it42015 slides

5/7/2015

1

Copyright © 2014 AuditNet® and Richard Cascarino & Associates

AuditNet® Training without Travel™ Auditing Contingency Planning May 7 2015

Guest Presenter:Richard Cascarino,

MBA, CIA, CISM, CFERichard Cascarino &

Associates


Jim Kaplan CIA CFE

• President and Founder of AuditNet®, the global resource for auditors (now available on Apple and Android and Windows devices)

• Auditor, Web Site Guru,

• Internet for Auditors Pioneer

• Recipient of the IIA’s 2007 Bradford Cadmus Memorial Award.

• Author of “The Auditor’s Guide to Internet Resources” 2nd Edition

5/7/2015

2


Richard Cascarino MBA CIA CISM CFE

• Principal of Richard Cascarino & Associates based in Colorado USA

• Over 30 years experience in IT audit training and consultancy

• Past President of the Institute of Internal Auditors in South Africa

• Member of ISACA

• Member of Association of Certified Fraud Examiners

• Author of Auditor's Guide to IT Auditing


Webinar Housekeeping

• This webinar and its material are the property of AuditNet® and Richard Cascarino and Associates. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden. We are recording the webinar and you will be provided with a link access to that recording as detailed below. Downloading or otherwise duplicating the webinar recording is expressly prohibited.

• Webinar recording link will be sent via email within 5-7 business days.• NASBA rules require us to ask polling questions during the Webinar and CPE

certificates will be sent via email to those who answer ALL the polling questions• The CPE certificates and link to the recording will be sent to the email address you

registered with in GTW. We are not responsible for delivery problems due to spam filters, attachment restrictions or other controls in place for your email client.

• Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.

• After the Webinar is over you will have an opportunity to provide feedback. Please complete the feedback questionnaire to help us continuously improve our Webinars

• If GTW stops working you may need to close and restart. You can always dial in and listen and follow along with the handout.

5/7/2015

3


Disclaimers

• The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® or the presenters’ respective organizations. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant‐client relationship.

• While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website

• Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet®


Today’s Agenda

• What is a Disaster?

• What is a Disaster Recovery Plan?

• Who is Accountable?

• What are the Options?

• What is the cost?

• How can a C.P. be tested?

• What is Management's Role?

• What is the User's Role?

• What is the Information Services Role?

• What is the Internal Auditor's Role?

5/7/2015

4


Before and After

Perhaps the best prepared organiZations are the ones who have lived through a calamity

7


The Risks

FireFloodBuilding CollapseExplosionIndustrial FailurePower FailureLoss of dataDeliberate sabotage

8

5/7/2015

5


Computer Abuse

Deliberate action by staff"Hacking" into systemsInternet penetrationEDI abuse

9


DISASTER - A

LOSS OF CAUSESPeople ExplosionBuilding Aircraft

CrashFactories Total FireFinance FloodCredibility Industrial

ActionMaterials EarthquakeComputers Sabotage

10

5/7/2015

6


DISASTER - B

LOSS OF CAUSESHardware ExplosionSoftware FireIn-house data Flood

Industrial Action(Temporary Loss)

11


DISASTER - C

LOSS OF CAUSESSoftware and the ability to recover Explosion

In-house data FireFloodFreak Atmospheric ForceDeliberate DestructionBad Systems DesignPoor Operating Standards

12

5/7/2015

7


DISASTER - D

LOSS OF CAUSESSoftware - Partial loss only and the Computer Operational

inability to recover ErrorDeliberate Destruction Bad Systems Design Poor Operating Standards

13


Inefficiency Production control Lost production Schedule disruption

LegalPenalty clauses

Ill-willCustomersShareholdersStaff

Consequences of Disruption

Loss of RevenuesDelays in invoicingLost interestLost salesLost future business

Incurred CostsExtra manningInterest on loansLoss of discount

14

5/7/2015

8


DRP Status

2011 Survey by RC&A

M/frame LANs CloudDRP 77% 51% 35%Planning 18% 18% 29%No Plans 5% 30% 32%

That does not mean they work

15


The Future

Increasing dependence on Cloud systemsIntegrated data warehousesIntegrated office automationEDIInternet tradingDRP must be considered during systems planning

