Are backup copies of the Department’s data held in a secure and remote media store? Is there evidence that the current backup strategy works in practice?

Scenario

Business continuity and disaster recovery plans are required to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters. The Payroll Department (“Department”) of ISO Company, Inc. is classified as a critical business process because of the sensitive, private, and confidential information it hosts. It would be disastrous for the Department if information gets lost or if its business systems go off-line, even for a day. During planning meetings, IT auditors kept the following objectives in mind: Are the Department’s business systems adequately backed up? Are backup copies of the Department’s data held in a secure and remote media store? Is there evidence that the current backup strategy works in practice? Is there an appropriate disaster recovery plan established as part of the company’s business continuity plan? Is the disaster recovery plan based on a thorough risk assessment?

Overview

As part of the IT audit of ISO Company, Inc.’s Payroll Department, IT auditors uncovered a number of problems with the company’s business continuity and disaster recovery plans and practices. While conducting the audit, IT auditors observed that the organization’s business continuity and disaster recovery plans, both established 10 years ago, have not been updated to reflect continuity and disaster recovery practices for the current environment. For example, although backup copies were made of the Department’s information, upon inspection, IT auditors discovered that those backups were not maintained at the off-site location where they were supposed to be stored. Moreover, when IT auditors asked for documentation supporting the tests performed of the Department’s business continuity and disaster recovery plans, they discovered that the Department had never tested the plans. The Department also had not conducted any risk assessment in support of the plans.

The Department’s information systems, Payroll System Application (PSA), is open to external attacks since it is interconnected through the network. A collapse of the PSA would bring dire consequences for the Department. In fact, in the event of a crash, switching over to a manual system would not be an option. Manual handling of the company’s payroll sensitive, private, and confidential information by staff personnel has resulted in previous loss of such information. Hence, the PSA must operate online at all times. The auditors agree that, based on the above observations, in the event of interruptions due to natural disasters, accidents, equipment failures, and deliberate actions, the Department may not be able to cope with the pressure.

Task
List the risks the ISO Company, Inc.’s Payroll Department is exposed to as a result of the observations. Also, document audit recommendations you would communicate to ISO Company, Inc.’s management related to the lack of continuity and disaster recovery procedures observed. Support your reasons and justifications with IT audit literature and/or any other valid external source. Include examples, if appropriate, to evidence your case point.

Deliverable

Submit a Word document with a cover page, responses to the task above, and a reference section at the end. The submitted file should be five (5) pages long (double line spacing), including cover page and references. Be ready to present your work to the class. Submit your paper to the Assignments dropbox titled for this activity by the date specified by your instructor.