Page 188 - Courses

Exploring Corrective Controls

Auditing Backup Processes

Internal auditors should consider designing tests to review backup processes.

Protection and Encryption
Test to ensure:
- Confidential data on backup media is encrypted at rest, and in transit if it is duplicated to another server inside the network or to an outside cloud provider.
- The courier service guarantees media are protected while en route to the offsite storage facility.
- Backup media are protected from unauthorized access.
- The offsite storage facility has appropriate controls to safeguard backup media. This may also require reviewing the third-party audit reports and performing a walkthrough of the facility (announced or unannounced).

Monitoring
Test to ensure:
- Access to the storage management console is limited and is monitored.
- Alerts are sent and assessed whenever a change is made to a backup policy (rule).
- Backup policy changes are approved by the data, system, or process owner.
- Backups are monitored for successful completion.

Preservation and Restoration
Test to ensure:
- Test restores from media are performed to verify that backups can be recovered.
- Media preservation and re-use procedures exist and are functioning correctly, covering frequency of use, errors present, and age of the media.
- Archive media are brought back and restored to newer media.
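The Monitoring and Preservation tests above can be partly automated against evidence exported from the backup system. The following is an added example, not part of the course material: the job, policy-change and media records are constructed, and the retirement thresholds are assumed values an auditor would agree with the media owner.

```python
"""Automated evidence checks for the backup audit tests (Monitoring and
Preservation). Record formats and thresholds are constructed/hypothetical."""
from datetime import date

# Constructed sample evidence an auditor might export from a backup system.
JOBS = [
    {"job": "fileserver-daily", "status": "completed"},
    {"job": "db-nightly", "status": "failed"},
    {"job": "mail-weekly", "status": "completed"},
]
POLICY_CHANGES = [
    {"policy": "db-nightly", "changed_by": "opsadmin", "approved_by": "db-owner", "alerted": True},
    {"policy": "mail-weekly", "changed_by": "opsadmin", "approved_by": None, "alerted": False},
]
MEDIA = [
    {"id": "TAPE-0001", "uses": 120, "errors": 0, "manufactured": date(2019, 3, 1)},
    {"id": "TAPE-0002", "uses": 310, "errors": 4, "manufactured": date(2016, 6, 1)},
]
MAX_USES, MAX_ERRORS, MAX_AGE_YEARS = 250, 1, 5  # assumed retirement thresholds


def failed_jobs(jobs):
    """Monitoring test: every backup job should have completed successfully."""
    return [j["job"] for j in jobs if j["status"] != "completed"]


def unapproved_or_unalerted_changes(changes):
    """Monitoring test: each policy change was alerted on and approved by an owner."""
    return [c["policy"] for c in changes if not c["approved_by"] or not c["alerted"]]


def media_due_for_retirement(media, today):
    """Preservation test: flag media exceeding use, error, or age thresholds."""
    flagged = []
    for m in media:
        age_years = (today - m["manufactured"]).days / 365.25
        if m["uses"] > MAX_USES or m["errors"] > MAX_ERRORS or age_years > MAX_AGE_YEARS:
            flagged.append(m["id"])
    return flagged


def audit_findings(jobs=JOBS, changes=POLICY_CHANGES, media=MEDIA, today=date(2021, 1, 1)):
    """Collect exceptions for the audit workpaper; an empty dict means no findings."""
    findings = {
        "failed_jobs": failed_jobs(jobs),
        "policy_changes_without_approval_or_alert": unapproved_or_unalerted_changes(changes),
        "media_due_for_retirement": media_due_for_retirement(media, today),
    }
    return {k: v for k, v in findings.items() if v}


if __name__ == "__main__":
    for test, exceptions in audit_findings().items():
        print(f"{test}: {', '.join(exceptions)}")
```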

Business Continuity and Disaster Recovery

Organizations usually develop business continuity, disaster recovery, and incident response plans; the types of assurance activities performed by internal auditors on these plans include:
- Testing annual certifications to verify that, if departments or business units are required to certify, they have reviewed and updated their individual plans.
- Observing business continuity, disaster recovery, and incident recovery testing and making suggestions on the control and process items identified.
- Testing to ensure lessons-learned items are remediated and incorporated into later testing and, if appropriate, that the corresponding plans or playbooks are updated.

Assessing Plan Implementation or Revision

For an organization implementing or reviewing its organizational resiliency program or specific plans, internal audit may be asked to participate in the following activities:
- Review and make suggestions on the planned methodology.
- Review and make suggestions on project deliverables for each defined phase.
            Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.