Gideon T. Rasmussen, CISSP, CISA, CISM, MVP
Professional
 
 
Disaster Recovery Audit

Here is a response to one of my contacts regarding a disaster recovery audit. She wanted to assess the effectiveness of security during a DR test.

Kind regards,

Gideon

Gideon T. Rasmussen
CISSP, CISA, CISM, MVP
Charlotte, NC
http://www.virtualcso.com

http://www.ussecurityawareness.org
http://groups.yahoo.com/group/insider-threat
http://groups.yahoo.com/group/security-awareness
http://groups.yahoo.com/group/gideons-infosec-list

Unfortunately, I have not come across a disaster recovery audit. I would start by establishing a partnering relationship with the IT group. Work at a peer level as much as possible. Ensure someone takes notes at each site during the test.

From a security perspective, I would want to ensure that all production controls exist at the DR site:

* Are the systems hardened and patched?
* Are anti-virus and malware definitions current?
* Is the same network segmentation in place (e.g. a DMZ with the DB on an internal network)?
* Has the DR environment been scanned for network and application vulnerabilities?
* Are the firewall rules appropriate (granular source and destination)?
* Is production-quality encryption in use?
* Is intrusion detection software current, with notifications monitored?
* Are permissions appropriately restricted on files and directories?
* Do high availability components adequately support production?
* Are any of the systems shared with other customers?
* Are administrative passwords properly controlled?
* Are backups enabled with automated scheduling?
* Are physical security controls appropriate?
* Are audit trails enabled and centralized?

I would want to confirm that the test was thorough:

* Was the entire plan tested (versus a tabletop exercise)?
* Did the test include primary & alternate sites?
* Were all plan participants involved (e.g. senior management & third parties)?
* Was the plan well organized, detailing teams and specific tasks?
* Was data restored at the alternate site?
* Was a complete failover accomplished, placing the alternate site into production?
* Was data from the alternate site restored back into production at the primary site?
* Were all services restored in the time allotted by the plan?
* Was sensitive data deleted at the conclusion of testing?
* Were the DR plan and recall roster stored off-site?
* Were both documents current?

Post testing:

* Did the plan address all business critical services?
* Did participants attend a lessons-learned session?
* Were all testing issues tracked and remediated?

I wrote an article on powering down a computer room as a first phase of disaster recovery. It may be of use to you.

http://www.gideonrasmussen.com/article-10.html

Please feel free to contact me with any questions or comments.

Posted: Tue Jun 26, 2007 2:44 am



Copyright © 2002 - 2007 Gideon T. Rasmussen All Rights Reserved.