commerce)
and operate 24/7. More than likely, all Fortune
1,000 enterprises are at a high risk; however, a
small entity that uses cutting-edge IT and whose
business processes are heavily reliant on IT is also
at a high risk.
This column attempts to explain the principles
of an effective backup and recovery plan and
to provide some guidance for conducting an IT
audit for backup and recovery.
Data
Management should provide for a means to
back up relevant data on a regular basis. The
principle for regular data backups is to back
up data daily. That backup could be to media
(e.g., tape or external hard drive), or it could
be to a remote location via the cloud (i.e., the
Internet). If an enterprise is backing up to media,
the aforementioned principle recommends that
backups be conducted to a different media for
end-of-week and end-of-month backups (this
daily, weekly and monthly set of backups is
known as “grandfather-father-son”).
The next concern is whether the backup
process is reliable. Therefore, upon using a new
backup methodology or technology, management
should provide a means to test the data afterward
to ensure that the process is actually recording all
of the data onto the target backup device.
Another concern is where the backup is
stored. If it is stored onsite and if the entity
suffers a pandemic event such as a fire, the
event would destroy the operational data and
the backup data. Thus, the backup principle for
storage is to provide a location that is at a safe
distance from the entity’s location. The cloud
automatically provides this element.
Additionally, management should provide a
test for restoring the backup at least once a year.
That test should be documented, even if it is just
a screenshot showing the data restored.
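An added example, not part of the original article: one way to run and document the restore test described above, by comparing SHA-256 digests recorded at backup time against the restored files and writing a dated evidence record. The function names, the sample files and the 365-day window (modelling "at least once a year") are assumptions made for illustration.

```python
import hashlib
import json
import tempfile
from datetime import date
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest.

    Taken at backup time, this is the reference a later restore is checked against.
    """
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def verify_restore(source_manifest, restored_root, test_date):
    """Compare a restored tree with the backup-time manifest; return an evidence record."""
    restored = build_manifest(restored_root)
    missing = sorted(set(source_manifest) - set(restored))
    unexpected = sorted(set(restored) - set(source_manifest))
    mismatched = sorted(
        p for p in source_manifest.keys() & restored.keys()
        if source_manifest[p] != restored[p]
    )
    return {
        "test_date": test_date.isoformat(),
        "files_expected": len(source_manifest),
        "files_restored": len(restored),
        "missing": missing,          # in the source, absent from the restore
        "mismatched": mismatched,    # restored, but content differs
        "unexpected": unexpected,    # restored, but never in the source
        "passed": not (missing or mismatched),
    }


def evidence_is_current(record, as_of, max_age_days=365):
    """True if the record shows a passing restore test within the last year (assumed window)."""
    age = (as_of - date.fromisoformat(record["test_date"])).days
    return record["passed"] and 0 <= age <= max_age_days


def demo():
    """Constructed sample data: one complete restore and one incomplete restore."""
    files = {
        "ledger/gl.csv": b"acct,amount\n1000,250.00\n",
        "ledger/ap.csv": b"vendor,amount\nacme,75.10\n",
        "hr/payroll.dat": b"\x00\x01payroll",
    }
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "source")
        good = Path(tmp, "restore_good")
        bad = Path(tmp, "restore_bad")
        for rel, data in files.items():
            for root in (source, good, bad):
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        # Simulate a backup that silently skipped one file and truncated another.
        (bad / "ledger/ap.csv").unlink()
        (bad / "hr/payroll.dat").write_bytes(b"\x00\x01pay")

        manifest = build_manifest(source)
        test_day = date(2011, 6, 30)
        return (
            verify_restore(manifest, good, test_day),
            verify_restore(manifest, bad, test_day),
        )


if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record, indent=2))
```

The JSON record is the documentation of the test; an auditor reviewing it can check both the result and the date rather than relying on a screenshot alone.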
Computer Operations
The purpose of the computer operations piece of
a backup and recovery plan is to recover from a
broad, adverse effect on the computer systems
of the entity (figure 1). This part of the plan
is commonly called a business continuity plan
(BCP) or disaster recovery plan (DRP).¹ The
adverse event could be systems-related, such as
the failure of a mainframe computer to operate,
or it could be the result of a natural disaster, such
as a fire that destroys some or all of the computer
systems and data.
Figure 1—Recovery Principles
• Identify and rank critical applications.
• Create a recovery team with roles and
responsibilities.
• Provide a backup for all essential components of
computer operations.
• Provide for regular and effective testing of the plan.
Obviously, this plan is much more involved
than simply making a backup of data and being
able to restore it effectively when necessary. In
this case, it may be necessary to restore everything
about the infrastructure: computers, operating
systems (OSs), applications and data. Even
systems documentation and computer supplies
could be involved.
The principles of developing a BCP/DRP
include a step to identify the critical applications
and rank them in importance of operations. This
list becomes strategically valuable if ever needed
in providing the recovery team with a blueprint
of how to restore application software.
Tommie W. Singleton, Ph.D.,
CISA, CGEIT, CITP, CPA, is
an associate professor of
information systems (IS) at
the University of Alabama at
Birmingham (USA), a Marshall
IS Scholar and a director
of the Forensic Accounting
Program. Prior to obtaining his
doctorate in accountancy from
the University of Mississippi
(USA) in 1995, Singleton was
president of a small, value-
added dealer of accounting
IS using microcomputers.
Singleton is also a scholar-
in-residence for IT audit
and forensic accounting at
Carr Riggs Ingram, a large
regional public accounting
firm in the southeastern US. In
1999, the Alabama Society of
CPAs awarded Singleton the
1998–1999 Innovative User of
Technology Award. Singleton is
the ISACA academic advocate
at the University of Alabama
at Birmingham. His articles on
fraud, IT/IS, IT auditing and IT
governance have appeared in
numerous publications.
What Every IT Auditor Should Know About
Backup and Recovery
1 ISACA JOURNAL VOLUME 6, 2011
Principles of backup and recovery suggest that the most
important step is to provide a full test of the BCP/DRP at some
regular interval to ensure that it actually works and to improve
the plan to be more efficient and effective. Ideally, it would be
tested annually, but for larger or more complex environments,
once every three years may be sufficient. Often, internal audit or
IT would conduct the test. That test can include as much reality
as needed, including something as radical as unplugging the
computer in the main computer center.
Another principle, and obvious need, is to create a
recovery team. The team should include all of the functions
and roles necessary to quickly and completely restore
computer operations. There should be a document that
identifies all of the members of the teams, their respective
roles and the steps each would take in restoring operations.
The heart of a BCP/DRP is to provide a backup means of
providing the essential components of computer operations
(figure 2).
Figure 2—Computer Operations Essential
Components to Back Up
• Site/facility
• Computers and infrastructure (hardware)
• OS
• Applications (software)
• Data
• Supplies
• Documentation
• Personnel
The site should include a building, electricity, furniture
and other basic needs for housing the computer operations.
Typically, the site follows the same principle as storage of
backup data in that it is located a safe distance from the
entity’s facility, but not too far to reach in a timely manner if it
is necessary to recover operations.
The hardware aspect does not necessarily require
the restoration of a full complement of computers and
infrastructure, but it does require the minimum degree of
computers and infrastructure to temporarily restore computer
operations. For instance, most entities have one or more
servers, and at least one of those servers will be needed to
restore operations, but maybe not all of them. Likewise, some
semblance of the network will need to be restored. Enough
computers will need to be restored to conduct the essential
business processes as determined by the plan.
The OSs on the computers and servers will need a backup.
That includes the network OS and server (e.g., mainframe).
There needs to be a backup of all relevant applications.
The list of critical applications mentioned previously will
provide the list of applications that need a backup and the
order in which to restore them.
As discussed previously, data backup can be stored offsite
at or near a location close to the backup site, or it can be stored
in the cloud for easy and efficient data restoration. The list of
applications provides the primary source of data needed.
The plan should include a means of providing supplies
such as preprinted forms (e.g., checks, invoices), as well as
consumable computer supplies (e.g., printer ink). This can
be provided by storing a reasonable quantity of supplies at or
near the backup site or by having a contract with a vendor to
provide them on short notice.
Certain manuals will be needed as well, including user
and technical manuals. These manuals are needed because
members of the recovery team may not normally do some of
the business processes.
Last, the plan should provide for adequate personnel to
maintain necessary computer operations. The recovery team is
usually a key part of the personnel element.
There are some common methodologies used to provide for
the first few elements. Utilizing a hot site is an approach that
usually provides for the site (e.g., building, electricity, furniture),
computer and OS (specifically the server and/or mainframe the
entity uses, which is up and running) needs. When using a hot
site, recovery gets a “jump start,” allowing the entity to take its
data backups and applications backups and begin the remainder
of the process to restore computer operations.
A cold site, however, provides only the site aspect. If the
entity chooses a cold site, it would need some way to provide
backup for computers and the OS (possibly a backup of
the OS on media). A mutual aid pact involves the broadest
scope of backup. In this approach, the two entities use the
same computer, OS and, often, applications. For example,
a large retailer has two branches back up data to another
branch and, then, uses the systems at the other location to
restore operations. This approach is inexpensive and has less
associated risk.
The scope of what an IT auditor would do to test and
collect evidence about backup and recovery depends on the
type of audit involved and the risks (figure 3). In an internal
audit or special IT review, the objectives of management
would dictate the scope.
Figure 3—Possible Tests/Procedures
for Backup and Recovery
Data
• Review or observe backup procedures.
• Review documentation of a successful restore
(within the last year).
• Verify restoration personally (when risk is high
or restoration is an audit objective).
Site/computers/OS
• Review the provisions of the BCP/DRP.
• Review a contract (hot site, cold site, mutual
aid, etc.).
• Verify the ability to restore these aspects.
Applications
• Review the plan’s provisions.
• Review the critical applications list,
including ranking.
• Verify the ability to restore (personally, when
risk is high or restoration is an audit objective).
• Observe or inquire about the backups of
application software and location.
Supplies/documentation
• Review the plan’s provisions.
• Observe or inquire about the provisions
and location.
Recovery team
• Review the plan’s provisions.
• Interview one or more members of the team,
and ask about roles and responsibilities.
• Gain assurance that there is provision
for adequate personnel for a successful
restoration.
For a financial audit, the scope of testing would be
concomitant with the nature and complexity of IT, which
is directly correlated to the risk that IT presents to the risk
of material misstatement. Thus, an entity with standard
commercial equipment and applications, with only one server
and a limited number of computers (i.e., simple IT), would
need a low-level, simple audit procedure. The IT auditor
would probably use a simple test for the backup of data (e.g.,
a screenshot showing that a test restoration was successfully
conducted in the fiscal year). The IT auditor would definitely
want to review the data backup procedures and the BCP/DRP.
Procedures would also likely involve some questions about
backup and recovery of the chief information officer or similar
position’s data, but the procedures would probably not include
testing the recovery of a data backup or testing the full BCP/DRP.
However, if IT were highly sophisticated and spread
across multiple locations, there would be a need for more
powerful and complex test procedures and more evidence.
Conclusion
All entities must consider and provide a plan for backup and
recovery. The IT auditor would want to test the recovery of
data and computer operations, but only to the level necessary.
When risks or objectives call for simple tests, the IT auditor
needs to develop low-level, simple tests that will provide
adequate evidence. For more complex situations, more
complex and powerful tests are needed to provide assurance
that backup and recovery will be successful—especially in the
case of a pandemic event.
Endnote
¹ BCP and DRP are different and separate processes, but for
the sake of this article, they will be referred to as one unit.

Lundin Gold - Q1 2024 Conference Call Presentation (Revised)Adnet Communications
 
Moradia Isolada com Logradouro; Detached house with patio in Penacova
Moradia Isolada com Logradouro; Detached house with patio in PenacovaMoradia Isolada com Logradouro; Detached house with patio in Penacova
Moradia Isolada com Logradouro; Detached house with patio in Penacovaimostorept
 
Goal Presentation_NEW EMPLOYEE_NETAPS FOUNDATION.pptx
Goal Presentation_NEW EMPLOYEE_NETAPS FOUNDATION.pptxGoal Presentation_NEW EMPLOYEE_NETAPS FOUNDATION.pptx
Goal Presentation_NEW EMPLOYEE_NETAPS FOUNDATION.pptxNetapsFoundationAdmi
 
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...ssuserf63bd7
 
Pre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered  Building Manufacturers Hyderabad.pptxPre Engineered  Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptxRoofing Contractor
 

Recently uploaded (20)

MEHSANA 💋 Call Girl 9827461493 Call Girls in Escort service book now
MEHSANA 💋 Call Girl 9827461493 Call Girls in  Escort service book nowMEHSANA 💋 Call Girl 9827461493 Call Girls in  Escort service book now
MEHSANA 💋 Call Girl 9827461493 Call Girls in Escort service book now
 
QSM Chap 10 Service Culture in Tourism and Hospitality Industry.pptx
QSM Chap 10 Service Culture in Tourism and Hospitality Industry.pptxQSM Chap 10 Service Culture in Tourism and Hospitality Industry.pptx
QSM Chap 10 Service Culture in Tourism and Hospitality Industry.pptx
 
A DAY IN THE LIFE OF A SALESPERSON .pptx
A DAY IN THE LIFE OF A SALESPERSON .pptxA DAY IN THE LIFE OF A SALESPERSON .pptx
A DAY IN THE LIFE OF A SALESPERSON .pptx
 
Ital Liptz - all about Itai Liptz. news.
Ital Liptz - all about Itai Liptz. news.Ital Liptz - all about Itai Liptz. news.
Ital Liptz - all about Itai Liptz. news.
 
JIND CALL GIRL ❤ 8272964427❤ CALL GIRLS IN JIND ESCORTS SERVICE PROVIDE
JIND CALL GIRL ❤ 8272964427❤ CALL GIRLS IN JIND ESCORTS SERVICE PROVIDEJIND CALL GIRL ❤ 8272964427❤ CALL GIRLS IN JIND ESCORTS SERVICE PROVIDE
JIND CALL GIRL ❤ 8272964427❤ CALL GIRLS IN JIND ESCORTS SERVICE PROVIDE
 
WheelTug Short Pitch Deck 2024 | Byond Insights
WheelTug Short Pitch Deck 2024 | Byond InsightsWheelTug Short Pitch Deck 2024 | Byond Insights
WheelTug Short Pitch Deck 2024 | Byond Insights
 
Falcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business Growth
 
DUNGARPUR 💋 Call Girl 9827461493 Call Girls in Escort service book now
DUNGARPUR 💋 Call Girl 9827461493 Call Girls in  Escort service book nowDUNGARPUR 💋 Call Girl 9827461493 Call Girls in  Escort service book now
DUNGARPUR 💋 Call Girl 9827461493 Call Girls in Escort service book now
 
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
 
Putting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptxPutting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptx
 
Contact +971581248768 for 100% original and safe abortion pills available for...
Contact +971581248768 for 100% original and safe abortion pills available for...Contact +971581248768 for 100% original and safe abortion pills available for...
Contact +971581248768 for 100% original and safe abortion pills available for...
 
The Art of Decision-Making: Navigating Complexity and Uncertainty
The Art of Decision-Making: Navigating Complexity and UncertaintyThe Art of Decision-Making: Navigating Complexity and Uncertainty
The Art of Decision-Making: Navigating Complexity and Uncertainty
 
Arti Languages Pre Seed Teaser Deck 2024.pdf
Arti Languages Pre Seed Teaser Deck 2024.pdfArti Languages Pre Seed Teaser Deck 2024.pdf
Arti Languages Pre Seed Teaser Deck 2024.pdf
 
UJJAIN CALL GIRL ❤ 8272964427❤ CALL GIRLS IN UJJAIN ESCORTS SERVICE PROVIDE
UJJAIN CALL GIRL ❤ 8272964427❤ CALL GIRLS IN UJJAIN ESCORTS SERVICE PROVIDEUJJAIN CALL GIRL ❤ 8272964427❤ CALL GIRLS IN UJJAIN ESCORTS SERVICE PROVIDE
UJJAIN CALL GIRL ❤ 8272964427❤ CALL GIRLS IN UJJAIN ESCORTS SERVICE PROVIDE
 
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
 
Moradia Isolada com Logradouro; Detached house with patio in Penacova
Moradia Isolada com Logradouro; Detached house with patio in PenacovaMoradia Isolada com Logradouro; Detached house with patio in Penacova
Moradia Isolada com Logradouro; Detached house with patio in Penacova
 
Goal Presentation_NEW EMPLOYEE_NETAPS FOUNDATION.pptx
Goal Presentation_NEW EMPLOYEE_NETAPS FOUNDATION.pptxGoal Presentation_NEW EMPLOYEE_NETAPS FOUNDATION.pptx
Goal Presentation_NEW EMPLOYEE_NETAPS FOUNDATION.pptx
 
Home Furnishings Ecommerce Platform Short Pitch 2024
Home Furnishings Ecommerce Platform Short Pitch 2024Home Furnishings Ecommerce Platform Short Pitch 2024
Home Furnishings Ecommerce Platform Short Pitch 2024
 
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
 
Pre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered  Building Manufacturers Hyderabad.pptxPre Engineered  Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptx
 

What every IT audit should know about backup and recovery

What Every IT Auditor Should Know About Backup and Recovery
ISACA JOURNAL VOLUME 6, 2011

Tommie W. Singleton, Ph.D., CISA, CGEIT, CITP, CPA, is an associate professor of information systems (IS) at the University of Alabama at Birmingham (USA), a Marshall IS Scholar and a director of the Forensic Accounting Program. Prior to obtaining his doctorate in accountancy from the University of Mississippi (USA) in 1995, Singleton was president of a small, value-added dealer of accounting IS using microcomputers. Singleton is also a scholar-in-residence for IT audit and forensic accounting at Carr Riggs Ingram, a large regional public accounting firm in the southeastern US. In 1999, the Alabama Society of CPAs awarded Singleton the 1998–1999 Innovative User of Technology Award. Singleton is the ISACA academic advocate at the University of Alabama at Birmingham. His articles on fraud, IT/IS, IT auditing and IT governance have appeared in numerous publications.

All entities that use IT and data in their operations have a need for a backup and recovery plan. The plan should enable the entity to recover lost data and to recover computer operations from a loss of data. At the low end of need, the entity may experience a data loss (e.g., corrupted data) and simply need to restore a backup of data. At the high end of need, the entity may experience loss of computer operations and more, from a pandemic event (e.g., fire, flood, tornado or hurricane).

Entities that have a high risk regarding backup and recovery include, at least, those that rely heavily on IT and data to conduct business, operate solely online (e-commerce) and operate 24/7. More than likely, all Fortune 1,000 enterprises are at a high risk; however, a small entity that uses cutting-edge IT and whose business processes are heavily reliant on IT is also at a high risk.

This column attempts to explain the principles of an effective backup and recovery plan and to provide some guidance for conducting an IT audit for backup and recovery.

Data

Management should provide for a means to back up relevant data on a regular basis. The principle for regular data backups is to back up data daily. That backup could be to media (e.g., tape or external hard drive), or it could be to a remote location via the cloud (i.e., the Internet). If an enterprise is backing up to media, the aforementioned principle recommends that backups be conducted to a different media for end-of-week and end-of-month backups (this daily, weekly and monthly set of backups is known as “grandfather-father-son”).

The next concern is whether the backup process is reliable. Therefore, upon using a new backup methodology or technology, management should provide a means to test the data afterward to ensure that the process is actually recording all of the data onto the target backup device.

Another concern is where the backup is stored. If it is stored onsite and if the entity suffers a pandemic event such as a fire, the event would destroy the operational data and the backup data. Thus, the backup principle for storage is to provide a location that is at a safe distance from the entity’s location. The cloud automatically provides this element.

Additionally, management should provide a test for restoring the backup at least once a year. That test should be documented, even if it is just a screenshot showing the data restored.

Computer Operations

The purpose of the computer operations piece of a backup and recovery plan is to recover from a broad, adverse effect on the computer systems of the entity (figure 1). This part of the plan is commonly called a business continuity plan (BCP) or disaster recovery plan (DRP).¹ The adverse event could be systems-related, such as the failure of a mainframe computer to operate, or it could be the result of a natural disaster, such as a fire that destroys some or all of the computer systems and data.

Figure 1—Recovery Principles
• Identify and rank critical applications.
• Create a recovery team with roles and responsibilities.
• Provide a backup for all essential components of computer operations.
• Provide for regular and effective testing of the plan.

Obviously, this plan is much more involved than simply making a backup of data and being able to restore it effectively when necessary. In this case, it may be necessary to restore everything about the infrastructure: computers, operating systems (OSs), applications and data. Even systems documentation and computer supplies could be involved.

The principles of developing a BCP/DRP include a step to identify the critical applications and rank them in importance of operations. This list becomes strategically valuable if ever needed in providing the recovery team with a blueprint of how to restore application software.
Another principle, and obvious need, is to create a recovery team. The team should include all of the functions and roles necessary to quickly and completely restore computer operations. There should be a document that identifies all of the members of the teams, their respective roles and the steps each would take in restoring operations.

The heart of a BCP/DRP is to provide a backup means of providing the essential components of computer operations (figure 2).

Figure 2—Computer Operations Essential Components to Back Up
• Site/facility
• Computers and infrastructure (hardware)
• OS
• Applications (software)
• Data
• Supplies
• Documentation
• Personnel

The site should include a building, electricity, furniture and other basic needs for housing the computer operations. Typically, the site follows the same principle as storage of backup data in that it is located a safe distance from the entity’s facility, but not too far to reach in a timely manner if it is necessary to recover operations.

The hardware aspect does not necessarily require the restoration of a full complement of computers and infrastructure, but it does require the minimum degree of computers and infrastructure to temporarily restore computer operations. For instance, most entities have one or more servers, and at least one of those servers will be needed to restore operations, but maybe not all of them. Likewise, some semblance of the network will need to be restored. Enough computers will need to be restored to conduct the essential business processes as determined by the plan.

The OSs on the computers and servers will need a backup. That includes the network OS and server (e.g., mainframe).

There needs to be a backup of all relevant applications. The list of critical applications mentioned previously will provide the list of applications that need a backup and the order in which to restore them.

As discussed previously, data backup can be stored offsite at or near a location close to the backup site, or it can be stored in the cloud for easy and efficient data restoration. The list of applications provides the primary source of data needed.

The plan should include a means of providing supplies such as preprinted forms (e.g., checks, invoices), as well as consumable computer supplies (e.g., printer ink). This can be provided by storing a reasonable quantity of supplies at or near the backup site or by having a contract with a vendor to provide them on short notice.

Certain manuals will be needed as well, including user and technical manuals. These manuals are needed because members of the recovery team may not normally do some of the business processes.

Last, the plan should provide for adequate personnel to maintain necessary computer operations. The recovery team is usually a key part of the personnel element.

There are some common methodologies used to provide for the first few elements. Utilizing a hot site is an approach that usually provides for the site (e.g., building, electricity, furniture), computer and OS (specifically the server and/or mainframe the entity uses, which is up and running) needs. When using a hot site, recovery gets a “jump start,” allowing the entity to take its data backups and applications backups and begin the remainder of the process to restore computer operations.

A cold site, however, provides only the site aspect. If the entity chooses a cold site, it would need some way to provide backup for computers and the OS (possibly a backup of the OS on media).

A mutual aid pact involves the broadest scope of backup. In this approach, the two entities use the same computer, OS and, often, applications. For example, a large retailer has two branches back up data to another branch and, then, uses the systems at the other location to restore operations. This approach is inexpensive and has less associated risk.

Principles of backup and recovery suggest that the most important step is to provide a full test of the BCP/DRP at some regular interval to ensure that it actually works and to improve the plan to be more efficient and effective. Ideally, it would be tested annually, but for larger or more complex environments, once every three years may be sufficient. Often, internal audit or IT would conduct the test. That test can include as much reality as needed, including something as radical as unplugging the computer in the main computer center.
The scope of what an IT auditor would do to test and collect evidence about backup and recovery depends on the type of audit involved and the risks (figure 3). In an internal audit or special IT review, the objectives of management would dictate the scope.

Figure 3—Possible Tests/Procedures for Backup and Recovery

Data:
• Review or observe backup procedures.
• Review documentation of a successful restore (within the last year).
• Verify restoration personally (when risk is high or restoration is an audit objective).

Site/computers/OS:
• Review the provisions of the BCP/DRP.
• Review a contract (hot site, cold site, mutual aid, etc.).
• Verify the ability to restore these aspects.

Applications:
• Review the plan’s provisions.
• Review the critical applications list, including ranking.
• Verify the ability to restore (personally, when risk is high or restoration is an audit objective).
• Observe or inquire about the backups of application software and location.

Supplies/documentation:
• Review the plan’s provisions.
• Observe or inquire about the provisions and location.

Recovery team:
• Review the plan’s provisions.
• Interview one or more members of the team, and ask about roles and responsibilities.
• Gain assurance that there is provision for adequate personnel for a successful restoration.

For a financial audit, the scope of testing would be concomitant with the nature and complexity of IT, which is directly correlated to the risk that IT presents to the risk of material misstatement. Thus, an entity with standard commercial equipment and applications, with only one server and a limited number of computers (i.e., simple IT), would need a low-level, simple audit procedure. The IT auditor would probably use a simple test for the backup of data (e.g., a screenshot showing that a test restoration was successfully conducted in the fiscal year). The IT auditor would definitely want to review the data backup procedures and the BCP/DRP. Procedures would also likely involve some questions about backup and recovery of the chief information officer or similar position’s data, but the procedures would probably not include testing the recovery of a data backup or testing the full BCP/DRP. However, if IT were highly sophisticated and spread across multiple locations, there would be a need for more powerful and complex test procedures and more evidence.

Conclusion

All entities must consider and provide a plan for backup and recovery. The IT auditor would want to test the recovery of data and computer operations, but only to the level necessary. When risks or objectives call for simple tests, the IT auditor needs to develop low-level, simple tests that will provide adequate evidence. For more complex situations, more complex and powerful tests are needed to provide assurance that backup and recovery will be successful—especially in the case of a pandemic event.

Endnote

¹ BCP and DRP are different and separate processes, but for the sake of this article, they will be referred to as one unit.
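
The column asks for a documented test restore and, where risk is high, for the auditor to verify restoration personally. The following Python is an added example, not part of the original column: it records SHA-256 hashes when the backup is taken and checks a test restore against them, returning a dated record that can be filed as evidence. The directory layout, file contents, test date and record field names are constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import date
from pathlib import Path


def sha256_file(path):
    """Hash a file in 1 MiB chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Taken at backup time: relative path -> SHA-256 for every file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest, restored_root, test_date=None):
    """Compare a test restore with the backup-time manifest and return a
    record suitable for filing as evidence of the restore test."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    altered = sorted(p for p in set(manifest) & set(restored)
                     if manifest[p] != restored[p])
    unexpected = sorted(set(restored) - set(manifest))
    return {
        "test_date": (test_date or date.today()).isoformat(),
        "files_expected": len(manifest),
        "files_restored": len(restored),
        "missing": missing,        # backed up but absent from the restore
        "altered": altered,        # restored with different content
        "unexpected": unexpected,  # reported for review, does not fail the test
        "result": "PASS" if not missing and not altered else "FAIL",
    }


def demo():
    """Constructed sample: three files backed up, a clean restore, a faulty one."""
    with tempfile.TemporaryDirectory() as tmp:
        source, restored = Path(tmp, "source"), Path(tmp, "restored")
        (source / "ledger").mkdir(parents=True)
        (source / "ledger" / "gl.csv").write_text("acct,amount\n1000,250.00\n")
        (source / "ledger" / "ap.csv").write_text("vendor,amount\nacme,75.10\n")
        (source / "payroll.db").write_bytes(b"\x00\x01constructed sample\x02")
        manifest = build_manifest(source)      # captured when the backup runs

        shutil.copytree(source, restored)      # stands in for the restore job
        good = verify_restore(manifest, restored, date(2024, 1, 15))

        (restored / "payroll.db").unlink()     # file never reached the media
        (restored / "ledger" / "ap.csv").write_text("vendor,amount\n")  # truncated
        bad = verify_restore(manifest, restored, date(2024, 1, 15))
        return good, bad


if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record, indent=2))
```

The manifest is compared against the state captured at backup time rather than against live data, so changes made to production files after the backup do not show up as false failures.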