Advanced Accounting Information Systems

Advanced Accounting Information Systems

Day 21

Systems Availability and Business Continuity

October 12, 2009

AnnouncementsAnnouncements

– Return quiz 4– Assignment 4– Graduate student papers – disaster

recovery planning, recovery from 9/11, Katrina, etc.

– Midterm on October 23– No class on October 26

ObjectivesObjectives

Understand system availability and business continuity and recognize differences between the two

Comprehend incident response systems and their role in achieving the system availability objective

Explain disaster recovery planning objectives and its design, implementation, and testing requirements

Comprehend the link between business continuity and disaster recovery

Understand the role of backup and recovery in disaster recovery plans

Gray CaseGray Case

What factors contributed to this situation? What internal controls could have reduced

the likelihood that this situation occurred? What computer auditing/monitoring

techniques could the Grays develop to reduce the possibility that a similar situation will occur in the future?

Questions for todayQuestions for today

Identify at least one difference between systems availability and business continuity

Why is disaster recovery planning important?

Is disaster recovery planning cost beneficial?

Power outage example at Northwest AirlinesPower outage example at Northwest Airlines

Problem relates to systems availability Business continuity ‘mere power outage’ morning of July 15 in Eagan MN restored in 45

minutes but operated for a prolonged period of time in a degraded manner

– Over 5 minutes to print boarding ticket

– Automated check-in terminals did not work

– Issued manual boarding passes that could not be scanned at the gate – thus passenger database needed to be updated later

– Manual luggage check in

– Impact – loss of revenue, impact on image, customer dissatisfaction, inconvenience and frustration on the part of the airline employee and travelers, additional costs of manual processing

Two worriesTwo worries

Business continuity

Systems availability

Incident ResponseIncident Response

Incident

Questions as incident is identified (order is important)

Incident response team

Nature of response

Preventive measures

Disaster RecoveryDisaster Recovery

Disaster

Postdisaster phases– Response phase– Resumption phase– Recovery phase– Restoration phase– Timeliness of action– Value of recovery

Disaster Recovery PlanningDisaster Recovery Planning

Components of planning (discuss processes and resources rather than details)

Assessing potential losses: disaster impact analysis Value-based recovery planning

Finding criticality Disaster recovery strategies

Disaster Recovery PlanningDisaster Recovery Planning

Recovery locations – New York Board of Trade – New Orleans business recovery

Disaster recovery teams

Disaster Recovery PlanningDisaster Recovery Planning

Disaster readiness– Walkthroughs– Rehearsals– Compliance (live) testing

Business Continuity PlanningBusiness Continuity Planning

Totality of plans made to recover the business operations following a disaster

Business impact analysis

Business recovery

Assurance ConsiderationsAssurance Considerations

Method– Is top management supportive of maintaining a sound systems availability and

business continuity plan? Are adequate resources devoted to this plan? – How is criticality defined? Is it complete and adequate for changing needs of

business?– Are key systems and business processes carefully identified?

Content– Is source(s) of information used to prepare BCP reliable?– What is the quality of instruments and methods used to gather data?– Does BCP reflect recent changes in business, recent acquisitions, mergers?

Live testing– How often is testing performed?– Who is in charge? Are personnel warned ahead of time?– Are test results documented? Is there a follow-up process that may modify plan

if problems are discovered during testing?

Questions for WednesdayQuestions for Wednesday

Exercises 9 and 11