Tips to Prepare for a Network Disaster Recovery Audit

The disaster recovery, or DR, audit of the network provides an objective examination of the controls that manage network performance, and assesses whether the results are consistent with control objectives.

Network operations, including local access, WAN, wireless networks, and Internet access, are mission critical. As such, companies should periodically review them to ensure they are following operating policies and procedures, test recovery and restoration procedures, and carefully document the results of each activity.

This article offers tips that companies can follow to prepare for an audit of DR activities of voice and data networks. These tips help ensure network operations are protected from potentially disruptive events such as power outages, network outages, and equipment outages. Network teams should also audit network integrity and recoverability controls.

The following three types of audits are possible:

  • first type, which is carried out by internal audit;
  • second type, in which a client or authorized organization performs an external audit of the DR of the network; or
  • third type, which is a totally independent external audit.

Make sure the internal auditor or external audit firm is familiar with issues related to network DR, including the following:

  • DR plans of the network;
  • network DR tests;
  • network DR policies and procedures;
  • network access;
  • network diversity;
  • network settings;
  • network routing;
  • network backup;
  • network security;
  • network equipment environment;
  • managed network services;
  • local exchange access services;
  • WAN services;
  • Internet access;
  • cloud-based network services; and
  • availability of devices, such as routers and switches, to replace failed units.

Importance of a network DR audit

Network operations are essential for organizations of any kind and size and must be managed in accordance with established policies and procedures. Failure to conduct regular reviews of network DR plans and procedures, as well as testing of those resources, can increase the risk of a network outage that may be difficult to recover from in time.

Regular audits of network DR program activities ensure that the network is working as it should and help quickly identify and correct outages.

Two important elements for an audit

Preparation and documentation are the two most important elements when preparing for a network DR audit. Both electronic and paper documents are essential as evidence, so teams need to make sure they identify those items and prepare them for audit. It is also essential to select and prepare a team to work with the auditors.

The internal audit team must understand what happens during the audit, to be able to answer the auditors’ questions accurately. Support from IT management is also essential, as auditors may want to interview IT leaders along with members of the network management team. It is also important that teams have the ability to demonstrate how the organization’s network DR activities work, as auditors may want to see how a network recovery is performed.

Best Practices for Network DR Audit Preparation

As mentioned above, preparation and documentation are key elements for the audit. The following is a checklist of audit items:

  • Current copies of all documentation related to network and DR operations, including network DR plans, DR policies and procedures, recent DR assessments, roles and responsibilities of network DR teams, the results of network DR tests, documents that describe past network recovery issues and how they were resolved, DR test schedules, DR training activities, DR test reports, evidence of previous management reviews and DR audits of the network, and evidence of ongoing network improvement activities.
  • Evidence that the network DR program is part of a comprehensive IT DR program.
  • Evidence of network DR tests scheduled, completed, and documented as part of an overall IT DR program.
  • Evidence of periodic network DR assessments, DR plan updates, and updates to the network DR policies and procedures.
  • Evidence demonstrating senior management support for the network’s DR program, including a senior management sponsor or advocate, a budget, and staff dedicated to the network’s DR activities.
  • Evidence that the network’s DR activities are considered a strategic activity for the company.

Although not every item on this list of pre-audit activities may be ready before the audit begins, be prepared to confirm that the audit report's conclusions and recommendations will be addressed in a timely manner.

Are the auditors prepared?

Since managing network operations is a daily IT function, confirm that auditors—whether internal or external—are familiar with network operations issues as well as network DR activities. It is also important to confirm that they have previously performed audits of the network’s DR program.

For first party audits, ensure that auditors have background material on network operations and DR activities so that they can prepare accordingly. If an external auditor is used, confirm that the potential audit company understands the DR activities of the network.

Network DR controls that should be audited

The following checklist provides a list of controls that auditors can review. Use the checklist to prepare for potential audit requests, making it easy to complete and deliver the audit report on time.

| Network DR audit controls | Examples of audit evidence |
|---|---|
| Network DR plan | Documented plan that includes incident response activities, identification of network DR teams, procedures to follow in the event of a network outage, and internal and external contact lists |
| Network DR program policy | Documented policy that specifies the types of disruptions to be addressed and how the organization intends to deal with them |
| Network DR program procedures and pertinent documentation, forms, etc. | Documented procedures, forms, templates, checklists |
| Network operating hours (for example, software backups, network rerouting and recovery activities) | Printouts or screenshots of schedules |
| Network operating elements | Screenshots of network operational controls, for example, access controls, normal routing methods, emergency alternate routing plans, environment plans, change management, wireless elements |
| Network performance reliability metrics | Screenshots of network reliability metrics, e.g., uptime, throughput, MTBF/MTTR* |
| Network DR test plans and documented results | Copies of recent network DR test plans, actual test data, and after-action reports |
| Network DR assessment and test frequency metrics | Screenshots of network DR testing and evaluation schedules showing frequency measurement (e.g., monthly, quarterly) for each activity |
| Network DR systems, software, local access facilities, WAN facilities, Internet facilities, managed services, cloud-based services | Operational documentation and relevant screenshots of resources used in network DR activities |
| Network operational resources, local (for example, data center network devices, local exchange network services) | Operational documentation and screenshots relevant to local network resources |
| Network operational resources, external (for example, ISPs, WAN service providers, cloud services, wireless providers, managed network services) | Operational documentation and screenshots relevant to external network resources |
| Operational network security; may include perimeter defenses such as firewalls, intrusion detection and prevention systems, internal network security monitoring applications, and physical access to the data center or network operations center | Operational documentation and screenshots relevant to network security measures |
| Network DR equipment that can be used in an emergency | Testing of a supply of network-related devices, e.g., routers, switches, circuit boards, servers, power supplies, wireless components, cabling, that are available for use in an emergency |

* Mean Time Between Failures (MTBF), Mean Time To Repair (MTTR)


Network DR Audit Report Review

Once the network DR audit report has been completed and submitted, teams should review the findings and recommendations. Note the proposed deadlines for delivering the responses to the auditors. Inform senior IT management of the report as soon as possible and be prepared to address any serious performance or operational issues identified in the report.

The network DR audit team should prepare a response to the audit report as soon as possible, with proposed actions and dates to address the audit recommendations.

Summary

Audit experiences can be informative and enlightening if you prepare properly, understand the audit process, and provide evidence to support network disaster recovery activities. In addition, audits can help teams establish comprehensive and resilient network operations and plan for disaster recovery.
