Submitted 2/18/99 by Ami Johnson (JOHNSOAK@apci.com)

OBJECTIVE: To verify that the disaster recovery plan is adequate to ensure resumption of computer systems in a timely manner during adverse circumstances, is in line with the current Business Continuation plan, and reflects the current business operating environment.

QUESTIONNAIRE    W/P Ref

* Is there a disaster recovery plan?
* If a plan exists, when was it last updated?
* What are your procedures for updating the plan?
* Who is responsible for administration or coordination of the plan?
* Is the plan administrator/coordinator responsible for keeping the plan up-to-date?
* Is there a disaster recovery implementation team (i.e., the first response team members who will react to the emergency with immediate action steps)?
* Where is the disaster recovery plan stored?
* Where is the implementation team contact list stored?
* Where is the backup facility site? Are there alternate sites?
* What is your schedule for testing and training on the plan?
* When was the last drill performed?
* Did the drill include use of the backup facilities?
* If not, when were the backup facilities last used?
* If over 1 year, how has the organization determined that its programs can still run on the backup equipment?
* What was the outcome of the drill? How did it improve preparedness?
* What critical systems are covered by the plan?
* What systems are not covered by the plan? Why not?
* Does the plan operate under any assumptions?
* What are the procedures for activation of the plan?
* Are inventories as they relate to your critical systems kept (including LAN servers and communication devices)?
* If inventories are kept, where are they stored?
* Are there formal procedures that specify backup procedures and responsibilities?
* What functions/systems/components are covered under such procedures?
* What training has been given to personnel in using backup equipment and established procedures?
* Where is the off-site storage site?

DOCUMENTATION

* Obtain a copy of the organization's disaster recovery plan.
* Obtain a list of implementation team members.
* Obtain a current copy of the organization chart.
* Obtain current inventory list.
* Obtain a copy of agreements relating to use of backup facilities.

TEST STEPS    W/P Ref

* Review disaster recovery plan.
* Verify that the plan contains a date qualifier to ensure currency.
* Verify that the plan has been updated within the past 12 months.
* Verify that there is effective monitoring of the plan's state of readiness.
* Verify storage location of the plan.
* If different from above, verify the storage location of the implementation team contact list.
* Verify that the implementation team list contains names of team members, job titles, location, office & home telephone numbers.
* Validate that the implementation team list contains active associates, their present title and location, including current home and office telephone numbers.
* Verify that team members are aware of their roles and responsibilities.
* Verify that a testing and training schedule exists and is adequate (at least annually).
* Verify date of last drill.
* Verify that the weaknesses identified in the last drill have been addressed and corrected.
* Verify that the documented plans correspond to the Business Continuation plan.
* Verify that the plan reflects the current system environment.
* Verify that all mission critical programs, data files, computer resources (and operating systems) are covered.
* Verify that the non-covered systems are noted.
* Verify that the plan incorporates prioritization of critical applications and systems.
* Verify that the plan covers procedures for disaster declaration, general shutdown and migration of operations to the backup facility site.
* Verify that the plan includes time requirements for recovery/availability of each critical system, and that they are reasonable.
* Review any agreements for use of backup facilities and related documents.
* Verify that the site is adequate.
* Verify that the site has appropriate hardware and telecommunications devices to restore operations.
* Verify the procedures for periodic evaluation of the backup facilities and equipment to ensure their adequacy, including when the facilities were last used.
* Verify that the site is adequately secured from unauthorized access.
* Verify that the proper security is in effect on the backup equipment and software.
* Verify that the arrangements with the backup site are of a nature and at an organization level where there appears to be a substantial probability that they would and could be honored for substantial periods (e.g., 50 hours per week for two consecutive weeks).
* Verify that the plan includes contingencies in case of prolonged adverse circumstances.
* Verify that inventories noted in the plan reflect the current operating environment.
* Verify that the plans contain written operating instructions and procedures, including procedures to regenerate the system.
* Verify storage location of the inventories.
* Verify that the plan includes controlled procedures for restoration of the original site for normal operations.
* Review the effectiveness of the backup procedures in general.
* Verify that the critical program, data files and computer resources defined for backup are in fact created and sent offsite.
* Verify that the same is true for procedure and job libraries (verify that the current media library maintained by the user area corresponds to the library at the offsite facility).
* Verify that the same is true for operating instructions and other key documentation.
* Verify that the same is true for papers relating to systems and programs under development.
* Verify that the backup copies for onsite, offsite, and legal retention are appropriate.
* For applications with on-line updating of databases, verify that procedures are in place to aid in database recovery to include:
  a) tape/disk logging of input transactions;
  b) logging of before and after images of updated database records;
  c) ability to backup or nullify a transaction;
  d) use of checkpoint/restart software.
* Review the arrangements for offsite storage of key data files and documents.
* Verify that the offsite storage facilities are so located that a disaster could not destroy the records in both the D&B facility and the storage facility.
* Verify that the procedures to obtain offsite copies to the backup site are adequate, efficient and timely.

CONCLUSIONS AND ISSUES

_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________

Audit/Project: Disaster Recovery
Audit Date:
Prepared By:_______ Date:_____________
Reviewed By:_______ Date:______________
W/P Reference:_______