System Resiliency | It Auditing: Using Controls to Protect Information Assets [IT AUDITING -OS N/D]

Most information systems that reside within data centers process information that has a high requirement for system availability. Data center controls ensure high availability in relation to the facility, whereas redundant system components and sites are used to ensure high system availability in relation to the computer hardware.

1 Ensure that hardware redundancy is used to provide high availability where required.

When high system availability is required, systems should contain redundant system components such as redundant array of inexpensive drives (RAID) or redundant power supplies. Failure of system components will cause system outages and data loss.

How

When auditing redundant systems, the auditor should ensure that critical system components such as disk storage and power supplies are redundant wherever possible. Information about hardware redundancy can be found within system specification documents. Data custodians (administration personnel) should be able to provide this documentation.

2 Verify that redundant systems at separate sites are used where very high system availability is required.

In situations where there is no toleration for system downtime, redundant systems are placed at two or more separate locations. Information can be copied to alternate sites at set intervals such as daily or in real time. In cases where very high system availability is required, a system failure would cost an organization hundreds of thousands of dollars or more.

How

When reviewing system redundancy, it is important to review the manner in which data are copied from the main system to redundant systems. Since most systems with this level of criticality are database applications, we will focus on database redundancy. In general, there are three types of systems that provide database transaction redundancy:

Electronic vaulting-which provides periodic data copies through a batch process.
Remote journaling- which provides real-time parallel processing over a network connection.
Database shadowing-which provides real-time parallel processing over two or more network connections.

The auditor should ensure that the appropriate system is being used for the level of system availability that is required. System redundancy information usually can be obtained from system architecture documentation.