Chapter 9
Auditing Disaster Recovery Management
Overview
Effective disaster recovery management is one of the critical requirements to ensuring that the enterprise is able to recover in the event of an incident. When planning for business continuity, the enterprise also addresses recovery of IT assets, such as hardware, software, data, and information. Recovery also includes human assets, such as skilled employees.
Many enterprises make large investments in disaster recovery, ranging from a few thousand dollars to millions of dollars. The level of investment depends on how critical the disaster recovery plan (DRP) infrastructure is to the business. In the case of large banks or stock exchange firms, the recovery of data is critical, and the business is impacted if recovery takes longer than expected. Most large banks and stock exchange firms operate in real time and would set a very short recovery point, possibly measured in seconds or minutes.
Implementing a disaster recovery plan brings a number of benefits to the enterprise, such as readiness to recover data and information in the event of an incident. An effective DRP also creates confidence among internal and external stakeholders, such as management and business partners, in the reliability of the IT systems.
The IS auditor should be aware of the contents and requirements of major disaster recovery standards, such as ISO/IEC 24762:2008. ISO/IEC 27031, a business continuity standard, can also provide valuable information to the IS auditor. Most disaster recovery plans are based on an international standard or an internally developed best practice standard.
A good starting point in auditing disaster recovery is to review the disaster recovery plan in order to determine how it is being implemented in the enterprise. In this chapter, we shall focus on various activities relating to the operation of a disaster recovery plan and the type of infrastructure required for implementing various levels of disaster recovery. We will also focus on the various skills required in order to carry out an effective DRP audit and the type of evidence the IS auditor needs to collect during the audit.
IT Risk
The IS auditor requires a good understanding of IT risk. The IS auditor is required from time to time to carry out IT risk audits. Many enterprises are dependent on IT to run their business operations, and IT risk is one of the key considerations in the management of their opera-