Framework for auditing disaster recovery plans a case for Kenyan based companies
Abstract
lCT systems are vulnerable to a variety of disruptions from a variety of sources which are
both internal and external. While much vulnerability may be minimized or eliminated
through technical and non-technical means as part of the organization's disaster preparedness,
it is virtually impossible to eliminate all risks. Disaster Recovery Planning refers to an
effective and comprehensive statement of consistent actions to be taken before; during and
after a disruption to help an organization resume partially or completely, interrupted critical
functions within a predetermined time after disruption. DRP Audit refers to independent
examination of the DRP to ascertain whether if implemented, it will be able to meet the
actual needs i.e. is it adequate, suitable and effective.
Most companies continue to record losses in data, information, software, hardware and such
due to unsuccessful implementation of the Disaster Recovery Plans caused by unaudited
disaster recovery procedures and/or out dated disaster recovery plans.
The existing DRPs' effectiveness diminish due to changes in the environment that the plan
was developed to protect.
The main aim of this study was to determine how sampled Kenyan organizations with
Disaster Recovery Plans have embraced DRP audit and developed a framework which the
organizations can use to audit the DRP capability.
The study involved development of a framework which will help organizations test and audit
f
J the DRPs and survey the plan for its effectiveness. The audit process ensures that the plan is
adequate as well as current.
In our approach, we focussed on Kenyan firms. This framework was developed to enable
firms to audit after testing, their respective DRPs with a view of seeing how best they can
survive a disruption and re-establish normal business operation. The study relied largely on the
primary data collected through field survey using questionnaires and interviews.
DRP audit problems identified in this study are:
Lack of audit framework in many organizations, lack of DRP audit skills, lack of DRP audit
tools and lack of monitoring and evaluation ofDRP audit capability.
Based on these findings, this study recommends that organizations use the framework
developed in this study to guide them during testing and auditing of Disaster Recovery Plans.
Publisher
School of Computing and Informatics
Subject
Auditing disasterDescription
MSc