EXAMINING DATA CENTERS SUBMITTED BY: Rick Kolker The City of Phoenix e-mail =>
[email protected] Attached (or in the accompanying file) is an audit program that I use as a starting point for examining data centers. It is only a guideline and not intended to address all data center issues. I modify this program for every review that I perform (i.e. depending on scope, nature of data center, etc).
COMPUTER CENTER DETAIL AUDIT STEPS AUDIT OBJECTIVES: To determine that: * personnel procedures and responsibiliites address employee termination, crossfunctional and systems training * program change controls are adequate to ensure that changes are tested and approved before being moved into production status * backup procedures are adequate to minimize business interruption and protect against loss of data in the event of a disaster, * physical security controls are adequate to prevent unauthorized access to computer center areas * environmental controls are adequate to minimize hardware/software losses from fire or flood. ADM. ADMINISTRATIVE SECTION 1. Complete the Quality Assurance Checklist. 2. Complete detailed audit program (See sections below for audit steps) 3. Prepare Statement of Scope and Methods memorandum 4. Obtain copies of any prior and/or related audit reports 5. Document Opening Conference: a. Notification Memo b. Meeting Agenda c. Management's Comments / Meeting Notes 6. Document Exit Conference 7. Document Closing Conference 8. Review of Applicable Laws, Rules, & Regulations 9. End of Survey Phase Commitment Letter 10. Comparison of Budgeted Hours to Actual Hours
11. 12. 13. A.
Document, as necessary, any Notes for Future Audits NOT USED (NO WORKPAPER CROSS-REFERENCE) Prepare a Draft Audit Report documenting audit observations and any recommendations.
ORGANIZATIONAL STRUCTURE / SYSTEM OVERVIEW, DOCUMENTATION, & TRAINING 1. Document organizational structure a. Identify those positions responsible for maintaining the programs, backing-up the system / data files, and using the various computer center systems. If necessary, review the written job descriptions for each functional duty described in the organization chart. b. Determine whether provisions are made for backup personnel in key positions? c. Determine if termination procedures are adequate: (1) The employee's I.D. badge should be collected when he or she is terminated. (2) Passwords that the terminating employee was privy to should be removed or changed. (3) His or her keys should be collected and/or locks be changed. (4) Is there a termination check out briefing session/procedure? d. Determine if adequate system training and supervision is provided to the employees using the system. 2. Determine whether vendor service personnel are supervised while on site? 3. Obtain or document an overview of the Information Systems (Including hardware resources, software, support/design staff, and users) in the Computer Center a. Determine the overall criticalness of each major system identified b. On dial-in lines does the security system include call-back features or some other means of control to ensure authorized access? 4. Determine if written system operation procedures exist (especially for start-up, shut-down, file maintenance, and preventive maintenance).
B.
PROGRAM CHANGE CONTROL MANAGEMENT 1. Obtain copies of the problem and change control procedures. Verify that changes must go through this process and are properly approved. 2. Determine whether the procedures provide for an adequate separation of program changes and production data
C.
COMPUTER CENTER OPERATIONS 1. Performance a. Examine utilization reports, determine the times of peak resource demand within the processing day. Determine how Computer Center management reacts to equipment utilization information. b. Determine whether capacity planning (processor, memory, channels, disk, etc.) performed, are consistent with, and integrated into strategic long-range plans c. Determine whether performance measurements are in place d. Determine whether system downtime is recorded or tracked. 2. Preventative Maintenance a. Interview employees and/or review vendor maintenance agreements to identify the responsibilities for preventive maintenance. Determine whether preventive maintenance is performed as prescribed, e.g., review preventive maintenance logs
D.
PHYSICAL SECURITY / ENVIRONMENTAL CONTROLS NOTE: A negative response to any of the questions in section D & E does not necessarily represent a significant control weakness. The environment should be evaluated as a whole and an overall determination made of its internal controls. 1. Determine that physical security policies and procedures are adequate by evaluating controls through interview and observation. Use the following audit steps/questions as a guideline in determining adequacy. a. Assure that there are written procedures in effect which prevent unauthorized persons from gaining access to computer facilities. b. Assure that authorized personnel are specifically defined in operation standards and/or procedures. c. Observe at several different times whether only authorized personnel are in the processing area. d. Determine whether the computer room facilities are restricted by the use of keys, badges or other automated security devices. e. Does the computer site have a ground floor location and possibly a showcase
window? f. Is computer site below ground level? g. Is air conditioning outside air intake at ground level? h. Is direct access into computer site possible from the outside or through a public hallway? i. Are keys to cabinets, equipment rooms, and wiring closets held under proper custody? j. Are all telecommunication line junction points (wiring and router closets, etc.) secured to prevent tampering? k. Is the computer center subject to catastrophic mishap, i.e., aircraft collision, etc.? 2. The adequacy of fire protection systems should be determined by using the following issues as a guideline. a. Clear and adequate fire instructions should be posted in strategic locations. b. Fire alarm pull boxes and emergency power switches should be clearly visible and unobstructed. c. The computer room should have an automatic fire extinguishing system which should be tested periodically by the manufacturer or service representative. d. The fire detection system should detect smoke, excessive heat or combustible fumes. e. The detectors should be located in the ceiling air ducts and beneath the raised flooring. Detectors should be tested frequently and protected by a backup power supply. f. When the fire alarm is activated, it should sound outside the computer room area at a guard station and a local fire station or emergency control center. Data Center personnel should be able to identify the sound of the fire alarm. g. What are the exposures to flooding? Would a burst pipe or rising river cause damage? h. The computer room should be kept clean at all times. 3. The environmental equipment and controls should be adequate to protect the computer hardware from damage. Use the following areas as a guideline in determining adequacy.
a. Ventilation and air conditioning should be adequate to maintain appropriate temperature level specified by the manufacturer. b. Recording thermometers and humidity indicators should be located so the readings can be obtained easily. These instruments should be monitored on a routine basis by a trained person. c. The hardware should automatically shut down to protect itself from damage if unacceptable temperatures reached. d. The computer equipment should be subject to periodic maintenance, cleaning and inspection and a record kept of such. e. The computer room ceiling should be adequately constructed to prevent water from entering the computer room. f. Overhead water steam and pipes should be avoided. g. Adequate drainage should be provided. h. Independent air conditioning system with backup power supply should be installed. E.
BACKUP 1. Determine that system and data file backup procedures are adequate to minimize recovery time and or loss of data. 2. Determine whether backups are maintained offsite. 3. Identify the backup power supplies/equipment relating to the following areas: a. Emergency backup lights b. Computer systems 4. Determine wheter the backup power is of adequate size to power all equipment relying on it, including those not within the scope of this audit.