-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of O'Brien, Tim
Sent: 01 March 2002 17:04
To: '[EMAIL PROTECTED]'
Subject: Two IT related questions:
This is my first post to the list and thanks in advance for the help.
Q1 - Can anybody give me a definition for an IT general controls review (audit)?
(My audit director is struggling with the level of detail involved with a 'general controls review' versus a normal and more extensive detailed review of the same areas: i.e. SOPs, computer system operations, logical security, physical security, DR (or BCP), etc.) Help!!!
Q2 - In performing this general controls review, I've looked at business continuity planning for a division running distributed systems (well over 100+ servers, no mainframes, mid-frames, etc.). The audit manager is asking "why don't they have Disaster Recovery TEST of their systems"?
My reply was it's nearly impossible, and certainly cost prohibitive, to perform a hot site - test of this complex network. (key words being distributed systems....)
So here is the question: Other than a 'talk-through/walk-through' is there any other way to practically 'test' a DR plan for a distributed network? (the thought of buying servers simply for the use in a DR test is not viable...)
once again - HELP!!!
Thanks for the support
Tim
Timothy P. O'Brien
Senior IT Auditor
Ball Corporation
(303)-460-3756
[EMAIL PROTECTED]
Tim,
Q1:
Because of the problem with definitions, most groups I work with perform three types of work:
1) Infrastructure reviews (infrastructure is all that you need to support business processes [applications], hence includes OSs, Networks, Database Systems, Policy, Physical, Logical, Continuity, Change Management, Incident Management etc.)
2) Hindsight reviews - reviews of control architecture of existing business processes
3) Farsight reviews - reviews of business processes, systems and applications under development or proposed for development.
Q2:
The point behind a trial (contingency) is that it is a proof of concept / proof of working; without it you will never know... and that's not a smart risk to take.
Yes, trials can be costly, but some would regard that as a cost essential to running your business. Try and imagine a business that would run a factory based manufacturing operation without testing out the factory processes first. They wouldn't, would they?
So to reduce the cost think about these things:
- Start with small scaled down trials first - partial tests of part of the system
- Then try different combinations of elements
- And gradually piece together the framework...
And by the way, you've already got part of your answer - it lies in risk - your words tell the story: "My reply was it's nearly impossible, and certainly cost prohibitive, to perform a hot site - test of this complex network. (key words being distributed systems....)"
Wouldn't it be cost prohibitive to accept not having a fall back capability? You wouldn't be the first company to go to the wall after a disaster. The statistics in 1996 (yes, a little old) were that four out of five companies who failed to recover smoothly after a disaster were not in business a year after the event.
Best regards,
Stan Dormer