IT Disaster Recovery
-
What does Sarbanes-Oxley require for disaster recovery compliance? What is the Sarbanes-Oxley criteria and/or definition of a ‘successful’ test?
-
-
In a way, disaster recovery is related to SOX, but don’t spend too much time on it. The more important issues are SOD and process.
-
Just make sure you have enough backups stored:
one or two every day, and one every week (store them in a safe place outside your company building).
-
DR is considered to be one of the general IT Controls.
An example: if data is backed up at midnight and sent off site, and a disaster occurs at noon, data entered between midnight and noon may not be reflected within the records of the company. A solid control environment would be able to identify the gaps and provide remediation to restore the data to its proper state. We should be using a scenario like this for testing.
For test results, it is both the recovery of key systems and the actual ongoing operations of the entity at the recovery site. Since most entities only conduct disaster recovery tests once a year, the test results, like year-end processes, can be done to coincide with the yearly test.
-
I believe that section 404 deals more specifically with the need to establish redundant IT controls over your financial reporting systems, and the last post was correct in stating that there need to be some systems in place that accomplish a complete capture of all financial records in ‘real time’ in the event of a disaster.
In the past, disaster recovery was classified into 3 categories: cold, warm, and hot. With regard to Sarb-Ox, you will need to have a ‘hot’ site that will immediately continue to capture, process, and report on all financial transactions at a moment’s notice.
-
DR is an important aspect of having controls in place.
You should ensure that you have back ups scheduled and that these are actually tested periodically.
You should also have documented plans in place that define what is and what is not in scope for DR.
Make sure that your DR plans contain sufficient information for anyone with the necessary skill set to bring a box and related apps back online. You cannot afford to rely upon your existing staff with all the ‘business knowledge’ to perform in a DR situation. It might well be that the very people you rely on today are unavailable in a real DR situation.
Document, document, document…
Hope this helps
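Two things in this thread can be turned into a concrete check: the midnight-backup, noon-disaster scenario (how much data is actually exposed, and whether a backup that has not yet left the building counts) and the advice that backups must be scheduled and actually tested. The Python below is an added example, not code from any post in this thread. The catalog format, the `Backup` record, the sample dates and payloads, and the reading of "one or two every day and one every week" as "one offsite daily per day, one offsite weekly per week" are all assumptions made for illustration; the restore test is reduced to a digest comparison on an inline payload standing in for a backup file.

```python
"""Backup catalog checks for the two points raised in the thread: how much
data a midnight-backup / noon-disaster scenario actually exposes, and whether
scheduled backups are really restorable.  Added example, not from the
original posts; the catalog format and sample records are constructed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Backup:
    taken_at: datetime   # point in time the backup reflects
    kind: str            # "daily" or "weekly"
    offsite: bool        # True once a copy is stored outside the building
    sha256: str          # digest recorded when the backup was written
    payload: bytes       # backup contents (inline stand-in for a backup file)


def make_backup(taken_at: datetime, kind: str, offsite: bool,
                payload: bytes, corrupt: bool = False) -> Backup:
    """Record the digest at backup time; optionally damage the stored copy
    afterwards to simulate a backup that was written but is not restorable."""
    digest = hashlib.sha256(payload).hexdigest()
    if corrupt:
        payload = payload[:-1] + b"\x00"   # silent corruption after the digest was taken
    return Backup(taken_at, kind, offsite, digest, payload)


def rpo_gap(catalog: list[Backup], disaster_at: datetime,
            require_offsite: bool = True) -> Optional[timedelta]:
    """Time between the newest usable backup and the disaster: every
    transaction in that window is lost.  A backup still sitting in the
    building does not count when require_offsite is True.  Returns None if
    nothing usable predates the disaster."""
    usable = [b for b in catalog
              if b.taken_at <= disaster_at and (b.offsite or not require_offsite)]
    if not usable:
        return None
    return disaster_at - max(b.taken_at for b in usable)


def failed_restores(catalog: list[Backup]) -> list[Backup]:
    """A minimal restore test: recompute the digest of what would be restored
    and compare it with the digest recorded at backup time."""
    return [b for b in catalog
            if hashlib.sha256(b.payload).hexdigest() != b.sha256]


def retention_violations(catalog: list[Backup], now: datetime,
                         daily_days: int = 7, weekly_weeks: int = 4) -> list[str]:
    """Check the thread's rule of thumb (as assumed here): an offsite daily
    backup for each of the last daily_days days and an offsite weekly backup
    in each of the last weekly_weeks seven-day windows."""
    offsite = [b for b in catalog if b.offsite]
    problems = []
    for d in range(daily_days):
        day = (now - timedelta(days=d)).date()
        if not any(b.kind == "daily" and b.taken_at.date() == day for b in offsite):
            problems.append(f"no offsite daily backup for {day}")
    for w in range(weekly_weeks):
        end = now - timedelta(weeks=w)
        start = end - timedelta(weeks=1)
        if not any(b.kind == "weekly" and start < b.taken_at <= end for b in offsite):
            problems.append(f"no offsite weekly backup for week ending {end.date()}")
    return problems


# Constructed sample catalog: daily backups cut at midnight, weekly ones on Sundays.
DISASTER = datetime(2024, 1, 15, 12, 0)          # noon on Monday 15 January
CATALOG = [
    make_backup(datetime(2023, 12, 24), "weekly", True, b"ledger-2023-12-24"),
    make_backup(datetime(2023, 12, 31), "weekly", True, b"ledger-2023-12-31"),
    make_backup(datetime(2024, 1, 7), "weekly", True, b"ledger-2024-01-07"),
    make_backup(datetime(2024, 1, 9), "daily", True, b"ledger-2024-01-09"),
    make_backup(datetime(2024, 1, 10), "daily", True, b"ledger-2024-01-10"),
    make_backup(datetime(2024, 1, 11), "daily", True, b"ledger-2024-01-11", corrupt=True),
    # 12 January: the nightly job did not run at all
    make_backup(datetime(2024, 1, 13), "daily", True, b"ledger-2024-01-13"),
    make_backup(datetime(2024, 1, 14), "weekly", True, b"ledger-2024-01-14"),
    make_backup(datetime(2024, 1, 14), "daily", True, b"ledger-2024-01-14"),
    # last night's backup exists, but the courier has not taken it offsite yet
    make_backup(datetime(2024, 1, 15), "daily", False, b"ledger-2024-01-15"),
]

if __name__ == "__main__":
    print("exposure, offsite copies only:", rpo_gap(CATALOG, DISASTER))
    print("exposure, counting the on-site tape:", rpo_gap(CATALOG, DISASTER, require_offsite=False))
    for b in failed_restores(CATALOG):
        print("restore test failed:", b.kind, b.taken_at.date())
    for p in retention_violations(CATALOG, DISASTER):
        print("retention:", p)
```

On the sample data the exposure is 12 hours if the tape from last night is counted, but 36 hours once you insist on an offsite copy, because the newest copy outside the building is Sunday's weekly; that difference is exactly the gap the poster above says a DR test should be designed to surface. The restore test catches the 11 January backup, which exists in the catalog and would pass a "do we have a backup" check but cannot be restored intact, and the retention check reports the night the job did not run and the copy that never left the building.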