disaster recovery enw

Disaster Recovery & Risk Management in the Digital World Joseph P. Manzelli Jr. CPA.CITP Director, Fuoco Group LLP www.fuoco.com

Upload: joseph-p-manzelli-jr

Post on 22-Nov-2014

Category:

Technology


TRANSCRIPT

Page 1: Disaster recovery enw

Disaster Recovery & Risk Management in the Digital World

Joseph P. Manzelli Jr. CPA.CITP

Director, Fuoco Group LLP

www.fuoco.com

Page 2: Disaster recovery enw

IT Infrastructure Background

- Main office in Hauppauge, NY (Long Island) where all servers are housed
- Two other offices – NYC and North Palm Beach, Florida
- Staff of about 65 individuals
- 5 Servers
- Dual T-1’s in NYC, T-1 point-to-point (NYS-LI), T-1 and 5mb line in LI and one T-1 in Florida

Page 3: Disaster recovery enw

Common Disaster Recovery Terms (not just for IT)

- Recovery Time Objective (RTO) – Time required to recover from a disaster
- Recovery Point Objective (RPO) – How much data can you afford to lose
- Business Impact Analysis (BIA) – Understand the degree of potential loss
- Bare Metal Recovery – Assumption you are “starting from scratch”

Page 4: Disaster recovery enw

Definitions

Disaster – 1) A sudden unplanned catastrophic event causing unacceptable damage or loss 2) An event that compromises an organization’s ability to provide critical functions, processes or services for some unacceptable period of time 3) An event where an organization’s management invokes their recovery plans

Emergency – An unexpected or impending situation that may cause injury, loss of life, destruction of property or cause the interference, loss or disruption of an organization’s normal business operations to such an extent that it poses a threat

Disaster Recovery – The ability of an organization to respond to a disaster or an interruption in services by implementing a disaster recovery plan to stabilize and restore the organization’s critical functions.

Emergency Response – The immediate reaction and response to an emergency situation commonly focusing on ensuring life safety and reducing the severity of the incident

Page 5: Disaster recovery enw

Definitions (cont’d)

Disaster Recovery Plan – A management-approved document that defines resources, actions, tasks and data required to manage the technology recovery effort. Usually refers to the technology recovery effort. This is a component of the Business Continuity Management Program.

Business Continuity – The ability of an organization to provide service and support for its customers and to maintain its viability before, during and after a business continuity event

Business Continuity Plan – The process of developing and documenting arrangements and procedures that enable an organization to respond to an event that lasts for an unacceptable period of time and return to performing its critical functions after an interruption

Page 6: Disaster recovery enw

Disaster Recovery (DR) Considerations (Business Goals)

- How long can we be down?
- How much data loss is acceptable?
- What parts of the business have to be up and when?
- What constitutes a disaster?
- Less downtime vs. greater DR costs

Page 7: Disaster recovery enw

What Kind of Disaster are We Planning For

Possible Disasters

- Fires (loss of access to building)
- Power failures (Use of UPS systems)
- Flooding (broken pipes)
- Hardware failures
- Data corruptions (Data backup what type – offsite?)
- ISP outages (Multiple ISP use)
- AC failure

Page 8: Disaster recovery enw

Recovery Time Considerations

- What is acceptable downtime? What is your goal?
- How long does it take your systems to go from a completely down state to “ready for use” by staff?
- How long would it take to restore data to servers?
- How long would it take to “switch back” to your main site after the disaster?

Page 9: Disaster recovery enw

Disaster Recovery Communications

- How will you communicate to staff that there is an emergency?
- Where will people work from during a disaster?
- Does everyone know how to access DR systems?
- Cell phones and backup email addresses

Page 10: Disaster recovery enw

Types of DR Sites to Consider

Cold Site – Bare metal build – rebuild & restore everything from backups

Warm Site – Full duplicates of systems & data maintained, but need work to “go live”

Hot Site – Full duplicate of ‘live’ systems and data always ready for use (failover site)

With multiple offices, we are between a Cold & Warm site option

Page 11: Disaster recovery enw

Hosting center vs. Self-Hosted

- Hosting Quality: ISP diversity, HVAC, Power?
- Hosting Costs: Space, Power & Network
- Equipment costs: Lease? Purchase? Rent?
- Where is the DR site located? (travel issues)
- How long can you operate from the DR site?
- No matter what is chosen, you are maintaining two IT sites

Page 12: Disaster recovery enw

Planning DR with Virtual Servers

Full virtualization, in computer science, is a virtualization technique used to implement a certain kind of virtual machine environment: one that provides a complete simulation of the underlying hardware. The result is a system in which all software capable of execution on the raw hardware can be run in the virtual machine. In particular, this includes all operating systems. (This is different from other forms of virtualization – which allow only certain or modified software to run within a virtual machine.)

