Contingency Planning Audit Summary
OBJECTIVE:
To evaluate the adequacy, completeness and currency of the University's
Contingency Planning for Information Resources Services Resumption
(Disaster Recovery Plan).
PROCEDURES:
Conducted interviews with IS personnel including the Director
and reviewed the University's Disaster Recovery Plan (DRP) obtained
from the Director of Information Systems.
RESULTS:
- The University's DRP was prepared on September 22, 19XX --
signed off by President, Vice President for Business and Administration
(VPBA), and Information Systems Director -- and has not been updated
or tested.
- The VPBA is not currently performing the responsibilities assigned
to him in the DRP (i.e., required to be performed annually), namely:
  - evaluating all production applications to determine their
  criticality by assessing the impact that a delay in data
  processing support will have on University operations;
  - determining a priority rating for each application
  to control the order of migration of all applications to the backup
  location based on a "WORST CASE" scenario, assuming
  that the computer outage occurs at the most critical time in the
  processing cycle.
- Daily backup tapes of all University records are no longer
being stored in a fire-proof vault in the [off-site
computer facility].
- Backup tapes are not being tested weekly to determine the
physical condition of the tape and integrity of data on the tapes.
- The "Computer Operator's Manual" currently does not
exist, and thus the steps for restoring data are outlined in
documentation that does not exist.
- Information processing disaster recovery teams are not being
assigned annually based on the recommendations of the Information
Systems Director to the VPBA.
- Information Processing Operations and Logistics Coordinator,
[name], is no longer with the University; [name] is no longer
the "Computer Operator" in DP; and Communications Coordinator,
[name], is no longer with the University.
- Affected personnel were not being trained and prepared for
possible disasters or emergencies.
- Automated Information and Telecommunications Commission has
changed its name, and is now known as the Department of Information
Resources (DIR).
CONCLUSION:
The University's DRP should be updated and tested at least annually
based on guidelines set forth in Texas Administrative Code [1
TAC 201.13(b)] and DIR's "Guidelines for Contingency Planning
for Information Resources Services Resumption". Responsibilities
specified in the DRP should be carried out accordingly. The Information
Systems Director should have the responsibility and authority
to direct the development, coordination, maintenance, testing,
training, and other activities related to a Contingency Plan for
Information Resources. Other specific audit recommendations related
to contingency planning are outlined in the interim audit report
prepared for management.