If you run a business, you need to plan for events, such as power outages, floods, earthquakes, or terrorist attacks that will prevent your informationsystems and your business from operating. Disaster recovery planning devises plans for the restoration of computing and communications services after they have been disrupted. Disaster recovery plans focus primarily on the technical issues involved in keeping systems up and running, such as which files to back up and the maintenance of backup computer systems or disaster recovery services. For example, MasterCard maintains a duplicate computer center in Kansas City, Missouri, to serve as an emergency backup to its primary computer center in St. Louis. Rather than build their own backup facilities, many firms contract with disaster recovery firms, such as Comdisco Disaster Recovery Services in Rosemont, Illinois, and SunGard Availability Services, headquartered in Wayne, Pennsylvania. These disaster recovery firms provide hot sites housing spare computers at locations around the country where subscribing firms can run their critical applications in an emergency. For example, Champion Technologies, which supplies chemicals used in oil and gas operations, is able to switch its enterprise systems from Houston to a SunGard hot site in Scottsdale, Arizona, in two hours.
Business continuity planning focuses on how the company can restore business operations after a disaster strikes. The business continuity plan identifies critical business processes and determines action plans for handling mission-critical functions if systems go down. For example, Deutsche Bank, which provides investment banking and asset management services in 74 different countries, has a well-developed business continuity plan that it continually updates and refines. It maintains full-time teams in Singapore, Hong Kong, Japan, India, and Australia to coordinate plans addressing loss of facilities, personnel, or critical systems so that the company can continue to operate when a catastrophic event occurs. Deutsche Bank’s plan distinguishes between processes critical for business survival and those critical to crisis support and is coordinated with the company’s disaster recovery planning forits computer centers.
Business managers and information technology specialists need to work together on both types of plans to determine which systems and business processes are most critical to the company. They must conduct a business impact analysis to identify the firm’s most critical systems and the impact a systems outage would have on the business. Management must determine the maximum amount of time the business can survive with its systems down and which parts of the business must be restored first.
THE ROLE OF AUDITING
How does management know that information systems security and controls are effective? To answer this question, organizations must conduct comprehensive and systematic audits. An MIS audit examines the firm’s overall security environment as well as controls governing individual information systems. The auditor should trace the flow of sample transactions through the system and perform tests, using, if appropriate, automated audit software. The MIS audit may also examine data quality. Security audits review technologies, procedures, documentation, training, and personnel. A thorough audit will even simulate an attack or disaster to test the response of the technology, information systems staff, and business employees. The audit lists and ranks all control weaknesses and estimates the probability of their occurrence. It then assesses the financial and organizational impact
Business continuity planning focuses on how the company can restore business operations after a disaster strikes. The business continuity plan identifies critical business processes and determines action plans for handling mission-critical functions if systems go down. For example, Deutsche Bank, which provides investment banking and asset management services in 74 different countries, has a well-developed business continuity plan that it continually updates and refines. It maintains full-time teams in Singapore, Hong Kong, Japan, India, and Australia to coordinate plans addressing loss of facilities, personnel, or critical systems so that the company can continue to operate when a catastrophic event occurs. Deutsche Bank’s plan distinguishes between processes critical for business survival and those critical to crisis support and is coordinated with the company’s disaster recovery planning forits computer centers.
Business managers and information technology specialists need to work together on both types of plans to determine which systems and business processes are most critical to the company. They must conduct a business impact analysis to identify the firm’s most critical systems and the impact a systems outage would have on the business. Management must determine the maximum amount of time the business can survive with its systems down and which parts of the business must be restored first.
THE ROLE OF AUDITING
How does management know that information systems security and controls are effective? To answer this question, organizations must conduct comprehensive and systematic audits. An MIS audit examines the firm’s overall security environment as well as controls governing individual information systems. The auditor should trace the flow of sample transactions through the system and perform tests, using, if appropriate, automated audit software. The MIS audit may also examine data quality. Security audits review technologies, procedures, documentation, training, and personnel. A thorough audit will even simulate an attack or disaster to test the response of the technology, information systems staff, and business employees. The audit lists and ranks all control weaknesses and estimates the probability of their occurrence. It then assesses the financial and organizational impact
This chart is a sample page from a list of control weaknesses that an auditor might find in a loan system in a local commercial bank. This form helps auditors record and evaluate control weaknesses and shows the results of discussing those weaknesses with management, as well as any corrective actions taken by management.
of each threat. Figure 8.4 is a sample auditor’s listing of control weaknesses for a loan system. It includes a section for notifying management of such weaknesses and for management’s response. Management is expected to devise a plan for countering significant weaknesses in controls.
No comments:
Post a Comment