16

5/7/2015

9


Corporate Survival

MenMoneyMaterialsMachinesMethodsAll resources

17


Corporate Survival

Not a computer problemThereforeThe responsibility of

The boardExecutive managementSenior managementJunior managementUsersThe cleaning staff

18

5/7/2015

10


The Computer Role

A prime resourceExpertise neededRecovery not instantaneousReturn to normal even longerIn-depth planning requiredOne objective - survival

19


A Plan must be

ComprehensiveDynamicUseableRelevantTestedUp to dateKnown

20

5/7/2015

11


A Disaster can be

Application dependentCalendar dependentInstallation dependentTotal loss

Probability is lowImpact on business is high

Minor lossProbability is highImpact on business is low

21


How to Get Started

Establish terms of referenceIdentify emergency lines of reportingEstablish emergency strategyTerms of referenceIt must be firmly recognized and accepted that policy decisions and overall responsibility rest entirely with top management

22

5/7/2015

12


Disaster Planning

3 levels of concernHardware reliabilitySoftware and data integrityLoss of Facility

Why has loss of facility become the predominant concern?

23


Preparedness for a Disaster

PoorOrganisation highly vulnerable to damage to its data processing capability; could jeopardize corporate survival

WeakDisaster would result in conspicuous interruption of IT services ; could result in loss of business

AdequateOrganisation could recover from the loss of computer capabilities at some cost and public embarrassment

GoodOrganisation could recover from the loss of computing capability with some cost but little embarrassment

Very GoodOrganisation is ready for virtually any eventuality. Disaster should have no material effect on the business

24

5/7/2015

13


Contingency Plan

Board-level sponsor requiredCommittee or individual

Identify the key systems and prioritize24 hours2-3 days1 week1 monthnever?

Calendarized

25


Risk analysisDevelop the plan outlineEstablish the recovery teamResource analysisSelection of backup facilitiesDocumenting the plan / procedures / tasksPrepare off-site storageTest and educateMaintain and review

26

The Methodology

5/7/2015

14


Risk Analysis

Must beSimpleQuickEasily understoodEasily updated

Must cover all systems ManualAutomated

Must determine dependencies

27


Planning - 1

DefinePurposeScopeStrategy

Determine recovery requirementsWhich jobsIn which orderWhat resources

Arrange backup siteHotWarmCold

28

5/7/2015

15


Planning - 2

Define recovery activitiesDefine responsibilities and staffingDefine procedures to test & maintainTest and Amend

Possible strategiesFallback to manual

Rarely possible

Fallback within the organisationEffective but expensive

Reciprocal agreementsMany inherent problems

29


Minimum Requirements to Recover

Copies of filesCopies of programsOperating SystemDocumentationAlternate facilityContingency plan

30

5/7/2015

16


Where to Start

Model the business

Accounting Marketing Payroll

Production MIS

How do we identify critical applications?

Disaster Recovery Planning is a Business Problem !!!!!!

31


Model the Business

Identify data flow and dependencies

Identify the critical business performance areasCritical success factors


Production MIS

32

5/7/2015

17


Identify the Critical Systems

Also dependent systems (incl. manual)


Production MIS

Plan for the DRP when you plan for the systemAt the Feasibility Study stage

33


Polling Question 1

5/7/2015

18


Making the First Move

Establish the terms of referenceIt must be firmly recognised and accepted that policy decisions and overall responsibility rests entirely with top management

Identify emergency lines of reportingEstablish emergency strategies

35


Need to Define

Allocation of responsibilityList of all possible perilsStudy of all components under threatEffectiveness of existing defencesHigh risk / high exposure areasCurrent insurance positionManagement awareness levels

36

5/7/2015

19


Components Include

HardwareSystems softwareApplication softwareDataData storage mediumsDocumentationStationeryPeople

