MINUTES

MID-AMERICA CONTINGENCY PLANNING FORUM
JOINT GENERAL BUSINESS MEETING
With St. Louis ISACA Chapter
January 21, 1998 4:30 PM
Junior League of St. Louis
Present (according to sign-in sheet):
Anna Bathon NationsBank
Tom Monroe Safe Deposit Company/CompuVault
Virgil Mueller Comdisco Recovery Services
Tamra O’Brien DataSafe Storage, Inc.
Timothy Proost A. G. Edwards & Sons, Inc.
Julie Scott Safe Deposit Company/CompuVault
Joan Speaker DataSafe Storage, Inc.
Clint Williams BJC Health System
The meeting was held at the Junior League of St. Louis and began at 4:30 p.m. This was a joint meeting with the St. Louis Chapter of Information Systems Audit and Control Association (ISACA).
Ray Bueneman began the meeting with a networking session from 4:30 until 5:00. Ray then introduced Doug Menendez (Express Scripts, Inc.), who gave a presentation on "Auditing the Disaster Recovery Plan." Highlights from Doug’s discussion included:
"Auditing the Disaster Recovery Plan"
Why Audit:
- Provides insurance to Management that plans are complete and up-to-date.
- Motivates associates/personnel to maintain their recovery plans.
- Can identify and track improvements across operations.
- Helps to justify allocation of resources.
- Timing can occur during development of a recovery plan or once the plan has been completed.
- Can develop an alliance, build support, share issues, and maintain open lines of communication.
Pre-Audit Steps:
- Obtain from business units:
  - Business Functional or Risk Analysis documentation
  - Existing contracts
  - Previous test results
  - Previous audit results
- Obtain from auditors:
  - Audit scope
  - Objectives of audit
  - Reports issued
  - Work plan / procedures
- Ensure auditors understand the functions to be audited
- Get Management’s expectations for audit or testing and recovery
Audit Approach/Testing:
- Four means of auditing:
  - Inspection/Review
  - Observation
  - Participation
  - Verification
Auditing Plan Components:
- Initiation and Administration:
  - Ensure Senior Management support
  - Organizational responsibility and user involvement
  - Key strategies and assumptions
- Emergency Preparedness:
  - Declaration and evacuation procedures
  - Public relations
  - Damage containment, clean up and salvaging program
- User Interim Procedures:
  - Key strategies and assumptions
  - Security and audit trails
  - Manual procedures
  - Arrangements for fall-back equipment
  - Will the same environment exist in a recovery mode?
- Back-Up Process:
  - Data files
  - Application and System Software
  - Hardware and Support Facilities
  - Logistics Support and Personnel
  - Verify contents at offsite storage location
  - Review contracts
  - Ensure the authorized signature list is updated
- Recovery Procedures:
  - Data center activation
  - File recovery procedures
  - Start-up of critical systems
  - Ensure configurations match logistics to/from facilities
  - How detailed are the procedures?
- Documentation:
  - Accountability for maintenance
  - Distribution and version control
  - Currency, form, style, and clarity
  - Use of automated tools
- Testing and Training:
  - Exercise objectives
  - Roles and responsibilities
  - Types of testing – simulation or live; announced or unannounced; frequency
  - Plan maintenance
  - Verify completeness and accuracy
  - Increases the confidence in the ability to recover
- Summary:
  - Create awareness of the recovery process
  - Include Auditing as an observer of tests
  - Auditors can see across a wide range of business units or departments
  - Assists in gaining Management’s support
Following dinner, Ray Bueneman made a few announcements and introduced Anna Bathon as Secretary of the MCPF group. Anna thanked ISACA for the opportunity for the MCPF to participate in this joint meeting, stated when the MCPF meetings were held, and that we would welcome any and all new members. Membership applications were available for anyone interested in joining our group. Following this brief period, Ray proceeded to introduce Steve Davis of DataSafe Corporation, who discussed "Future Technologies for Safe Storage and the Evolution of Offsite Storage."
"Future Technologies for Safe Storage and the Evolution of Offsite Storage"
Why:
- If something happens to the host facility
- Audit compliance
- Disaster recovery preparedness
Security of Offsite Data Storage:
- Legal compliance
- Audit compliance
- Satisfy management directive
- Disaster recovery preparedness
- Improved security
- Convenience
- Third-party discipline
- Economics
- Transportation security
- Magnetic secure containers
- 24-hour access to data
- A professional organization
Physical Security:
- Burglary protection
- Fire protection (Halon 1301, FM200)
- Secured storage area
Auditing and Bar Code Technology:
- Satisfies two main needs:
  - Control – managed and under control
  - Comfort – stored safely in case the company needs it
- Accomplishes needs by:
  - Accuracy
  - Location
  - Flexibility
  - Restoration/access
  - Life cycle management
- Report features:
  - Activity summary
  - List of events
- Control and Audit features:
  - Tracking
  - Shipment verification
  - Site audit
- Typical type of communication utilizing bar codes:
  - Pick lists
  - Retrieval requests
  - Inventory files
  - E-Mail
- Recordkeeping Advantages:
  - Receipts
  - Computerized inventory control
- Bar Code Media Tracking and Control:
  - Electronic file transfer
  - 100% accurate inventory control
  - Audit function
  - E-Mail
  - Disaster recovery preparedness for disaster recovery processing
- Key option to bar code scanning – fast, accurate means to verify providing inventory control
Copies of the handouts provided by both Doug Menendez and Steve Davis are available upon request by calling Anna Bathon at 314/466-3509.
The next meeting of the MCPF group will be held on Thursday, February 19, 1998, 3:00 p.m., at the NationsBank Plaza downtown. The featured topic will be on Year 2000 concerns presented by Julie Bergh of MasterCard.
This meeting was adjourned at 7:45 p.m.
Recorded by: Anna M. Bathon
MCPF Secretary