Disaster Recovery Audit
Here is a response to one of my contacts regarding a disaster
recovery audit. She wanted to assess the effectiveness of security
during a DR test.
Kind regards,
Gideon
Gideon T. Rasmussen, CISSP, CISA, CISM, MVP
Charlotte, NC
http://www.virtualcso.com
http://www.infosecresources.com
http://groups.yahoo.com/group/insider-threat
http://groups.yahoo.com/group/security-awareness
http://groups.yahoo.com/group/gideons-infosec-list
Unfortunately, I have not come across a disaster recovery audit. I
would start by establishing a partnering relationship with the IT
group. Work at a peer level as much as possible. Ensure someone takes
notes at each site during the test.
From a security perspective, I would want to ensure that all
production controls exist at the DR site:
· Are the systems hardened and patched?
· Are anti-virus and malware definitions current?
· Is the same network segmentation in place (e.g. a DMZ w/the DB on
an internal network)?
· Has the DR environment been scanned for network and application
vulnerabilities?
· Are the firewall rules appropriate (granular source and
destination)?
· Is production-quality encryption in use?
· Is intrusion detection software current with notification monitored?
· Are permissions appropriately restricted on files and directories?
· Do high availability components adequately support production?
· Are any of the systems shared with other customers?
· Are administrative passwords properly controlled?
· Are backups enabled with automated scheduling?
· Are physical security controls appropriate?
· Are audit trails enabled and centralized?
I would want to confirm that the test was thorough:
· Was the entire plan tested (versus a tabletop exercise)?
· Did the test include primary & alternate sites?
· Were all plan participants involved (e.g. senior management & third
parties)?
· Was the plan well organized, detailing teams and specific tasks?
· Was data restored at the alternate site?
· Was a complete failover accomplished, placing the alternate site
into production?
· Was data from the alternate site restored back into production at
the primary site?
· Were all services restored in the time allotted by the plan?
· Was sensitive data deleted at the conclusion of testing?
· Were the DR plan and recall roster stored off-site?
· Were both documents current?
Post testing:
· Did the plan address all business critical services?
· Did participants attend a lessons learned session?
· Were all testing issues tracked and remediated?
I wrote an article on powering down a computer room as a first phase
of disaster recovery. It may be of use to you.
http://www.gideonrasmussen.com/article-10.html
Please feel free to contact me with any questions or comments.
Posted: Tue Jun 26, 2007 2:44 am