Control Point Ref #: ofconaab A formalized offsite agreement is in place which identifies the offsite center's availability and responsibilities of both parties Audit Steps ----------- Determine if the agreement addresses the following critical issues: o guarantees of availability o timeframes of the offsite processing center's availability when an offsite contingency situation arises o processing windows allocated to the data center to run their application on a given day (if applicable) o notification for change in hardware environment of the offsite processing facility F1 - Info Screen Ref #: ofconaab Background ---------- In order to ensure the availability of the offsite processing center, a formal agreement needs to be in place. The offsite agreement will in most cases be very similar for the three types of offsite facility scenarios: o reciprocal agreement with offsite processing center o one way agreement with offsite processing center o Vendor provided alternate processing site When a vendor provides offsite processing for multiple companies, the priority of your center must be established since some disasters (e.g., power failure) may effect an entire area that the offsite facility provides processing for.
Control Point Ref #: ofconaad An analysis has been performed to ensure that the vendor offsite processing system is compatible Audit Steps ----------- 1) Ensure that an analysis has been performed to determine if the equipment used at the offsite processing facility meets the requirements of your installation. 1.1) Review the inventory list of equipment used at the onsite and offsite facility and determine the differences in equipment type which includes: o printers o telecommunication connections o DASD o controllers (e.g., front-end communication controllers, DASD controller) 1.2) For any differences identified, obtain an explanation of how it is compatible with your system requirements or how your installation can alter its own processing to make it compatible with the system and operating environment of the offsite processing center. 2) Determine if a sufficient amount of system resources (e.g., DASD and memory) are available to perform offsite processing or if an analysis has been performed to determine the level of degradation that it is expected or alternate processing steps required to meet the needs of the business that the system supports. F1 - Info Screen Ref #: ofconaad Background ---------- In order to determine if an offsite storage facility meets the requirements of your installation, an analysis needs to be performed to identify their differences. When there are differences, an action plan must be in place to identify how processing will be changed to meet the hardware and system environment provided at the offsite processing center. Differences in the hardware components can adversely effect the manner in which your installation processes at the offsite processing facility. For instance, if DASD at the offsite processing facility has less storage, then your installation has to adjust its contingency plan of the applications that will be restored. The same scenario exits with the front end processor. For example, if the offsite processing facility has a 3725 and your installation uses a 3745, their will be less connections for your installation to work with. In some cases the differences, will prevent the use of the offsite processing facility. For example, incompatible tape drives would prevent the use of the offsite processing facility. Audit Step Info --------------- If your center has performed an offsite contingency test or had to use the facility for an actual offsite contingency, then your compliance test to determine their compatibility would not need to be performed. The following audit steps are used for determining how specific hardware and system resources are being handled at the offsite processing facility: 1) Determine if the telecommunications needs of the users have been addressed at the offsite processing center 1.1) Determine how access via leased lines are being handled at the offsite facility Determine the leased lines that are used by your processing and who the users are. Determine if leased lines will be switched to the alternate site when a disaster occurs or if access to the system will be performed through an alternate means. If the lines will be switched, determine if a controller switch is used to switch the lines to the offsite processing center or if arrangements have been made with the service company or phone company to reroute the lines. Determine if the service company that will switch the line has committed to the timeframes required. 1.2) Determine how access via switch lines are being handled at the offsite facility. 1.3) Determine the number of dial-up lines that are used by your installation and compare it to the number offsite and verify if it is sufficient to support the access needs of the users. 2) Determine if a memory analysis has been performed to determine if the same amount or additional memory is available. If less memory is available at the offsite processing site, determine if the total memory required to process applications which are being supported at the offsite processing center is analyzed to determine its impact. 3) Determine if DASD space that is available at the offsite processing has been analyzed to determine if it is sufficient to support the storage requirements of the operating system, system software, and applications being restored.
