Page 28 - CITP Review

Incident response plan

Management will likely need to provide for contingency planning other than disaster recovery and business continuity for its IT and systems. Other damaging events that carry any substantial risk should have been identified in the IT risk assessment, including risks associated with errors in applications; mistakes in installing hardware; bugs in coding applications; security of data in storage; errors in communications; risks in data integrity during transfers; and other similar risks associated with IT.

The internal CITP will want to be aware of the various IT risks associated with the entity and its systems, business processes, IT function, and controls in order to properly address or review those risks. The best way to ensure that information is available is by applying the risk assessment model with due diligence.

There are a number of bad things that can happen related to IT that could potentially affect the entity's public image or customer base in a negative manner.

For instance, if a company were to experience a malicious attack on its system where data on credit cards of its customers were compromised, and if that information gets to the public, it could not only affect its customers but prospective customers as well (i.e., its ability to maintain its market share, much less grow).

The same would be true for most frauds, especially for not-for-profit (NFP) organizations. In order to mitigate these kinds of risks, management should make plans in advance of the incident in order to effectively respond to the negative event. That plan, known as an incident response plan (IRP), should include the following:

1. The IRP should be thoroughly developed and tested in advance of potential negative incidents.
2. It should be written, and become part of the entity's policies and procedures.
3. Like the DRP, it should include a team which would be responsible for carrying out the actual response.
4. It should describe the investigation process of the incident (for example, who or what department specifically is in charge of the incident response investigation, to whom the team reports, and so on). Because incidents could range from fraud to loss of data to very high-tech intrusions, the team needs to be broad enough to handle a variety of incidents.

The purpose of an IRP is to minimize the damages that could happen as a result of the incident. A secondary purpose is usually to provide feedback to management on changes to preventive or detective controls related to the business processes and functions associated with the incident (i.e., how the entity can prevent that particular event from occurring again).


Data backup and recovery

The entity should have policies and procedures that are effective in enabling the entity to fully recover its data should the data be destroyed or lost. There are some principles, or best practices, associated with backup and recovery of data. The minimum P&P would include the following:

• Regular backups of data
• Offsite storage of data
• Testing of recovery


© 2019 Association of International Certified Professional Accountants. All rights reserved. 1-20