
Internal Audit Report

ICT backup and recovery

Report status Final

Report date 14th November 2013

Financial Period 2013/14

Prepared by Mark Gee, ICT Auditor (Haines Watts)

Agenda Item No. 7.5

ICT backup and Recovery INTERNAL AUDIT REVIEW

Page 2 of 8

The Review

The overall objective of the audit was to provide an opinion on the level of control in place to manage the risks associated with ICT backup and recovery.

Background

As part of the internal audit programme for the financial year 2013/14 an audit review has been performed on the Humberside Fire and Rescue Service's (the "Fire Authority") system of control in place for ICT backup and recovery.

The Fire Authority is heavily reliant on Information Technology. Servers are used to host IT application software as well as to store and process data for critical functions including Firewatch, finance and email. The partial or total loss of key IT applications or data would have a detrimental effect on the ability of the Fire Authority to carry out its business processes. The ability to restore IT applications and data is key to mitigating this risk.

The backup and recovery process is managed centrally by IT services using a computer software and hardware solution. The fire authority currently use two pieces of software: Symantec Backup Exec 2010 R3 and Microsoft DPM v.4.0. The hardware component of the backup solution is primarily comprised of mirrored / clustered servers, multiple SANs and external tape drives which back up data.

Backups are taken regularly according to an established schedule. An audit trail is maintained within the relevant backup software package to provide assurance that a successful backup has occurred.

In 2013 the Fire Authority invested in an upgraded data centre for ICT equipment. This has a range of physical controls for temperature, moisture, flood defence and backup power.

For the majority of applications and data currently hosted, reliance is placed on the integrity of the server room at Summergroves Way. Tapes are taken off site on a weekly basis. This provides resilience if the server room were to be compromised.

From 2014 onwards joint working arrangements, such as with the East Coast and Hertfordshire control room consortium, will allow the fire authority to increasingly back up data directly to remote sites to reduce the reliance on the integrity of the server room.

The IT manager is responsible for the IT section to document and execute the backup process. Regular test restores are completed, confirming the integrity and suitability of the backup and restore process.

The adequacy of ICT's backup and service continuity arrangements is demonstrably relied upon by the Fire Authority. For key systems such as service control and finance we noted individual plans in which there is reference to the ICT service continuity plan.


The review has considered the following control objectives:

- procedures have been documented and formally approved to support the backup and recovery processes in place;
- roles and responsibilities have been defined and assigned to a named officer(s) to ensure accountability for key processes;
- recovery procedures are regularly tested and these tests are recorded, reported appropriately and any resulting necessary actions identified and taken promptly;
- an assessment has been carried out to identify business critical IT systems;
- the risks that could result in physical damage to infrastructure (or individual server hardware) or data loss or corruption have been identified and a management approach to each risk identified has been agreed; and
- a disaster recovery plan that details the procedures required to permit recovery from a partial or total physical loss of IT services in a controlled manner is in place.

Key Findings

Our key findings are:

- business continuity plans within the authority refer to an ICT business continuity plan. ICT do not maintain a single repository for business continuity and disaster recovery;
- retention schedule guidelines do not specifically mention ICT based backups; and
- quotas are not used to manage staff backup volume.

Areas of Good Practice

The following areas of good practice were noted:

- roles and responsibilities have been defined and assigned to named officers for the ICT backup and recovery process;
- the authority have a detailed, documented and tested backup recovery solution;
- the ICT department maintain a detailed list of servers including details of name, location, I.P. address and data contained;
- access to the data centre is restricted via key pad and is limited to authorised staff only;
- the data centre contains a monitored and alarmed suite of physical controls including for temperature, humidity and power supply;
- the fire authority have implemented mirrored servers within the data centre to minimise the potential for service disruption; and
- ICT have configured file stores to allow staff to restore files from backup that have been deleted erroneously.

Audit Opinion and Conclusion

Overall, Internal Audit can give Adequate assurance on the level of control in place to manage the risks associated with the ICT backup and recovery process.

Within the body of this report 3 areas of risk have been identified and corresponding recommendations have been made to address these risks. Of the 3 recommendations made, 2 have been classified as medium priority.


