Question
CASE: BUSINESS CONTINUITY AND DISASTER RECOVERY
SCENARIO: Business continuity and disaster recovery plans are required to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters. The Payroll Department ("Department") of ISO Company, Inc. is classified as a critical business process because of the sensitive, private, and confidential information it hosts. It would be disastrous for the Department if information gets lost or if its business systems go off-line, even for a day. During planning meetings, IT auditors kept the following objectives in mind:
- Are the Department's business systems adequately backed up?
- Are backup copies of the Department's data held in a secure and remote media store?
- Is there evidence that the current backup strategy works in practice?
- Is there an appropriate disaster recovery plan established as part of the company's business continuity plan?
- Is the disaster recovery plan based on a thorough risk assessment?
OBSERVATIONS: As part of the IT audit of ISO Company, Inc.'s Payroll Department, IT auditors uncovered a number of problems with the company's business continuity and disaster recovery plans and practices. While conducting the audit, IT auditors observed that the organization's business continuity and disaster recovery plans, both established 10 years ago, have not been updated to reflect continuity and disaster recovery practices for the current environment. For example, although backup copies were made of the Department's information, upon inspection, IT auditors discovered that those backups were not maintained at the off-site location where they were supposed to be stored. Moreover, when IT auditors asked for documentation supporting the tests performed of the Department's business continuity and disaster recovery plans, they discovered that the Department had never tested the plans. The Department also had not conducted any risk assessment in support of the plans.

The Department's information system, the Payroll System Application (PSA), is open to external attacks since it is interconnected through the network. A collapse of the PSA would bring dire consequences for the Department. In fact, in the event of a crash, switching over to a manual system would not be an option. Manual handling of the company's payroll sensitive, private, and confidential information by staff personnel has resulted in previous loss of such information. Hence, the PSA must operate online at all times. The auditors agree that, based on the above observations, in the event of interruptions due to natural disasters, accidents, equipment failures, and deliberate actions, the Department may not be able to cope with the pressure.
Company, Inc.'s management related to the lack of continuity and disaster recovery procedures observed. Support your reasons and justifications with IT audit literature and/or any other valid external source. Include examples, if appropriate, to evidence your case point. Submit a Word file with responses to the tasks above, and a reference section at the end. The submitted file should be at least five pages long (double line spacing), including the and the references page. Be ready to present your work to the class.
Assume that your group is a team of IT auditors who have just received an assignment to audit the information logging of a company's servers. You know that logs are important for information systems operation and security because logs can be used to detect unauthorized access, identify unfavorable trends, and provide data for determining the root cause of system failures. Your supervisor asked you to
(1) find out what system activities are to be logged according to commonly used policies or standards. (Hint: Use the internet to search for commonly used policies or standards. Then, list the system activities in your answer. The source of the list should be included in your answer.)
(2) verify whether the company maintains all those necessary logs defined in (1). (Hint: Describe the audit procedure(s) you will use to accomplish this task)
(3) find out what the necessary elements of a system log are, such as user ID.
(4) examine whether the system logs actually include necessary elements
(Hint: Describe the audit procedure(s) you will use to accomplish this task)
(5) verify whether these logs are regularly reviewed
(Hint: Describe the audit procedure(s) you will use to accomplish this task)
_____________________ End of Problem 1 __________________
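Tasks (3) to (5) of the logging problem ask for audit procedures that check whether logs carry the necessary elements and whether they are reviewed on schedule. The following is an added example of how an auditor could script such a check; it is not part of the question or of any posted answer. It assumes a key=value log format, an assumed list of required elements (only "user id" comes from the question; timestamp, source address, event type and outcome are assumptions chosen for illustration), a constructed sample log, a constructed review register, and an assumed review interval of seven days.

```python
import re
from datetime import datetime

# Required log elements assumed for this example. The assignment leaves the
# list to the auditor; "user" (user id) is the one element named in the question.
REQUIRED_FIELDS = ("ts", "user", "src", "event", "outcome")

# Constructed sample log lines in key=value form (not from any real system).
# Line 3 lacks a source address and line 4 lacks a timestamp on purpose.
SAMPLE_LOG = """\
ts=2024-03-01T08:00:01Z user=alice src=10.0.0.5 event=login outcome=success
ts=2024-03-01T08:02:17Z user=bob src=10.0.0.9 event=login outcome=failure
ts=2024-03-01T08:05:44Z user=carol event=file_read outcome=success
user=dave src=10.0.0.7 event=privilege_change outcome=success
ts=2024-03-01T08:09:03Z user=eve src=10.0.0.2 event=logout outcome=success
"""

# Constructed review register: the date each log source was last reviewed
# according to the (hypothetical) sign-off sheet the auditor obtained.
REVIEW_REGISTER = {
    "payroll-app": "2024-02-26",
    "db-server": "2024-01-10",
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict of its fields."""
    return dict(KV_RE.findall(line))


def audit_log_completeness(text, required=REQUIRED_FIELDS):
    """Audit procedure for tasks (3)/(4).

    Returns (findings, coverage): findings is a list of (line_no, missing_fields)
    for every record that lacks a required element; coverage maps each required
    field to the fraction of records that carry it, which is the figure an
    auditor would put in the working papers.
    """
    records = [parse_line(l) for l in text.splitlines() if l.strip()]
    counts = {f: 0 for f in required}
    findings = []
    for line_no, rec in enumerate(records, 1):
        missing = [f for f in required if f not in rec]
        for f in required:
            if f in rec:
                counts[f] += 1
        if missing:
            findings.append((line_no, missing))
    total = len(records)
    coverage = {f: (counts[f] / total if total else 0.0) for f in required}
    return findings, coverage


def overdue_reviews(register, as_of, max_days=7):
    """Audit procedure for task (5): list log sources whose last documented
    review is older than the assumed review interval as of the audit date."""
    as_of_date = datetime.strptime(as_of, "%Y-%m-%d").date()
    overdue = []
    for source, last_review in register.items():
        last = datetime.strptime(last_review, "%Y-%m-%d").date()
        if (as_of_date - last).days > max_days:
            overdue.append(source)
    return sorted(overdue)


if __name__ == "__main__":
    findings, coverage = audit_log_completeness(SAMPLE_LOG)
    for line_no, missing in findings:
        print(f"line {line_no}: missing {', '.join(missing)}")
    for field, frac in coverage.items():
        print(f"{field}: present in {frac:.0%} of records")
    for source in overdue_reviews(REVIEW_REGISTER, "2024-03-01"):
        print(f"{source}: log review overdue")
```

Run against the constructed sample, the completeness check flags lines 3 and 4 and reports 80% coverage for the source-address and timestamp fields, and the review check flags db-server as overdue while payroll-app is within the assumed interval. In a real engagement the auditor would substitute the organization's own log format, its policy-defined element list, and the review frequency stated in its logging standard.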