Framework for auditing disaster recovery plans a case for Kenyan based companies

Abstract

lCT systems are vulnerable to a variety of disruptions from a variety of sources which are both internal and external. While much vulnerability may be minimized or eliminated through technical and non-technical means as part of the organization's disaster preparedness, it is virtually impossible to eliminate all risks. Disaster Recovery Planning refers to an effective and comprehensive statement of consistent actions to be taken before; during and after a disruption to help an organization resume partially or completely, interrupted critical functions within a predetermined time after disruption. DRP Audit refers to independent examination of the DRP to ascertain whether if implemented, it will be able to meet the actual needs i.e. is it adequate, suitable and effective. Most companies continue to record losses in data, information, software, hardware and such due to unsuccessful implementation of the Disaster Recovery Plans caused by unaudited disaster recovery procedures and/or out dated disaster recovery plans. The existing DRPs' effectiveness diminish due to changes in the environment that the plan was developed to protect. The main aim of this study was to determine how sampled Kenyan organizations with Disaster Recovery Plans have embraced DRP audit and developed a framework which the organizations can use to audit the DRP capability. The study involved development of a framework which will help organizations test and audit f J the DRPs and survey the plan for its effectiveness. The audit process ensures that the plan is adequate as well as current. In our approach, we focussed on Kenyan firms. This framework was developed to enable firms to audit after testing, their respective DRPs with a view of seeing how best they can survive a disruption and re-establish normal business operation. The study relied largely on the primary data collected through field survey using questionnaires and interviews. DRP audit problems identified in this study are: Lack of audit framework in many organizations, lack of DRP audit skills, lack of DRP audit tools and lack of monitoring and evaluation ofDRP audit capability. Based on these findings, this study recommends that organizations use the framework developed in this study to guide them during testing and auditing of Disaster Recovery Plans.