By one commonly cited estimate, between forty and sixty percent of businesses that suffer a business-threatening disaster fail within the next five years, so disaster planning is not taken lightly by stockholders or regulatory authorities. Conducting an audit of the disaster recovery plan will quickly expose any discrepancy that would affect business continuity.
Disasters occur all the time and are rarely anticipated. Many IT administrators and organizations plan for hardware failure in their networks or for attacks from hackers and malware, but understandably many will have no plans for natural disasters such as earthquakes, flooding or fire. Even fewer will have plans in place to cope with terrorism or with pandemics such as the much-anticipated bird flu.
Business continuity planning is a vital task for all departments, even though it may be coordinated by IT or primarily involve disaster recovery of data. All departments need to take responsibility for their specific roles under the disaster recovery plan. In a large organization the written plan may extend to several hundred pages, and it would be difficult to keep up to date without frequent testing of procedures and regular audits.
No audit of disaster recovery procedures would be complete without first reviewing the plan and its documentation. Staff and third-party contact details need to be up to date, and all staff with responsibilities under the plan must be issued detailed instructions. Training adequate for those duties needs to be arranged and tested, and new staff inducted into the company's disaster recovery procedures.
Company insurance policies need to be maintained at levels suitable for the losses expected after a disaster; the audit should establish that premiums are paid and, where they are paid monthly or quarterly, that they are not in arrears. Similarly, the audit will examine third-party contractors and confirm that all networking, backup, mirroring and data center provisioning is in place as per the agreed deliverables.
Backup procedures are an important component of disaster recovery and should be tested for integrity and completeness on a regular schedule, with occasional simulation of a failed server. Auditing teams will look at the efficiency of the restore procedures and whether full service is resumed, and at whether controls exist to catch an incomplete or corrupted data restoration rather than assuming that a restore which finishes without error has restored everything.
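As an added example (it is not part of the original article, and the file names and contents are constructed sample data), the following Python script shows one way to make "tested for integrity and completeness" concrete. A manifest of file sizes and SHA-256 digests is recorded when the backup is taken; after a restore drill the restored tree is compared against that manifest, which catches the three failure classes an auditor cares about: files that never came back, files that came back truncated or altered, and files that appeared that were never in the backup. The drill function simulates a failed server by deliberately dropping one file and truncating another in the "restored" copy.

```python
"""Backup integrity and completeness check: build a hash manifest at backup
time and verify a restored copy against it. Added example, not from the
original article; file names and contents below are constructed sample data."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, tuple[int, str]]:
    """Record relative path -> (size, sha256) for every regular file under root.
    Produced at backup time and stored alongside, and ideally separately from, the backup."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = (p.stat().st_size, sha256_of(p))
    return manifest


def verify_restore(manifest: dict[str, tuple[int, str]], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest and report missing,
    corrupted (size or digest mismatch) and unexpected files."""
    report: dict[str, list[str]] = {"missing": [], "corrupted": [], "unexpected": []}
    seen = set()
    for p in restored.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(restored).as_posix()
        seen.add(rel)
        if rel not in manifest:
            report["unexpected"].append(rel)
            continue
        size, digest = manifest[rel]
        # Size check first: cheap, and it catches truncated restores before hashing.
        if p.stat().st_size != size or sha256_of(p) != digest:
            report["corrupted"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    report["corrupted"].sort()
    report["unexpected"].sort()
    return report


def run_restore_drill() -> dict[str, list[str]]:
    """Simulate a failed server: back up a small constructed tree, 'restore' it
    with one file dropped and one file truncated, and return the verifier's report."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "live"
        dst = Path(tmp) / "restored"
        (src / "etc").mkdir(parents=True)
        (src / "db").mkdir()
        (src / "etc" / "app.conf").write_bytes(b"listen=443\n")
        (src / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1);\n" * 100)
        (src / "db" / "users.sql").write_bytes(b"INSERT INTO users VALUES (1);\n" * 50)

        manifest = build_manifest(src)               # taken at backup time

        shutil.copytree(src, dst)                    # the "restore"
        (dst / "db" / "users.sql").unlink()          # file never restored
        with (dst / "db" / "orders.sql").open("r+b") as f:
            f.truncate(10)                           # partial restore of a large file
        (dst / "db" / "scratch.tmp").write_bytes(b"x")  # leftover that was never backed up

        return verify_restore(manifest, dst)


if __name__ == "__main__":
    result = run_restore_drill()
    status = "OK" if not any(result.values()) else "FAILED"
    print(status, result)
```

In practice the manifest would be produced by the backup job itself and kept where a compromise or loss of the backup media cannot also alter it; a restore drill that merely checks the restore tool's exit code tells the auditor nothing about completeness.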
If failover networks, redundant servers and spare critical components are factored into the business continuity plan, then auditing their usefulness and response times will be considered. Off-site locations will be evaluated for suitability, for their exposure to the same disaster as the primary site, and for the security of the data held there. If a hot site is provisioned, auditors will want to eliminate deficiencies that may affect the success of disaster recovery.
The performance of disaster recovery duties by staff and third-party contractors is not left untested at audit time; business continuity depends on the people implementing the plan getting it right. Their communication skills and expertise in their roles can be evaluated against industry standards in addition to running simulations with staff.
The auditor's job is to ensure that disaster preparedness is as complete as humanly possible, so staff should not feel threatened. During a disaster recovery and business continuity audit, management needs to allay the fears of staff while also reinforcing that the corporation ultimately cannot afford to be unprepared.