Carefully created and thorough data backup (BCP) and recovery plans (DR) are crucial for anyone who wishes to secure their data in the event a problem arises; this is even more necessary if your company handles a large amount of sensitive data such as credit card information, transactions, and the personal information of your employees and customers. A backup plan is essentially an insurance plan for your data. As hardware and software are anything but perfect, situations arise where the stored information can be corrupted or even lost. If mission-critical or sensitive data is rendered useless, there needs to be a plan in place to be able to restore this information in a timely and cost-effective manner.
Regarding auditing BCP and DR plans, there are several methods of ensuring that current systems and future changes are effective. Any thorough audit should first create the project’s scope by merely deciphering the building-blocks of the systems in question. For example, for a BCP plan, one should decide what data needs to be protected and backed up, how often this data should be backed up, and what methods will be used to back up and restore the data. Next, an auditor will need to decide what and how many pieces of equipment will be required to properly back up the organization’s information, including optical drives, tape drives, and removable disk drives. Additionally, there should be an individual put in charge of this plan; this will ensure the constant updates and technical assistance that this plan requires are performed. An audit of the personnel involved in BCP and DR plans should be performed as well, looking into their security status, certifications, or any other information that may hinder or improve their ability to perform their assigned tasks.
During an audit of a BCP, for example, all documentation should be collected and reviewed; this can include equipment inventory sheets, weekly testing checklists, and even call/email orders/notifications to be used in the event of an issue. For a DR plan, many of the same steps of a BCP plan would apply, with the inclusion of test scenarios to see how the plan would perform if a real-world incident occurred. During an audit of any business-related IT plan, it is vital to ensure documentation is up to date, the company is following any associated rules, regulations, policies, and laws, and effectively document any potential improvements that can be made.
Otero, A. R. (2019). Information Technology Environment and IT Audit. In The IT Audit Process. (Fifth ed., pp. 59-96). Boca Raton, Florida: CRS Press.