Presentation is loading. Please wait.

Presentation is loading. Please wait.

David N. Wozei Systems Administrator, IT Auditor.

Published byRosamund Fisher Modified over 8 years ago

Similar presentations

Presentation on theme: "David N. Wozei Systems Administrator, IT Auditor."— Presentation transcript:

1 David N. Wozei Systems Administrator, IT Auditor

2 ISACA Area 5 Protection of Information Assets Provide assurance that the security architecture (policies, standards, procedures and controls) ensures the confidentiality, integrity and availability of information assets. Tasks _ Evaluate the design, implementation and monitoring of logical access controls to ensure the confidentiality, integrity, availability and authorized use of information assets. _ Evaluate network infrastructure security to ensure confidentiality, integrity, availability and authorized use of the network and the information transmitted. _ Evaluate the design, implementation and monitoring of environmental controls to prevent or minimize loss. _ Evaluate the design, implementation and monitoring of physical access controls to ensure that information assets are adequately safeguarded. _ Evaluate the processes and procedures used to store, retrieve, transport and dispose of confidential information assets.

3 Provide assurance that, in the event of a disruption, the business continuity and disaster recovery processes will ensure the timely resumption of IT services, while minimizing the business impact. Tasks _ Evaluate the adequacy of backup and restore provisions to ensure the availability of information required to resume processing. _ Evaluate the organization’s disaster recovery plan to ensure that it enables the recovery of IT processing capabilities in the event of a disaster. _ Evaluate the organization’s business continuity plan to ensure its ability to continue essential business operations during the period of an IT disruption. ISACA Area 6 Business Continuity and Disaster Recovery

4 What is Backup and Disaster Recovery all about? To backup is to have a secondary source of information (to stand in for the primary source). Business continuity is to ensure business critical and non-critical processes keep running. Disaster Recovery is a self- definition; recovering from a disaster. To rebuild a destroyed resource. There is an inherent risk to IT systems. BIA (risk based approach), BCP Identify the IT Systems as business critical and as business assets. (In relation to protection of Information assets) Look out for the risky areas.

5 Types of backup Full backup Creates an entire copy of each file on the system. This is the most effective backup method and requires a significant amount of time. It’s common for a full backup to be run at least once per week, but the frequency of your backup should depend on the value of your data. To restore data, the computer operator loads the latest full backup, usually from tapes. Next, the most current data is loaded by using files from a subsequent incremental or differential backup tape. Incremental method Copies only the files that have changed since the last backup. The incremental method is commonly used for backups on weekdays. This method requires less time than a full backup. Unfortunately, the file restoration process takes longer because it is necessary to restore the full backup and each version of incremental backup. An incremental backup resets the archive bit (backup flag) to indicate that a file needs to be backed up. If any of the tapes or disks in incremental restoration fails, the RPO will also fail. Incremental recovery requires using more tapes.

6 Types of Backup (continued…) Differential method Copies every file that has changed between full backup runs. Differential is the preferred method for business continuity. This method ensures that multiple copies of daily files should exist on multiple tapes. A differential backup is very fast on the first day after a full backup, and then takes longer each day as more files are copied. A differential backup works because the backup software does not change the archive bit (backup flag).

7 What are we auditing anyway? What are the assets and their configurations, locations etc? (This includes disaster recovery sites, primary sites, command sites...) What are their vulnerabilities or risks? Is there a Business Continuity Plan? Is there a Backup policy or Data Retention policy? Is there a Disaster Recovery Plan? Is there a team and individual business continuity manager responsible for these plans and policies or is implementation ad hoc? Has the risk been transferred? Are third-partied involved. Are users aware of the Plan? Is the plan comprehensive and does the team know when it is to be activated? Is the plan reviewed and tested periodically? Has a Business Impact Assessment ever been done?

8 What are we auditing anyway? (continued) Has the organisation decided not to adopt a plan at all? Is procurement aware of the plan? Are the financial implications of the plan known and are the finances available or feasible? Is security aware of the plan? (a security firm providing security to premises) Are utilities aware of the plan? (Electricity, Tel Cos, Water etc) How do we handle important documents in paper format? (For example, contracts, legal documents, land titles) How do we handle human lives, once there is a risk to them? Is there a specific period acceptable for recovery or downtime? Has the organisation decided not to have a plan?

