OBJECTIVE:

To verify that the disaster recovery plan is adequate to insure resumption of co

mputer systems in a timely manner during adverse circumstances, is in line with
the current Business Continuation plan, and reflects the current business operat
ing environment.

QUESTIONNAIRE
W/P Ref
Is there a disaster recovery plan? If a plan exists, when was it last updated?
What are your procedures for updating the plan?
Who is responsible for administration or coordination of the plan?
Is the plan administrator/coordinator responsible for keeping the plan up-to-dat
e?
Is there a disaster recovery implementation team (i.e., the first response team
members who will react to the emergency with immediate action steps)?
Where is the disaster recovery plan stored?
Where are the implementation team contacts list stored?
Where is the backup facility site? Are there alternate sites?
What is your schedule for testing and training on the plan?
When was the last drill performed?
Did the drill include use of the backup facilities? If not, when were the backu
p facilities last used? If over 1 year, how has the organization determined tha
t its programs can still run on the backup equipment?
What was the outcome of the drill? How did it improve preparedness?
What critical systems are covered by the plan?
What systems are not covered by the plan? Why not?
Does the plan operate under any assumptions?
What are the procedures for activation of the plan?
Are inventories as they relate to your critical systems kept (including LAN serv
ers and communication devices)?
If inventories are kept, where are they stored?
Are there formal procedures that specify backup procedures and responsibilities?
What functions/systems/components are covered under such procedures?
What training has been given to personnel in using backup equipment and establis
hed procedures?
Where is the off-site storage site?
DOCUMENTATION
* Obtain a copy of the organization's disaster recovery plan.
* Obtain a list of implementation team members list.
* Obtain a current copy of the organization chart.
* Obtain current inventory list.
* Obtain a copy of agreements relating to use of backup facilities.

TEST STEPS
W/P Ref
Review disaster recovery plan.
Verify that the plan contains a date qualifier to ensure currency.
Verify that the plan has been updated within the past 12 months.
Verify that their is effective monitoring of the plan's state of readiness.
Verify storage location of the plan.
If different from above, verify the storage location of the implementation team
contact list.
Verify that the implementation team list contains names of team members, job tit
les, location, office & home telephone numbers.
Validate that the implementation team list contains active associates, their pre
sent title and location, including current home and office telephone numbers.
Verify that team members are aware of their roles and responsibilities.
Verify that a testing and training schedule exists and is adequate (at least ann
ually)..
Verify date of last drill.
Verify that the weaknesses identified in the last drill have been addressed and
corrected.
Verify plans documented correspond to the Business Continuation plan.
Verify that the plan reflects the current system environment.
Verify that all mission critical programs, data files, computer resources (and o
perating systems) are covered.
Verify that the non-covered systems are noted.
Verify that the plan incorporates prioritization of critical applications and sy
stems.
Verify that the plan covers procedures for disaster declaration, general shutdow
n and migration of operations to the backup facility site.
Verify that the plan includes time requirements for recovery/availability of eac
h critical system, and that they are reasonable.
Review any agreements for use of backup facilities and related documents. Verif
y that the site is adequate.
Verify that the site has appropriate hardware and telecommunications devices to
restore operations.
Verify the procedures for periodic evaluation of the backup facilities and equip
ment to ensure their adequacy including when the facilities last used.
Verify that the site is adequately secured from unauthorized access.
Verify that the proper security is in effect on the backup equipment and softwar
e.
Verify that the arrangements with the backup site are of a nature and at an orga
nization level where there appears to be a substantial probability that they wou
ld and could be honored for substantial periods (e.g., 50 hours per week for two
consecutive weeks).
Verify that the plan includes contingencies in case of prolonged adverse circums
tances.
Verify that inventories noted in the plan reflect the current operating environm
ent.
Verify that the plans contain written operating instructions and procedures incl
uding procedures to regenerate the system..
Verify storage location of the inventories.
Verify that the plan includes controlled procedures for restoration of the origi
nal site for normal operations.
Review the effectiveness of the backup procedures in general.
Verify that the critical program, data files and computer resources defined for
backup are in fact created and sent offsite.
Verify that the same is true for procedure and job libraries (verify that the cu
rrent media library maintained by the user area corresponds to the library at th
e offsite facility).
Verify that the same is true for operating instructions and other key documentat
ion.
Verify that the same is true for papers relating to systems and programs under d
evelopment.
Verify that the backup copies for onsite, offsite, and legal retention are appro
priate.
For applications with on-line updating of databases, verify that procedures are
in place to aid in database recovery to include a) tape/disk logging of input tr
ansactions; b) logging of before and after images of updated database records; c
) ability to backup or nullify a transaction; d) use of checkpoint/restart softw
are.
Review the arrangements for offsite storage of key data files and documents.
Verify that the offsite storage facilities are so located that a disaster could
not destroy the records in both the D&B facility and the storage facility.
Verify the procedures to obtain offsite copies to the backup site is adequate, e
fficient and timely.

CONCLUSIONS AND ISSUES

________________________________________________________________________________
_____
________________________________________________________________________________
_____
________________________________________________________________________________
_____
________________________________________________________________________________
_____
________________________________________________________________________________
_____
Audit/Project
Audit Date
Disaster Recovery
Prepared By:_______ Reviewed By:_______
Date:_____________ Date:______________
W/P Reference:_______ p. 4