IT Segregation of Duties - are Disaster Recovery in scope?



  • In Segregation of Duties, we know that no one person should have access to both the development and production environments at any time.
    Could someone please advise whether Disaster Recovery (DR) servers are considered part of the production environment?



  • From whatever I know about DR, those servers will not contain any data at all. In case of any disaster, the data from backups are uploaded to such servers for business continuance and recovery.
    DR servers are mere hardware devices till a disaster strikes (that too is applicable only if the organization has a hot or warm site for their DRP).
    Given the above, DR servers do not ideally get into the group of production servers.
    Cheers



  • Hi and welcome to the forums 🙂
    I also see more of an indirect relationship between DR and SOX requirements. The financial information in that environment must be protected and retained according to SOX guidelines (e.g., 7 years of history). The DR environment needs to be properly secured anyway, outside the scope of SOX-related controls.
    Still, SOD requirements in segregating the TEST/PROD environments most likely won’t apply, as your overall security controls and monitoring processes should compensate for any IT-related risks.



  • It depends on what kind of DR servers we are talking about:

    1. Hot Standby - loaded apps, data replication - they would need to fully conform to SOD norms. They need to be an exact replica of production systems for SOD. One exception could be additional group IDs that are reserved for the disaster recovery team for recovery and management and are activated after the disaster.
    2. Warm sites - OS loaded, restore ready - Since no apps are running and data/apps will be loaded after the disaster, thus not in scope.
    3. Cold site - Only basic hardware - Not in scope due to non-operational nature.

    With a top-down approach, once you come to the apps level, 2 and 3 are out of scope as no apps are running. This makes only type 1 in scope for SOX compliance, including SOD.


  • Thanks Calvin for sharing the perspective of ‘hot site mirroring’, as my comments pertained more toward warm or cold site recovery strategies.
    The DR process is always very important to the company and often covered by other audits. Hopefully, folks are testing the recovery capabilities from on-site and off-site backups annually (if not more frequently than that). As financial applications are often deemed most important in DR recovery ranking, it might be good to review what COBIT and COSO say in that regard (as they represent complementary standards for SOX compliancy).



  • Thanks all for sharing your thoughts…
