The IT Management controls appear to be properly implemented and working effectively for FFC. The assessed level of risk is low. FFC has a strong IT strategic plan that is in line with the corporate strategic plan; the committees have a diverse set of strong members, which allows for fundamentally sound decisions that are best for the organization because all aspects of the business are taken into consideration. The organizational structure is conducive to strong and clear reporting channels, which include the CIO reporting to the CFO and EVP. One step lower on the corporate ladder, the VPs of applications, operations, information security and database administration report to the CIO.
Findings -- System Development
The primary factor that influenced this grade is the fact that FFC has no documented business continuity or disaster recovery plan in place to provide a framework that ensures the organization will continue to operate with minimum disruption if a natural disaster or any other event that threatens operations occurs. Management believes such a plan is cost prohibitive for an organization of its size, and relies on the fact that it has never experienced any major business disruption. FFC’s unofficial plan is to have the data center manager retrieve the most recent backup tapes to recover its systems in case of disaster. This plan does not take into account the possibility of its primary facilities and resources becoming unavailable for use. Although FFC backs up its data on a daily basis, the audit team believes that the backup data should be transported to the off-site facility more frequently. An additional weakness is that FFC has not tested its backup tapes during the past year, and has no plan to test these tapes in the future. Without this testing, FFC is unable to effectively monitor whether or not it is capable of restoring lost data and resuming operations through the recovery …
In addition to managing ongoing IT operations and system development, the IT function must ensure that computing resources are operational and secured. To ensure that computing resources are secured, management should establish a process to account for all IT components. Processes should be in place to identify, track, and resolve problems in a timely manner. We recommend that FFC immediately implement a business continuity management program that defines an effective policy and response plan, and assigns responsibilities to an established response team. FFC should regularly rehearse the plan, perform timely and appropriate maintenance, and review the testing and updating to confirm that the plan is operating effectively. Additionally, FFC should embed the business continuity management program into the organization’s culture, providing the necessary education, training, and awareness to all employees so that they are ready to respond effectively during a catastrophic event. Although mirror sites or electronic vaulting may not be cost-effective alternatives, FFC should make arrangements with hardware vendors, service centers, or others for standby use of compatible computer equipment through the use of a hot or cold site. A cold site is a less costly option that will provide FFC with an alternative computer facility