Which of the following issues should be the GREATEST concern to the IS auditor when reviewing an IT disaster recovery test?
A. Due to the limited test time window, only the most essential systems were tested. The other systems were tested separately during the rest of the year.
B. During the test it was noticed that some of the backup systems were defective or not working, causing the test of these systems to fail.
C. The procedures to shut down and secure the original production site before starting the backup site required far more time than planned.
D. Every year, the same employees perform the test. The recovery plan documents are not used since every step is well known by all participants.
Explanation:
A disaster recovery test should test the plan, processes, people and IT systems. Therefore, if the plan is not used, its accuracy and adequacy cannot be verified. Disaster recovery should not rely on key staff since a disaster can occur when they are not available. It is common that not all systems can be tested in a limited test time frame. It is important, however, that those systems which are essential to the business are tested, and that the other systems are eventually tested throughout the year. One aim of the test is to identify and replace defective devices so that all systems can be replaced in the case of a disaster. Choice B would only be a concern if the number of discovered problems is systematically very high. In a real disaster, there is no need for a clean shutdown of the original production environment since the first priority is to bring the backup site up.
Correct answer is B:
A. This is not a concern because over the course of the year, all the systems were tested.
B. The purpose of the test is to test the backup plan. When the backup systems are not working then the plan cannot be counted on in a real disaster. This is the most serious problem.
C. In a real disaster, there is no need for a clean shutdown of the original production environment because the first priority is to bring the backup site up.
D. A disaster recovery test should test the plan, processes, people and IT systems. Therefore, if the plan is not used, its accuracy and adequacy cannot be verified. Disaster recovery should not rely on key staff because a disaster can occur when they are not available. However, the fact that the test works is less serious than the failure of the systems and infrastructure that the recovery plan counts on. Best practice would rotate different people through the test and ensure that the plan itself is followed and tested.