Information Technology Reference
In-Depth Information
f) How does the enterprise ensure that backups are taken and regularly tested?
A backup schedule should be developed and implemented for IT administrators to follow
every day. Where backups are automated, the backup system should be configured to
take backups according to the schedule. A record is then generated automatically after each
backup and can be reviewed by the administrator monitoring the backup systems.
A test plan should also be developed for testing the restoration of backups.
Tests can be done at regular intervals as per enterprise IT policy. Evidence can be obtained
from testing platforms and test documentation. The test plan should also ensure that there
is a regular second test and sign-off by the manager.
g) Does the enterprise have a maintenance plan for all IT systems?
Maintenance plans can be developed for both software and hardware. Plans can include
dates, specific maintenance activities, duration, and resources required. It should be noted
that major maintenance activities, such as upgrades, might require updating documentation
such as procedure documents and system manuals. A follow-up question would therefore be
whether the relevant documents have been updated after a system update or upgrade.
Lack of a maintenance plan can cause many problems for the IT infrastructure, such as
maintenance work not being carried out on time and no budget or resources being available
for it.
The IS auditor can obtain evidence of the existence of maintenance plans by requesting
the plans from the IT department. The evidence should show how the plan will be implemented
and which systems require maintenance over a specific duration. The IS auditor will
be required to review the maintenance plans by comparing them with the actual maintenance
work conducted.
h) Does the enterprise have service-level agreements with vendors?
It is essential that an enterprise has service-level agreements (SLAs) in place to ensure
that vendors are held responsible for the delivery of agreed services and quality of service.
The enterprise is required to monitor the implementation of SLAs and ensure that they are
renewed on time. A confirmation that the enterprise has SLAs in place should prompt the IS
auditor to request copies of the SLAs for review. Obtaining copies of the SLAs is evidence that
agreements exist, but the auditor should also check that the SLAs are valid, that their
dates have not expired, and that they are duly signed. The IS auditor may be required to ensure
that the SLAs are properly drafted and include the required service scope.
Absence of SLAs means that the enterprise cannot hold vendors responsible for any work
that is below expected standards or delivered late.
i) What procedures do you have in place for monitoring IT systems?