Control Point Ref #: ofconaaf An offsite Contingency Plan is in place which will enable the business to be maintained in the event of a disaster Audit Steps ----------- 1) Determine if the Contingency Plan contains the information necessary to initiate the plan. 1.1) Determine if the Contingency Plan addresses the conditions which would necessitate the transfer of operations to the offsite processing facility. 1.2) Determine if the responsibility has been delegated to individuals or jobs functions that are responsible for initiating the contingency plan which includes the following: o retrieving or arrange delivery of the tapes from the offsite storage facility o calling all appropriate individuals from the contact list and vendors (e.g., perform necessary switching to enable the offsite processing center, couriers for report distribution and tape delivery) 1.3) Determine if a contact list is established with home numbers of the individuals that need to be contacted (e.g., system, application, operations, management) 2) Determine if the necessary arrangements have been planned for running the business from the offsite processing facility which includes: o transportation for individuals who need to be at the offsite processing facility o hotel arrangements for personnel 3) Ensure that a process is in place to determine whether all data has been loaded on to the offsite processing system. 3.1) Determine if selected data sets will be restored or if the entire system will be restored (i.e., full volume restores). If selected datasets will be restored, ensure that there is a list maintained of those data sets that should be restored which will be used to compare to a list taken after the selected data sets are restored. 4) Ensure that a step-by-step approach is documented to determine how to load the offsite processing system. 5) Determine if all of the documentation (i.e., run manuals, technical manuals) is stored at the offsite facility or arrangements made for their delivery from an offsite storage facility. F1 - Info Screen Ref #: ofconaaf Background ---------- Having an overall plan to initiate the plan and restore the system at the offsite processing location is required to ensure a smooth transfer of operations. When developing a contingency plan it always must be assumed that no materials can be retrieved from the existing processing environment. Audit Step Info --------------- All contingency situations that require the transfer of operations to the offsite processing facility is not necessarily based on a fire to your existing processing facility. Depending on the timeframes that are required to restore the business, a partial loss of your existing processing environment may require the transfer of operations to the offsite processing center. The partial loss of each type of equipment that would necessitate the transfer of operations should outlined in the plan for initiating the offsite contingency plan. For example, the loss of the CPU or Air conditioning unit for more than 24 hours may require the transfer of operations.
Control Point Ref #: ofconaag The offsite Contingency Plan is tested to ensure that it will function in a real contingency situation Audit Steps ----------- 1) Determine if the contingency plan is test once a year or within the timeframes that is required by your installation. 2) Ensure that the contingency test plan is comprehensive enough to prove that the business can be supported at the offsite processing facility. 2.1) Ensure that all phases of processing is performed which includes: o loading of the operating system and performing an IPL o loading all applications that are being provided support for offsite processing o testing the online facilities through all telecommunication sources o sample selection of online transaction processing is performed o the entire batch process which includes the printing of all reports at the contingency specified locations 2.2) Ensure that all applications are reconciled to ensure accurate results. 2.3) Ensure that other system interfaces are tested and tapes produced for other centers who receive tapes. 3) Ensure that the offsite contingency test uses back-up files from the offsite storage location. 4) Ensure that statistics are maintained from the point that the test begins from the loading of the operating system till the completion of the days work in order to determine amount of time it takes to recover from an offsite contingency and the time frames required to perform a days worth of work. 5) Ensure that representatives from the various job functions that support the business participate in the test. 6) Ensure that individuals from each job function that participate in the test are rotated to ensure that individuals are trained in how to operate in a disaster. 6.1) Review the test participants list from a sample of tests to ensure that individuals are rotated. F1 - Info Screen Ref #: ofconaag Background ---------- A contingency test is required to ensure that the offsite processing facility can actually support the processing requirements of the business that your site supports. In addition, performing a contingency test ensures that the contingency plan addresses all of the requirement for processing your system at the offsite processing facility. Audit Step Info ---------------- Many contingency tests are divided into multiple contingency tests to provide assurance that the entire contingency plan works. This approach should be avoided since only a full test would provide the information required to determine how a business is affected by an offsite contingency situation. The level of application testing that is required during an offsite contingency test is viewed differently based on the following issues: o Is there assurance that the offsite media storage area contains the most current production version of the system and application software which includes the level of control that your installation has on performing backups? o Is the hardware environment the same as the current processing environment? If no, then the initial test of the offsite processing environment would require more extensive testing since the device configuration is different or the level of capacity may not be able to sustain the processing load contained within your applications. o The complexity of the telecommunications environment will drive the level of testing required. The method that is used to ensure that sufficient level of testing was performed to gain assurance that the offsite processing center can sustain the business is via user signoffs. However, the auditor should conduct their own review which includes the following: o Review the listing of jobs that were executed from the scheduling system to ensure that all of the batch jobs were successfully run. A comparison should also be performed to the job schedule from the onsite processing center to ensure that all jobs were run. o The transaction log (i.e., assuming that it is provided by your application) should be reviewed to determine if transactions tested are a fair representation of the transactions normally executed by each application. ************************************************************************ Copyright 1991 - 2009, Audit Serve, Inc. All rights reserved. All Audit Programs are copyrighted and may not be posted electronically or redistributed unless written permission is granted by Audit Serve, Inc. The Audit Programs may be used for internal use within organizations. Audit Programs may not be resold. *************************************************************
Free Audit Vision Newsletter Since 1991 Join 3,500 other subscribers
Advertise with Us