9 What are the risks? Business collapse Financial loss Loss of life Loss of business property and assets Loss of information Damage to reputation Legal action Failure to resume business

10 Who should be involved in the effort to prevent a disaster? A BCP manager or 'owner'. Users Identify first responders Third-parties and out-sourced resources Those to whom risk has been transferred (Insurance Companies) Procurement Suppliers Top management IT department Security staff Any more, you can think of? Please list some…

11 Review of Documents, Policies, Plans Review of some documents with information on Backup and DR as well as Business Continuity.

12 THE END

Download ppt "David N. Wozei Systems Administrator, IT Auditor."

Similar presentations

Information Technology Disaster Recovery Awareness Program.

Information Technology Disaster Recovery Awareness Program.
Case Study: Business Continuity Planning for Site- Level Disaster Kimberley A. Pyles Northrop Grumman Corporation

Case Study: Business Continuity Planning for Site- Level Disaster Kimberley A. Pyles Northrop Grumman Corporation
Systems Availability and Business Continuity Chapter Four Prepared by: Raval, Fichadia Raval Fichadia John Wiley & Sons, Inc. 2007.

Systems Availability and Business Continuity Chapter Four Prepared by: Raval, Fichadia Raval Fichadia John Wiley & Sons, Inc
1 Disaster Recovery “Protecting City Data” Ron Bergman First Deputy Commissioner Gregory Neuhaus Assistant Commissioner THE CITY OF NEW YORK.

1 Disaster Recovery “Protecting City Data” Ron Bergman First Deputy Commissioner Gregory Neuhaus Assistant Commissioner THE CITY OF NEW YORK.
Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.

Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.
1 Disk Based Disaster Recovery & Data Replication Solutions Gavin Cole Storage Consultant SEE.

1 Disk Based Disaster Recovery & Data Replication Solutions Gavin Cole Storage Consultant SEE.
1 Outsourcing Contract and Service Level Issues Sharon O’Bryan Week 5 November 2, 2004.

1 Outsourcing Contract and Service Level Issues Sharon O’Bryan Week 5 November 2, 2004.
Coping with Electronic Records Setting Standards for Private Sector E-records Retention.

Coping with Electronic Records Setting Standards for Private Sector E-records Retention.
Security Controls – What Works

Security Controls – What Works
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.
Pertemuan 20 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan 20 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
Disaster Prevention and Recovery Presented By: Sean Snodgrass and Theodore Smith.

Disaster Prevention and Recovery Presented By: Sean Snodgrass and Theodore Smith.
®® Microsoft Windows 7 for Power Users Tutorial 10 Backing Up and Restoring Files.

®® Microsoft Windows 7 for Power Users Tutorial 10 Backing Up and Restoring Files.
John Graham – STRATEGIC Information Group Steve Lamb - QAD Disaster Recovery Planning MMUG Spring 2013 March 19, 2013 Cleveland, OH 03/19/2013MMUG Cleveland.

John Graham – STRATEGIC Information Group Steve Lamb - QAD Disaster Recovery Planning MMUG Spring 2013 March 19, 2013 Cleveland, OH 03/19/2013MMUG Cleveland.
Chapter 10 Information Systems Controls for System Reliability—Part 3: Processing Integrity and Availability Copyright © 2012 Pearson Education, Inc.

Chapter 10 Information Systems Controls for System Reliability—Part 3: Processing Integrity and Availability Copyright © 2012 Pearson Education, Inc.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 12: Managing and Implementing Backups and Disaster Recovery.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 12: Managing and Implementing Backups and Disaster Recovery.
1 Objectives Discuss the Windows Printer Model and how it is implemented in Windows Server 2008 Install the Print Services components of Windows Server.

1 Objectives Discuss the Windows Printer Model and how it is implemented in Windows Server 2008 Install the Print Services components of Windows Server.
IT Assurance and Reliability Why Should You Care? Richard Oppenheim, CPA, CITP President, SysTrust Services Corporation Presented to ISACA Regional Meeting.

IT Assurance and Reliability Why Should You Care? Richard Oppenheim, CPA, CITP President, SysTrust Services Corporation Presented to ISACA Regional Meeting.
Services Tailored Around You® Business Contingency Planning Overview July 2013.

Services Tailored Around You® Business Contingency Planning Overview July 2013.
Security+ All-In-One Edition Chapter 16 – Disaster Recovery and Business Continuity Brian E. Brzezicki.

Security+ All-In-One Edition Chapter 16 – Disaster Recovery and Business Continuity Brian E. Brzezicki.

Similar presentations

Ads by Google