344 Part Two Information Technology Infrastructure
devises plans for the restoration of computing and communications services
after they have been disrupted. Disaster recovery plans focus primarily on
the technical issues involved in keeping systems up and running, such as
which files to back up and the maintenance of backup computer systems or
disaster recovery services.
For example, MasterCard maintains a duplicate computer center in Kansas
City, Missouri, to serve as an emergency backup to its primary computer center
in St. Louis. Rather than build their own backup facilities, many firms contract
with disaster recovery firms, such as Comdisco Disaster Recovery Services in
Rosemont, Illinois, and SunGard Availability Services, headquartered in Wayne,
Pennsylvania. These disaster recovery firms provide hot sites housing spare
computers at locations around the country where subscribing firms can run their
critical applications in an emergency. For example, Champion Technologies,
which supplies chemicals used in oil and gas operations, is able to switch its
enterprise systems from Houston to a SunGard hot site in Scottsdale, Arizona,
in two hours.
Business continuity planning focuses on how the company can restore
business operations after a disaster strikes. The business continuity plan
identifies critical business processes and determines action plans for handling
mission-critical functions if systems go down. For example, Deutsche Bank,
which provides investment banking and asset management services in 74
different countries, has a well-developed business continuity plan that it
continually updates and refines. It maintains full-time teams in Singapore,
Hong Kong, Japan, India, and Australia to coordinate plans addressing loss of
facilities, personnel, or critical systems so that the company can continue to
operate when a catastrophic event occurs. Deutsche Bank’s plan distinguishes
between processes critical for business survival and those critical to crisis
support and is coordinated with the company’s disaster recovery planning for
its computer centers.
Business managers and information technology specialists need to work
together on both types of plans to determine which systems and business
processes are most critical to the company. They must conduct a business
impact analysis to identify the firm’s most critical systems and the impact a
systems outage would have on the business. Management must determine the
maximum amount of time the business can survive with its systems down and
which parts of the business must be restored first.
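The business impact analysis described above has a computable core: each system gets a maximum tolerable downtime and an estimated hourly outage cost, and those two figures decide restoration order. The following Python script is an added example, not from the textbook; the system names, downtime limits, cost figures and recovery times are constructed placeholders, and the sequential-recovery model (one system brought back at a time) is an assumption made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessSystem:
    name: str
    max_tolerable_downtime_h: float  # longest outage the business can survive
    outage_cost_per_hour: float      # estimated financial impact per hour down
    recovery_time_h: float           # time to bring it back (e.g. hot-site switch)


# Constructed sample inventory; all figures are hypothetical, not from the text.
SYSTEMS = [
    BusinessSystem("intranet wiki", 72.0, 500.0, 24.0),
    BusinessSystem("payroll", 48.0, 5_000.0, 24.0),
    BusinessSystem("order entry", 4.0, 50_000.0, 2.0),
    BusinessSystem("trading platform", 1.0, 200_000.0, 2.0),
]


def outage_impact(system, hours):
    """Financial impact of an outage of the given length, in the same currency as the cost figure."""
    return system.outage_cost_per_hour * hours


def restoration_order(systems):
    """Rank systems: tightest tolerable downtime first, then highest hourly cost."""
    return sorted(systems, key=lambda s: (s.max_tolerable_downtime_h, -s.outage_cost_per_hour))


def restoration_plan(systems):
    """Simulate recovering systems one after another in ranked order.

    Returns (name, time restored, meets its downtime limit) for each system.
    The cumulative clock is what exposes the gap a per-system view would hide:
    a system that is second in line inherits the recovery time of the first.
    """
    plan = []
    clock = 0.0
    for s in restoration_order(systems):
        clock += s.recovery_time_h
        plan.append((s.name, clock, clock <= s.max_tolerable_downtime_h))
    return plan


def recovery_gaps(systems):
    """Systems that cannot be restored within their limit even when recovered alone."""
    return [s.name for s in systems if s.recovery_time_h > s.max_tolerable_downtime_h]


if __name__ == "__main__":
    for name, done, ok in restoration_plan(SYSTEMS):
        print(f"{name:18s} restored at {done:5.1f} h  {'OK' if ok else 'MISSES LIMIT'}")
    print("gaps even in isolation:", recovery_gaps(SYSTEMS))
```

Run as written, the plan shows the trading platform missing its one-hour limit because the assumed hot-site switch takes two hours; that is the kind of finding a business impact analysis is meant to surface before an outage, so that management can either shorten the recovery path or accept the exposure explicitly.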
THE ROLE OF AUDITING
How does management know that information systems security and controls
are effective? To answer this question, organizations must conduct comprehensive and systematic audits. An MIS audit examines the firm’s overall security
environment as well as controls governing individual information systems. The
auditor should trace the flow of sample transactions through the system and
perform tests, using, if appropriate, automated audit software. The MIS audit
may also examine data quality.
Security audits review technologies, procedures, documentation, training,
and personnel. A thorough audit will even simulate an attack or disaster to
test the response of the technology, information systems staff, and business
employees.
The audit lists and ranks all control weaknesses and estimates the probability of their occurrence. It then assesses the financial and organizational impact
MIS_13_Ch_08 Global.indd 344 1/17/2013 3:10:21 PM