A disaster recovery audit helps you identify various points of failure and potential risks to your business. You can then take sufficient measures to minimize the impact of disasters on your organization. It is important to have a disaster recovery audit, and there are two areas to look into before such audits:
Nifty DR resources
IT hardware includes servers and storage (like backup, input, output and monitoring devices). On the network front, audit active devices (routers, switches and legacy devices like hubs) and passive devices (like cabling and stacking). To ensure information security, audit firewalls, threat prevention systems and antivirus gateways.
Power and cooling also come under IT hardware. You should audit power efficiency, supply and chances of downtime. Cooling is important, since data center equipment works 24 X 7.
Consider locations of the data center and disaster recovery site(s); ensure that they are on different seismic zones. A building management system and fault tolerant approach is a must. On the end-user front ensure that all machines – laptops, desktops, smartphones and tablets — belonging to employees, customers, partners and vendors are audited as well.
On the software front, audit operating systems that exist on all hardware, even those at the firmware level. You should also audit databases and applications — routine and mission critical. These elements could pose risks. Have a broad horizontal framework of the security policy that documents all processes to be followed to ensure the mentioned elements.
Let’s now take a look at the best practices for disaster recovery audits.
- Customize your disaster recovery templates
A disaster recovery audit has to be done in a strategic manner, as it holds a lot of confidential information about the organization. This involves critical information pertaining to the business functions, profit centers, business’ stress points, and the elements that your organization thrives on.
‘One template fits all’ is a wrong approach. Challenges of each industry vary, so you need a customized template to draft DR processes and security policy. For example, the template should be more human-centric for service industry, whereas it should be machine-centric for manufacturing.
- Have a mix of internal and external auditors
Several organizations wonder about the right approach while choosing a disaster recovery auditor. Should they go in for an internal auditor or an external? I propose this solution – a mix of both.
An internal disaster recovery auditor is part of the organizational hierarchy. Implementing the standards he proposes may not be an easy task with all the stereotypes end-users may have against him. With an external auditor, trust is a big issue. Organizations may be apprehensive about handing over confidential data. Moreover, an external disaster recovery auditor requires a thorough understanding of the organization’s business patterns to understand risks.
The benefit of a mixed setup of internal and external auditors is that the internal representative brings in his expertise regarding business functionalities and their criticality. The external auditor brings his unbiased third person view of the company’s risks and loopholes that may otherwise go unnoticed.
Before inviting an external disaster recovery auditor the internal team should carry out a GAP analysis of the system as part of a preliminary assessment report. Hand over this information to the external auditor. Based on your trust in the external auditor’s understanding of the business and involved risks, formulate a disaster recovery audit program.
- Conduct regular audits and certification programs
Once you draft your disaster recovery audit program and set the security policies in place, aim for a certification like the BS 25999 standard. Regular audits are necessary, due to technological upgrades and trained manpower churn in the organization. Half yearly or quarterly disaster recovery audits will ensure that your organization is in compliance with the DR and security policy.
Many organizations are certified in areas like ISO 27001 (information security), ISO 9001 (quality management), and ISO 14001 (environment management). Such standards make it easy for organizations to opt for the BS 25999 standard.
- Have emergency procedures and drills
Put all emergency procedures in place. Some units may require immediate resumption, while others may not. Categorize your priorities with people as the foremost, followed by data and technological aspects. For instance, evacuate all employees at the earliest in case of an earthquake. Then ensure that all processes are switched over to the DR site located at a different seismic zone. Next priority is to resume activities in the primary site at the earliest.
This is possible only if everyone from top management to the lowest level employee is aware and alert. Awareness is the key focus of a disaster recovery audit. Ensure that end users are aware of the potential risks and steps involved in mitigating those challenges. Regular training and DR drills are a must.
Conduct unplanned checks by internal as well as external disaster recovery auditors to explore loopholes and non-compliance. Properly document checks and drills; this prepares users for unforeseen circumstances. Along with replication and policy-based backup of other databases, ensure safety and recovery of these documents. Perform regular cross-verification to understand the efficiency and integrity of data retrieval systems.
Regularly audit service level agreements (SLA) signed between various hardware and software vendors. Ensure good integration between your SLAs during disaster recovery audits to ensure unified uptime. Interlinked SLAs will ensure availability on all technological fronts.
About the author: Goldi Misra is the Group Coordinator and Head of High Performance Computing (HPC) Solutions Group at C-DAC, Ministry of Communications & IT, Government of India. He is a member of the HPC Advisory council, which is responsible for HPC outreach in India. Goldi is also a member of different committees of various organizations for evaluation of HPC tenders and related tasks.
(As told to Mitchelle Jansen.)