25 Questions to Ask IT
Guide to Good Data Processing Operations
Most IT disasters can be avoided but you need to plan to avoid them. A faulty recovery from a disaster is often the cause of a further disaster. This is often the worst kind of security failure where data is more likely to be lost. Planning for computer failure will reduce the risk to your business.
Satisfactory answers to the following 25 computer operations and business procedure questions will not guarantee that you will not experience a major business problem, but without them there is a disaster waiting to happen. (The worst score we have encountered so far is one out of twenty-five. We would be interested in hearing your score.)
Use your result in planning the development of your operational procedures.
Links to other best practices and training at bottom of page.
1. Are "data roll back" facilities employed by the software? ("Data roll back" prevents corruption of the database if a transaction or batch programme terminates abnormally.)
2. Is forward recovery to the point of system error, or duplicate "mirrored" updates to a separate and physically remote hard disc, provided? (This should avoid you having to re-enter all the data since the last backup in the event of a fault.)
3. Are regular backups of the data taken at least daily to avoid data loss, and kept off-site and / or in a fire-safe?
4. Are at least 3 versions retained (grandfather, father, son), and strategic copies kept before and after major changes?
5. Is the recovery process documented and checked regularly?
6. Does the system provide a comprehensive audit trail of updates, and is it switched on?
7. Is a test system with "as supplied" software available in separate program libraries with separate databases, and are all patches transferred to these libraries before being transferred to the live system following testing?
8. Is a test system for the live production computer system available in separate program libraries with separate databases (a mirror image, including local software modifications, customisation)?
9. Is a mature change control procedure in use in the Data Processing Department and does the audit trail of changes include: Date? Change Numbers? An overview of the change? Why was it done? Who did it? Test to production library updates?
10. Has there been a policy of minimum change to the supplied software package?
11. Have local modifications been done in such a way (as opposed to directly changing the supplied source code) that they can be reapplied when a new version of the software is released?
12. Are client computers or users allowed & able to download unauthorised software and is all current software in use a legitimate (not a pirate) copy?
13. Are program libraries backed up regularly, and are at least 3 versions retained (grandfather, father, son), and strategic copies kept before and after major changes?
14. Is the recovery process checked regularly?
15. Are there preventive measures in place and does a disaster recovery plan exist for the Data Processing Department as a whole, concerning the following potential disasters:
Any combination of these disasters?
16. Is access to computer facilities, systems, programs, sensitive or specific data and backups of the data privileged; is the taking of copies of the data (summaries or individual records) prohibited and prevented without specific permission; and is data never allowed to leave the site on laptop PCs, flash drives, email attachments, etc.?
17. Do user departments have a disaster plan whereby they can continue working for a day without serious operational problems in the absence of the computer system? Has this been tested, and can it be invoked simply and quickly?
18. Is operational cover provided to ensure that the system is operational through ALL working hours and is there time to do the housekeeping?
19. Are system reliability records kept and used as a measure of performance for the Data Processing Department?
20. Are software bugs dealt with comprehensively and speedily, and records kept as a measure of performance for the Data Processing Department?
21. Does the computer system provide adequate response time for the users in batch or on-line, and are performance problems investigated?
22. Is there an effective Help-desk facility to allow users to report system problems and to record and manage problems?
23. Is there an active process of archiving old versions of programs and data so that you can see the wood for the trees?
24. Do adequate written procedures for the computer operation exist?
25. Can your software supplier be given limited and privileged access to the system for the purpose of:
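As an added example (not part of the original checklist), the backup rotation asked about in questions 3, 4 and 13 can be expressed as a retention selector that decides which copies may be pruned. The daily / weekly / monthly reading of son / father / grandfather, the function names and the sample dates are assumptions made for this illustration.

```python
from datetime import date, timedelta


def gfs_retain(backups, sons=7, fathers=4, grandfathers=3,
               pinned=(), min_versions=3):
    """Return the set of backup dates to keep; everything else may be pruned.

    Assumed tiers (not defined on the page): sons = newest daily copies,
    fathers = newest copy in each recent ISO week, grandfathers = newest
    copy in each recent calendar month. `pinned` holds strategic copies
    taken before and after major changes, which are never pruned.
    """
    dates = sorted(set(backups), reverse=True)
    keep = set(dates[:sons])

    weeks, months = {}, {}
    for d in dates:  # newest first, so setdefault records the newest per bucket
        weeks.setdefault(tuple(d.isocalendar())[:2], d)
        months.setdefault((d.year, d.month), d)
    keep.update(list(weeks.values())[:fathers])
    keep.update(list(months.values())[:grandfathers])

    keep.update(p for p in pinned if p in dates)

    # Never let a tight policy drop below the minimum number of versions.
    for d in dates:
        if len(keep) >= min_versions:
            break
        keep.add(d)
    return keep


def prune_plan(backups, **policy):
    """Split backups into (keep, delete) lists, newest first."""
    keep = gfs_retain(backups, **policy)
    delete = sorted(set(backups) - keep, reverse=True)
    return sorted(keep, reverse=True), delete


# Constructed sample: 90 consecutive daily backups ending 2024-03-31, with
# strategic copies either side of a hypothetical major change on 2024-01-15.
NEWEST = date(2024, 3, 31)
BACKUPS = [NEWEST - timedelta(days=n) for n in range(90)]
STRATEGIC = (date(2024, 1, 14), date(2024, 1, 16))

if __name__ == "__main__":
    keep, delete = prune_plan(BACKUPS, pinned=STRATEGIC)
    print(f"keep {len(keep)}, prune {len(delete)}")
    for d in keep:
        print("  keep", d.isoformat())
```

Run the plan as a dry run and review the delete list before any pruning job acts on it; a restore test (questions 5 and 14) should target a copy from each tier.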
The following further best practice articles are also available on IT Operations:
The following public training courses and in-house workshops cover Best Practice Computer Operations:
I03: Best Practice Computer Operations
D02: Specification Change Management (Managing Product, Computer Program, Documentation & Process Changes)
To discuss your consulting or training needs with one of our independent consultants or trainers please Contact Us.
© SM Thacker & Associates (Consultancy and Training Specialists) April 2000. Version 7: March 2007