Contributed 8/8/00 by Bonnie_Chan@deanfoods.com

Audit Program
Backup and Recovery on AS400

A. Backup and Recovery Procedures

1. Obtain an understanding of backup procedures.
   a) Complete Interview Questionnaire and obtain written policy if it exists.
   b) Observe the procedures that are in place.

2. Assess the appropriateness of the objects selected based on frequency of change, time available to save changes, level of importance, etc. See information obtained in Interview Questionnaire.
   * Security information
   * User profiles
   * Private authorities
   * Authorization lists
   * Configuration objects in QSYS
   * IBM-supplied libraries that contain user data (QGPL, QUSRSYS)
   * User libraries that contain user data and programs
   * Folders and documents
   * Distributions
   * Directories

   Note: Recommendation is to have the above items updated on a daily basis, assuming changes occur regularly.

   * Licensed Internal Code
   * Operating system objects in QSYS library
   * Operating System/400 optional libraries (QHLPSYS, QUSRTOOL)
   * Licensed program libraries (QRPG, QCBL, Qxxxx)
   * Licensed program folders (Qxxxxxxx)
   * Licensed program directories (/QIBM, /QOpenSys/QIBM)
   * Financial (Lawson)
   * Order Management
   * Price master file
   * Customer master file
   * Billing
   * Personal computers
   * Other ___________________

   Note: Recommendation is to have the above items updated on a weekly basis or more often because of PTFs (Program Temporary Fixes), new releases to the operating system, or updates to licensed programs.

   2a) Use the following commands to obtain proof of what objects are being saved and when.
   * CHKSAV - determines whether any libraries, members or objects have changed since the last save
   * PRTLIBANL - analyzes all objects by library and summarizes by days what objects have been changed, saved or not saved

3. Assess the appropriateness of the media type used for backup.

4. Obtain a network diagram illustrating the dependencies between divisions, plants, and multiple operating locations.
   a) Ensure backup procedures are appropriate for these dependencies and are complete for all systems included.

5. Are the controls surrounding the backup storage locations appropriate?
   a) On-site
   b) Off-site

6. Assess whether the availability option(s) selected are appropriate for the environment. Include past system failure experiences in the assessment.
   a) Was the basis for determining the option selected adequate, and did it include a cost/benefit analysis?
   b) Obtain the cost/benefit analysis performed. If not available, re-perform the analysis.

B. Testing

1. Select critical application(s) to be tested based on the scope of the review.
   * Financial (Lawson)
   * Order Management
   * Price master file
   * Customer master file
   * Billing
   * Other
   a) Identify the mission critical objects used with the application(s) - program, data file, library, etc.

2. Review proof of the following:
   * Last 10 back-up dates (weekly) and their objects
   * Last 4 quarterly back-ups and their objects

3. Trace the mission critical objects to the Volume Table of Contents (VTOC) listing.

4. Trace files on the VTOC to the backup schedule.

5. Locate backup files, whether in on-site or off-site storage.

6. Verify that dates on backup media agree with backup schedule.

7. Obtain listing of contents of off-site storage facility.

8. Test procedures that ensure backup is performed, e.g., review signatures on a log that states backup was performed, supervisor's approval, etc.

C. Disaster Recovery

1. Obtain a formal copy of the company's current disaster recovery plan.

2. Obtain the most current employee list from Human Resources.
   a) Compare key employee names and numbers to the employee list.

3. Select several key vendors included in the plan and contact them to determine that the contact names and phone numbers are still appropriate.

4. Interview selected employees to determine the level of knowledge regarding the disaster plan and their involvement.

5. Review the disaster recovery plan for completeness.
   Some items to consider in the review are:
   a) Possible alternate processing sites.
   b) Alternate sites tested at least annually.
   c) Agreement exists for the use of the alternate sites.
   d) Availability of peripheral equipment.
   e) Defining critical systems to be processed.
   f) Ability to process without key personnel.
   g) Ability to adapt plan to lesser disasters.

D. General

1. Assess the insurance coverage and the exposure for business interruptions. Obtain insurance policy or other documentation. Ask the following questions:
   a) Are we covered for computer hardware and software failures?
   b) Is our coverage at replacement cost?
   c) What are the circumstances and scenarios under which we are not covered?
   d) Are we aware of the circumstances or scenarios under which we are not covered?
   e) Are there specific requirements for reimbursement, that is, must we perform daily backups or have firewalls on our system?
   f) Are we covered in the case of hackers, intrusion and virus damages?
   g) Are there any specific requirements regarding how we should prove loss and the measurement of that loss?
   h) What is the dollar amount of coverage?
   i) How is our deductible administered? Is it administered by incident, by day, by location? For example, if there is an earthquake in California, does the $100,000 deductible apply to the incident of the earthquake or does it apply to each location - Escondido, San Leandro, Sacramento, etc.?

2. Assess the Corporate policies related to Backup and Recovery and Business Continuity Planning for reasonableness.