Assurance Level Definition: Adequate

Level of Assurance / Definition:

Substantial: There is a sound system of internal control designed to achieve the system objectives.

Adequate: While there is a basically sound system of internal control designed, there are weaknesses which put some of the system objectives at risk.

Limited: Weaknesses in the design of the system of internal controls are such as to put the system objectives at risk.

None: Control design is generally weak, leaving the system open to significant error or abuse.


Appendix A – Findings & Action Plan

Explanation of Priority ratings:

Priority / Explanation:

High: Action that is considered imperative to ensure that the Fire Authority is not exposed to high risks. Major adverse impact on achievement of the Authority's objectives if not adequately addressed.

Medium: Action that is considered necessary to avoid exposing the Fire Authority to significant risks.

Low: Action that is considered desirable and should result in enhanced control or better value for money. Minimal adverse impact on achievement of the Fire Authority's objectives if not adequately addressed.


Finding / Risk / Recommended Action / Priority / Management Action

Finding 1: Business continuity plans within the authority refer to an ICT business continuity plan. ICT do not maintain a single repository for business continuity and disaster recovery.

ICT do maintain an 'Out of hours' pack that would go some way to mitigating this risk if obtained in a significant disruption scenario.

Risk: Failure to define a single repository for the ICT business continuity plan may result in:

- lack of clarity within the authority;
- dependence on key ICT personnel to locate necessary information; and
- failure to restore business systems in a defined order in the case of a serious disruption.

Recommended Action: ICT should ensure that they maintain a specific ICT service continuity plan.

This plan should incorporate relevant information from:

- backup procedures;
- hardware lists;
- location of tapes;
- key contacts, both internal and external;
- list of systems that are hosted by ICT;
- list of applications / services that are hosted by a third party.

Management Action: Agreed.

Responsibility: [IT manager]

Target date: [March 2014]

Finding 2: Whilst a retention schedule is maintained (that is updated under an SLA), this does not explicitly mention IT based backups.

Within the authority currently, service heads have responsibility for data retention, which requires compliance with the Data Protection Act.

Risk: Failure to maintain an electronic retention schedule for both shared drives and SharePoint could result in a loss of data / breach of data protection rules.

This could cause damage to reputation and/or attract fines for breach of legislation.

Recommended Action: The authority should perform a risk assessment to ensure that retention schedules are defined for IT based backups, including for documents stored on all shared drives and SharePoint.

Management Action: Agreed.

Responsibility: [IT manager]

Target date: [March 2014]


Finding 3: Quotas are not used to manage staff backup allowances.

Risk: Excessive use of backup facilities may cause increased operational costs incurred through inefficient use of IT.

Recommended Action: ICT should consider introducing quotas on storage allowance for staff.

Quotas should be defined to accommodate different staff roles within the authority.

Management Action: Agreed.

Responsibility: [IT manager]

Target date: [March 2014]


The matters raised in this report are only those that came to our attention during the course of the audit work and are not necessarily a comprehensive statement of all the weaknesses that exist or of all the improvements that may be required.

Whilst every care has been taken to ensure that the information in this report is as accurate as possible, it is based on the information provided and documents reviewed. No complete guarantee or warranty can be given with regard to the advice and information contained within the report. We emphasise that the responsibility to implement a sound system of internal controls rests with management and that our work should not be taken as a substitute for this responsibility. Our work has been considered to identify material irregularity which has a reasonable possibility of discovery; however, this does not provide absolute assurance that material error, loss or fraud do not exist.

This report is intended solely for the use of the Audit, Performance and Scrutiny Committee and Senior Management of the Fire Authority. The dissemination, distribution, copying or disclosure of this report or its contents is prohibited unless prior written permission is obtained from HW Controls & Assurance LLP. No responsibility to any third party is accepted as the report has not been prepared and has not been intended for any other purpose.

© 2013 HW Controls and Assurance LLP. All rights reserved.

HW Controls & Assurance LLP
Registered in England & Wales, No. OC323078
Registered Office: 30 Camp Road, Farnborough, Hampshire GU14 6EW.