37


Also Affected

Cash flowVulnerable remote sitesContracts / commitmentsTelecomms and networksBuildingsServicesManual interfacing systems

38

5/7/2015

20


Work in Progress

Systems under development should be accounted for:Time schedulesLocation of all documentationTest versions of systemsSDLC status reports

39


Documentation

Must be up-to-dateMust be stored securelyMust record known weaknessesMust reflect dependenciesMust reflect changesMust include authority levels

40

5/7/2015

21


Insured Areas for Review (1)

Schedule of coverDamage or loss to/of:PropertyPlant and equipmentComputer hardwareComputer software and dataDocumentationKey Personnel

Degree of damage:Slight to total loss

41



ProtectionAgainst computer misuseOf misuse of data Of disclosure of dataAgainst other organizations consequential claims

42

5/7/2015

22



Loss of people includingPublic liabilityEmployers liabilityBusiness interruption

General exceptionsGeneral conditionsOngoing declarations

43


Lines of Reporting

In an emergencyWho is in charge ?What is his role ?Who is his backup ?Who are the key personnel ?What autonomous groups exist ? Who maintains the plan ?

44

5/7/2015

23


Emergency Strategies

Must contain alternativesApply to:

Key systemsDisaster potentialDisruption periods

Define impact of a DP area disaster on all operating areas

45


Strategies Defined Under:

Pre-planning definition stageFunctional requirements stageDesign stageImplementation stageTesting stageContinuity and maintenance stage

46

5/7/2015

24


Teams Involved

Management teamUser teamFacilities teamTelecomms teamSystems software teamOperations teamHardware teamRecovery team

47


Identify Types of System - IT

By operating objectivesCentralisedStand-aloneDistributedReal timeOn-lineBatchTogether with degrees of priority

48

5/7/2015

25


Categorize Systems

Effect of stoppage identifiedEssential interfacing systems identified (computer and manual)Document all systemsPriorities to include:Business loss ratingAlternative service level reqd.Maximum down time

49


Other Systems - Manual

Document all manual systemsIdentify relationshipsEffect of stoppage identifiedCheck alternative:AccommodationPeopleStationery suppliesOffice equipmentControl procedures

50

5/7/2015

26


If only Limited Resources Available

Grade systems for recoveryAgree with managementDependencies must be taken account ofDocumentation must be archivedRun priorities agreed with management (these may vary by time period)

51


Polling Question 2

5/7/2015

27


Backups

For all systems?For essential systems only?Required:HardwareSoftwarePeople

SpecialistsUsers

53


Infrastructure

Infrastructure includes:Computer siteOffice accommodationPower and servicesCommunicationsComputerClericalAir conditioning

54

5/7/2015

28


Backup Operating Standards

Run documentationSystems specsProgram specsSource codeObject codeJCLSupport documentationControl documentationCommunication protocols

55


Points of Contact

Who does what ?Who is the backup ?Who is needed for recovery ?Who can declare a disaster ?How can they be reached ?

56

5/7/2015

29


Identify User Data - IT

Storage media must be identifiedData elements must be classifiedBy creationOrganisationRetrieval typeImportanceConfidentialityAccess restrictions

57


Data also Defined by:

Method of processingUsagePresentationActive life spanLocationDisposal timescaleDisposal methodNote also transitory data

58

5/7/2015

30


Data Elements

InterrelationshipsValidation rulesInput and reinput proceduresInterim processesControl requirementsSecurity requirements

59


Grading of Data

By applicationTherefor by strategic importanceBy alternate method of sourcingBy degree of pain in lossBy disruption periodEach application is therefor graded but not all of its data is of the same importance

60

5/7/2015

31


Planning and Development Data

Not all data reqd is for processingTest data for WIPStrategic plans of the siteAdministrative data for the siteAll must be backed up

61


Preparation of Back-up Data

The most important elementShould be designed into application systemsShould be an enforced standardMust be maintained safelyMust be maintained securely

62

5/7/2015

32


Acquisition

Reputable vendorsSupport levelsSecond sourcingInternal backupKnown backup sitesVendor's DRP policies

