Security & Auditing

 

Audit planning & preparation

 

  • Meet with IT management to determine possible areas of concern
  • Review the current IT organization chart
  • Review job descriptions of data center employees
  • Research all operating systemssoftware applications and data center equipment operating within the data center
  • Review the company’s IT policies and procedures
  • Evaluate the company’s IT budget and systems planning documentation
  • Review the data center’s disaster recovery plan

 

Establishing audit objectives

 

  • Personnel procedures and responsibilities including systems and cross-functional training
  • Change management processes are in place and followed by IT and management personnel
  • Appropriate back up procedures are in place to minimize downtime and prevent loss of important data
  • The data center has adequate physical security controls to prevent unauthorized access to the data center
  • Adequate environmental controls are in place to ensure equipment is protected from fire and flooding

 

Objective Review & Testing

 

  • Equipment – The auditor should verify that all data center equipment is working properly and effectively. Equipment utilization reports, equipment inspection for damage and functionality, system downtime records and equipment performance measurements all help the auditor determine the state of data center equipment. Additionally, the auditor should interview employees to determine if preventative maintenance policies are in place and performed.
  • Policies and Procedures – All data center policies and procedures should be documented and located at the data center. Important documented procedures include: data center personnel job responsibilities, back up policies, security policies, employee termination policies, system operating procedures and an overview of operating systems.
  • Physical security / environmental controls – The auditor should assess the security of the client’s data center. Physical security includes bodyguards, locked cages, man traps, single entrances, bolted down equipment, and computer monitoring systems. Additionally, environmental controls should be in place to ensure the security of data center equipment. These include: Air conditioning units, raised floors, humidifiers and uninterruptible power supply.
  • Backup procedures – The auditor should verify that the client has backup procedures in place in the case of system failure. Clients may maintain a backup data center at a separate location that allows them to instantaneously continue operations in the instance of system failure.

 

Final review report

 

  • summarize the auditor’s findings and be similar in format to a standard review report. The review report should be dated as of the completion of the auditor's inquiry and procedures.