umented in order for employees to use and implement the procedures effectively. Documentation can also be used by IS auditors to test effectiveness of controls.
c) How often is application data backed up? And is a record of backup activities kept?
Management will develop backup policies and procedures which are used to keep backup data for use in the event of an incident. The frequency of data backups depends on many factors such as the sensitivity of the data, frequency of updates, volume of transactions, and type of backup to be performed. There are many methods of backups such as full backups, partial backups, and preferential backups which can be performed.
A record should be kept to indicate when backups were taken. A record can be kept on a manual or automated system. Most automated backup systems do keep an electronic record after backup. IS auditors most often want to confirm that backups are being taken by checking backup records. It is also good practice for internal control purposes that management has access to such records.
d) Does the enterprise test backups? If yes, how often are backups tested?
Good practice demands that backups be tested to ensure that data can be recovered in the event of an incident, such as data corruption, hard disk failure, or loss of data through theft. All tests should be documented so that a record is kept for future reference. The frequency of backup tests depends on how frequently data is updated and the volume of transactions. Where the volume of transactions is high, the enterprise might need more frequent tests. However, the policy on backups largely depends on IT risk. If management thinks the risk is high, backups can be performed more frequently.
Information on backup tests can be collected from backup test records which IT administrators keep after performing backup tests. These records could be manual or electronic depending on the level of automation in the enterprise. If the enterprise does not keep a record of test backups, the IS auditor should take note and report to management.
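The two checks above, confirming from backup records that backups are actually being taken at the required frequency (question c) and from test records that restores are being exercised (question d), can be automated when the enterprise keeps electronic records. The following is an added illustration, not code from the book: it assumes a constructed record format of `timestamp kind status` per line and an illustrative policy of at least one successful backup per day and one successful restore test per 30 days. Failed runs are deliberately not counted as backups, which is the kind of detail an auditor reading only a "backup job ran" summary can miss.

```python
from datetime import datetime, timedelta

# Constructed sample records (illustrative, not from any real system):
# an automated backup system's log and the administrators' restore-test log.
BACKUP_LOG = """\
2024-03-01T01:00:00 full OK
2024-03-02T01:00:00 partial OK
2024-03-03T01:00:00 partial OK
2024-03-04T01:00:00 partial FAILED
2024-03-06T01:00:00 full OK
2024-03-07T01:00:00 partial OK
"""

RESTORE_TEST_LOG = """\
2024-01-15 full-restore OK
"""


def parse_records(text, fmt):
    """Parse 'timestamp kind status' lines into sorted (datetime, kind, status) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, kind, status = line.split()
        records.append((datetime.strptime(stamp, fmt), kind, status))
    return sorted(records)


def find_backup_gaps(records, max_gap, as_of):
    """Return (start, end) pairs where successful backups are further apart than max_gap.

    Only runs with status OK count: a failed run is not a backup, so a failure
    followed by a late success shows up here as a gap.
    """
    ok_times = [t for t, _, status in records if status == "OK"]
    gaps = [(prev, nxt) for prev, nxt in zip(ok_times, ok_times[1:]) if nxt - prev > max_gap]
    # The window from the last good backup up to the audit date must also be covered.
    if ok_times and as_of - ok_times[-1] > max_gap:
        gaps.append((ok_times[-1], as_of))
    return gaps


def restore_test_overdue(tests, max_age, as_of):
    """True if no successful restore test exists within max_age of the audit date."""
    ok_tests = [t for t, _, status in tests if status == "OK"]
    return not ok_tests or as_of - ok_tests[-1] > max_age


def audit(backup_text, test_text, as_of,
          max_gap=timedelta(hours=25), max_test_age=timedelta(days=30)):
    """Produce audit findings for the given records as of an ISO-8601 audit date.

    max_gap allows one hour of scheduling drift on a daily policy (assumed policy).
    """
    as_of = datetime.strptime(as_of, "%Y-%m-%dT%H:%M:%S")
    backups = parse_records(backup_text, "%Y-%m-%dT%H:%M:%S")
    tests = parse_records(test_text, "%Y-%m-%d")
    findings = []
    for start, end in find_backup_gaps(backups, max_gap, as_of):
        findings.append(f"no successful backup between {start:%Y-%m-%d %H:%M} "
                        f"and {end:%Y-%m-%d %H:%M}")
    for t, _, status in backups:
        if status != "OK":
            findings.append(f"backup run failed at {t:%Y-%m-%d %H:%M}")
    if restore_test_overdue(tests, max_test_age, as_of):
        findings.append(f"no successful restore test in the last {max_test_age.days} days")
    return findings


if __name__ == "__main__":
    for finding in audit(BACKUP_LOG, RESTORE_TEST_LOG, "2024-03-07T12:00:00"):
        print("FINDING:", finding)
```

Run against the constructed records with an audit date of 7 March, the script reports three findings: a gap with no successful backup between 3 and 6 March (the failed run on the 4th does not count), the failed run itself, and a restore test that is older than the assumed 30-day policy. In practice the record format and the policy thresholds come from the enterprise's own backup policy, which is exactly the document the auditor should be reading alongside the records.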
e) Does the enterprise have a data protection policy?
Most enterprises do have data protection policies which are used to protect personal and corporate data. Employees are required to have a good understanding of data protection regulations as most countries have legal requirements for data protection.
The IS auditor should review the data protection policy in order to ensure that it meets the requirements indicated in the data protection act. It would not help even if an enterprise had a data protection policy if the policy does not meet the requirements of national laws on data protection.