63


Contracts Should Include

Equipment life spanMaintenance agreementsEnvironmental requirementsPower requirementsPower failure reactionTraining scheduleSafety and security measures

64

5/7/2015

33


Register of Hardware Including:

Importance in processingLocationAvailability of replacementImportance in DRPNeeds of application systemsVendorReplacement lead timePurchase/lease/rentalInsurance cover

65


Hardware Availability Assured by:

Agreements with suppliersStandby sitesPortable computer centresReciprocal arrangementsBackup optionsIn-company backupReciprocal arrangementsCold sitesWarm sitesHot sitesManual procedures

66

5/7/2015

34


Polling Question 3


For Recovery Establish:

Minimum configuration reqdContinuity agreements with vendorsBackup procedures agreedCompatibility of equipmentCompatibility of firmwareSecurity arrangementsTesting of h/w backup

68

5/7/2015

35


Consider Also

Redundant hardwareDual control of peripheralsSwitchable commsComms linesUPSStandby generators

69


Types of Stoppage

Hardware failureMicrocode failureMechanical problemPower failureDamageEnvironmental failureHuman errorBuilding damage

70

5/7/2015

36


Ancillary Equipment

SwitchboardsElectrical equipmentPower stabilizersModemsData prep equipmentStandby generators

71


Is it Useable?

Review for obsolescenceSpares may by unobtainableBackup may have to be secondhandManuals may be missingTransport may be required

72

5/7/2015

37


Systems Software

Software categoriesSystems support softwareCompilersUtilitiesAll otherTypesSource codeBinaryExecutable

73


Systems Software

Operating systemsFile back-up softwareFile restore softwareSecurity softwareCommunications software

74

5/7/2015

38


Problem Areas

Differing versionsConfiguration timesPortability to backup sitesIncompatibility of minor programsFrequency of useWork in progress

75


Software Data Required

Supply sourceRelease level and dateSecurity classificationSupport criteriaAmendments madeContingency arrangementsTesting proceduresRecovery procedures

76

5/7/2015

39


Documentation Must Include

How to use the softwareHow to generate the software productWhere the software residesListings of source codeHow to handle error conditions

77


Amendment Notes Must Include

Date of amendmentLevel and version noamendment sourcewho amendedDate amendment testedDate/release & level when put into productionPurpose of the amendment

78

5/7/2015

40


Software Acquisition

Level of software supportDuration of support for release levelCan previous levels be obtained?How far back?Cost of replacingLicense agreementsTimescale for replacement

79


Software Disasters

Stoppage due to:Specific program problemsProject problemsDepartmental problemsCompany problemsOther problems

80

5/7/2015

41


Software Failure?

orProgram logic faultOperational errorWrong version of software usedJCL ErrorInput errorHuman error

81


Other Problems

Snapped magnetic tapesHead crashesUnreadable magnetic mediaLost source codeDeleted recordsDeleted filesIncompatible softwareOperational difficultiesActs of God

82

5/7/2015

42


Polling Question 4


Testing the Plan

Management needs must:Be fully definedBe approvedCover all in-houseand third party risksDefine all 'retained' risks

84

5/7/2015

43


The Plan Must

Be knownBe secureBe up-to-dateBe availableBe workableBe cost-effective

85


Testing the Plan

Must be plannedMust be practicalShould be realisticShould be unexpectedWill comprise discrete elementsWill not work the first time

86

5/7/2015

44


We Must Know

The critical systemsThe critical dataThe critical hardwareThe critical softwareThe timing of backupsAll retained risksThe insurance positionContractual agreements

87


Continuity

Change control must operateRisk evaluation of the corporation is dynamicAgreements expirePeople leaveTraining is forgottenTesting is ongoingPolicies changeCost/benefits change

88

5/7/2015

45


Polling Question 5


The Audit Program

PoliciesApplication systemsUser dataHardwareSystems softwareTestingContinuity

90

5/7/2015

46


Policies - Terms of Reference

Ensure contingency policy existsEnsure policy is sufficient and realisticEnsure high risk areas identifiedEnsure adequacy of insuranceEnsure all levels of managementUnderstand their responsibilitiesIf insufficient in-house expertise - call in a consultant

91


Policies - Strategies

Assess levels of competence expectedReview the estimated financial effectsReview the projected costReview the current planning statusReview current contractsReview contingency team staffingReview security and distribution of plan

92

5/7/2015

47


Who Does What?

