IT Disaster Recovery 14

  • In a way, disaster recovery is related to SOX but don’t spend too much time on it. The more important issues are
    SOD and Process.



  • Just make sure you have enough backups stored…:
    one or two every day…and one every week…(store them in a safe place outside your company building.)



  • DR is considered to be one of the general IT Controls.
    An example: If data is backed up at midnight and sent off site and a disaster occurs at noon, data entered between midnight and noon may not be reflected within the records of the company. A solid control environment would be able to identify the gaps and provide remediation to restore the data to its proper state. We should be using a
    scenario like this for testing.
    For test results it is both the recovery of key systems and the actual on-going operations of the entity in the recovery site. Since most entities only conduct Disaster Recovery tests once a year, the test results, like year-end processes, can be done to coincide with the yearly test.



  • I believe that section 404 deals more specifically with the need to establish redundant IT controls over your financial reporting systems…and the last post was correct in stating that there need to be some systems in place that accomplish a complete capture of all financial records in ‘real-time’ in the event of a disaster.
    In the past, Disaster recovery was classified into 3 categories: cold, warm, and hot. With regards to Sarb-Ox, you will need to have a ‘hot’ site that will immediately continue to capture, process, and report on all financial transactions at a moment’s notice.



  • DR is an important aspect of having controls in place.
    You should ensure that you have backups scheduled and that these are actually tested periodically.
    You should also have documented plans in place that define what is and what is not in scope for DR.
    Make sure that your DR plans contain sufficient information for anyone with the necessary skill set to bring a box and related apps back online. You cannot afford to rely upon your existing staff with all the ‘business knowledge’ to perform in a DR situation. It might well be that the very people you rely on today are unavailable in a real DR situation.
    Document, document, document…
    Hope this helps



  • Just testing is not going to be enough. You have to successfully recover the data. The courts have already established that not recovering data is being treated as if ‘you’re hiding something’.
    I’ve posted this view in the past: backing up in a traditional to-tape environment is going to get IT in big trouble.
    However, SOX doesn’t define what storage media is allowed. As Senator Sarbanes indicates, ‘that’s for the courts to decide’. SOX states the penalties for not being able to produce data as:
    Title VIII: Corporate and Criminal Fraud Accountability Act of 2002.
    It is a felony to ‘knowingly’ destroy or create documents to ‘impede, obstruct or influence’ any existing or contemplated federal investigation.
    Auditors are required to maintain ‘all audit or review work papers’ for five years.
    Title IX: White Collar Crime Penalty Enhancements
    Maximum penalty for mail and wire fraud increased from 5 to 10 years.
    Creates a crime for tampering with a record or otherwise impeding any official proceeding.
    Section 1102: Tampering With a Record or Otherwise Impeding an Official Proceeding
    Makes it a crime for any person to corruptly alter, destroy, mutilate, or conceal any document with the intent to impair the object’s integrity or availability for use in an official proceeding, or to otherwise obstruct, influence or impede any official proceeding; such a person is liable for up to 20 years in prison and a fine.



  • There is a difference between business continuity planning and disaster recovery.
    To simplify (maybe oversimplify): BCP means you can recover the data. DRP means you can recover your facilities.
    BCP therefore is definitely something you should include and test. However, our external auditors have indicated that DRP is operational and therefore out.
