Network disaster recovery, or DR, auditing provides an objective examination of controls that manage network performance, and it evaluates whether the results are consistent with control objectives.
Network operations, including local access, WAN, wireless networking and internet access, are mission-critical. As such, enterprises should review them periodically to ensure they follow operational policies and procedures, test recovery and restoration procedures and carefully document results for each activity.
This article provides tips enterprises can follow to prepare for an audit of voice and data network DR activities. These tips help ensure network operations are protected from potentially disruptive events, such as power outages, network outages and equipment outages. Network teams should also audit controls for network integrity and recoverability.
The following three types of audits are possible:
- first party, which is conducted by internal audit;
- second party, in which a customer or approved organization conducts an external audit of network DR; or
- third party, which is a fully independent external audit.
Ensure the internal auditor or external audit firm is familiar with issues associated with network DR, including the following:
- network DR plans;
- network DR tests;
- network DR policies and procedures;
- network access;
- network diversity;
- network configuration;
- network routing;
- network backup;
- network security;
- network equipment environment;
- managed network services;
- local exchange access services;
- WAN services;
- internet access;
- cloud-based network services; and
- availability of devices, such as routers and switches, to replace damaged units.
Importance of a network DR audit
Network operations are critical to organizations of any type and size and must be managed according to established policies and procedures. Failure to perform periodic reviews of network DR plans and procedures -- as well as testing those resources -- can increase the risk of a network disruption that may be difficult to recover in a timely fashion.
Periodic audits of network DR program activities ensure the network performs as it should and help identify and correct disruptions quickly.
2 important items for an audit
Preparation and documentation are the two most important items when preparing for a network DR audit. Both electronic and hard copy documents are essential as evidence, so teams should ensure they identify those items and ready them for the audit. It's also essential to select and prepare a team that works with the auditors.
The internal audit team must understand what happens during the audit, so they can respond to auditor questions accurately. Support from senior IT leadership is also essential, as the auditors may wish to interview IT leaders along with network management team members. It's also important for teams to have the ability to demonstrate how the organization's network DR activities operate, as auditors may wish to see how a network recovery is performed.
Best practices for network DR audit preparation
As mentioned earlier, preparation and documentation are key elements for the audit. The following is a checklist of audit items:
- Current copies of all network operations and DR-related documentation, including network DR plans, DR policies and procedures, recent DR assessments, roles and responsibilities of network DR teams, results of network DR tests, documents describing previous network recovery issues and how they were resolved, DR test schedules, DR training activities, reports on DR tests, evidence of previous management reviews and network DR audits, and evidence of ongoing network improvement activities.
- Evidence that the network DR program is part of a comprehensive IT DR program.
- Evidence of scheduled, completed and documented network DR tests as part of an overall IT DR program.
- Evidence of periodic network DR assessments, DR plan updates and updates to network DR policies and procedures.
- Evidence that demonstrates senior management support for the network DR program, including a senior management sponsor or champion, a budget and staff dedicated to network DR activities.
- Evidence that network DR activities are considered a strategic activity for the firm.
While this list of pre-audit activities may not be in place before the audit commences, be prepared to confirm that the audit report findings and recommendations will be addressed in a timely fashion.
Are the auditors prepared?
As network operations management is a daily IT function, confirm that the auditors -- whether internal or external -- are familiar with issues associated with network operations as well as network DR activities. It's also important to confirm they have previously performed network DR program audits.
For first-party audits, ensure the auditors have background materials on network operations and DR activities so they can prepare accordingly. When using an external auditor, confirm that the prospective audit firm understands network DR activities.
Network DR controls to be audited
The checklist below provides a list of controls auditors may review. Use the list to prepare for potential audit requests, which facilitates the timely completion and delivery of the audit report.
|✔||Network DR audit controls||Examples of audit evidence|
|Network DR plan||Documented plan including incident response activities, identification of network DR teams, procedures to take when dealing with a network outage, lists of internal and external contacts|
|Network DR program policy||Documented policy that specifies the kinds of disruptions to be addressed and how the organization intends to deal with them|
|Network DR program procedures and relevant documentation, forms, etc.||Documented procedures, forms, templates, checklists|
|Network operational schedules (e.g., software backups, network rerouting and recovery activities)||Hardcopies or screenshots of schedules|
|Network operational elements||Screenshots of network operational controls, e.g., access controls, normal routing methods, emergency alternate routing plans, environment plans, change management, wireless elements|
|Network performance reliability metrics||Screenshots of network reliability metrics, e.g., uptime, throughput, MTBF/MTTR*|
|Network DR test plans and documented results||Copies of recent network DR test plans, data from actual tests and after-action reports|
|Network DR testing and assessment frequency metrics||Screenshots of network DR test and assessment schedules showing frequency metric (e.g., monthly, quarterly) for each activity|
|Network DR systems, software, local access facilities, WAN facilities, internet facilities, managed services, cloud-based services||Operational documentation and relevant screenshots for resources used in network DR activities|
|Network operational resources -- local (e.g., data center network devices, local exchange network services)||Operational documentation and relevant screenshots for local network resources|
|Network operational resources -- external (e.g., ISPs, WAN service providers, cloud services, wireless providers, managed network services)||Operational documentation and relevant screenshots for external network resources|
|Network operational security -- this can include perimeter defenses such as firewalls, intrusion detection and prevention systems, internal network security monitoring applications, and physical access into the data center or network operations center||Operational documentation and relevant screenshots for network security measures|
|Network DR equipment that can be used in an emergency||Evidence of a supply of network-related devices, e.g., routers, switches, circuit boards, servers, power supplies, wireless components, cabling, that are available for use in an emergency|
* Mean time between failure (MTBF), mean time to repair (MTTR)
Download the network disaster recovery audit checklist here.
Reviewing the network DR audit report
Once teams have completed and delivered the network DR audit report, they should review the findings and recommendations. Note any proposed time frames for delivering responses to the auditors. Brief senior IT management on the report as soon as possible and be prepared to address any serious performance or operational issues identified in the report.
The IT network DR audit team should prepare a response to the audit report as soon as possible, with proposed actions and dates to address the audit recommendations.
Audit experiences can be informative and enlightening with proper preparation, an understanding of the audit process and evidence supporting network disaster recovery activities. And audits can help teams establish comprehensive and resilient network operations and DR planning.