Ensure a definitive organisation chart existsEnsure it is up-to-dateEnsure all reporting relationships are coveredEnsured security arrangements existEnsure security will continue in an emergency

93


Application Systems - IT

Review key systems of the CorporationCheck for their computer componentCheck the priority ratingsEnsure contingency plan allows for differing time spansCheck for adequate and up-to-date documentationReview previous tests

94

5/7/2015

48


Manual Systems

Check manual systems are includedEnsure adequate and up-to-date documentation existsCheck for back-up facilitiesReview training program for manual backupReview previous tests

95


Systems Under Development

Check all WIP is coveredCheck details are up-to-dateCheck for backups of test librariesReview staff responsibilitiesCheck level of documentation

96

5/7/2015

49


User Data - Computer

Check file layouts of key systemsCheck layouts to actual filesReview data relationshipsReview linkage to manual dataCheck costs of alternate data sourcesCheck backups are as recordedCheck backups are appropriateReview the results of previous tests

97


Hardware

Check an acquisition policy existsCheck it is enforcedEnsure documentation exist for all hardwareReview hardware registerTest check the register to actualSpot check remote equipmentCheck for immediate availability of the registerReview the results of previous tests

98

5/7/2015

50


More Hardware

Ensure hardware backup plan existsReview for essential systems usageEnsure the essential hardware has been identifiedReview contingency agreementsReview contractual arrangementsEnsure the plan is tested on an ongoing basisReview the results of previous tests

99


Hardware Stoppages

Ensure an incident log is maintainedEnsure recovery procedures exist for previous stoppage typesSample hardware log for serious interruptionsCheck latest contacts listEnsure maintenance routines are followedCheck fire fighting equipment maintenanceCheck physical security 100

5/7/2015

51


Systems Software

Establish software usedCheck backup proceduresCheck software securityCheck that recoverability has been testedCheck software contracts existCheck all amendments are recordedCheck backup copies of software documentationCheck previous test results

101


Software Problems

Check previous problems have been recorded including the fixCheck incident logs are maintainedCheck offsite documentation storageCheck current backup proceduresCheck backups are currentEnsure all new software is adequately testedCheck regular testing is done

102

5/7/2015

52


Testing

Review all relevant files,Charts, meeting minutesReview policy objectivesReview costs, budgets and estimatesCheck progressive nature of test planCheck that all previously identified deficiencies have been remediedInvestigate inefficiencies highlighted in testingTest prioritizationInspect remote sites

103


Continuity

Ensure responsibility for plan maintenanceEnsure management kept informedEnsure master copy of plan is secureEnsure distributed copies are kept up-to-date, available but secure

104

5/7/2015

53


Polling Question 6


Remember

It could be a corporate survival planIt is not one person's planManagement commitment is required

106

5/7/2015

54


Questions?

• Any Questions?Don’t be Shy!


Coming Up Next

IT AUDIT BASIC

5. IT Fraud and Countermeasures May 12

IT AUDIT ADVANCED

1. Advanced IT Audit Risk Analysis for Auditors May 19

2. Advanced IT Audit Securing the Internet May 21

3. Advanced IT Audit IT Security Reviews May 26

4. Advanced IT Audit Performance Auditing of the IT Function May 28

5. Advanced IT Audit Managing the IT Audit Function June 2

5/7/2015

55


Thank You!Richard Cascarino, MBA, CIA, CISM, CFE

Richard Cascarino & Associates970-291-1497

[email protected]

Jim KaplanAuditNet LLC®800-385-1625

[email protected]

it42015 slides

Technology

webinar recording

founder of auditnet

property of auditnet

auditing copyright

polling questions

email client

email address

auditors pioneer recipient