Page 13: Disaster recovery enw

Planning DR with Virtual Servers

- Allows you to virtualize machines and cut down on hardware
- Replication
  - Frequency & Process
  - VM vs. SAN based
  - Hosted, with agents and 3rd party
  - Bandwidth restrictions (how much data do you have)
- Licenses (not trivial)
  - Windows
  - Replication software
  - VMware ESX Server license vs. Windows 2008 Server

Page 14: Disaster recovery enw

Issues to Consider

- How much work is sitting on people’s desks that is NOT digital
- Exceptions: is there software, files, processes not on servers or that are known by only one person
- Do you have a full inventory of current equipment for the replacement of equipment and for the insurance company?
- Do you have all of the software ready to restore?
- Consider software as a service (SaaS)

Plan should be WRITTEN and TESTED

Page 15: Disaster recovery enw

Fuoco Group’s Plans

- Tape backup of data (daily) considering offsite online backup as well
- SAN Snap shots using Acronis software
- Windows Shadow Copy System
- Multiple T-1’s ISP’s
- Considering Virtualization
- Looking into CCH Global fx and CCH Document ASP

Page 16: Disaster recovery enw

Risk Management in Digital World

- Risk – The possibility of suffering harm or loss
- Management – The act, manner, or practice of managing, handling, supervision, or control

As the American Heritage Dictionary suggests, risk management is the process by which one attempts to manage or control the possibility of suffering loss

Page 17: Disaster recovery enw

Overview

- Enron
- Arthur Andersen
- Spoliation (destroying evidence)
- The way in which information is created, processed, and maintained in the modern, digital world has added a whole new layer of risk to the operation of any business, especially accounting firms
- Email handling has spawned a whole new industry
- An “ounce of prevention” will prevent “a pound of cure”

Page 18: Disaster recovery enw

Document Management & Retention

- What should be kept?
- For how long?
- Where is it?
- How do you maintain it?
- “Paperless” office
- A rough rule of thumb is that if electronically stored information is accessible (actively used for information retrieval) then it is likely subject to disclosure

Page 19: Disaster recovery enw

Don’t write anything you can phone
Don’t phone anything you can talk
Don’t talk anything you can whisper
Don’t whisper anything you can smile
Don’t smile anything you can nod
Don’t nod anything you can wink

Huey Long
Notorious Louisiana governor

Page 20: Disaster recovery enw

Retention Policy

- Should you have one?
- Keep everything (electronic files)
  - Storage space is cheap
  - In litigation, discovery could be expensive as you have ALL files and pure volume of information would be overwhelming
- Keep nothing
  - Litigation – proving your side
  - Unlikely and unreasonable

Page 21: Disaster recovery enw

Retention Policy

- Bottom line is there is no right or wrong answer
- Assess
  - The nature of your practice
  - Client base
  - Claim History
  - Applicable Law
  - Best Practices of comparable firms

Manage your risk by exercising good business judgment, develop procedures and stick to them

Page 22: Disaster recovery enw

Sedona Guidelines

www.thesedonaconference.org

“Absent a legal requirement to the contrary, organizations may adopt programs that routinely delete certain recorded communications, such as electronic mail, instant messaging, text messaging and voice mail”

Legal requirements could be:

- Sarbanes Oxley
- State law
- Federal law
- State accountancy regulations
- Self-imposed “litigation hold”

Page 23: Disaster recovery enw

Retention Policies

Whether hard copy or electronic the policies MUST BE

- Documented
- Communicated
- Enforced
- Updated

Train staff – make them aware

Page 24: Disaster recovery enw

Privacy Issues

- IRS reg. 7216
  - Mandatory consent form for outsourcing overseas
  - Effective January 1, 2009
- Social security numbers
  - Redacting on copies of returns
  - IRS still sending notices with full social security number and address listed
- Emailing of tax returns
  - Encryption of emails with personal information
  - Bank & Brokerage Account numbers/ credit card information
- Deloitte 2007 Privacy & Data Protection Survey
  http://www.deloitte.com/dtt/cda/doc/content/us_risk_s&P_2007%20Privacy10Dec2007final.pdf

Page 25: Disaster recovery enw

IT Security & Fraud Risks

- External and Internal threats
- Most threats and breaches are from within
- Laptops
  - 49% of companies have had laptops stolen in the past 12 months
  - 90% are never recovered
  - 57% of corporate crimes are linked to stolen laptops
  - 73% of companies had no specific security policies for their laptops in 2003
  - 25% of security breaches involving identity theft involved missing laptops
- Opportunities
  - CISA certification (Certified Information Systems Auditor)
  - CFE (Certified Fraud Examiner)

Page 26: Disaster recovery enw

Doesn’t apply to you?

AICPA’s 2008 Top Technology Initiatives

1. Information Security Management

2. IT Governance

3. Business Continuity Management (BCM) and Disaster Recovery Planning (DRP)

4. Privacy Management

5. Business Process Improvement (BPI), Workflow and Process Exception Alerts

6. Identity and Access Management

7. Conforming to Assurance and Compliance Standards

8. Business Intelligence (BI)

9. Mobile & Remote Computing

10. Document, Forms, Content and Knowledge Management

Page 27: Disaster recovery enw

Honorable Mention Technology Initiatives

11. Customer Relationship Management (CRM)

12. Improved Application and Data Integration

13. Training & Competency

14. Web-deployed Applications

15. Information Portals

More details: http://infotech.aicpa.org/Resources/Top+Technology+Initiatives/2008+Top+10+Technology+Initiatives/2008+Top+Technologies+and+Honorable+Mentions.htm

Page 28: Disaster recovery enw

345 Seventh Avenue, 8th Floor, New York, NY 10001, 212-947-2000

200 Parkway Drive South, Suite 302, Hauppauge, NY 11788, 631-360-1700

1224 US Highway One, Suite H, North Palm Beach, FL 33402, 561-625-6692
